How This Briefing Works
This report opens with key findings, then maps the gaps between what Smarte discloses and what BLACKOUT observed at runtime. From there it covers what the findings mean for your organization, what to do about them, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Smarte was observed loading and executing before user consent was obtained on 100% of sites where it was detected.
Claims vs. Observed Behavior
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Smarte
- Quantify enrichment coverage: measure signal loss from privacy controls to understand audience bias
- Request complete data segregation: your visitor profiles should not enrich any other customer's datasets
- Verify consent architecture: all tracking must halt until explicit opt-in
- Implement first-party enrichment without cross-domain sync or persistent identifiers
If You're Evaluating Smarte
- CRM enrichment via consented form data (no behavioral tracking)
- First-party CDP with explicit data sharing controls
- Server-side visitor intelligence with complete data isolation
Negotiation Leverage
- Perfect CAC subsidization (100) means every visitor you track trains competitor models: demand complete data segregation or reject the vendor
- Perfect legal tail risk (100) indicates violations across all major privacy frameworks: the DPA must include unlimited indemnification
- Advanced persistence (C13) creates multi-year liability accumulation: confirm retention limits and consent renewal
- Cross-domain profiling requires a GDPR Article 35 DPIA: request the documentation or accept the compliance gap
- Comprehensive BTI coverage (7 codes) reflects a platform designed for privacy violation: pricing cannot offset this risk
- Platform value derives entirely from shared behavioral intelligence: you are the product, not the customer
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
- Evasion infrastructure, auditor bypass
- Keystroke/mouse tracking. Impact: interaction patterns and mouse dynamics are biometric identifiers under Article 9, requiring explicit consent and heightened security controls.
- Full session replay
- Identity stitching. Impact: visitor profiles synchronized across domains constitute large-scale profiling under GDPR Article 35, requiring a DPIA and DPO notification.
- Ignoring CMP signals
- Device identification
- Long-lived identifiers. Impact: advanced persistence mechanisms enable multi-month tracking without consent renewal. This creates unlimited liability accumulation and violates ePrivacy Directive retention limits.
IOC Manifest
Indicators of compromise across 3 categories. Use them for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
83 detection signatures across scripts, domains, cookies, and network endpoints