Use case sighting: Personal cyber insurance

Aaron Harris writes,

As more things in our lives become hackable, we’ll need more help protecting ourselves from those things. Existing companies that focus on homeowner’s insurance are unlikely to understand these issues well enough to create great products.

If a user visits an insurance site for a personal cyber insurance quote, will the number be higher or lower if the user is running Privacy Badger? How about Apple Safari with Intelligent Tracking Prevention?

If you need to check a user's browser to make sure they're protected from third-party tracking and all its negative security externalities, we have a tool for that.

Adblock Plus and deceptive dark patterns

Some sites recommend Adblock Plus (or just "an ad blocker," for which Adblock Plus is often the first search result) as a privacy or security tool. But Adblock Plus uses deceptive "dark patterns" to avoid offering real privacy or security to users.

Please do not recommend either Adblock Plus or "an ad blocker" to users who are concerned about web privacy or security.

Adblock Plus runs a paid whitelisting program called "Acceptable Ads". The "Acceptable" criteria include no rules against common user privacy and security concerns, such as malvertising and PII misuse. And configuring Adblock Plus to actually provide tracking protection is complicated.

  • Go to "Filter Preferences" in the ABP menu.

  • Click "Add filter subscription"

  • No privacy lists appear on the main drop-down. You will have to hunt for them behind "Add a different subscription".

  • Scroll down and eventually find the "EasyPrivacy" entry from a long list.

  • Click "Add subscription".

So far, it's time-consuming and deliberately complicated, but not deceptive. (Keep this in mind when Adblock Plus proponents talk about how users are mad about annoying ads but don't mind tracking. If users don't mind tracking, why did Adblock Plus make it so hard to make the choice?)

Turning on a privacy list is enough of a maze to discourage users, but not deceptive. That's found in another place.

Now for the deceptive part.

Even after you go through the above five-step (!) process to find and turn on "EasyPrivacy", you're still not protected. This is not clear unless you read the fine print. The "Acceptable Ads" paid whitelisting program actually overrides your explicit EasyPrivacy choice, to allow tracking by Google, Criteo, and other companies.

In order to make your tracking protection choice take effect, you also have to turn off "Acceptable Ads" using a different option, which is labeled "Allow some non-intrusive advertising."

whitelisting screenshot

To really block trackers, un-check a box with a label that says nothing about trackers at all.

The checkbox is not even labeled "Acceptable Ads," maybe just in case a user has heard of "Acceptable Ads" and knows about the controversial paid whitelisting program.

What to do instead

The good news is that alternatives are available.

  • Instead of recommending "an ad blocker," link to a list of legit tracking protection tools, or make your own list of tools that work well with your site. It's easy to use a JavaScript browser detector like bowser to recommend an appropriate one for the user.

  • If you maintain a directory of web software, please do not list Adblock Plus in a privacy or security category.

More: Aloodo for Web Publishers

Support your favorite business news site. Install Privacy Badger.

Geoffrey A. Fowler, at the Wall Street Journal, shares some good first steps for users to protect themselves from online tracking, in Don’t Expose Yourself: A Guide to Online Privacy. Read the whole thing, even if you have tracking protection. Lots of up-to-date recommendations on current tools and opt-out options.

But the personal side of web tracking protection is only part of the story. Walt Mossberg ran into the business side of the tracking problem while at The Verge:

About a week after our launch, I was seated at a dinner next to a major advertising executive. He complimented me on our new site’s quality and on that of a predecessor site we had created and run, I asked him if that meant he’d be placing ads on our fledgling site. He said yes, he’d do that for a little while. And then, after the cookies he placed on Recode helped him to track our desirable audience around the web, his agency would begin removing the ads and placing them on cheaper sites our readers also happened to visit. In other words, our quality journalism was, to him, nothing more than a lead generator for target-rich readers, and would ultimately benefit sites that might care less about quality.

High-reputation sites such as the Wall Street Journal can't enforce ad standards when an original content site is in direct competition with bottom-feeder and fraud sites that claim to reach the same audience. But when users install privacy tools such as Better by and EFF Privacy Badger, a lot of problematic ad inventory goes away. Crap sites can only make money from users who are vulnerable to third-party tracking. When tracking protection tools keep ad money from flowing to crappy and fraud sites, then the Wall Street Journal wins.

Real, high-reputation sites have branding advantages over generic eyeball-buying, and users are concerned and confused about web ads. That's an opportunity for a high-reputation publisher to get users safely protected from tracking, and not caught up in publisher-hostile schemes such as paid whitelisting, ad injection, and fake ad blockers. (The New York Times gets it too: Free Tools to Keep Those Creepy Online Ads From Watching You)

More info: What The Verge can do to help save web advertising

Next steps: Aloodo for publishers

If I'm wrong about GDPR, I'll buy you a burrito

Europe is getting new privacy regulations that will limit surveillance marketing.

I see their point. Instead of making people navigate the fine print of privacy policies and click through broken opt-out systems, the EU is trying to save everyone some time and risk.

Meanwhile, California, like the rest of the USA, has basically zero privacy. But we do have great burritos here, so we've got that going for us anyway.

Some surveillance marketing proponents say that if Europe rolls out GDPR, then there goes all the creative stuff on the Internet. (Which is roughly what the DRM proponents said about DRM, but Hugo-award-winning author Charles Stross already explained that one.)

Personally, I agree with Doc Searls that the role of privacy violation in ad-supported Internet services is way overrated. Most of the value is in ad context (what site the ad is on) and search (which does have some customization based on who you are, but mostly works based on what you search for.) Targeting just provokes blocking and makes ads less valuable. So GDPR won't break the Internet, or even ad-supported sites. I'm confident enough in this that I will back it up with an offer.

If the surveillance marketers are right, then Europeans would be deprived of some neato Internet services that we, here in California, are allowed to have. So, demonstrate for me an Internet service that is...

  • mentioned in a news story as creative or innovative

  • not offered in Europe, and the company behind it has stated that they won't offer it in Europe because GDPR.

...and I'll buy you a California burrito and link to the service from here and on Twitter. First five demos get a burrito and link.

If I'm right, then Europeans will get better advertising, a safer Internet, less fraud, stronger brands, and I'll get to eat the burritos myself.

Work together to fix web ads? Let's not.

Web advertising is a dangerous mess. But why keep thinking about it as a "let's have a meeting about it" problem? It's more of a "what can I fix now and make serious money doing it" problem. Read on for a link to some JavaScript that a brand advertiser (or publication, but we covered that before) can start using today.

The opportunity comes from the fact that low-reputation and high-reputation brands need fundamentally different qualities from an advertising medium.

  • Low-reputation brands need to send ads only to people likely to respond.

  • High-reputation brands need to send a costly, hard-to-repudiate signal to a large audience.

When an ad medium is targetable, sellers lose the ability to signal. When an ad could have been targeted to a small group, you can see that the advertiser isn't spending as much to reach you.

Bob Hoffman explains.

Most people are pretty good behavioral economists. They may not know anything about how the products they buy work, but they know how to read the advertising signals.

Signaling failure is obscured by all the other problems that web advertising has. You're lucky if your brand's ad ends up being shown to an adfraud bot, because if that ad gets through to a real user, it's probably attached to a beheading video or conspiracy theories or malware or something. What a shitshow.

People are still nerding out over new technologies without fixing the obvious problems, never mind the deep problem of signaling failure.

Work together? Why not?

Fortunately, web advertising is not a problem where "the industry" needs to "work together". Mark Glaser, on the DCN site, does an excellent job of identifying the problems. But he writes,

If the demand for money and efficiency is eroding the integrity of content—not to mention that of brands and platforms—everyone involved must collaborate to gain that trust back.

In the IT business, this kind of call for coordinated action is what executives from legacy companies say while they're getting ready for an expensive conference with a golf tournament. And they say it right about the time that an independent programmer in a basement somewhere is writing the code to eat their lunch. When a whole industry is wrong about something, that doesn't mean you have a big boring assignment to persuade everyone in the industry. It means you have an opportunity to make mad cash by being right. A good agency working independently can solve the web advertising problem for one brand, just as a good publication working independently can solve the web advertising problem for its own audience.

If your idea of a solution to the web advertising problem involves meetings about how everybody has to solve the problem or nobody can, then I've got nothing for you. Go look at cat GIFs or something.

Still with me? Good.

The more that a user gets protected from tracking and targeting, the more signalful the web becomes as an ad medium from that user's point of view. This can work one user at a time. No coordination required. It's a matter of informing and nudging users to take precautions and become less trackable. Please grab the code (it's open source) and try it out.

What kinds of brand advertisers will be good early adopters for tracking protection strategies?

Does the brand have noisy, low-reputation competitors?

Some high-reputation categories are great fits for tracking protection because there are so many rip-offs using targeted web ads.

  • Insurance

  • Financial services

  • Health care

Does the brand depend on reputation earned over long-term use?

Look for goods that are difficult to evaluate at point of purchase and where an experience with a deceptive seller can be costly.

High-signal advertising is a way to take a position on future customer satisfaction and on the kind of word of mouth that the brand is betting it will earn.

  • Tools

  • Cookware

Is the email list an (expletive deleted) gold mine?

This is an easy one. If you already have the customers reliably opening your email, or participating in some other medium such as a customer web board, you've got great data and nothing to lose by helping to deny their info to the competition. Play defense.

Does the brand already have a tracking-protected customer base?

Some product categories already appeal to Internet "privacy nerds" who are hard to reach by conventional web ads. Worse, conventional marketing tech is giving you really bad numbers when enough of the customer base is "invisible". Tracking protection strategy is essential here, just to keep from getting wrong answers. Don't do a big new product launch based on what bots want.

Next steps

If you answered "yes" to one or more of these, the first step is to collect some data on tracking protection adoption among the brand's customers and prospects. A high-traffic support or service page is a good place to install tracking protection measurement to get a baseline measurement on how well-protected the audience is. From there, it's a creative marketing project to customize a tracking protection campaign—something new and different to offer to a brand stuck in the online advertising mess.

Please let me know if you have any questions.

Bonus link: Brian O'Kelley, Data is fallout, not oil

Pass the popcorn. Hide the checkbook.

A new digital ad medium is making its way up the upward slope of the Peak Advertising curve.

Aldo Agostinelli of Sky Italia writes,

In the age of the IoT, web-connected devices are the new smart tools that will give advertisers unprecedented access to their users’ daily lives. But there is more to it: the IoT could also help advertisers deliver timely messages and persistently reach consumers.

This is how all targeted ad media, from direct mail to junk fax to mobile banners, get their start. Some marketing person comes up with the idea of using some new technology to better target some users but not others.

Pass the popcorn. We've seen this show before.

Now it's time for a flood of videos from agencies about how well the new medium works, surveys where marketers say they're going to put budget into it, a bunch of VC funding for firms that do it, and before you know it, the new medium is something that marketers don't want to be caught not doing. The whole shitty carnival of "let's build a new targeted ad medium" is in town. Or in this case, on your toaster.

For a little while anyway.

Marketers know that you have to enjoy the new targeted ad medium while you can. Any new targeted ad medium always peaks, and then declines—right about the time users figure it out.

It's not that the technology is bad. Many new targeted ad media do provide technical advantages in more accurately matching ads to users. But somehow targeted ad media always go through a boom and bust cycle, unlike mass media advertising, where print and broadcast ads tend to hold their value.

Peak Advertising in targeted ad media keeps happening, because, as Agostinelli writes,

The IoT has many benefits for advertising: not only can a message related to a product reach a specific and clearly identified target audience, but the message can be designed based on data which makes it more personal and, therefore, more efficient.

Read that again. That's where every targeted ad medium breaks down. Efficient is why users bail. They start voting to ban junk faxes. They start running spam filters and ad blockers. And yes, they will, somehow, figure out how to kick the targeted ads off their toasters.

Meanwhile, users continue to accept magazine ads and at least tolerate the TV commercials. It's the targeted ad media, the ones that sound the coolest and most efficient, that get ignored, blocked, and regulated.

Let me share with you a sentence that's an obvious, even stupid, platitude for regular people, but a strange and terrible secret for digital advertisers. Ready?

There's no such thing as a free lunch.

Advertising, done in a sustainable way, is an exchange of value between the advertiser and the audience. The audience gives up some attention as the ad interrupts an ad-supported resource such as a news story or cultural work. In exchange, the advertiser offers economic signal, a hard-to-fake message about the advertiser's intentions in the market.

When a targeted ad medium helps advertisers try to get a free lunch by cutting back on the signal—by making it hard for users to estimate the amount spent to place the ad—the user no longer has an incentive to "pay" for the ad with his or her attention. The Peak Advertising curve is the result of users figuring out the targeting.

User tracking and targeting projects, built at tremendous expense, make an ad medium less valuable, not more. This is hard for computer nerds to understand. "What do you mean my program makes things worse? But it was so hard to write!"

No ad medium entirely goes away. When the IoT advertising hype is over, crappy toaster ads will remain, spreading security problems and brand-unsafe ad placements just like crappy web ads do today. The trick for brands is to sit back and enjoy the show, not get ripped off.

What The Verge can do to help save web advertising

Walt Mossberg, at The Verge, points out that lousy ads are ruining the online experience.

No doubt about that. Web ads are crap.

Just try reading the same newspaper story in print and online. In print it's next to a professionally-shot photo in a kitchen remodeling ad. On the web it's next to YOU WILL DIE FROM LIVER FUNGUS UNLESS YOU CLICK ON THIS INFECTED LIVER NOW, done in MS Paint.

And it seems to be getting worse, not better. (Not surprisingly, ad blocking keeps going up.) The ads that provoke blocking and mockery are the same ones that get clicks. Everyone agrees that "we" need to get rid of "bad" ads. But naturally, "we" is defined as "you" and "bad" is "not the ads that work for me."

Print ads stay tolerable because in print, publishers have the market power to enforce standards. On the web, not so much. Mossberg again (read the whole thing):

About a week after our launch, I was seated at a dinner next to a major advertising executive. He complimented me on our new site’s quality and on that of a predecessor site we had created and run, I asked him if that meant he’d be placing ads on our fledgling site. He said yes, he’d do that for a little while. And then, after the cookies he placed on Recode helped him to track our desirable audience around the web, his agency would begin removing the ads and placing them on cheaper sites our readers also happened to visit. In other words, our quality journalism was, to him, nothing more than a lead generator for target-rich readers, and would ultimately benefit sites that might care less about quality.

Publishers can't enforce ad standards when an original content site is in direct competition with bottom-feeder and fraud sites that claim to reach the same audience. As Aram Zucker-Scharff mentions in an interview on the Poynter Institute site, the number of third-party trackers on a site grows as new advertising deals bring new trackers along with them. Those trackers leak audience data into the dark corners of the Lumascape until the same data re-emerges, attached to a low-value or fraudulent site that can claim to reach the same audience as the original publisher. Deceptive and extremist sites are part of a larger problem. They're just especially good at playing the same adtech game that all low-value sites do.

So how to turn web advertising from a race to the bottom into a sustainable revenue source, like print or TV ads? How can the web work better for high-reputation brands that depend on costly signaling?

The good news for cash-crunched news sites is that the hard work of web-ad-saving software development must happen, and is happening, on the browser side. Every time a user turns on a protection tool such as Better by, EFF Privacy Badger, or the experimental Firefox Tracking Protection, a little bit of problematic ad inventory goes away. Crap sites can only make money from users who are vulnerable to third-party tracking. When tracking protection tools keep ad money out of the nasty corners of the internet, legit sites can win.

For example, if a chain restaurant wants to advertise to people in a town, today they have a choice: support local news, or pay intermediaries who follow local users to low-value sites. When the users get protected from tracking, opportunities to reach them by tracking tend to go away, and market power returns to the local news site.

The Verge and other legit sites are a key part of the solution. The problems of web advertising have grown over years, and won't go away all at once. Sites will have to fix it in a data-driven, incremental way. Fortunately, we're getting the data to make it happen.

Measure the tracking-protected audience. Tracking protection is a powerful sign of a human audience. A legit site can report a tracking protection percentage for its audience, and any adtech intermediary who claims to offer advertisers the same audience, but delivers a suspiciously low tracking protection number, is clearly pushing a mismatched or bot-heavy audience and is going to have a harder time getting away with it. Showing prospective advertisers your tracking protection data lets you reveal the tarnish on the adtech "Holy Grail"—the promise of high-value eyeballs on crappy sites.

Tracking protection is hard to measure accurately, because there are many different kinds. What works for detecting AVG Crumble might not work to detect Privacy Badger. But now anyone with basic web metrics and JavaScript skills can do the measurement with the Aloodo un-tracking pixel and scripts.
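One way to run the comparison described above, as an added example (not Aloodo's code, and not part of the original post): it assumes each page view has already been classified as protected or unprotected by a client-side check, and every count below is constructed. The function names and thresholds are hypothetical.

```javascript
// Added example: is an intermediary's "same audience" consistent with the
// publisher's own tracking-protection baseline?
// Assumption: "protected" counts page views where a client-side check saw a
// third-party tracking request blocked. All numbers are constructed.

// Wilson score interval for a proportion (z = 1.96 gives roughly 95%).
// Preferred over the naive interval because it behaves for small or extreme rates.
function wilsonInterval(hits, total, z = 1.96) {
  if (total === 0) return { rate: 0, low: 0, high: 1 };
  const p = hits / total;
  const z2 = z * z;
  const denom = 1 + z2 / total;
  const center = (p + z2 / (2 * total)) / denom;
  const half =
    (z * Math.sqrt((p * (1 - p)) / total + z2 / (4 * total * total))) / denom;
  return {
    rate: p,
    low: Math.max(0, center - half),
    high: Math.min(1, center + half),
  };
}

// Two-proportion z statistic. Positive when the claimed audience is LESS
// protected than the baseline, which is the direction that suggests bots
// or a mismatched audience.
function protectionZ(baseline, claimed) {
  const p1 = baseline.protected / baseline.total;
  const p2 = claimed.protected / claimed.total;
  const pooled =
    (baseline.protected + claimed.protected) / (baseline.total + claimed.total);
  const se = Math.sqrt(
    pooled * (1 - pooled) * (1 / baseline.total + 1 / claimed.total)
  );
  return se === 0 ? 0 : (p1 - p2) / se;
}

// Compare a publisher baseline with traffic sold as "the same audience".
// Only meaningful when the seller really claims the same audience: protection
// rates legitimately differ between sites with different readerships.
function compareAudiences(baseline, claimed, opts = {}) {
  const { minViews = 500, zThreshold = 3 } = opts;
  const b = wilsonInterval(baseline.protected, baseline.total);
  const c = wilsonInterval(claimed.protected, claimed.total);
  if (baseline.total < minViews || claimed.total < minViews) {
    return { verdict: "insufficient-data", baseline: b, claimed: c, z: null };
  }
  const z = protectionZ(baseline, claimed);
  // Require both a large z and non-overlapping intervals before flagging.
  const mismatch = z > zThreshold && c.high < b.low;
  return {
    verdict: mismatch ? "mismatch" : "consistent",
    baseline: b,
    claimed: c,
    z,
  };
}

// Constructed sample counts (not real measurements).
const PUBLISHER = { protected: 3600, total: 20000 };     // 18% protected
const INTERMEDIARY_A = { protected: 150, total: 5000 };  // 3% protected
const INTERMEDIARY_B = { protected: 700, total: 4000 };  // 17.5% protected
const TINY_SAMPLE = { protected: 2, total: 120 };        // too few views

function demo() {
  return {
    a: compareAudiences(PUBLISHER, INTERMEDIARY_A).verdict,
    b: compareAudiences(PUBLISHER, INTERMEDIARY_B).verdict,
    tiny: compareAudiences(PUBLISHER, TINY_SAMPLE).verdict,
  };
}

console.log(demo());
```

A "mismatch" verdict is a reason to ask the intermediary where the impressions came from, not proof of fraud on its own.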

Use data to sell brands on Flight to Quality. Real, high-quality sites have branding advantages over generic eyeball-buying, and adfraud is becoming a mainstream concern. The complex adtech that tracking protection protects against is also the place where fraud hides. (Adtech also tends to drag brands into Internet poo-flinging contests by attaching them to controversial sites, but that's another story.)

Higher-reputation publishers need more and better data to take to numbers-craving CMOs. Much of that data will have to come from the tracking-protected audience. When quality sites share tracking protection data with advertisers, that helps expose the adfraud that intermediaries have no incentive to track down.

Use service journalism. Users are already concerned and confused about web ads. That's an opportunity for The Verge. The more that someone learns about how web advertising works, the more that he or she is motivated to get protected. A high-reputation publisher can win by getting users safely protected from tracking, and not caught up in publisher-hostile schemes such as paid whitelisting, ad injection, and fake ad blockers.

Here is a great start, on the New York Times site. Read the whole thing:

Free Tools to Keep Those Creepy Online Ads From Watching You by BRIAN X. CHEN and NATASHA SINGER

Some ways to both help users and work in the interests of a quality site include:

Can't hurt to expose the protection racket behind AdBlock Plus, either.

Beware nerds who claim to fix everything (including me). High-reputation sites are still skeptical about alternate web business models, which is a good move. Better to put the resources into doing some careful adblocker workarounds, advocating responsible tracking protection, and working on magazine-style ads where the four-currency price of accepting the ad is lower than the four-currency price of blocking it.

Upgrading web advertising to a high-signal medium

Why do people watch and share Super Bowl commercials while web ad blocking continues to trend up?

The problem is that the story of web advertising has been one of frantically throwing technology at the lowest-value parts of the ad business while reducing the power of web ads to get a piece of the high-value parts. People who live in market economies are pretty good applied behavioral economists. They'll pay attention to ads that pay their way, with signal, while avoiding cold calls and ads that, through tracking and targeting, work like a cold call and fail to carry signal.

Tim Sullivan and Ray Fisman:

The challenge facing sellers of some genuine product—be it true late-night love or a Tiffany necklace on eBay — and the buyers in search of them is to prove that they’re not just full of empty words. This is where Super Bowl ads come in. Airtime during the game is, of course, fantastically expensive. So why do companies bother buying it? For the same reason that gang members get face tattoos: to prove that they’re in it for the long haul.

Pedro Gardete:

The researchers found that highly targeted and personalized ads may not translate to higher profits for companies because consumers find those ads less persuasive.

Privacy projects such as Better by, EFF Privacy Badger, and Firefox Tracking Protection aren't just ways to implement the kind of personal data protection that users want. Those projects can also work in the interests of high-reputation sites, by making signaling work better. Sites like The Verge can help, by helping users squeeze out the signal-destroying tracking and targeting, and helping web ads become a signal-carrying medium.

Next steps: Aloodo HOWTO

Online marketing secrets that the hackers behind Methbot don't want you to know

A lot of the responses to Methbot have been along the lines of hey, look, a squirrel! So here are a few of the non-squirrel things to think about.

Methbot does two interesting things. Adtech is fixing one of them.

White Ops published some good info on two Methbot capabilities.

  • Spoof data center IP addresses as residential

  • Work around anti-fraud software

Almost all of the news about Methbot is focused on the first one. But look at the original White Ops report (PDF) and skip to page 24.

The White Ops security research team found traces of analysis code where Methbot developers dissected the logic of the most widely adopted fraud detection vendors on the web. It’s apparent that they spent some time reverse-engineering these capabilities, manually running portions of measurement code inside legitimate browsers to learn what its output looks like, and then porting the logic to spoof those values in Methbot execution context.

And page 25.

In addition to code specifically designed to defeat viewability measurements used by specific vendors, White Ops found routines for spoofing industry-standard measurements. In particular, flash VPAID events are expected and handled.

Methbot impressions are more viewable than human impressions. Methbot is a more skillful Web user than the average CMO. Augustine Fou writes,

To put it bluntly, bad guys don't even care to find out the actual secret sauce of the various fraud detection companies because they have already A/B tested their bots and know for sure they get by various detection platforms. In fact they openly sell "fraud vendor compliant" traffic on a CPM/CPC basis.

When you pay for anti-fraud technology, you're just paying for the software testing that fraud hackers are using to build better bots. White Ops CEO Michael Tiffany told AdExchanger, "The ultimate source of truth about where an advertising opportunity is happening is in the browser—but if you carefully rig the browser to lie about that, there is almost no defense."

There is one defense. It has two parts, tracking protection and flight to quality, and we'll hear more about it in 2017.

Methbot didn't cost advertisers any money.

Advertisers already know about adfraud in general. Methbot was just one ambitious example. Other fraud rings are still doing what they do. If you got an Internet of Things device for Christmas, it might already be running a bot. Methbot's IP addresses are no more, but the anti-anti-fraud code lives on.

When enough players in a market know about a problem, it's priced in. And adfraud has been priced in to the online ad market for a long time. (This is why the recommendations at Shortin' Adtech are bogus. Advertisers and investors can flee web advertising, but have no incentive to, because publishers pay for fraud. Publishers can't flee, because online is displacing print, but they have every incentive to if they could. An important reason for the "print dollars to digital dimes" problem is that everyone is used to paying the fraud-adjusted price.)

For every dollar that adfraud costs advertisers, they save a dollar or more in lower costs for legit ads. For every dollar that adfraud takes out of the game, publishers lose more. This is pretty basic economics, and explains why advertisers are willing to talk but not take action on the adfraud problem.

Data-driven can turn into bot-driven.

Advertisers do pay for adfraud, but not in money. When you're running a data-driven organization and the data comes from bots, then you're making decisions based on bots, not customers. Some kind of ground truth on your online data—checking anything from the Internet against a trustworthy data source—is needed.

This is especially true for connecting ad and social data to sales. Attribution models are subject to gaming, but the Criteo/SteelHouse lawsuits were dropped, so instead of waiting for the techniques to come out in discovery we're going to have to dig some more to see how the fraud hackers are doing it. Happy new year.

And the most facepalm-worthy (and accurate) web ad prediction for 2017 is...

In the news:

Want to get a little more info on the brand-unsafe ad problem? Two minutes, easy experiment.

  • Get a fresh browser, not one you normally use. If you're on Safari or Chrome, try this in Firefox, or vice versa. (Don't pick a browser such as Brave that has a built-in ad blocker. This is about the ads.)

  • Go to your favorite—or least favorite—jihadi, white nationalist, or shitlord site.

  • Look at the ads.

That's the kind of thing I get based on the above site's ability to get ads based on its content. Crappy ads from advertisers that will settle for any impression, anywhere, whether brand-safe or not.

I don't see any reputable brands showing up when I do this with a fresh browser. How about you? LMK on Twitter which seems to be the place to talk about this stuff.

So why is the Sleeping Giants campaign even a thing? Why are people finding real brand ads on brand-unsafe sites?

The problem is that browsers have old bugs, some left over from the 1990s browser wars, that let information leak from one site to another. "Your ad on a site we know is crap" is pretty much worthless to an ad agency, but they will pay for "your ad to a known user" and pretend the brand safety issues don't exist.

But putting brand safety last, and trying to hack around it when people complain, can't work when the other side just has better hackers.

Here's the most facepalm-worthy but also totally accurate 2017 web advertising prediction so far:

Really? A brand-new service rushed out the door, by companies that never cared about shitlords before, is going to have a chance? When shitlords consistently have better skills, and out-hack the entire Lumascape, without even mussing their "dapper" outfits? Good luck with that.

Maybe there's a better way. Brands, legit sites, and users can stop playing a losing game, and it starts with a few lines of JavaScript.

Bonus link: Without these ads, there wouldn't be money in fake news

Bullshit is there for a reason

As Professor Harry G. Frankfurt once wrote,

One of the most salient features of our culture is that there is so much bullshit.

Bob Hoffman points out that this is especially true in keynote speeches about online advertising. But all that bullshit is there for a reason. What would happen if you took the bogus scientification and marketing-speak out of the Thought Leader Insights? You'd get something more like these.

  • You don't need to make creative advertising because a machine, or some random person on Amazon Mechanical Turk, can generate a bunch of ads until something sticks.

  • Third-party tracking lets you reach high-value users for less money on low-value sites, because CTOs and minivan buyers regularly visit and watch the videos all the way through.

  • Fraud isn't a problem because code monkeys in an open-plan monkey house, reporting to douchebags and working for point squat percent of a company in four years, are smart enough to out-hack a fraud developer who is working on his own time, for 100% of the gain, in 30 days.

  • If you just educate users about how web ads work, they'll be happy to let sites they've never heard of excrete untested combinations of code onto the computers and devices where they keep stuff they care about.

None of those will fly in their bare form, but load them up with a bunch of "customer journey" and "deep learning" and now you've got a keynote.

So there may be perfectly good reasons why you might want to apply a substantial layer of bullshit to what you're doing. If so, carry on.

But what if you have a real problem?

  • The web is still a terrible place to build brands.

  • Web advertising is still low-value enough that it won't sustain high-reputation publications when print revenue goes away.

  • Third-party crap is still a security risk.

Then you need an alternative to bullshit, so go read more about getting Bob to speak at your event.

Would you still like to buy the world a Coke?

Here's a TV commercial from 1971.


But here on the Internet, at least a lot of the time, people are more like, I'd like to buy my tribe a Coke® and the rest of the world can go die in a fire.

People have an us-and-them side and a more inclusive side. And advertising has an unwritten rule about which side of the customer you're allowed to talk to. For a long time brands have stuck with a kind of generic globalism, not enough to satisfy a bona fide social justice warrior but never tied up with a specific tribe. Right-wing talk radio in the USA has trouble keeping mainstream advertisers. In one case, a blogger going by "Spocko" made fair use recordings of some radio shows and raised a stink to the advertisers. Despite some legal threats, it basically worked. Most brands are risk-averse enough to stay off talk radio. Even on the web, it's news when a brand shows up sponsoring a beheading video on a jihadi site.

Do things work differently, though, when it's an algorithm placing the ad in a niche that only sympathizers can see?

Timothy B. Lee writes,

The increasing polarization of news through social media allows liberals and conservatives to live in different versions of reality. And that’s making it harder and harder for our democratic system to function.

From BuzzFeed, Hyperpartisan Facebook Pages Are Publishing False And Misleading Information At An Alarming Rate.

The rapid growth of these pages combines with BuzzFeed News’ findings to suggest a troubling conclusion: The best way to attract and grow an audience for political content on the world’s biggest social network is to eschew factual reporting and instead play to partisan biases using false or misleading information that simply tells people what they want to hear. This approach has precursors in partisan print and television media, but has gained a new scale of distribution on Facebook.

Filter bubbling has been a thing for political advertising for quite a while, as Zeynep Tufekci pointed out back in 2012. Campaigns can target ethnic groups on Facebook with "voter suppression", or share misleading messages where they're harder for outsiders to track down.

What happens after the election, when tribal rage bubbles keep right on being a thing, but the political ads dry up? Are regular brand ads going to get placed on fake news, scenes of violence or threats of violence, and all the other us-versus-them crap out there? You probably wouldn't put your brand on Stormfront, but will you put your brand on one of the thousands of algorithmically micromanaged mini-Stormfronts of Facebook? Are dark posts the thing now?

This isn't a question about whose politics match with whose, or whether or not Facebook enables targeting using data that we would prefer to keep private, or whether or not individuals should leave Facebook. The question is whether brands are now getting comfortable with working inside bubbles that would not have previously been considered brand-safe.

People keep saying that Google doesn't get social, but in a way, that's a compliment. A lot of the time, people's idea of being social is to split up into tribes and fling Internet poo, or worse, at each other. Part of getting social is developing the ability to exploit people's other-tribe-hating brain circuitry in the same way that spammers took advantage of open SMTP relays and SilverPush took advantage of an opportunity to sneakily connect mobile user data. (The Peter Thiel brouhaha is raising the profile of the social filter bubble issue by putting a human face on it. Every time Sanford Wallace's smug face made the news in the 1990s, it motivated us to fix up our mail servers and set up the early spam filters. Now it's Thiel in the news, making money on both ends of the pipeline—recruiting 4GW participants on Facebook, and selling Palantir contracts to track them down later. Ingenious patriotism at scale. So what to invent now?)

Andy Warhol once said:

What's great about this country is that America started the tradition where the richest consumers buy essentially the same things as the poorest. You can be watching TV and see Coca-Cola, and you know that the President drinks Coke, Liz Taylor drinks Coke, and just think, you can drink Coke, too. A Coke is a Coke and no amount of money can get you a better Coke than the one the bum on the corner is drinking. All the Cokes are the same and all the Cokes are good. Liz Taylor knows it, the President knows it, the bum knows it, and you know it.

That was then. But today we're not even drinking the same damn Coke. I'm drinking the version bottled in Mexico. Meanwhile, out in High Fructose Corn Syrup land, they're drinking the other kind.

And that's just Coke. Are economic inequality and social distances between tribes getting big enough that the idea of a brand-safe ad placement is over? Are brands just supposed to take sides now? That's fine for fast food and soda pop, but what happens when an IT brand that benefits from economies of scale has to pick a side?

Related: Zeynep Tufekci on "Digital Inclusion and Decentralization"

Open letter to the adfraud whistleblower

Dear adfraud whistleblower,

First of all, I respect you a lot for wanting to do the right thing.

Posting the information that you did, where you did, is a dangerous way to do it.

As you pointed out in your posts, you are risking your job and risking physical harm.

But you're also risking a complex legal case, where you as an individual could be accused of all kinds of crimes. Your complaints against the web of companies that you know about would be forgotten, and you would have to carry out a costly legal defense. Most of the companies you mention are in good standing in the adtech industry. You'll be coming in looking like an employee accused of wrongdoing and making up stuff.

And, if half of what you're saying is true, you know how quickly they can delete information or move it to a new "clean" company.

If you're really motivated to bring these guys down—and that's something that only you can decide—there is a better way.

You can send documents to a trustworthy reporter who knows Internet security issues. Look for someone whose writing about complex technology doesn't make you facepalm, and who has either put up a personal PGP key or writes for a company that's on the SecureDrop Directory.

You shouldn't contact me, since it's just one more opportunity for someone to mess up. The best way is to do some reading and see who knows the malware/adtech business and can receive documents securely.

Regulatory action follows "viral" news stories, not the other way around. We all know that regulators are relatively uninterested in adfraud, but you have a story that can change people's minds.

The "tl;dr" of all this is "delete your account" but please don't take it that way. Again, much respect and stay safe.


UPDATE: Twitter thread

Why no □s at □Week?

Bob Hoffman asks,

Who Stole The Ads From Ad Week? I'm on my third morning at Advertising Week and I've yet to see an ad.

All right, Bob, here's some 21st-century advertising. (You're welcome.)

Jeep ad

That's the kind of thing that the sessions at the big conferences are all about. It's a targeted ad.

But even though targeting and the technology behind it are core subjects at Advertising Week, somehow everyone knows that it would be uncouth, unwise, or both to show targeted ads to people there.

Advertising Week participants recognize at some level that actually showing a targeted ad to someone is an act of communication aggression. It treats the recipient as a component of a mechanism, like a flask moving down a bottling line at a distillery.

In the Jeep ad above, I'm targeted as a person who doesn't drive off-road and basically can get by with a minivan. So instead of honestly communicating about the qualities of the Jeep brand, they throw together something that some algorithm says is more my speed.

The only information that ad offers me about Jeep is a little insight into what that algorithm, that Jeep paid for, thinks about me. Some new Jeep has the same kind of electronic doo-dads as every other new car does, and the software predicts that I care.

Brand advertising works differently. Rory Sutherland explains how people with limited information about complex buying decisions can use reputation to help. Reputation is hard to build, brand ads can help if you do them right, and those ads are the kind of thing that you show at a conference.

Brand advertising does have complicated math in it, but it's behavioral economics math, with the calculations done on the "reputation coprocessor" in the user's brain. (For the data nerds out there, reputation-based advertising is like rendering your graphics on the GPU on the client, instead of paying for cycles in the data center. Reputation math is way cooler, and has way more force multipliers hidden in it, than direct response math. But the power to use that math looks "creative" so is out of fashion.)

So many of the proposals for funding journalism are based on allowing people to buy out of seeing ads. That only makes sense if you assume that ads are all targeted, not worthy of being shown at a conference, and adversarial. But when the web can fix a few old bugs, valuable print-like ads can emerge. One bright spot: Firefox Tracking Protection is now available as a Test Pilot experiment. Give it a try. A lot of the targeted ads will disappear, but you might just find your inner behavioral economist paying some attention to the ads that remain.

Closing the data gap for web publishers

Duane Kinsey writes, "For Publishing Companies, The Problem Is Publishing Companies." He suggests,

Publishers can voluntarily choose to leave the current ad tech landscape behind just as quickly as they decided to partner with many of the companies currently running the industry into the ditch.

Good goal. That is where we're going to have to get to in order to save the ad-supported web. Yes, the current web ad system is a dumpster fire. It's no secret that adtech intermediaries can leak user data from high-reputation sites to low-reputation ones. Right now the web is a good match for advertisers that want to do targeting-based, low-reputation strategies, but terrible for signaling-based, high-reputation strategies. Third-party tracking is a bad deal for publishers, too. For example, chumboxes are currently good for quick cash, but can leak user data and motivate users to install ad blockers.

TrustX: a better way, or same broken system with new owners?

(I have contributed several items to the Digital Content Next blog.)

Jack Marshall at the Wall Street Journal reports that Digital Content Next is launching a new ad marketplace called TrustX.

With no outside investors and no profit motives, TrustX will focus on driving long-term benefits to marketers and publishers, DCN said.

Are publishers just getting a piece of a low-value ad system, or really changing things?

Here's how we'll be able to know.

Who is in the tracking-protected audience? Tracking protection is fundamental to web publisher value. From the high-reputation publisher's point of view, DNT is more like "Do not leak data" or "Do not commoditize." But it's hard to measure accurately, because there are many different kinds. What works for detecting AVG Crumble might not work to detect Privacy Badger. Any project to fix web ads depends on getting good numbers on site audiences that are protected from third-party tracking, and so harder to track from high-value to low-value sites. (You can do this with the Aloodo un-tracking pixel and scripts.)

What does the market for competing low-value ads look like? Who else is selling impressions that claim to reach the TrustX audience? Get on one or more DSPs and buy some. Right now, conventional adtech can make a lot of bold claims about quality. (Ever notice that web ad impressions overall are about 30% bots, but every individual adtech company claims 2% bots? Somebody's math is wrong.) Buy the cheapest impressions that claim to be "your audience" that you can, and check them out. Part of that is comparing their tracking protection rates. If you have an early adopter audience that's well-protected, then a competing site that's full of bots will really stand out.

How can publishers refine the data-driven case for Flight to Quality? Real, high-quality sites have branding advantages over generic eyeball-buying, and adfraud is becoming a mainstream concern. The complex adtech that tracking protection protects against is also the place where fraud hides. But conventional adtech has a lead in data collection. Higher-reputation publishers need more and better data to take to numbers-craving CMOs. Much of that data will have to come from the tracking-protected audience.

This thing could really work.

If TrustX can do things right—CNAME support and EFF-flavored DNT would be solid choices—then ad blockers start to be less of a concern. Legit publishers can deal with the ad blocker the same way that MailChimp deals with the spam filter. Accept that it's there, carefully get around it, and comply with user norms. It would be counterproductive for MailChimp to get email newsletter subscribers to turn off the spam filter entirely, but they can get their own newsletters through without paying anybody off.

Facebook showed that you can beat the pattern-matching of Adblock Plus with fairly simple HTML changes. If TrustX can keep the privacy developers on the sidelines by respecting DNT, then that gives high-reputation sites some options. Refuse to pay into the "Acceptable Ads" racket, do some careful adblocker workarounds, advocate responsible tracking protection, and keep the four-currency price of accepting magazine-style ads on the web lower than the four-currency price of blocking them.

Consumer privacy tool, not so much

Update 7 Nov. 2016: As of today, privacy claims and the "disable tracking" switch have been removed from the Adblock Plus first install page. (Get real tracking protection.)

Consumer Reports has just published "66 Ways to Protect Your Privacy Right Now".

Many of those suggestions look good. But that should probably be more like 65 ways.

One piece of software linked to from the CR story is Adblock Plus, which would be a better fit for CR's "Selling it" feature on sneaky offers, weasel wording, and other examples of gray-hat marketing.

What's so bad about Adblock Plus?

When you first install Adblock Plus, the privacy option looks good. It says "Adblock Plus can do more than block ads." Scroll down to the bottom of the page, and you see

Browse privately by disabling tracking - hiding your tracks from ad companies that would track your every move.

Looks good, so flip the "Disable Tracking" switch.

disable tracking screenshot

Protected from tracking, right? Wrong.

It looks like you made the responsible choice, and now you're protected.

But start web-surfing with your browser's developer tools open, and you'll see third-party trackers from, for example, What's up with that? How could it be that even when you deliberately turn on "Disable Tracking" you still get trackers?

That's the tricky part. The company's "Acceptable Ads" whitelisting program actually overrides the other choices made by the user, including that nifty little "Disable Tracking" switch. Google and other companies pay Adblock Plus for "Acceptable Ads".

Want to make your decision to block trackers actually take effect? You'll find the other option that you need in order to protect yourself in a different dialog, cleverly but not helpfully labeled "Allow some non-intrusive advertising".

whitelisting screenshot

To really disable trackers, un-check a box that has a label that says nothing about trackers at all.
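How that override plays out in filter matching, as an added example (not Adblock Plus's own code). It models only the `||host^` anchor, the `$third-party` option and `@@` exception rules; the hostnames, filter lines and list names are constructed, and it assumes that the "Disable Tracking" switch adds a blocking list while the "Allow some non-intrusive advertising" box keeps an exception list enabled.

```javascript
// Simplified model of Adblock Plus filter precedence (added example).
// Only "||host^" anchors and the "$third-party" option are handled.
// All hostnames and filter lines below are constructed for illustration.

function parseFilter(line) {
  const isException = line.startsWith("@@");
  const body = isException ? line.slice(2) : line;
  const [pattern, options = ""] = body.split("$");
  const m = /^\|\|([a-z0-9.-]+)\^$/.exec(pattern);
  if (!m) return null; // syntax this sketch does not support
  return {
    isException,
    host: m[1],
    thirdPartyOnly: options.split(",").includes("third-party"),
  };
}

function hostMatches(requestHost, filterHost) {
  return requestHost === filterHost || requestHost.endsWith("." + filterHost);
}

function isThirdParty(requestHost, pageHost) {
  // Naive comparison; real blockers compare registrable domains.
  return !hostMatches(requestHost, pageHost) && !hostMatches(pageHost, requestHost);
}

function decide(subscriptions, requestHost, pageHost) {
  const thirdParty = isThirdParty(requestHost, pageHost);
  let blockedBy = null;
  let allowedBy = null;
  for (const [listName, lines] of Object.entries(subscriptions)) {
    for (const line of lines) {
      const f = parseFilter(line);
      if (!f || !hostMatches(requestHost, f.host)) continue;
      if (f.thirdPartyOnly && !thirdParty) continue;
      if (f.isException) allowedBy = allowedBy || listName;
      else blockedBy = blockedBy || listName;
    }
  }
  // An exception rule wins over a blocking rule, whichever list it came from.
  if (allowedBy) return { action: "allow", list: allowedBy };
  if (blockedBy) return { action: "block", list: blockedBy };
  return { action: "allow", list: null };
}

const privacyList = ["||tracker.example^$third-party", "||metrics.example^$third-party"];
const exceptionList = ["@@||tracker.example^$third-party"];

// "Disable Tracking" switched on, whitelist box still checked.
const defaultState = { privacy: privacyList, exceptions: exceptionList };
// Same, with "Allow some non-intrusive advertising" un-checked.
const hardenedState = { privacy: privacyList };

console.log(decide(defaultState, "cdn.tracker.example", "news.example"));
console.log(decide(hardenedState, "cdn.tracker.example", "news.example"));
```

To audit a real profile the same way, look for `@@` rules in the enabled subscriptions whose hosts also appear in the privacy list.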

It is possible for a user to configure Adblock Plus to block trackers. And fixing something by changing an option in one obvious place and again in a not-so-obvious place is not really that bad, by the standards of instructions for computer hobbyists.

But this isn't about a story in Puzzles for Computer Nerds Reports, it's about Consumer Reports, and "Consumers" probably expect things to be a little more straightforward.

Next steps: There are better ways to deal with problem web ads, and sites can help recommend them to users.