I just got blocked by the CEO of ZoomInfo for documenting surveillance
infrastructure on their GTM Studio landing page.
Timeline:
1. CEO posts product demo on LinkedIn
2. I analyze the landing page with Chrome DevTools
3. I post findings in comments (40+ cookies pre-consent, biometrics, etc.)
4. CEO blocks me within minutes
Sorry - had to flag this ad posting. Future tip - just release this stuff under one of your employee's or founder's name so it's not as obvious of an ad for the platform you're launching.
While custom here expects a Show HN tag, there’s no specific prohibition against showing HN something you built for profit, so long as you aren’t doing so excessively, the thing you built is interesting and relevant to HN readers, and you’re not making a habit of drive-by posting without engaging further. I found this content to meet those criteria, much more than either prior posting by OP.
However, I specialize in noticing and reporting spammers to the mods who are trying to disguise their connection to the company posted, so please do not try to disguise or mislead the community as directed here; lying by omission with intent to mislead is completely uncool.
OP, you’ve posted three times in six months and you don’t participate on the site other than posting stuff you made. HN generally has good cause to expect a higher bar of participation than that, and if you continue submitting things without participating in the wider site as a whole, users are going to flag your content without considering it at all. I’m not at my threshold for that yet given your history, but certainly I wouldn’t look fondly on another like this one given the dearth of comments on anyone’s posts besides those you posted or those about your works.
1. using the company name to label an isolated incident
2. providing a link to the company research unit that directs to the main company page, forcing a second click to view the research unit
3. advertising the company's black friday sale
i have to say 1 pisses me off as it trojans an ad into an existing pattern (uniquely naming disclosures/exploits), 2 and 3 are both slimy but id probably be able to forgive the company if they only implemented one of those two points, as is this is a bit much
Their DPO will be interested so he can laugh about it and ask ChatGPT for an excuse letter. Their EU customers may be concerned but it’s not like anything will be done about it - especially not now when there are talks of relaxing the already non-enforced GDPR.
there's a corollary to "ask forgiveness later" which is "there are so many complex regulations and in such grey area minutia, there's not time to make that my main job. i have no idea if i'm doing anything wrong but my time seems better spent going ahead and doing something and solving problems as they arise"
Considering that sales/marketing are basically the only business functions that have never been held to a compliance standard, they're betting it never comes.
Automatic execution of javascript from arbitrary random domains is the biggest mistake the web ever made. A completely 180 from the old "Don't run programs you don't know where they're from." We're doing this to ourselves. I know it's too late to save the corporate, institutional, etc environments, but in your personal life you should set your primary browser to not auto-execute random programs. It'd solve this.
> The question to consider: could this data become actionable in litigation?
That's sort of a silly question to pose. That risk always there. It's just a question of estimating that risk. EU is rolling back GDPR, so I'd estimate that risk is getting lower every day.
To play devil's advocate, why should FANG be the only ones allowed to crap all over the public internet's privacy?
Not sure why this is downvoted, this is exactly the case on any commercial website. They often whitewash it under the pretext of “legitimate interest” or “fraud protection”.
Timeline: 1. CEO posts product demo on LinkedIn 2. I analyze the landing page with Chrome DevTools 3. I post findings in comments (40+ cookies pre-consent, biometrics, etc.) 4. CEO blocks me within minutes
So I'm releasing the full evidence pack publicly: https://github.com/clark-prog/blackout-public
What I found: - Sardine.ai behavioral biometrics (mouse/typing patterns) firing before consent - PerimeterX device fingerprinting pre-consent - 118 unique tracking domains on a single page load - Base64-encoded config showing "enableBiometrics: true" - Formal partnership with Sardine (partnerId: "zoominfo")
The irony: ZoomInfo sells visitor identification tools but uses 3 external fingerprinting vendors on their own site.
All evidence is reproducible. HAR files, deobfuscated code, legal analysis included.
AMA about findings or methodology.
However, I specialize in noticing and reporting spammers to the mods who are trying to disguise their connection to the company posted, so please do not try to disguise or mislead the community as directed here; lying by omission with intent to mislead is completely uncool.
OP, you’ve posted three times in six months and you don’t participate on the site other than posting stuff you made. HN generally has good cause to expect a higher bar of participation than that, and if you continue submitting things without participating in the wider site as a whole, users are going to flag your content without considering it at all. I’m not at my threshold for that yet given your history, but certainly I wouldn’t look fondly on another like this one given the dearth of comments on anyone’s posts besides those you posted or those about your works.
Looks like a service to do the kinds of scans mentioned. Note the punchlist of laws being broken.
1. using the company name to label an isolated incident
2. providing a link to the company research unit that directs to the main company page, forcing a second click to view the research unit
3. advertising the company's black friday sale
i have to say 1 pisses me off as it trojans an ad into an existing pattern (uniquely naming disclosures/exploits), 2 and 3 are both slimy but id probably be able to forgive the company if they only implemented one of those two points, as is this is a bit much
Nobody cares.
Nobody cares.
Virtually every link in the comments can be construed as advertising depending on how much of a mindless pedant someone else wishes to be :)
Whos to say that they are making it so those 3 vendors work better together?
edit - Also I just know this is a EU dev who thinks if I build a really good product people will just buy.
That's sort of a silly question to pose. That risk always there. It's just a question of estimating that risk. EU is rolling back GDPR, so I'd estimate that risk is getting lower every day.
To play devil's advocate, why should FANG be the only ones allowed to crap all over the public internet's privacy?