clark-prog/blackout-public: Blackout — The Official Blackout Public FAFO Repo.

Blackout's public FAFO repo

“You can block the researcher. You can’t block the evidence.”


On November 25, 2025, ZoomInfo CEO Henry Schuck posted a product demo of GTM Studio on LinkedIn, describing it as their AI-powered platform that “identifies person-level website visits.”

A security researcher analyzed the GTM Studio landing page and documented extensive pre-consent tracking infrastructure. The findings were posted as a comment on the CEO’s LinkedIn post.

Within minutes the researcher was blocked.

No improvement. No explanation. Just silence.

This evidence pack ensures that the findings cannot be suppressed.


| Finding | Proof |
| --- | --- |
| 50+ tracking requests before consent | Network capture shows tracking fires before the consent banner loads |
| Sardine.ai biometrics enabled | `enableBiometrics: true` in decoded configuration |
| PerimeterX fingerprinting | Collector fired on request #79 (pre-consent) |
| DNS fingerprinting activated | `enableDNS: true` in Sardine configuration |
| 118 unique tracking domains | Contacted on a single page load |
| Session fingerprinting | Fraud detection API creates session pre-consent |


Decoded Sardine.ai Configuration

{
  "enableBiometrics": true,
  "enableDNS": true,
  "partnerId": "zoominfo",
  "dBaseDomain": "d.sardine.ai",
  "environment": "production"
}

This collector configuration was decoded from the base64-encoded payload in the iframe URL.
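An added example (not code from the Blackout repo) of how an auditor can recover a base64-encoded JSON configuration from a URL's query string or fragment and list the switches that are turned on. The page does not show the actual iframe URL, so the host, path and the `cfg` parameter name below are constructed placeholders; only the configuration values come from the page.

```python
import base64
import json
from urllib.parse import parse_qsl, urlsplit

# The decoded configuration exactly as shown on the page.
PAGE_CONFIG = {"enableBiometrics": True, "enableDNS": True, "partnerId": "zoominfo",
               "dBaseDomain": "d.sardine.ai", "environment": "production"}

def b64_json(value):
    """Return the JSON object hidden in a base64 string, or None if there is none."""
    # parse_qsl turns "+" into " "; URL-safe base64 uses "-" and "_"; padding is often stripped.
    std = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    try:
        obj = json.loads(base64.b64decode(std, validate=True).decode("utf-8"))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    return obj if isinstance(obj, dict) else None

def decode_embedded_configs(url):
    """Return [(location, config)] for each query/fragment value that is base64 JSON."""
    parts = urlsplit(url)
    candidates = [("query:" + k, v) for k, v in parse_qsl(parts.query)]
    candidates += [("fragment:" + k, v) for k, v in parse_qsl(parts.fragment)]
    candidates.append(("fragment", parts.fragment))  # bare "#<payload>" form
    found = []
    for location, value in candidates:
        config = b64_json(value) if value else None
        if config is not None:
            found.append((location, config))
    return found

def enabled_flags(config):
    """Names of every enable* switch that is set to true."""
    return sorted(k for k, v in config.items() if k.startswith("enable") and v is True)

# Constructed sample: host, path and the "cfg" parameter name are placeholders.
_payload = base64.urlsafe_b64encode(json.dumps(PAGE_CONFIG).encode()).decode().rstrip("=")
SAMPLE_URL = "https://collector.example/frame.html?cfg=" + _payload + "&v=1"

if __name__ == "__main__":
    for location, config in decode_embedded_configs(SAMPLE_URL):
        print(location, enabled_flags(config), config["partnerId"], config["environment"])
```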

Translation:

  • Mouse movements are tracked by default
  • Typing pattern recorded
  • DNS fingerprinting enabled
  • ZoomInfo formalizes partnership with Sardine.ai
  • This is production, not testing

ZoomInfo markets GTM Studio as a tool to “identify person-level website visits”.

Yet on their own landing page for this product, they deploy:

  • 3 External Identification/Fingerprinting Vendors (Sardine.ai, PerimeterX, IdentityMatrix.ai)
  • Behavioral Biometrics Before Consent
  • 118 different tracking domains

Even visitor identification vendors don’t rely on their own product for visitor identification.


For marketers: why it matters to you

You are not a privacy lawyer. You are trying to achieve pipeline goals. So why should you care?

1. Your budget may be about to buy legal exposure

Every dollar spent on vendors with documented pre-consent tracking is potentially a dollar spent on future legal liability. When class actions arise in this area, “we didn’t know” is often not accepted as a defense; it may be described as negligence.

Question to consider: Could this data be actionable in litigation?

2. Your “intent data” may carry legal risks

Data collected without proper consent cannot be processed legally. This may mean:

  • Your lead score may be built on problematic data
  • Your ABM campaigns can target profiles collected without consent
  • Your attribution model may include bad signals

This is worth evaluating with your legal team.

3. Your customers may become plaintiffs

Are people being tracked without consent? These are the same people you are trying to convert. When they find out (and the prevalence of these practices is becoming increasingly public), you may not only lose a deal – you may also create a rival with legal standing.

Every visitor is a potential plaintiff. Every page view is potential evidence.

4. Your vendor’s compliance affects your compliance

GDPR Article 26. CCPA 1798.100. Your contract may state “Seller guarantees compliance.” Courts have found joint liability regardless. When a vendor’s practices become public record, your legal team will ask: “Who approved this vendor?”

That answer is worth finding.

5. Your competitors can use it against you

Imagine losing an enterprise deal because a potential client’s security team researched your martech stack. Imagine the RFP question: “Do you use vendors with documented pre-consent tracking?”

Your vendor’s options can be explored. Choose accordingly.


Marketing has been operating in “move fast, apologize” mode for 15 years. That era is ending.

The tracking infrastructure that drove the “growth at all costs” playbook is now:

  • Documented (you are reading the evidence)
  • Searchable (public GitHub repo)
  • Potentially actionable (GDPR, CCPA, CIPA may apply)

You can either:

  1. Audit your stack now and evaluate liability before it becomes apparent
  2. Wait for external verification and explain why you did not act on the public evidence

The seller will not protect you. Your contracts can’t protect you. It will be your choice only.


zoominfo-gtm-studio/
├── FINDINGS.md              # Full technical analysis
├── TIMELINE.md              # CEO post → comment → block sequence
├── code/
│   ├── sardine-config.json  # Decoded biometrics configuration
│   ├── perimeterx.md        # PerimeterX infrastructure details
│   └── tracking-sequence.md # Complete request timeline
├── methodology/
│   └── how-we-tested.md     # Reproduction instructions
└── legal/
    ├── gdpr-analysis.md     # EU regulation analysis
    ├── ccpa-analysis.md     # California privacy law analysis
    └── cipa-exposure.md     # California wiretapping exposure analysis

How to verify (5 minutes)

  1. Open Chrome in incognito mode
  2. Open DevTools (F12) → Network tab
  3. Enable “Preserve log”
  4. Navigate to: https://www.zoominfo.com/products/gtm-studio
  5. Do not interact with the consent banner
  6. Count the requests that fire before the banner is seen

  • collector-pxosx7m0dx.px-cloud.net – PerimeterX Fingerprinting
  • *.d.sardine.ai/bg.png – Sardine Behavioral Biometrics
  • gw-app.zoominfo.com/gw/ziapi/fraud-detection – Session Fingerprinting
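The manual count in step 6 can be repeated on a HAR file exported from the Network tab. The following is an added example, not part of the Blackout repo: it orders requests by start time, cuts at the consent banner's own request, and matches the three requests listed above. The sample capture is constructed, and `cmp.example` is a placeholder for whatever consent banner script the auditor identifies.

```python
from datetime import datetime
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# host+path globs for the three requests listed in the verification steps
WATCHLIST = {
    "PerimeterX fingerprinting": "collector-pxosx7m0dx.px-cloud.net*",
    "Sardine behavioral biometrics": "*.d.sardine.ai/bg.png",
    "Session fingerprinting": "gw-app.zoominfo.com/gw/ziapi/fraud-detection*",
}

def _started(entry):
    # HAR timestamps are ISO 8601; older Pythons need "Z" spelled as an offset.
    return datetime.fromisoformat(entry["startedDateTime"].replace("Z", "+00:00"))

def pre_consent_report(har, first_party, consent_marker):
    """Summarise every request that started before the consent banner's own request.
    consent_marker is a substring of the banner script URL (supplied by the auditor)."""
    entries = sorted(har["log"]["entries"], key=_started)
    cutoff = next((i for i, e in enumerate(entries)
                   if consent_marker in e["request"]["url"]), None)
    if cutoff is None:
        raise ValueError("consent banner request not found in capture")
    hits, third_party = {}, set()
    for entry in entries[:cutoff]:
        url = urlsplit(entry["request"]["url"])
        host = (url.hostname or "").lower()
        if host != first_party and not host.endswith("." + first_party):
            third_party.add(host)
        for label, pattern in WATCHLIST.items():
            if fnmatchcase(host + url.path, pattern):
                hits.setdefault(label, []).append(host + url.path)
    return {"pre_consent_requests": cutoff,
            "third_party_hosts": sorted(third_party), "watchlist_hits": hits}

def _e(ts, url):  # minimal HAR entry
    return {"startedDateTime": "2025-11-25T10:00:" + ts + "Z", "request": {"url": url}}

# Constructed capture (not real traffic); cmp.example stands in for the consent banner.
SAMPLE_HAR = {"log": {"entries": [
    _e("00.900", "https://cmp.example/banner.js"),
    _e("00.000", "https://www.zoominfo.com/products/gtm-studio"),
    _e("00.200", "https://collector-pxosx7m0dx.px-cloud.net/constructed/path"),
    _e("00.300", "https://abc123.d.sardine.ai/bg.png"),
    _e("00.400", "https://gw-app.zoominfo.com/gw/ziapi/fraud-detection"),
    _e("01.200", "https://analytics.example/pixel.gif"),
]}}

if __name__ == "__main__":
    print(pre_consent_report(SAMPLE_HAR, "zoominfo.com", "cmp.example"))
```

The start time of the banner script request is only a proxy for when the banner becomes visible, so treat the count as a lower bound on what fires before a visitor can make a choice.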

  • Article 5(3): Cookie consent required before tracking
  • Article 6: Lawful basis required for processing
  • Article 9: Behavioral biometrics may constitute special category data
  • Right to know: Sardine.ai partnership not disclosed in privacy policy
  • Right to opt-out: No opt-out presented before tracking began
  • Data Sharing: Data transmitted to 40+ third parties before consent
  • Wiretapping Provisions: Biometric collection without consent could affect wiretapping laws
  • Two-Party Consent: California requires all-party consent for certain recordings

![Henry_Schuck_Post](./screenshot 2025-11-25 100147.png)

When presented with documented evidence of:

  • Pre-consent tracking
  • Behavioral biometrics collection
  • 118 tracking domains on a single page

The CEO of a publicly traded company chose to:

  • Block the researcher
  • Not dispute the findings
  • Not explain

ZoomInfo did not respond to requests for comment on these findings.


This is not legal advice.

The information contained in this evidence pack is provided for informational and educational purposes only. Nothing herein constitutes legal advice, and accessing, reading, or using this information does not create an attorney-client relationship.

You should consult a qualified attorney licensed in your jurisdiction before taking any action based on the information presented here. Privacy law is complex, varies by jurisdiction and is subject to change. What may be a violation in one jurisdiction may not apply in another.

Blackout is not a law firm. We are security researchers documenting technical findings. We make no representations or warranties about:

  • Legal accuracy or completeness of any analysis
  • Applicability of the quoted rules to your specific situation
  • The current state of any company’s tracking practices (which may change)
  • Result of any legal action based on this information

All conclusions are based on publicly observable behavior at the time of testing. The network capture, decoded configuration, and request timeline represent a point-in-time snapshot. Vendors may modify their practices after publication.

If you believe you have been affected by pre-consent tracking or monitoring practices, consult a privacy attorney or contact your local data protection authority. Do not rely solely on this document to assess your legal rights or remedies.

By accessing this Evidence Pack, you acknowledge that you have read and understand this Disclaimer.


This evidence pack has been released in public interest.

Vendor tracking infrastructure should be transparent and verifiable, not burdensome at the time of documentation.

Issued by: Blackout Research
Date: 25 November 2025


Blackout Friday – November 29, 2025

Free Forensic Scan. 100 domains. 24 hours.

Find out what your vendors are doing.

→ Deployblackout.com


“You can block the researcher.
You can’t withhold evidence.”


