The easiest way for site-owners to delegate control has been to include third-party javascript. With new browser restrictions, we're starting to see companies switching to loading JS via CNAMEd subdomains, because that's nearly as easy. The next step is probably reverse proxies, though, where the third-party JS comes from the same server that gives you the rest of the site's JS.
(Disclosure: I work in ads; speaking only for myself)
Or we could make all of that illegal and have an ad ecosystem that works for publishers and consumers as it does in every field except for the web (print, broadcast, podcasts, billboards—all work without JS and are great for consumers). Web is the one weirdo market with tracking. Make that illegal and it will be good like all the other markets.
I don't see a good way to do that, at least.. a way that's practical to actually enforce. As it is, the FTC is fairly toothless and is better at offering guidelines than policing.
> as it does in every field except for the web
Well.. that's just because they have dedicated account executives and sell advertising through a combination of direct solicitation and much smaller amount of "walk-in" business, that's not practical for all creators or formats.
> Web is the one weirdo market with tracking.
This has always been the holy grail for advertising, the other industries put up with statistical "audience modelling" only because they have to; however, working in one of those 'other fields' I can tell you.. our account executives will take as much direct tracking data as they can get. e.g. "Have you installed our Radio App?!"
> Make that illegal and it will be good like all the other markets.
I feel like we lost the fight a long time ago.. I remember when the 'Flash Blocker' plugin was a great tool. Unfortunately, too many modern sites are entirely reliant on JS in a way they never really were for Flash and the idea of using 'Script Blocker' that's on by default makes navigating the web exceptionally difficult.
It's too bad, because it's probably the right solution.. why should the sites we visit have the right to execute programs on my computer by default?
2012-02-19: Almost every major retailer, from grocery chains to investment banks to the U.S. Postal Service, has a “predictive analytics” department devoted to understanding not just consumers’ shopping habits but also their personal habits, so as to more efficiently market to them. “But Target has always been one of the smartest at this,” says Eric Siegel, a consultant and the chairman of a conference called Predictive Analytics World. “We’re living through a golden age of behavioral research. It’s amazing how much we can figure out about how people think now.” -- http://www.nytimes.com/2012/02/19/magazine/shopping-habits.h...
2016-02-28: Pass a billboard while driving in the next few months, and there is a good chance the company that owns it will know you were there and what you did afterward. Clear Channel Outdoor Americas, which has tens of thousands of billboards across the United States, will announce on Monday that it has partnered with several companies, including AT&T, to track people’s travel patterns and behaviors through their mobile phones. -- https://www.nytimes.com/2016/02/29/business/media/see-that-b...
2019-03-07: Location-tracking technology can now monitor people so precisely that retailers know, for instance, which customers visited a fitting room but never made it to the cash register. -- https://www.cnbc.com/2019/03/08/how-retailers-can-track-your...
Oh, that is coming to non-web as well, there are already billboards with cameras. Although for now, one 'test' in the Netherlands was declared illegal (for now) due to privacy concerns.
Do you think ad companies will really trust reverse-proxied ad traffic? Seems like a tremendous opportunity for fraud. Right now with user agents hitting ad servers directly, there's much less opportunity for content publishers to fake impressions and clicks.
Instead of websites deploying reverse-proxies to tunnel ads through, Google has entire websites tunnel through their edge via AMP. Wouldn't surprise me if BigTech gets together and introduces standards that open up more avenues for CDNs to take away even more control and monetize the traffic they serve, on their terms.
Google has pretty much checkmated content-blockers in that they control the servers, the OS, and the clients used by an overwhelming majority of internet users and service providers, alike.
I guess we get to the point where the content blockers load the scripts, and run heuristics on them before loading them, and perhaps running an adaptive real-time blacklist?
They already do - Instart Logic is one of the reverse proxies dedicated to serving ads first-party.
For tracking and invasive device tracking (WebGL, plugin enumeration, Canvas, audiocontext, WebRTC, WebSocket-based portscanning of your LAN CIDR acquired from WebRTC, ...) there's Shape and Distil that both do inline reverse proxying.
Though, WebRTC tracking is becoming severely limited with the current mDNS initiative that hides all the local IP addresses and other measures to hide available devices.
When I browse European sites I'm always having to click through permissions - I imagine most folks are on autopilot by now in terms of saying "yes" especially in Europe - how can you even browse the web if you don't click yes on everything in Europe?
What's the data on folks actually saying no to these popups / clickthrough alerts?
I used to skim the relatively few permission / yes agreements (ie, this will auto sign you up for XX), but now they are showing up so many places it's not practical anymore I don't think?
Even https://europa.eu/ (the official EU website) has a cookie banner at the top of the very first page you hit. And instead of the website asking me - I normally just block cookies if I don't want to share them.
The Europe site is compliant. They allow you to refuse nonessential cookies. Most sites are not. I'm pretty sure eventually those cases will be handled.
I might be wrong, but GDPR was supposed to force businesses to provide a DNT option unless completely vital to the business. If that is true, most sites are liable for forcing you to click "yes".
Update: I went and found this[1]:
> this provision means that companies will process only the data absolutely necessary for the completion of its business and limit access to personal data to only those employees needing the information to complete the process consented to by the data subject
I work in ad-tech too, so I'm not judging you. The donations you've made are awesome, and I can see you've clearly thought a lot about how to best direct your money. But I think you're missing a few downsides.
The digital marketing/analytics industry doesn't spend a lot of time thinking about how to secure all that data they're collecting, and data breaches are happening more and more frequently. A lot of this data is supposedly anonymized, but often can be tied back to identifying information.
I would consider Google to be an exception here, as they have some of the best security people in the world working for them. But they are just that: an exception. Don't forget that the industry that Google enables is a lot less ethical (and a lot less competent) than Google itself.
There are other downsides too (e.g. the impact of advertising on editorial integrity, and the ethics of using political ads to tip the scales in an election).
You could argue that display ads in general are a positive. (I personally disagree, but I can see how reasonable people might see it differently.) But tracking is not close to being ethical.
The difference is between someone handing out pamphlets for a new baby care product because you are walking into a baby clothing store, and one handing you the same pamphlet because he has gone through your trash and found your pregnancy test results.
Unpersonalized ads can still serve the same democratic funding model you're identifying as the main positive reason for online advertising's existence. You present a false choice between obnoxious (visibility intrusive) ads versus these odious information gathering schemes. Since the latter make more money and people hate obnoxious ads we must choose personalization. Thankfully we're now fully aligned with how Google has implemented their ad targeting.
Hypothetically if congress could ban both obnoxious and targeted ads (somehow) leaving us with the unpersonalized newspaper model of ads would you be for or against that bill?
As a developer in publishing, I would support that bill in a heartbeat. Tracking means you can target a niche market without paying for niche content. It’s terrible for publishers and consumers. It’s good for ad people.
> Tracking means you can target a niche market without paying for niche content. It’s terrible for publishers and consumers.
This only seems partly right to me. Let's say someone wants to sell fishing equipment. The traditional way of doing this is to buy ads on fishing sites. So now my fishing equipment purchases make there be more writing about fishing; yay!
Then one of the fishing websites decides to put a tracking pixel on their site to drop "fishing website visitor" cookies. They make a deal with a third party provider and get paid a small amount per visitor. Then fishing retailers have a new choice: instead of buying ads on fishing sites they can instead buy ads on any site for users who have one of the "fishing website visitor" cookies. If there were a monopoly fishing site, then this would increase their earnings: while the ad space on their site isn't as valuable, they will set the pixel price high enough that they come out ahead. It's not a monopoly, though, so the price of the pixel gets driven down through competition, and money that would go to fishing sites instead goes to the publishers that people who spend money on fishing equipment visit.
In this case I see how it's worse for fishing sites, but not how it's bad for consumers: their willingness to buy fishing equipment translates into support for all the sites they visit, and not just the fishing sites.
But there are also many niches that don't have economic tie-ins, or have ones that are far weaker than "writing about fishing" and "buying fishing equipment". In a world with targeted advertising, these niches do better, because of overlap between audiences. A "let's have better housing policy" blog can show ads for fishing equipment, vacations, HVAC supplies, or whatever else visitors have shown interest in on other sites.
Additionally, targeted advertising increases the total amount of funding available for online content, because people with niche interests are available to be advertised to in more places. Seeing ten fishing ads once a week when you visit a fishing site vs seeing twenty fishing ads spread over the course of the week, etc.
So, yes, niche publishers in lucrative niches would make more money if we only had context-based advertising, but I don't think niche publishers overall, publishers overall, or consumers would be better off.
You're contributing to tech that erodes people's privacy, even when they actively fight against it. Don't delude yourself with net positives. The harm your employer causes still affects people, regardless of the useful things you may work on at Google, or the donations you give.
On the one hand, you’re right jefftk has been cordial. On the other.. where does that argument stop holding water? Just because someone is polite about their views doesn’t really justify them any more or less.
I appreciate your engagement in this, Jeff, but I’ve read the post and I agree that it’s rather light in its evaluation of the negative value of ads.
Anyway I guess it’s getting too far off track at this point. Thanks for at least engaging in the conversation, unlike basically everyone. I would love to chat further in private if you have the time. my contact is in my profile.
While this is definitely true for some adtech vendors, none of the work I do is in that category, and to my knowledge none of the work at my employer is either.
I glanced over the article you linked on your homepage, and you said you worked for google.
Google is and was actively fighting privacy laws[1] (e.g. seeking exemptions allowing them to even track people who consciously opt out of data collection), had a CEO that made no secret about his anti-privacy stance[2], was repeatedly fined[3], also for violating the privacy of children[4], etc. etc.
How do you reconcile this with your assertion that google and yourself are good players?
If you're going to trot out Upton Sinclair's beaten-to-death horse, you might as well attribute it to him. But then there are also less pretentious ways of pointing out mundane conflicts of interest.
From what I've seen on HN, this quote is one of the top offenders when it comes to commenters just dropping it in without further engagement. On well-moderated subreddits like /r/askhistorians, commenters are required to critically engage with their citations instead of just linking them. Likewise I feel we should put a moratorium on responding exclusively with (well worn) quotations on HN.
To be specific: the way you've responded here is trite, dismissive of someone else's perspective by way of judging them for their occupation, and generally lacking in nuance. It's middle brow posturing of insight without the substantive analysis to back it up.
What have we learned as a result of this solemn reminder that some people get paid to do things we disagree with? People are explicitly calling out their affiliations with adtech in this thread; should we abandon discussion with them because you think their paycheck precludes them from being able to be persuaded?
Here's a riposte for you: "The mark of an educated mind is the ability to entertain an idea without accepting it."
I don't think "ads make people buy stuff they don't need" is a large part of what's going on. One way to think about this would be, what would the world be like if we didn't allow advertising? Not just internet ads, but magazine ads, affiliate links, sponsored posts, product placement, everything. And assume that enforcement is perfect ;)
Here's my speculation about how this would change people's purchasing:
* Products would be a lot stickier. A lot of advertising is about trying to move people between competitors, or keep them from moving. Sometimes it's an explicit "here's a way we're better" (ex: company advertises that they don't charge unpopular fee X), other times it's a more general "you should think positively of our company" (ex: we agree with you on political issue Y).
* Relatedly, it would be much harder to get many new products started. Say a startup makes a new credit card that keeps your purchase history private: right now a straightforward marketing approach would be (a) show that other credit cards are doing something their target audience doesn't like, (b) build on their sense that this isn't ok, and (c) present the new card as a solution. Without ads they would likely still see uptake among people who were aware of the problem and actively looking for a solution, but mostly people would just stick with the well-known companies.
* Purchases of things people hadn't tried before would decrease, both things that people were in retrospect happy to have bought and things they were not. One of the roles of advertising is to let people know about things that, if they knew about them they would want to buy. But "buy stuff they don't need" isn't a great gloss for this, since after buying the products people often like them a lot.
This is just my guesses; I work on the technical side of ads and don't have a great view into their social role, and even if I was in a role like that it would still be very hard to predict how the world would be different with such a large change. Where does your picture differ from mine?
(For 'saving the planet' I think a carbon tax would make a lot more sense.)
I get that you have the caveat and all, but seriously? The tech industry has widespread cooperation with a regime in China that is brutalizing Hong Kong and committing ethnic cleansing of the Uighurs--and you want to know if he can sleep at night because he codes software to show ads for socks to people that don't want to see ads (but somehow can't bring themselves to live without content that's ad supported)?
> (but somehow can't bring themselves to live without content that's ad supported)?
Every day that becomes less and less of an option and presenting it as an option is disingenuous. Are you seriously suggesting that people live without search engines?
I think it's valid to question the role of cars in our society even if the critic took a car to the meeting, for example.
There’s a difference between questioning the role of cars in our society and morally condemning car engineers while riding around in a car.
As for living without a search engine, people have gone through much worse for their moral beliefs. I personally don’t see the moral issue at all, but if you feel so strongly about it—then yes I expect you to sacrifice your own interests for those beliefs and not just go around making cheap condemnatory statements.
False dichotomy. Other options might be paid search. Personal search engines. Peer to peer search. Or new business models. Yes, it's possible to imagine a world without Google et al screwing everyone out of their privacy.
I'm not sure... I think I'd be more comfortable working for a weapons shop than for (tracking) adtech. Ethics is a spectrum, so there can be many opinions on the topic.
Going back to adtech, I more or less equate it to the tech you alluded to, as well as global tracking, NSA-sized surveillance, and a complete disregard for "privacy", regulations and civility. Would any self-respecting person follow their neighbors around, write their every moves on a notebook, and sell that to the highest bidder? It's literally what is being done by those tracking giants, on a much bigger scale (and Google does track your every move, or does its best to do so).
I feel like I'm distancing myself more and more from conventional Internet platforms as a result.
As the host of a few web properties, I've always been very discriminating when it comes to third party content (including trackers). In fact my broad rule of thumb is to avoid it. You don't need it to have a successful business model.
I'm disappointed at webmasters who push garbage from their sites.
They might yes, but it is orders of magnitude harder to set up and maintain than this, and as a website owner, you have to put even more trust in your ad serving solution than today.
js running on your domain can read eg login cookies
at least if you cname definitelynotads.yourdomain.com to js.ads.com, the javascript running on definitelynotads... can't read host-only login cookies on yourdomain.com.
In the vast majority of cases integration is by including a script controlled by the advertising network in the page they are advertising on.
So for the purposes of the browser security model, the script already runs in the domain of the host site. It can directly read any non-HttpOnly cookies, and can make any request it likes using XMLHttpRequest to APIs on the host site using the user's cookie without relying on CORS.
The only very minor difference between first and third party script inclusion is access to HttpOnly cookies (depending on the cookie scoping).
Both of the first party script inclusion approaches have mitigations available to the host site: in the proxy approach, the server could filter the cookies before proxying. In the CNAME approach, taking care with cookie scoping could solve the problem. Careless adoption is likely to open security flaws under both techniques.
Correct. Authentication should always be via cookies with "HttpOnly" set, since (a) the cookie is not needed client side and (b) it somewhat limits the damage XSS can do.
Sites generally set Domain= on their cookies, and so include subdomains. For example, if you click "sign in" on apple.com it brings you to secure2.store.apple.com and after entering your password it sets a cookie with "Path=/; Domain=apple.com; Secure; HttpOnly".
You're right that this does reduce security on some sites: if domain.example doesn't set Domain= on their cookies then ads.domain.example (CNAMED to js.ads.example) won't see the cookies but domain.example/ads would. This is pretty rare, though, because sites you log into generally do need their cookies to work across subdomains.
Except this problem is easier to handle with reverse proxies than with subdomains: with subdomains the cookies are sent whether you want to or not, while with a reverse proxy the site owner can configure it to strip cookies.
(Disclosure: I work in ads; speaking only for myself)
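The cookie-scoping points made in the last few comments can be checked with a small model. This is an added example, not code from any commenter: the cookie jar, the cookie names and values, and the helper functions are constructed for illustration, the hosts reuse the thread's domain.example / ads.domain.example naming, and Path, Secure and SameSite are left out of the model.

```javascript
// Constructed cookie jar for a hypothetical site, domain.example.
// domain === null models a cookie set without Domain= (host-only).
const jar = [
  { name: "session", value: "s1", setBy: "domain.example", domain: "domain.example", httpOnly: true },
  { name: "auth", value: "a1", setBy: "domain.example", domain: null, httpOnly: true },
  { name: "prefs", value: "dark", setBy: "domain.example", domain: "domain.example", httpOnly: false },
];

// RFC 6265 domain-match: exact host, or a subdomain of the cookie's Domain.
function domainMatch(host, cookieDomain) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Cookies the browser attaches to a request for `host`.
// Path, Secure and SameSite are left out of this model.
function cookiesSentTo(host, cookies) {
  return cookies.filter((c) =>
    c.domain === null ? host === c.setBy : domainMatch(host, c.domain));
}

// Names visible through document.cookie to any script on a page at `host`,
// including a third-party script the page chose to include.
function readableByScript(host, cookies) {
  return cookiesSentTo(host, cookies).filter((c) => !c.httpOnly).map((c) => c.name);
}

// The Cookie request header as the receiving server sees it.
function cookieHeader(host, cookies) {
  return cookiesSentTo(host, cookies).map((c) => `${c.name}=${c.value}`).join("; ");
}

// Reverse-proxy mitigation: drop every cookie not on an explicit allowlist
// before the request is forwarded to the third party's upstream.
function stripCookies(headers, allow = []) {
  const out = { ...headers };
  const kept = (headers.cookie || "")
    .split(";")
    .map((p) => p.trim())
    .filter((p) => p && allow.includes(p.split("=")[0]));
  if (kept.length) out.cookie = kept.join("; ");
  else delete out.cookie;
  return out;
}

// CNAME case: ads.domain.example is answered by the third party's server.
const cnameSees = cookieHeader("ads.domain.example", jar);
// Proxy case: the browser talks to domain.example/ads; the site forwards it.
const proxyIn = { host: "domain.example", cookie: cookieHeader("domain.example", jar) };
const proxyOut = stripCookies(proxyIn);

console.log("CNAME upstream receives:", cnameSees);
console.log("proxy receives:", proxyIn.cookie);
console.log("proxy forwards:", proxyOut.cookie);
console.log("in-page script reads:", readableByScript("domain.example", jar));
```

In this model the HttpOnly `session` cookie scoped with `Domain=` reaches the CNAMEd host in the request header even though no script can read it, while the host-only `auth` cookie does not; the proxy path receives everything but forwards only what the allowlist permits.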