🔒 BLACKOUT v1.0 — GTM Security Operations Platform

RB2B Investigation

Status: Active Investigation | Severity: CRITICAL | Classification: KILL


Executive Summary

RB2B is a visitor identification vendor that claims to provide "ethical" B2B website visitor identification. The BLACKOUT investigation revealed significant discrepancies between the marketed behavior and the actual technical implementation.

This case demonstrates a "smoking gun" pattern: vendor API documentation directly contradicts marketing claims.


The Contradiction

Marketing Claims

From RB2B's website:

"We only identify business visitors. Personal emails are never captured."

API Documentation

From RB2B's API docs:

{
  "email": "john.doe@gmail.com",
  "personal_email": true,
  "work_email": "john.doe@company.com"
}

The API explicitly returns personal email addresses, contradicting marketing claims.


Technical Findings

Data Collection

| Data Point | Disclosed | Actually Collected |
|---|---|---|
| Business email | ✅ Yes | ✅ Yes |
| Personal email | ❌ No | ✅ Yes |
| Full name | ✅ Yes | ✅ Yes |
| Phone number | ❌ No | ✅ Yes |
| LinkedIn URL | ✅ Yes | ✅ Yes |
| Company data | ✅ Yes | ✅ Yes |

Piggyback Chain

yoursite.com
  └─ rb2b.com
      └─ clearbit.com
      └─ apolloapi.io
      └─ zoominfo.com (undisclosed)

RB2B loads additional data enrichment vendors without disclosure.

Consent Behavior

| Scenario | Expected | Actual |
|---|---|---|
| Before consent | No tracking | Tracking active |
| After opt-out | No tracking | Tracking continues |
| DNT header | No tracking | Ignored |

Evidence

HAR Analysis

POST https://api.rb2b.com/identify
Request Body: {
  "url": "https://victimsite.com/pricing",
  "fingerprint": "a1b2c3d4...",
  "timestamp": 1705312800
}

Response: {
  "person": {
    "email": "john@gmail.com",  // Personal email
    "work_email": "john@company.com",
    "phone": "+1-555-0123",
    "linkedin": "linkedin.com/in/johndoe"
  }
}
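
The two checks this capture supports (a third-party request made before consent, and a consumer mailbox address in the response) can be run over any HAR export. The following is an added example, not BLACKOUT's own tooling: the function name `audit_har`, the first-party domain `example.com`, the consent timestamp, and the free-mail list are assumptions, and the HAR is constructed to mirror the excerpt above.

```python
import base64
import json
import re
from datetime import datetime
from urllib.parse import urlsplit

# Assumption: a short list of consumer mailbox domains; extend it for a real audit.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def audit_har(har, first_party, consent_at):
    """Return (host, issue) findings for third-party entries of a HAR 1.2 dict."""
    consent = datetime.fromisoformat(consent_at)
    findings = []
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # first-party traffic is out of scope
        started = datetime.fromisoformat(entry["startedDateTime"].replace("Z", "+00:00"))
        if started < consent:
            findings.append((host, "request before consent"))
        content = entry["response"].get("content", {})
        body = content.get("text") or ""
        if content.get("encoding") == "base64":  # HAR may store bodies encoded
            body = base64.b64decode(body).decode("utf-8", "replace")
        if {d.lower() for d in EMAIL_RE.findall(body)} & FREEMAIL:
            findings.append((host, "personal email in response"))
    return findings

# Constructed capture: field values mirror the excerpt above, not a real recording.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2024-01-15T10:00:00.000Z",  # epoch 1705312800
     "request": {"method": "POST", "url": "https://api.rb2b.com/identify"},
     "response": {"content": {"text": json.dumps({"person": {
         "email": "john@gmail.com", "work_email": "john@company.com"}})}}},
    {"startedDateTime": "2024-01-15T10:00:09.000Z",
     "request": {"method": "GET", "url": "https://www.example.com/pricing"},
     "response": {"content": {"text": "<html></html>"}}},
]}}

if __name__ == "__main__":
    # Assumption: consent was recorded five seconds after the page load began.
    for host, issue in audit_har(SAMPLE_HAR, "example.com", "2024-01-15T10:00:05+00:00"):
        print(f"{host}: {issue}")
```

The consent timestamp has to come from the consent manager's own record of the visitor's choice; the HAR alone does not contain it.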

Cookie Inventory

| Cookie | Domain | Expiration | Purpose |
|---|---|---|---|
| _rb2b_id | .rb2b.com | 2 years | Visitor ID |
| _rb2b_session | .rb2b.com | Session | Session tracking |
| _rb2b_fp | .rb2b.com | 1 year | Fingerprint hash |

BTSS Score

Score: 18/100 (FAIL)

| Factor | Score | Notes |
|---|---|---|
| Consent compliance | 0/25 | Pre-consent tracking |
| Data minimization | 5/25 | Excessive PII collection |
| Disclosure accuracy | 3/25 | API contradicts claims |
| Piggyback depth | 10/25 | 3 undisclosed vendors |

Recommendation

KILL — Remove RB2B immediately.

Rationale

  1. Marketing claims are demonstrably false
  2. Personal email collection without disclosure
  3. Pre-consent tracking violates GDPR
  4. Undisclosed data sharing with third parties

Remediation Steps

  1. Remove RB2B script from all properties
  2. Audit data already collected
  3. Consider breach notification obligations
  4. Evaluate alternative compliant solutions

Evidence Pack

Download the full evidence pack for this investigation:

Download RB2B Evidence Pack

Includes:

  • Full HAR capture
  • API response samples
  • Cookie analysis
  • Screenshot timeline
  • Chain of custody certification