How This Briefing Works
This report opens with key findings, then maps the gaps between what Semcasting discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Semcasting was observed loading and executing before user consent was obtained on 7% of sites where it was detected.
Claims vs. Observed Behavior
pending
“Unknown”
Requires claims extraction via CDT
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Semcasting
- Audit identity resolution rates - quantify signal loss from privacy controls to understand audience bias
- Request identity graph segregation - your visitor data should not enrich competitor profiles
- Verify consent timing - cross-domain sync must not initiate before explicit opt-in
- Implement first-party identity resolution without cross-site tracking
If You're Evaluating Semcasting
- First-party CDPs with hashed email matching (no cross-domain tracking)
- Server-side identity resolution with explicit data sharing controls
- Privacy-preserving cohort targeting (Google Privacy Sandbox FLoC)
Negotiation Leverage
- Perfect CAC subsidization (100) means your visitor data trains all competitor audience models - demand complete data segregation
- Perfect legal tail risk (100) indicates violations across all privacy frameworks - DPA must include unlimited indemnification
- Cross-domain tracking requires GDPR Article 35 DPIA - request documentation or accept compliance gaps
- Persistence mechanisms create multi-year liability - confirm retention limits and consent renewal requirements
- Platform value derives entirely from shared identity graphs - pricing should reflect your data contribution
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Identity stitching
Impact: Identity resolution across sites constitutes large-scale profiling under GDPR Article 35, requiring Data Protection Impact Assessment and DPO notification.
Ignoring CMP signals
Impact: Cross-site tracking initiates before any consent mechanism, creating strict liability for every visitor interaction under GDPR Article 82.
Device identification
Container/loader (neutral)
Impact: Long-lived identifiers enable multi-year tracking without consent renewal, violating ePrivacy Directive Article 5(3) and creating unlimited liability accumulation.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
86 detection signatures across scripts, domains, cookies, and network endpoints