How This Briefing Works
This report opens with key findings, then maps the gaps between what Pubmatic discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Pubmatic was observed loading and executing before user consent was obtained on 22% of sites where it was detected.
Claims vs. Observed Behavior
pending
“Unknown”
Requires claims extraction via CDT
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Pubmatic
- →Require data processing addendum with explicit identity resolution and cross-domain tracking disclosure
- →Demand consent framework integration that blocks ID sync until user acceptance
- →Implement bidstream data minimization to limit visitor signal exposure to demand partners
- →Configure yield optimization to balance privacy preservation with revenue maximization
- →Establish retention limits for visitor profiles and identity graphs
If You're Evaluating Pubmatic
- →Test consent mechanism to verify ID syncing respects publisher consent state
- →Verify geographic data processing boundaries for GDPR compliance in EU traffic
- →Review identity resolution techniques and cross-device matching mechanisms
- →Assess bidstream data sharing with demand partners and third-party enrichment
- →Request disclosure of secondary data use for vendor intelligence or platform optimization
Negotiation Leverage
- →Pubmatic deploys cross-domain identity resolution across publisher inventory—demand contractual liability protection for GDPR/CCPA violations and explicit DPA terms covering ID syncing
- →Full bidstream visibility exposes publisher floor prices and inventory strategy to demand ecosystem—negotiate data minimization controls and audience signal limitations
- →Identity resolution creates unified visitor profiles across publisher properties—require transparency into matching techniques and user data deletion capabilities
- →Yield optimization signals may distort revenue attribution and monetization strategy—establish baseline measurement methodology for programmatic performance
- →Legal tail risk of 100% reflects programmatic infrastructure requirements—evaluate whether SSP value justifies regulatory exposure or consider privacy-preserving alternatives like contextual-only bidding
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Keystroke/mouse tracking
Impact: Ad viewability patterns and interaction signals create behavioral profiles for audience segmentation and targeting.
Full session replay
Impact: Interaction capture for viewability measurement records visitor behavior during ad exposure sessions.
Identity stitching
Impact: Identity synchronization across publisher properties enables visitor tracking throughout the programmatic ecosystem.
Ignoring CMP signals
Impact: SSP infrastructure processes bidstream data regardless of publisher consent state, collecting visitor signals before permission.
PII deanonymization
Impact: Cross-device and cross-site identity matching creates unified visitor profiles for programmatic targeting.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
108 detection signatures across scripts, domains, cookies, and network endpoints