How This Briefing Works
This report opens with key findings, then maps the gaps between what SegmentStream discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Claims vs. Observed Behavior
Status: pending. Claim: “AI-powered attribution accuracy”. Observed: awaiting scanner verification of runtime JavaScript behavior, data collection endpoints, and cookie patterns.
Status: pending. Claim: “First-party data only”. Observed: cross-device identity resolution methodology needs direct observation to assess fingerprinting techniques.
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
Recommended Actions for SegmentStream
- Audit SegmentStream's JavaScript snippet deployment to understand exactly what first-party data is being collected and how cross-device identity graphs are constructed.
- Review consent mechanisms to ensure users are explicitly informed about and consenting to cross-device and cross-browser identity resolution.
- Request documentation on what percentage of attributed conversions are modeled vs. directly observed, and establish internal thresholds for acceptable modeling ratios.
- Evaluate whether data processing agreements adequately cover probabilistic identity resolution and international data transfers.
- Establish parallel measurement using a privacy-respecting analytics tool to validate modeled attribution against directly observed behavior.
Negotiation Leverage
- Leverage: SegmentStream's value proposition depends on customers trusting its AI-modeled conversions — ask for transparency on model accuracy rates, false positive rates, and how modeled conversions are validated against ground truth. The cross-device identity resolution capability creates compliance liability for you as the data controller; negotiate for explicit indemnification clauses covering regulatory actions related to probabilistic identity matching.
- Key questions: What specific data points feed the cross-device identity model? What is the retention period for visitor-level behavioral data? How are modeled conversions distinguished from observed conversions in exported reports? What happens to collected data if the contract is terminated?
- Contractual protections: Require data deletion upon contract termination with certification. Include audit rights for data processing activities. Negotiate for the ability to disable cross-device identity resolution while retaining single-session attribution. Ensure the DPA explicitly covers AI-based identity inference as a processing activity.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: SegmentStream's conversion modeling creates a measurement layer where modeled conversions blend with observed conversions, making it difficult to distinguish actual customer behavior from AI-inferred behavior. Budget decisions driven by modeled attribution can create feedback loops where spending increases in channels the model favors, regardless of actual performance.
Identity stitching
Device identification
Long-lived identifiers
PII deanonymization
IOC Manifest
Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
87 detection signatures across scripts, domains, cookies, and network endpoints