ZoomInfo CEO blocks researcher after documenting pre-consent biometric tracking(github.com)

123 pointsby SignalDra day ago5 comments

SignalDra day ago
I just got blocked by the CEO of ZoomInfo for documenting surveillance infrastructure on their GTM Studio landing page.
Timeline: 1. CEO posts product demo on LinkedIn 2. I analyze the landing page with Chrome DevTools 3. I post findings in comments (40+ cookies pre-consent, biometrics, etc.) 4. CEO blocks me within minutes
So I'm releasing the full evidence pack publicly: https://github.com/clark-prog/blackout-public
What I found: - Sardine.ai behavioral biometrics (mouse/typing patterns) firing before consent - PerimeterX device fingerprinting pre-consent - 118 unique tracking domains on a single page load - Base64-encoded config showing "enableBiometrics: true" - Formal partnership with Sardine (partnerId: "zoominfo")
The irony: ZoomInfo sells visitor identification tools but uses 3 external fingerprinting vendors on their own site.
All evidence is reproducible. HAR files, deobfuscated code, legal analysis included.
AMA about findings or methodology.
- linkjuice4alla day ago
  Sorry - had to flag this ad posting. Future tip - just release this stuff under one of your employee's or founder's name so it's not as obvious of an ad for the platform you're launching.
  - altairprimea day ago
    While custom here expects a Show HN tag, there’s no specific prohibition against showing HN something you built for profit, so long as you aren’t doing so excessively, the thing you built is interesting and relevant to HN readers, and you’re not making a habit of drive-by posting without engaging further. I found this content to meet those criteria, much more than either prior posting by OP.
    However, I specialize in noticing and reporting spammers to the mods who are trying to disguise their connection to the company posted, so please do not try to disguise or mislead the community as directed here; lying by omission with intent to mislead is completely uncool.
    OP, you’ve posted three times in six months and you don’t participate on the site other than posting stuff you made. HN generally has good cause to expect a higher bar of participation than that, and if you continue submitting things without participating in the wider site as a whole, users are going to flag your content without considering it at all. I’m not at my threshold for that yet given your history, but certainly I wouldn’t look fondly on another like this one given the dearth of comments on anyone’s posts besides those you posted or those about your works.
  - celloductora day ago
    idk the content itself was the main point i found the ad unobtrusive
  - Aeglaeciaa day ago
    what exactly is being advertised ?
    ChrisMarshallNYa day ago
    Looks like deployblackout -dot- com.
    Looks like a service to do the kinds of scans mentioned. Note the punchlist of laws being broken.
    Aeglaeciaa day ago
    ok thanks , so theres 3 spots of advertisement :
    1. using the company name to label an isolated incident
    2. providing a link to the company research unit that directs to the main company page, forcing a second click to view the research unit
    3. advertising the company's black friday sale
    i have to say 1 pisses me off as it trojans an ad into an existing pattern (uniquely naming disclosures/exploits), 2 and 3 are both slimy but id probably be able to forgive the company if they only implemented one of those two points, as is this is a bit much
  - infamouscowa day ago
    Nobody cares.
    Nobody cares.
    Nobody cares.
    Virtually every link in the comments can be construed as advertising depending on how much of a mindless pedant someone else wishes to be :)
- helloericsfa day ago
  Thanks for sharing. I bet their DPO and EU customers are super interested in the findings. The CEO should have handled it better, IMO.
  - Nextgrida day ago
    Their DPO will be interested so he can laugh about it and ask ChatGPT for an excuse letter. Their EU customers may be concerned but it’s not like anything will be done about it - especially not now when there are talks of relaxing the already non-enforced GDPR.
    helloericsfa day ago
    Wow, didn't know there were talks about relaxing GDPR. Can you share a few links? Many thanks.
    buzera day ago
    https://news.ycombinator.com/item?id=45980117
    Some more details:
    https://noyb.eu/en/eu-commission-about-wreck-core-principles... Textual analysis of the changes from the original leaked draft (especially "Overview Table of the Draft & Comments by noyb")
    https://noyb.eu/en/digital-omnibus-first-legal-analysis Video about the proposed changes (there are some changes compared to the leaked draft)
- globalnodea day ago
  A lot of orgs operate under the "ask forgiveness later" principle. They were probably hoping the "later" would be much later...
  - SignalDra day ago
    Considering that sales/marketing are basically the only business functions that have never been held to a compliance standard, they're betting it never comes.
    Nextgrida day ago
    They’re betting right. Only single-digit percentages of GDPR breaches ever led to a fine.
  - ethina day ago
    They're hoping the word "later" is synonymous for "never".
  - fsckboya day ago
    there's a corollary to "ask forgiveness later" which is "there are so many complex regulations and in such grey area minutia, there's not time to make that my main job. i have no idea if i'm doing anything wrong but my time seems better spent going ahead and doing something and solving problems as they arise"
  - snihalania day ago
    I wish america was customer first but its always going to be business first
    snihalania day ago
    sorry, investor first*
- chzblcka day ago
  You do know that lots of software is just meshing a few things together and selling that as a service right?
  Whos to say that they are making it so those 3 vendors work better together?
  edit - Also I just know this is a EU dev who thinks if I build a really good product people will just buy.
superkuha day ago
Automatic execution of javascript from arbitrary random domains is the biggest mistake the web ever made. A completely 180 from the old "Don't run programs you don't know where they're from." We're doing this to ourselves. I know it's too late to save the corporate, institutional, etc environments, but in your personal life you should set your primary browser to not auto-execute random programs. It'd solve this.
- sershea day ago
  Given the lack of friction going to a random website, "Don't run programs you don't know where they're from." automatic execution of javascript from arbitrary random domains would mean "including the one you are visiting".
  Which is exactly the way I think it should be. Web should have been noscript by default, domains should be added on case by case basis. Compared to the current situation banning web scripting essential to the functioning of any commercial websites altogether (because something something ADA screen readers for example) would have been better :)
jgalt212a day ago
> The question to consider: could this data become actionable in litigation?
That's sort of a silly question to pose. That risk always there. It's just a question of estimating that risk. EU is rolling back GDPR, so I'd estimate that risk is getting lower every day.
To play devil's advocate, why should FANG be the only ones allowed to crap all over the public internet's privacy?
- N_Lensa day ago
  If I only read headlines on HN I'd also say 'EU is rolling back GDPR'.
baiaca day ago
[flagged]
mike_da day ago
User opens DevTools and loads pretty much any website on the internet, film at 11.
- Nextgrida day ago
  Not sure why this is downvoted, this is exactly the case on any commercial website. They often whitewash it under the pretext of “legitimate interest” or “fraud protection”.