ZoomInfo CEO blocks researcher after documenting pre-consent biometric tracking (github.com)
SignalDr 3 hours ago [-]
I just got blocked by the CEO of ZoomInfo for documenting surveillance infrastructure on their GTM Studio landing page.

Timeline:
1. CEO posts product demo on LinkedIn
2. I analyze the landing page with Chrome DevTools
3. I post findings in comments (40+ cookies pre-consent, biometrics, etc.)
4. CEO blocks me within minutes

So I'm releasing the full evidence pack publicly: https://github.com/clark-prog/blackout-public

What I found:
- Sardine.ai behavioral biometrics (mouse/typing patterns) firing before consent
- PerimeterX device fingerprinting pre-consent
- 118 unique tracking domains on a single page load
- Base64-encoded config showing "enableBiometrics: true"
- Formal partnership with Sardine (partnerId: "zoominfo")

The irony: ZoomInfo sells visitor identification tools but uses 3 external fingerprinting vendors on their own site.

All evidence is reproducible. HAR files, deobfuscated code, legal analysis included.

AMA about findings or methodology.
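
An added example, not part of the original post or the linked evidence pack: one way to check claims like these against a HAR export is to list the third-party hosts contacted and the cookies set before the consent click. The sample HAR, its hosts, the `pre_consent_report` helper and the consent timestamp are constructed assumptions.

```python
import json
from datetime import datetime
from urllib.parse import urlsplit

def _entry(ts, url, set_cookie=None):
    # Build one HAR 1.2 style entry for the constructed sample below.
    headers = [{"name": "Set-Cookie", "value": set_cookie}] if set_cookie else []
    return {"startedDateTime": ts, "request": {"url": url},
            "response": {"headers": headers}}

# Constructed sample; placeholder hosts, not taken from the evidence pack.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _entry("2025-01-01T12:00:00.000Z", "https://www.site.example/landing",
           "session=abc; Path=/"),
    # Some exporters join several Set-Cookie values with a newline.
    _entry("2025-01-01T12:00:00.400Z", "https://cdn.tracker.example/fp.js",
           "_fp=1; Max-Age=3600\n_fp2=2; Path=/"),
    _entry("2025-01-01T12:00:01.000Z", "https://api.biometrics.example/collect"),
    # Sent after the consent click, so it must not be reported.
    _entry("2025-01-01T12:00:09.000Z", "https://ads.other.example/pixel", "ad=9"),
]}})

def site_of(host):
    # Naive "last two labels" grouping; a real audit should use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def parse_ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def pre_consent_report(har_text, first_party_url, consent_time):
    """Return third-party hosts contacted and cookies set before consent_time."""
    first_party = site_of(urlsplit(first_party_url).hostname)
    cutoff = parse_ts(consent_time)
    hosts, cookies = set(), []
    for entry in json.loads(har_text)["log"]["entries"]:
        if parse_ts(entry["startedDateTime"]) >= cutoff:
            continue  # request started at or after the consent interaction
        host = urlsplit(entry["request"]["url"]).hostname
        if site_of(host) != first_party:
            hosts.add(host)
        for header in entry["response"].get("headers", []):
            if header["name"].lower() == "set-cookie":
                for line in header["value"].split("\n"):
                    cookies.append((host, line.split("=", 1)[0].strip()))
    return {"third_party_hosts": sorted(hosts), "cookies": cookies}

if __name__ == "__main__":
    print(pre_consent_report(SAMPLE_HAR, "https://www.site.example/",
                             "2025-01-01T12:00:05.000Z"))
```

The consent timestamp has to come from the analyst's own recording of when the banner was accepted; a HAR file does not mark it.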

linkjuice4all 18 minutes ago [-]
Sorry - had to flag this ad posting. Future tip - just release this stuff under one of your employee's or founder's name so it's not as obvious of an ad for the platform you're launching.
Aeglaecia 9 minutes ago [-]
what exactly is being advertised ?
helloericsf 15 minutes ago [-]
Thanks for sharing. I bet their DPO and EU customers are super interested in the findings. The CEO should have handled it better, IMO.
globalnode 49 minutes ago [-]
A lot of orgs operate under the "ask forgiveness later" principle. They were probably hoping the "later" would be much later...
SignalDr 32 minutes ago [-]
Considering that sales/marketing are basically the only business functions that have never been held to a compliance standard, they're betting it never comes.
ethin 29 minutes ago [-]
They're hoping the word "later" is synonymous with "never".
snihalani 29 minutes ago [-]
I wish America was customer first but it's always going to be business first
snihalani 29 minutes ago [-]
sorry, investor first*
superkuh 8 minutes ago [-]
Automatic execution of JavaScript from arbitrary random domains is the biggest mistake the web ever made. A complete 180 from the old "Don't run programs you don't know where they're from." We're doing this to ourselves. I know it's too late to save the corporate, institutional, etc. environments, but in your personal life you should set your primary browser to not auto-execute random programs. It'd solve this.
jgalt212 8 minutes ago [-]
> The question to consider: could this data become actionable in litigation?

That's sort of a silly question to pose. That risk is always there. It's just a question of estimating that risk. EU is rolling back GDPR, so I'd estimate that risk is getting lower every day.

To play devil's advocate, why should FANG be the only ones allowed to crap all over the public internet's privacy?

baiac 44 minutes ago [-]
[flagged]
mike_d 39 minutes ago [-]
User opens DevTools and loads pretty much any website on the internet, film at 11.