Segment

95+ third-party vendors loading pre-consent on segment.com — a 66.3% pre-consent rate — while disclosing only infrastructure providers (AWS, Google, Snowflake) as subprocessors. The central nervous system of GTM stacks deploys the same surveillance vendors on their own site that their customers use Segment to manage.

148 IOCs · 84 detections · 67% pre-consent · 54 sites
Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what Segment discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

84 detections across 54 sites · 67% pre-consent activity · 2 critical disclosure gaps
CRITICAL

Subprocessor Disclosure

95+ marketing/advertising vendors (6sense, Clearbit, Demandbase, MetaPixel, etc.) load pre-consent - none disclosed

GDPR Article 28 · GDPR Article 13 · CCPA 1798.100
CRITICAL

Pre-Consent Tracking

66.3% of tracking loads before any consent interaction

GDPR Article 7 · ePrivacy Directive Article 5(3)
CRITICAL

Pre-Consent Activity

Segment was observed loading and executing before user consent was obtained on 67% of sites where it was detected.

GDPR · ePrivacy
HIGH

Privacy Marketing

Deploys 95+ third-party scripts pre-consent, including identity resolution and advertising

FTC Section 5 Unfair/Deceptive Acts
HIGH

B2B De-anonymization

Clearbit, 6sense, Demandbase, Apollo.io actively de-anonymizing visitors

GDPR Article 9 · CCPA 1798.140
Disclosure Gaps

Claims vs. Observed Behavior

4 gaps: 2 CRIT · 2 HIGH
Classified: BTI-X01, BTI-X02, BTI-X04, BTI-X05, BTI-X08, BTI-X10

Subprocessor Disclosure

GDPR Article 28 · GDPR Article 13 · CCPA 1798.100
CRITICAL

They Claim

Subprocessor list contains AWS, Google, Snowflake as primary data processors

Observed Behavior

95+ marketing/advertising vendors (6sense, Clearbit, Demandbase, MetaPixel, etc.) load pre-consent - none disclosed

Runtime scan 2026-01-23: 95 unique vendor detections, 66.3% pre-consent rate

Privacy Marketing

FTC Section 5 Unfair/Deceptive Acts
HIGH

They Claim

Secure and private by default

Observed Behavior

Deploys 95+ third-party scripts pre-consent, including identity resolution and advertising

segment.com security page vs runtime scan

B2B De-anonymization

GDPR Article 9 · CCPA 1798.140
HIGH

They Claim

Not explicitly disclosed

Observed Behavior

Clearbit, 6sense, Demandbase, Apollo.io actively de-anonymizing visitors

Runtime detections show B2B identity resolution vendors loading pre-consent

Customer Impact

What This Means For You

If Segment powers your customer data infrastructure, you are trusting your data to a CDP whose own website loads 95+ third-party vendors pre-consent while disclosing only AWS, Google, and Snowflake as subprocessors. Under GDPR Art 28, this subprocessor transparency gap is material — Segment's runtime behavior includes 6sense, Clearbit, Demandbase, MetaPixel, and DoubleClick, none of which appear in their disclosures. The 66.3% pre-consent rate on segment.com means the company responsible for managing your consent-gated data flows does not enforce consent on their own property. As a Twilio subsidiary processing data across 700+ integrations, your customer data flows through infrastructure where the parent company faces its own regulatory exposure.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Segment

  • Audit your Segment destinations — each active destination is a data recipient requiring disclosure under GDPR Art 13 and CCPA §1798.100
  • Review Segment's consent enforcement to verify data only flows to destinations after valid consent is obtained from your users
  • Check your subprocessor documentation against Segment's active destinations — the gap between disclosed infrastructure and actual data flows is material
  • Implement server-side Segment to reduce client-side script exposure and maintain tighter control over third-party data flows
  • Request a Segment DPA addendum that specifically lists all third-party vendors operating on segment.com beyond infrastructure providers

If You're Evaluating Segment

  • Request complete list of third-party vendors running on segment.com — 95+ detected versus only infrastructure disclosed is a critical transparency gap
  • Ask for evidence of consent verification before data transmission to destinations — this is core CDP functionality
  • Compare their subprocessor list against runtime scan results to understand the full scope of their data processing ecosystem
  • Evaluate server-side versus client-side deployment options to minimize JavaScript exposure on your property
  • Factor in Twilio parent company regulatory exposure and request contractual data isolation for your Segment deployment

Negotiation Leverage

  • Subprocessor disclosure: Segment discloses only infrastructure providers while 95+ marketing and advertising vendors load pre-consent on segment.com. Require complete enumeration of all third-party vendors operating on Segment properties, not just infrastructure processors.
  • Consent enforcement verification: As a CDP responsible for managing consent-gated data flows, Segment's own 66.3% pre-consent rate is a credibility concern. Require documented evidence of consent verification in their data processing pipeline before data transmission to destinations.
  • Server-side deployment mandate: Client-side Segment deploys JavaScript that introduces third-party script exposure. Require server-side Segment implementation to maintain control over data flows and reduce your client-side attack surface.
  • Destination audit rights: Each Segment destination is a data recipient requiring GDPR disclosure. Require quarterly access to your active destination list with data flow volumes and right to disable destinations without Segment intervention.
  • Twilio parent exposure: As a Twilio subsidiary, Segment data may be subject to Twilio's broader regulatory exposure. Require contractual isolation of your Segment data from Twilio's other products and explicit DPA terms for the Segment product specifically.
Runtime Detections

8 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

  • BTI-C01 Defeat Device: Evasion infrastructure, auditor bypass
  • BTI-C06 Behavioral Biometrics: Keystroke/mouse tracking
  • BTI-C07 Session Recording: Full session replay
  • BTI-C08 Cross-Domain Sync: Identity stitching
  • BTI-C09 Consent Bypass: Ignoring CMP signals
  • BTI-C10 Fingerprinting: Device identification
  • BTI-C13 Persistence Mechanisms: Long-lived identifiers
  • BTI-C14 Identity Resolution: PII deanonymization

IOC Manifest

143 INDICATORS

Indicators of compromise across 6 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Segment operates as a central nervous system in the GTM stack: it both loads vendors and is loaded by them. As a CDP, Segment receives data from 700+ sources and distributes it to 700+ destinations. On their own site, Segment is LOADED BY: Google Tag Manager (infrastructure), and LOADS: 6sense, Clearbit, Demandbase (B2B identity resolution), MetaPixel, DoubleClick, LinkedIn (advertising), GA4, Clarity (analytics), HubSpot, Marketo, ActiveCampaign (marketing automation), Qualified, Mutiny (personalization), TrustArc, CHEQ (privacy/fraud). This creates a circular data flow in which Segment customers' data passes through the same vendors Segment uses internally, creating cross-customer data leakage risk.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

148 detection signatures across scripts, domains, cookies, and network endpoints
