The Threat Inside the “Security”

HUMAN Security sells “trust.”
We looked at what the code actually does.

HUMAN Security (formerly PerimeterX) processes 20 trillion interactions per week across 500+ customers. They call themselves “The Trust Layer for Digital Customer Experiences.” Their code — deployed on linkedin.com and thousands of other sites — runs a 48-feature device fingerprinting system inside hidden zero-pixel iframes, probes for 6,153 browser extensions, and transmits RSA-encrypted payloads to undisclosed infrastructure.

Security is the costume. The data is the business.

BROWSERGATE Investigation — Verified April 2, 2026

What we found on linkedin.com. In one session.

6,153 extensions scanned per page load
48 device fingerprint features collected
10,922 bytes of RSA-encrypted data per visit
200KB of obfuscated code in crcldu.com auditor.js
1,230 check definitions in decoded payload
20T interactions processed per week (their claim)

Every number above was independently verified by BLACKOUT on April 2, 2026. LinkedIn’s own Senior Engineering Manager confirmed the extension scanning system under oath in German court proceedings. The full investigation is published at /investigations/browsergate.

Observed Techniques

What “bot detection” actually deploys on your visitors.

These are the techniques we observed in HUMAN Security’s PerimeterX sensor running live on linkedin.com. All execute without visitor consent. All run inside hidden infrastructure designed to avoid detection.

  • Extension scanning: 6,153 Chrome extensions probed by ID on every page load
  • Canvas fingerprinting: hidden canvas elements rendered with Unicode, output hashed
  • WebGL fingerprinting: GPU renderer, vendor, 65+ parameters extracted
  • Behavioral biometrics: mouse movements (200ms), keystrokes, scroll, touch patterns
  • Hidden iframes: zero-pixel, position: -9999px, aria-hidden="true"
  • Blob Web Workers: off-thread execution invisible to DevTools

Bot detection requires answering one question: is this a human or a bot? That does not require scanning 6,153 browser extensions. It does not require probing GPU hardware. It does not require hidden iframes, encrypted payloads, or off-thread Web Workers invisible to DevTools. The technology exceeds the stated purpose by orders of magnitude.
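The concealment markers listed above (zero-pixel size, position: -9999px, aria-hidden="true") can be turned into a runtime check a site owner runs against their own page. The block below is an added example, not BLACKOUT's or HUMAN Security's code; it classifies iframe descriptors in pure JavaScript so the logic runs outside a browser, while collectFrames() (a helper name assumed here) builds those descriptors from the live DOM. The -1000px off-screen threshold and the sample frames are constructed assumptions.

```javascript
// Added example (not code from BLACKOUT or HUMAN Security). Flags iframes hidden
// by the techniques the page lists: zero-pixel size, off-screen position,
// aria-hidden="true", plus display:none / visibility:hidden for completeness.

const OFFSCREEN_PX = -1000; // assumption: anything further left/up than this is off-screen

function hostOf(src) {
  try { return new URL(src).hostname; } catch { return null; }
}

// Returns the list of reasons a frame counts as concealed (empty if it is visible).
function concealmentReasons(frame) {
  const reasons = [];
  if (Number(frame.width) === 0 || Number(frame.height) === 0) reasons.push('zero-pixel');
  if (Number(frame.left) <= OFFSCREEN_PX || Number(frame.top) <= OFFSCREEN_PX) reasons.push('off-screen');
  if (frame.ariaHidden === 'true') reasons.push('aria-hidden');
  if (frame.display === 'none' || frame.visibility === 'hidden') reasons.push('css-hidden');
  return reasons;
}

// Keeps only concealed frames and marks whether each loads from a third-party host.
function auditFrames(frames, firstPartyHost) {
  return frames
    .map(f => ({ src: f.src, host: hostOf(f.src), reasons: concealmentReasons(f) }))
    .filter(r => r.reasons.length > 0)
    .map(r => ({ ...r, thirdParty: r.host !== null && r.host !== firstPartyHost }));
}

// Browser-only collector (assumed helper): turns each <iframe> into a descriptor.
function collectFrames() {
  if (typeof document === 'undefined') return [];
  return Array.from(document.querySelectorAll('iframe')).map(el => {
    const cs = getComputedStyle(el);
    const box = el.getBoundingClientRect();
    return { src: el.src, width: box.width, height: box.height,
             left: parseFloat(cs.left) || 0, top: parseFloat(cs.top) || 0,
             ariaHidden: el.getAttribute('aria-hidden'),
             display: cs.display, visibility: cs.visibility };
  });
}

// Constructed sample: one frame styled as the page describes, one ordinary embed.
const SAMPLE_FRAMES = [
  { src: 'https://sensor.example.invalid/frame', width: 0, height: 0, left: -9999, top: 0,
    ariaHidden: 'true', display: 'block', visibility: 'visible' },
  { src: 'https://www.example.com/embed', width: 560, height: 315, left: 0, top: 0,
    ariaHidden: null, display: 'block', visibility: 'visible' },
];
```

In a browser console, `auditFrames(collectFrames(), location.hostname)` lists every concealed frame on the current page with the reasons it was flagged.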

Claims vs. Reality

What HUMAN Security says. What BLACKOUT observed.

Every claim is from HUMAN Security’s own Data Security & Privacy FAQ, last updated March 2026.

HUMAN claims: We store: IP Address, Connection metadata, Mouse interaction events
Observed reality: We observed: canvas fingerprinting, WebGL fingerprinting (65+ parameters), audio fingerprinting, font enumeration, battery API, WebRTC local IP extraction, CPU core count, device RAM, Do Not Track preference (collected then ignored), incognito detection, and 6,153 browser extension probes — all running inside invisible blob Web Workers.

HUMAN claims: HUMAN does not resell or transmit user data
Observed reality: crcldu.com — loaded as a nested hidden iframe inside the PerimeterX iframe — had TLS certificates issued for DSP, SSP, advertiser, and publisher subdomains. That is the certificate infrastructure of a programmatic advertising data pipeline.

HUMAN claims: Privacy is on by default — we minimize the collection of identifying information
Observed reality: 48 browser fingerprint features collected. 6,153 extension probes fired. Hidden zero-pixel iframe with aria-hidden="true". RSA-encrypted payloads. Blob Web Workers running off-thread to avoid detection. Triple-redundant data exfiltration.

HUMAN claims: We are clear about our privacy commitments
Observed reality: LinkedIn's privacy policy contains zero mention of extension scanning. The iframe is positioned at left: -9999px. The PerimeterX sensor uses string table obfuscation to resist analysis. The payload is RSA-encrypted before transmission. crcldu.com/bd/auditor.js is 200KB of military-grade obfuscated code.

HUMAN claims: Business model succeeds through the maintenance of our customers' privacy
Observed reality: HUMAN Security's own website runs ZoomInfo (registered CA data broker), ContentSquare (session recording), HockeyStack (DOM scanning), LiveRamp (identity resolution), LinkedIn tracking, and their own PerimeterX fingerprinting — 36 third-party domains total.

Their Own Site

We scanned humansecurity.com.

HUMAN Security Claims
  • "Privacy is on by default"
  • "We minimize the collection of identifying information"
  • "We are clear about our privacy commitments"
  • SOC 2 Type 2 and ISO 27001 compliant
BLACKOUT Scan Results
  • ZoomInfo — registered California data broker, base64-encodes visitor IP
  • ContentSquare — full session recording (mouse, scroll, clicks, forms)
  • HockeyStack — scans DOM to detect other vendors on the page
  • LiveRamp — cookie sync to cross-device identity graph
  • LinkedIn — li/track as the FIRST network request on page load
  • PerimeterX — their own product fingerprinting their own visitors
  • 36 third-party domains total

These are deliberate choices. On their own website, where they control every decision, the company that sells “privacy by default” deployed a registered data broker, session recording, identity resolution, and their own fingerprinting product. If this is how they treat their own visitors, what does the technology do on someone else’s site?

The Company

~$300M raised. $1.5B+ valuation. 500+ customers.

HUMAN Security was formed from the merger of White Ops and PerimeterX in 2022. ~500 employees. $100M+ ARR. Backed by Goldman Sachs, NightDragon, WestCap, ClearSky, and Vertex Ventures.

Tamer Hassan, Co-founder & Executive Chairman

White Ops co-founder. Fast Company #1 Most Creative Person 2019. Led the 3ve/Methbot botnet takedowns with the FBI.

Stu Solomon, CEO

Former President of Recorded Future ($2.65B Mastercard acquisition). Former exec at iSIGHT Partners (acquired by FireEye) and Optiv.

Ido Safruti, CTO

PerimeterX co-founder. Led R&D and product strategy for the sensor technology deployed on linkedin.com.

The technology is sophisticated. Layered concealment architecture (hidden iframes inside hidden iframes). Encrypted exfiltration with automatic fallback. Off-thread execution to avoid observation. 200KB of obfuscated code with a custom bytecode interpreter. This is not proportionate to answering “is this a bot?”

The Business Model

Bot detection is the product. What’s the data for?

1. Customer deploys HUMAN Security's sensor on their website for "bot detection"
2. Sensor fingerprints every visitor — 48 device features, 6,153 extension probes, behavioral biometrics — inside hidden infrastructure
3. Data transmitted encrypted to HUMAN Security's servers and third-party infrastructure (crcldu.com)
4. Customer gets a bot/human classification. HUMAN Security gets a comprehensive fingerprint database across 500+ customer sites, 20 trillion interactions per week

The question is not whether HUMAN Security detects bots. They probably do. The question is what else happens with the most comprehensive cross-site fingerprint database ever assembled — 20 trillion interactions per week across 3 billion unique devices. Bot detection requires a yes/no answer. The data collection far exceeds what that answer requires.

When the technology is disproportionate to the stated purpose, the stated purpose isn’t the real business. Security is the costume. The surplus data is the product.

The Irony

They sell script monitoring. They are the script that needs monitoring.

HUMAN Security’s Client-Side Defense product promises to “get full visibility and control over client-side scripts” and protect against “client-side supply chain attacks.” Meanwhile, their own PerimeterX sensor is the undisclosed third-party script operating via hidden iframes and setting tracking cookies without consent on LinkedIn and other properties.

What They Sell

Client-Side Defense

“See all client-side 1st- and Nth-party script behavior in the browser during real visitor sessions. Automate zero-trust policies to block risky script behavior.”

What They Are

The Undisclosed Script

A 226KB obfuscated sensor deployed inside a hidden zero-pixel iframe, fingerprinting visitors across 500+ customer sites, with no disclosure in LinkedIn’s privacy policy or subprocessor list. The EFF’s Privacy Badger blocks PerimeterX because they explicitly refuse to honor Do Not Track signals.

They charge enterprises $105K-$1.5M/year for the privilege of deploying the same surveillance technology that BLACKOUT would flag as hostile. If you ran HUMAN Security’s Client-Side Defense product on a site that also runs HUMAN Security’s PerimeterX sensor, the product would need to flag itself.

The Collapse Engine

HUMAN Security doesn’t protect against GTM collapse. It accelerates all four vectors at once.

BLACKOUT classifies GTM risk across four collapse vectors. Vendors that trigger one are a problem. HUMAN Security triggers all four simultaneously.

Signal Integrity

Your measurement is contaminated.

The fingerprinting system creates a parallel truth about your visitors that you can’t see, can’t audit, and didn’t consent to. 48 features collected, results encrypted before transmission. You’re making decisions based on data flowing through infrastructure you don’t control and can’t inspect.

Data Exposure

Your visitors’ fingerprints are pooled across 500+ sites.

20 trillion interactions per week across 3 billion devices. Your visitors’ device signatures, extension lists, and behavioral patterns flow through HUMAN Security’s infrastructure alongside data from your competitors’ sites. Your demand signals aren’t just leaking — they’re being aggregated into a dataset you don’t own.

Attack Surface

226KB of code you haven’t audited, running on your site.

Hidden iframes. Blob Web Workers. Encrypted payloads. A 200KB auditor script with a custom bytecode interpreter. Each one is an attack surface you own but don’t control. If HUMAN Security gets breached, every site running their sensor is compromised.

Compliance Risk

Your consent banner doesn’t cover what you don’t know about.

LinkedIn’s privacy policy doesn’t mention extension scanning. HUMAN Security isn’t listed as a subprocessor. Your consent mechanism covers the vendors you know about — not the hidden iframes and encrypted payloads your “security” vendor deployed without telling you. When the regulator comes, they fine you. Not the script.

The “security” label is what keeps anyone from noticing. Nobody audits the security vendor. That’s why the costume works — until someone looks at the code.

What GTM Security Actually Means

BLACKOUT.

Runtime Verification

We observe every vendor’s code executing in your environment. Every network request, every cookie, every hidden iframe, every blob Worker. Not a questionnaire. Direct observation.

Vendor Intelligence

600+ vendor dossiers. Claims vs. reality analysis. BTI threat classification. We don’t take vendors at their word. We compare what they say against what we observe.

Evidence-Grade Output

Court-ready evidence packs. HAR captures. Full network traffic analysis. The kind of evidence that holds up when a regulator asks “what did you know and when did you know it?”

BLACKOUT does not fingerprint your visitors. We don’t deploy hidden iframes. We don’t run blob Web Workers. We don’t probe for browser extensions. We run Plausible analytics on our own site. That’s it. Scan us. We’re clean. That’s the point.

HUMAN Security is a cross-site fingerprint database in a security costume.

BLACKOUT exists because companies like HUMAN Security proved the category needs to exist.

When the technology is disproportionate to the stated purpose, the stated purpose isn’t the real business.