I just got blocked by the CEO of ZoomInfo for documenting surveillance infrastructure on their GTM Studio landing page.
Timeline:
1. CEO posts product demo on LinkedIn
2. I analyze the landing page with Chrome DevTools
3. I post findings in comments (40+ cookies pre-consent, biometrics, etc.)
4. CEO blocks me within minutes
So I'm releasing the full evidence pack publicly: https://github.com/clark-prog/blackout-public
What I found:
- Sardine.ai behavioral biometrics (mouse/typing patterns) firing before consent
- PerimeterX device fingerprinting pre-consent
- 118 unique tracking domains on a single page load
- Base64-encoded config showing "enableBiometrics: true"
- Formal partnership with Sardine (partnerId: "zoominfo")
The irony: ZoomInfo sells visitor identification tools but uses 3 external fingerprinting vendors on their own site.
All evidence is reproducible. HAR files, deobfuscated code, legal analysis included.
AMA about findings or methodology.
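The methodology the post describes (a HAR export from DevTools, a count of distinct request hosts, cookies set before any consent click, and a base64 blob that decodes to a vendor config) can be reproduced offline with a short script. The following is an added example, not code from the post's evidence pack or from any vendor; it runs against a constructed HAR embedded inline, the host names (`shop.example`, `tracker-a.example`, `tracker-b.example`) and the config keys are invented, and it assumes the HAR was recorded before any interaction with a consent banner so that everything in it counts as pre-consent.

```python
import base64
import json
import re
import sys
from urllib.parse import urlsplit

# Constructed config blob, embedded the way a vendor script might inline it.
# The keys are assumptions for this example, not a real vendor's schema.
_CFG_B64 = base64.b64encode(
    json.dumps({"enableBiometrics": True, "partnerId": "acme"}).encode()
).decode()

# Constructed sample HAR (not captured from any real site). Four requests:
# the landing page, two third-party trackers, and a first-party static asset.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://www.shop.example/landing"},
     "response": {"headers": [{"name": "Set-Cookie", "value": "sid=1; Path=/"}],
                  "content": {"mimeType": "text/html", "text": "<html></html>"}}},
    {"request": {"url": "https://cdn.tracker-a.example/t.js?v=1"},
     "response": {"headers": [{"name": "Set-Cookie", "value": "_ta=x; Domain=.tracker-a.example"},
                              {"name": "set-cookie", "value": "_tb=y"}],
                  "content": {"mimeType": "application/javascript",
                              "text": 'window.__cfg=JSON.parse(atob("%s"));' % _CFG_B64}}},
    {"request": {"url": "https://fp.tracker-b.example/collect"},
     "response": {"headers": [],
                  # HAR may store bodies base64-encoded; the scanner must unwrap that first.
                  "content": {"mimeType": "application/json", "encoding": "base64",
                              "text": base64.b64encode(b'{"ok":true}').decode()}}},
    {"request": {"url": "https://static.shop.example/app.js"},
     "response": {"headers": [], "content": {"mimeType": "application/javascript", "text": ""}}},
]}}

_B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # long base64-looking tokens only


def _host(url):
    return urlsplit(url).hostname or ""


def _is_first_party(host, site):
    return host == site or host.endswith("." + site)


def request_hosts(har):
    """Every distinct host contacted during the capture."""
    return sorted({_host(e["request"]["url"]) for e in har["log"]["entries"]})


def third_party_hosts(har, site):
    """Hosts that are not the site itself or one of its subdomains."""
    return sorted(h for h in request_hosts(har) if not _is_first_party(h, site))


def cookies_set(har):
    """(host, cookie_name) for every Set-Cookie response header, in capture order."""
    found = []
    for e in har["log"]["entries"]:
        host = _host(e["request"]["url"])
        for h in e["response"].get("headers", []):
            if h["name"].lower() == "set-cookie":
                name = h["value"].split(";", 1)[0].split("=", 1)[0].strip()
                found.append((host, name))
    return found


def _body_text(entry):
    """Response body as text, unwrapping HAR's own base64 body encoding."""
    content = entry["response"].get("content", {})
    text = content.get("text", "")
    if content.get("encoding") == "base64":
        try:
            return base64.b64decode(text).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            return ""
    return text


def _decode_json_blob(token):
    try:
        return json.loads(base64.b64decode(token, validate=True).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64, not UTF-8, or not JSON


def _has_key(obj, key):
    if isinstance(obj, dict):
        return any(k == key or _has_key(v, key) for k, v in obj.items())
    if isinstance(obj, list):
        return any(_has_key(v, key) for v in obj)
    return False


def find_encoded_configs(har, key):
    """Decode base64 runs in response bodies; return (host, obj) for JSON objects containing key."""
    hits = []
    for e in har["log"]["entries"]:
        host = _host(e["request"]["url"])
        for token in _B64_RUN.findall(_body_text(e)):
            cfg = _decode_json_blob(token)
            if isinstance(cfg, (dict, list)) and _has_key(cfg, key):
                hits.append((host, cfg))
    return hits


if __name__ == "__main__":
    # Usage: python har_audit.py capture.har shop.example   (defaults to the sample)
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 2 else SAMPLE_HAR
    site = sys.argv[2] if len(sys.argv) > 2 else "shop.example"
    print("hosts:", len(request_hosts(har)), "third-party:", third_party_hosts(har, site))
    print("cookies set pre-consent:", cookies_set(har))
    print("configs with enableBiometrics:", find_encoded_configs(har, "enableBiometrics"))
```

Two caveats a practitioner should keep in mind when reading the numbers out of a script like this: cookies written by JavaScript (`document.cookie`) never appear as `Set-Cookie` headers, so the header count is a floor, and the first-party test here is a plain suffix match, so a tracker served from a CNAME under the site's own domain would be counted as first party.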
Sorry - had to flag this ad posting. Future tip - just release this stuff under the name of one of your employees or founders so it's not as obvious of an ad for the platform you're launching.
While custom here expects a Show HN tag, there’s no specific prohibition against showing HN something you built for profit, so long as you aren’t doing so excessively, the thing you built is interesting and relevant to HN readers, and you’re not making a habit of drive-by posting without engaging further. I found this content to meet those criteria, much more than either prior posting by OP.
However, I specialize in noticing and reporting spammers to the mods who are trying to disguise their connection to the company posted, so please do not try to disguise or mislead the community as directed here; lying by omission with intent to mislead is completely uncool.
OP, you’ve posted three times in six months and you don’t participate on the site other than posting stuff you made. HN generally has good cause to expect a higher bar of participation than that, and if you continue submitting things without participating in the wider site as a whole, users are going to flag your content without considering it at all. I’m not at my threshold for that yet given your history, but certainly I wouldn’t look fondly on another like this one given the dearth of comments on anyone’s posts besides those you posted or those about your works.
idk, the content itself was the main point; I found the ad unobtrusive.
What exactly is being advertised?
Looks like deployblackout -dot- com.
Looks like a service to do the kinds of scans mentioned. Note the punchlist of laws being broken.
ok thanks, so there's 3 spots of advertisement:
1. using the company name to label an isolated incident
2. providing a link to the company research unit that directs to the main company page, forcing a second click to view the research unit
3. advertising the company's black friday sale
I have to say 1 pisses me off as it trojans an ad into an existing pattern (uniquely naming disclosures/exploits); 2 and 3 are both slimy, but I'd probably be able to forgive the company if they only implemented one of those two points. As is, this is a bit much.
Nobody cares.
Nobody cares.
Nobody cares.
Virtually every link in the comments can be construed as advertising depending on how much of a mindless pedant someone else wishes to be :)
Thanks for sharing. I bet their DPO and EU customers are super interested in the findings. The CEO should have handled it better, IMO.
Their DPO will be interested so he can laugh about it and ask ChatGPT for an excuse letter. Their EU customers may be concerned but it’s not like anything will be done about it - especially not now when there are talks of relaxing the already non-enforced GDPR.
Wow, didn't know there were talks about relaxing GDPR. Can you share a few links? Many thanks.
https://news.ycombinator.com/item?id=45980117
Some more details:
https://noyb.eu/en/eu-commission-about-wreck-core-principles... Textual analysis of the changes from the original leaked draft (especially "Overview Table of the Draft & Comments by noyb")
https://noyb.eu/en/digital-omnibus-first-legal-analysis Video about the proposed changes (there are some changes compared to the leaked draft)
A lot of orgs operate under the "ask forgiveness later" principle. They were probably hoping the "later" would be much later...
Considering that sales/marketing are basically the only business functions that have never been held to a compliance standard, they're betting it never comes.
They’re betting right. Only single-digit percentages of GDPR breaches ever led to a fine.
They're hoping the word "later" is synonymous for "never".
There's a corollary to "ask forgiveness later" which is "there are so many complex regulations and such grey-area minutiae, there's not time to make that my main job. I have no idea if I'm doing anything wrong, but my time seems better spent going ahead and doing something and solving problems as they arise."
I wish America was customer first, but it's always going to be business first.
sorry, investor first*
You do know that lots of software is just meshing a few things together and selling that as a service, right?
Who's to say that they aren't making it so those 3 vendors work better together?
edit - Also, I just know this is an EU dev who thinks "if I build a really good product, people will just buy."
Automatic execution of JavaScript from arbitrary random domains is the biggest mistake the web ever made. A complete 180 from the old "Don't run programs you don't know where they're from." We're doing this to ourselves. I know it's too late to save the corporate, institutional, etc. environments, but in your personal life you should set your primary browser to not auto-execute random programs. It'd solve this.
Given the lack of friction going to a random website, "Don't run programs you don't know where they're from." automatic execution of javascript from arbitrary random domains would mean "including the one you are visiting".
Which is exactly the way I think it should be. The web should have been noscript by default, with domains added on a case-by-case basis. Compared to the current situation, banning web scripting altogether, even though it is essential to the functioning of any commercial website (because something something ADA screen readers, for example), would have been better :)
> The question to consider: could this data become actionable in litigation?
That's sort of a silly question to pose. That risk is always there. It's just a question of estimating that risk. The EU is rolling back GDPR, so I'd estimate that risk is getting lower every day.
To play devil's advocate, why should FANG be the only ones allowed to crap all over the public internet's privacy?
If I only read headlines on HN I'd also say 'EU is rolling back GDPR'.
User opens DevTools and loads pretty much any website on the internet, film at 11.
Not sure why this is downvoted, this is exactly the case on any commercial website. They often whitewash it under the pretext of “legitimate interest” or “fraud protection”.