How This Briefing Works
This report opens with key findings, then maps the gaps between what Smartlook discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Smartlook was observed loading and executing before user consent was obtained on 33% of sites where it was detected.
Claims vs. Observed Behavior
pending
“Requires claims extraction via CDT”
Live website analysis pending
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Smartlook
- →Audit session recording for PII capture despite input masking configurations
- →Review data retention policies to minimize storage of behavioral recordings
- →Implement consent gates to prevent recording of EU/UK users without explicit opt-in
If You're Evaluating Smartlook
- →Self-hosted session replay to eliminate third-party data exposure
- →Privacy-preserving analytics alternatives that aggregate rather than record individual sessions
- →Sampling strategies to reduce recording volume and associated data liability
Negotiation Leverage
- →Request detailed technical documentation on PII masking reliability and edge cases where sensitive data may still be captured
- →Demand contractual prohibition on using your session recordings for Smartlook's machine learning training or product development
- →Negotiate data residency controls and explicit limits on Smartlook employee access to your customer session recordings
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Keystroke/mouse tracking
Impact: Fingerprints users through interaction patterns, mouse movements, and engagement signals captured in session recordings
Full session replay
Impact: Records complete user sessions including form interactions, navigation paths, and potentially sensitive input before masking
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
107 detection signatures across scripts, domains, cookies, and network endpoints