How This Briefing Works
This report opens with key findings, then maps the gaps between what SegmentStream discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Analysis pending. Findings will appear here once intelligence collection is complete.
Claims vs. Observed Behavior
- Claim: “AI-powered attribution accuracy”
  Status: pending. Awaiting scanner verification of runtime JavaScript behavior, data collection endpoints, and cookie patterns.
- Claim: “First-party data only”
  Status: pending. Cross-device identity resolution methodology needs direct observation to assess fingerprinting techniques.
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
Recommended Actions for SegmentStream
- Audit SegmentStream's JavaScript snippet deployment to understand exactly what first-party data is being collected and how cross-device identity graphs are constructed.
- Review consent mechanisms to ensure users are explicitly informed about and consenting to cross-device and cross-browser identity resolution.
- Request documentation on what percentage of attributed conversions are modeled vs. directly observed, and establish internal thresholds for acceptable modeling ratios.
- Evaluate whether data processing agreements adequately cover probabilistic identity resolution and international data transfers.
- Establish parallel measurement using a privacy-respecting analytics tool to validate modeled attribution against directly observed behavior.
Negotiation Leverage
- Leverage: SegmentStream's value proposition depends on customers trusting its AI-modeled conversions — ask for transparency on model accuracy rates, false positive rates, and how modeled conversions are validated against ground truth. The cross-device identity resolution capability creates compliance liability for you as the data controller; negotiate for explicit indemnification clauses covering regulatory actions related to probabilistic identity matching.
- Key questions: What specific data points feed the cross-device identity model? What is the retention period for visitor-level behavioral data? How are modeled conversions distinguished from observed conversions in exported reports? What happens to collected data if the contract is terminated?
- Contractual protections: Require data deletion upon contract termination with certification. Include audit rights for data processing activities. Negotiate for the ability to disable cross-device identity resolution while retaining single-session attribution. Ensure the DPA explicitly covers AI-based identity inference as a processing activity.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Impact: SegmentStream's conversion modeling creates a measurement layer where modeled conversions blend with observed conversions, making it difficult to distinguish actual customer behavior from AI-inferred behavior. Budget decisions driven by modeled attribution can create feedback loops where spending increases in channels the model favors, regardless of actual performance.
Detection categories:
- Evasion infrastructure, auditor bypass
- Identity stitching
- Device identification
- Long-lived identifiers
- PII deanonymization
IOC Manifest
Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access:
- Complete network capture with all requests and responses
- 87 detection signatures across scripts, domains, cookies, and network endpoints