
The Washington Post is preparing for post-cookie ad targeting - madspindel
https://digiday.com/media/were-building-for-media-businesses-of-tomorrow-how-the-washington-post-is-preparing-for-a-cookieless-future/
======
pdkl95
> what URL they have used to arrive there

This is yet another example of why sending the Referrer header is _insane_.
It's a massive privacy breach _by design_. Anything serious about protecting
privacy needs to stop intentionally betraying the user's browsing path and
simply remove the header from all HTTP requests.

Anything that functionally _relies_ on a valid referrer is at best an
unfortunate but necessary casualty. However, I suspect that far too often this
is simply a way to obfuscate the usual tracking. If you tie your functionality
to something designed to violate user privacy, don't be surprised if that
functionality breaks when the privacy leak is finally fixed.

~~~
spiderfarmer
"something designed to violate user privacy"

I fail to see why sending the referer is a privacy concern. Following that
logic, every datapoint is a privacy concern. From screen resolution to mouse
movement, everything can be abused to build profiles. Referer headers have a
host of valid usecases but if you are opposed any data being shared you'll
probably dismiss all of them.

~~~
pdkl95
> I fail to see why sending the referer is a privacy concern.

From the article:

>> The Zeus platform monitors contextual data such as ... what URL they have
used to arrive there ... The publisher will then match that data to its
existing audience data pools ... to create assumptions on what that news
user’s consumption intent will be. The technology uses machine learning to
decipher the patterns.

They are explicitly stating they use Referrer-like data to track users.

~~~
snowwrestler
> They are explicitly stating they use Referrer-like data to track users.

To me, "track user" means persistently ID one person. This sounds more like
inferring anonymous interest, like inferring that someone arriving from
ESPN.com might be interested in your sports section.

If that person comes back tomorrow from The Financial Times, you might infer
that they are interested in the economy.

But without cookies, I don't see how you would recognize that visit as the
same person as yesterday and integrate the sports and economy interests into a
persistent profile. Each visit would be self-contained, which doesn't fit my
definition of "tracking."

~~~
JohnFen
> But without cookies, I don't see how you would recognize that visit as the
> same person as yesterday and integrate the sports and economy interests into
> a persistent profile.

If you gather enough of that "anonymous" data, and particularly if you combine
it with other data sets (as they claim they are intending to do), then it's
not that hard to recognize individuals based on their usage patterns and
metadata.

~~~
spiderfarmer
But does it matter if you don’t know who they are?

~~~
JohnFen
It does to me.

~~~
eclipxe
Why?

------
yodon
Total online ad spend works out to about $1/person/day in the US.[0]

We have collectively sacrificed our privacy because we're collectively not
willing to pay $1/day for what used to be called newspapers and magazines
($1/day is equivalent to subscribing to a daily paper or a couple magazines,
as most people did in days of old). There is a cost to providing news. The
industry made clear it preferred to sell subscriptions but consumers
collectively said no I want free beer and laughed at newspapers and magazine
publishers for being so stupid as to try to sell subscriptions. Having been
told no I won't pay for subscriptions the industry was dragged forcibly from
what was unquestionably its preferred subscription model into the ad tracking
supported model we have today. All because costs people can see
(subscriptions) are less palatable than far higher costs they can't see
(ubiquitous tracking).

[0] [https://www.vox.com/recode/2019/6/24/18715421/internet-
free-...](https://www.vox.com/recode/2019/6/24/18715421/internet-free-data-
ads-cost)

~~~
beagle3
> we're collectively not willing to pay $1/day for what used to be called
> newspapers and magazines

> The industry made clear it preferred to sell subscriptions but consumers
> collectively said no

That's not how I see it.

People were happy to pay for cable TV and get no ads. But ... cable channels
were all too happy to take that payment AND the money from ads. Magazines and
newspapers aren't any different, and neither is the internet.

I would be happy to pay $1/day, even twice as much, to not be tracked. There
is no one I can pay that to, and there never was; and if such a thing would
have existed, they would still likely start tracking at some point, as
happened with cable TV and ads.

~~~
scarejunba
That's not anywhere near enough. The guy who can pay is worth way more than
the guy who can't pay. The $1 is the arithmetic mean but the distribution
isn't uniform.

~~~
beagle3
And the end result is that the people who are not willing to pay $1/day are
subsidizing me, the person willing to pay much more - because the currency is
ads and tracking — of which I opt out as much as I can through uBO, uMatrix
and a variety of other tools.

------
user17843
All of this money and effort to create something that has never scientifically
been proven to work: Super-targeted ads, instead of contextual ads.

The context is already there. Each article on a newspaper already provides the
context.

What is the true purpose of this? The true purpose is psychological control
and manipulation, as well as making additional money with the data beyond ads.

Psychological manipulation gives the ability to actually create demand. And
this is what this is about, because that's the only way to actually increase
revenue in a meaningful way.

If you can target a person everywhere on all channels, and all the time, you
can do things that are not possible with simple contextual ads, and the
profiles that are being created are for lots of different purposes, not for
ads.

I wait for the day some newspaper actually does an in-depth investigative
study into the level of manipulation that drives sales in ad-tech, because I
suspect that the entire system feeds off low-educated and poor people, for
example lower-class stressed-out people who struggle to lose weight and are
prone to manipulative ads. This is the target audience that you can manipulate
into spending 500$ instead of 50$.

~~~
mochomocha
> All of this money and effort to create something that has never
> scientifically been proven to work: Super-targeted ads, instead of
> contextual ads.

Have you worked in the field? Because I have, and I can tell you that ads
targeting works. I've built some of these systems that people love to hate on
HN. Hundreds of PhDs at Yahoo Labs, Google, FB etc have worked on this for
decades and run thousands of A/B experiments. Are you saying that all these
people are fraudulent / incompetent and that somehow the whole market cap of
Google and FB combined (above 1 trillion dollars) is just a complete fraud?

Contextual advertising works, but much less than behavioral targeting. Anyone
who has seen and worked on the data knows that.

Knowing that you just visited Best Buy website 10 minutes ago and searched for
a camera is _much_ more relevant to figure out which ad to show you on
nytimes.com right now than the content of the article you're reading on
nytimes.com

~~~
Cpoll
> Knowing that you just visited Best Buy website 10 minutes ago and searched
> for a camera is _much_ more relevant to figure out which ad to show you on
> nytimes.com right now than the content of the article you're reading on
> nytimes.com

The concern here is that you're just selling a camera that they were already
going to buy. So the ad agency wins, Best Buy _thinks_ they win because they
register a conversion, but you didn't actually create any value.

In my experience when the PhDs say "this doesn't work," the PMs say "that's
fine, because we still get to say we have machine learning [insert other
buzzword] and the customer thinks it's delivering value."

> Contextual advertising works, but much less than behavioral targeting.
> Anyone who has seen and worked on the data knows that.

I admit this is possible, and my gut feeling is that properly implemented
targetted ads should be immensely effective, but theory isn't implementation,
and I'm taking your word on it either way.

~~~
hombre_fatal
Driving the user back to BestBuy.com to convert into a concrete sale seems
much more valuable than "well, they searched for cameras so they might come
back one day and pull the trigger. Fingers crossed!"

Why wouldn't Best Buy pay for that?

I search things on Amazon all the time without checking out. Those aren't
locked in as eventual purchases at all. There are even things in my Amazon
cart as we speak that I probably won't buy. I'm often a mere teeter from
pulling the trigger. Coming home drunk or being reminded at the right moment
sometimes push me over the edge.

There's obvious value in giving me the right shove.

------
abraae
Is this Jeff Bezos's influence?

Things I would never have imagined a big old newspaper having their IT team
whip up:

> The Zeus platform monitors contextual data such as what article a person is
> reading or watching, what position they have scrolled to on a page, what URL
> they have used to arrive there and what they’re clicking on. The publisher
> will then match that data to its existing audience data pools, which it has
> accumulated over the last four years, to create assumptions on what that
> news user’s consumption intent will be. The technology uses machine learning
> to decipher the patterns.

~~~
KozmoNau7
Yet another extremely compelling reason to simply disable all javascript (and
other active content) by default.

~~~
dvfjsdhgfv
For me it works like this: the default is disabled. When something doesn't
work (actually The Washington Post works great, much better than with JS on),
I esitmate the tradeoffs: if it's a really useful website with JS
functionality that is actually useful to me (say, with JS doing the math
notation rendering or an app I badly need), I enable JS. Otherwise, why
bother?

JS is like ads used to be: first they put it everywhere, then you get fed up
and just switch it off.

~~~
KozmoNau7
Do you block all JS, including 1st party and inline scripts, or only 3rd party
scripts and resources?

I've used uBlock Origin to block all 3rd party scripts and frames for a while,
but I'm seriously considering going full default-deny all scripts and other
active content.

~~~
nathanaldensr
Not the GP, but I block all scripts by default with NoScript, then selectively
enable them, starting with the first-party scripts. I've learned to identify
likely tracking domains and have memorized several of the more widespread
ones, so over time this technique has proven effective.

~~~
immanentizer
Why would you need to memorize them when you can just mark them explicitly
untrusted?

------
ChrisSD
It should be noted that the so-called "cookie law" is about more than just
cookies. It's about all user data and who can access it and for what reason.

If this more tightly controls who user data is given to then that is a big
improvement. If it's just trying to find technical loopholes in the law...
well EU law tends to take a dim view of that.

------
andy_ppp
If I type in the address bar a URL or click a bookmark rather than click a
link, is the referrer still sent?

~~~
mobjack
If they don't see a referer, then they can assume that you typed in the URL or
bookmarked the page.

That could signal higher intent than someone clicking a random clickbait link
to your site.

Other events could prevent the referer from being sent too, but you can filter
some of those out using other tracking methods and looking at user behavior.

~~~
dao-
> If they don't see a referer, then they can assume that you typed in the URL
> or bookmarked the page.

... or followed a link from an IM or some other source outside of the browser.
Too many possibilities to really assume anything and draw conclusions.

------
manishsharan
WashingtonPost has been ahead of the curve on this for a while. Here is my
anecdotal experience with their tracking.

WashingtonPost allows a non subscriber to view a few articles per month and if
you went over the limit it would require a login. I had been able to
circumvent that by clearing out my cache, cookies and local storage or using
the anonymous mode. But now that does not work anymore.

I am able to work around this by disabling javascript. Your move
WashingtonPost!

~~~
spdionis
Well, the next move looks obvious to me.

------
MayeulC
Could Firefox's containers be extended, and include an option to resist
fingerprinting?

This would limit the information sent by the browser (maybe run everything in
a lightweight VM with standardized performance, feature and settings),
including the referrer used to open the containerized tab (which might be done
already).

The VM sounds complicated, but we already have qemu running in browsers.
Reduce the timing granularity, randomize I/O slots, and lie about the RTC, and
fingerprinting becomes much harder, unless I am missing something?

Side note: I am against fingerprinting me across websites as an individual,
but I am perfectly OK with fingerprinting me about my interests, provided
everything is done in a stateless manner: if I spent more time on the
technical section, which 80% people skimmed over, maybe offer me more
technical articles at the bottom?

But please, do not keep information about me. Tracking would be illegal under
the GDPR provisions anyway, AFAIK, cookies or not.

~~~
johnkpaul
If I understand it correctly, this is what tor browser does, in addition to
using the tor network itself to as-close-to-anonymize you. Tor browser has
warnings that encourage you to not-resize your browser because that could be
used as fingerprinting data.

~~~
MayeulC
Well, I was thinking about enabling those on specific domains only (leveraging
the container feature).

An interesting (research) approach would be to taint the data that can be used
as fingerprinting, and forbid its exfiltration, perhaps with different levels
of aggressiveness.

Example: a webGL game requires my wwindow width, GPU capabilities, etc? fine.
But now, the thread that has this data cannot send anything to the other
threads.

It would require some adjustments, and tightening the side-channels (making
available download bandwidth/timings/etc more granular, for once). I do not
expect it to be completely fingerprinting-resistant, but it would go a long
way.

------
rdtsc
Once they have better tracking, wonder if they would use it to manipulate news
items on a per-customer basis. That is show one news item to this person but
not to that person. Or maybe change the tone or phrasing in the articles.

> The Post plans to license the Zeus platform to publishers both domestically
> and internationally

Does that imply data sharing as well?

~~~
mtberatwork
> That is show one news item to this person but not to that person.

I imagine they do this to some extent already. Personalization is nothing new.

~~~
rdtsc
> Personalization is nothing new.

It is for ads, and newspapers adjust their content for different regions. But
I wonder if they intend to do what they do for ads for news stories. They may
choose to hide some, bring some to the top or even reword them. So if I go to
WaPo's front page, I'll see different "news" than what my co-worker next to me
sees.

~~~
JohnFen
> But I wonder if they intend to do what they do for ads for news stories.

I actually pay money to read the WaPo. If they started "personalizing" the
news like that, I'd cancel my subscription and stop reading them at all.

There are a lot of things that I think are made worse by personalization, and
what news reports I get to see is toward the top of that list.

------
amluto
I’m surprised WaPo isn’t trying something simpler and more disruptive: making
a point of selling non-targeted ads. Targeted ads may be somewhat effective at
selling a specific product, but they’re creepy and they don’t help build a
brand. Non-targeted ads are not creepy and signal that a brand is legitimate.

Of course, it’s much harder to apply metrics to this type of ad, since
conversions aren’t the point.

Daringfireball.net does this kind of non-targeted advertising. I would love to
see a major publisher (other than TV) try it.

~~~
OrwellianChild
I'll not say it would be impossible to run a general news website this way,
but Gruber's website is basically pre-targeted already. Advertisers know
pretty much _exactly_ what they're getting with his audience - affluent, tech-
focused Apple-aficionados with disposable income. It works great for him and
his advertisers, but isn't a generalizable example.

------
JohnFen
If I understand what they're proposing, this is a method of ad targeting that
I don't actually object to. It doesn't involve spying on me, identifying me,
or tracking me (either on or off the internet).

It's closer to, but not completely, how ad targeting should be done -- based
on the context the ad appears in rather than trying to figure out my own
personal characteristics.

------
OrwellianChild
I admire steps taken to improve the privacy of ad-supported media ecosystems,
so this effort by WaPo should be applauded on it's own. Their results, taken
along with NYT's switch back to content-only ads in the EU [1] might help
spread the word that all the creepy ad-tech isn't even necessary or
beneficial!

That said, I'd like to make a simple request of media outlets... Please build
a rate plan which provides all of the benefits of subscription, adds the
expected profit from advertising, and then _let me buy it to experience your
content ad- and tracking-free_. Please!

[1] [https://digiday.com/media/gumgumtest-new-york-times-gdpr-
cut...](https://digiday.com/media/gumgumtest-new-york-times-gdpr-cut-off-ad-
exchanges-europe-ad-revenue/)

~~~
OrwellianChild
A case study in this: The New York Times

In 2018, it made $202MM in revenue from digital display advertising. [1]
Averaged across an annual reader base of 125MM worldwide, or 91MM in the U.S.
alone [2], that averages out to just $1.62 or $2.22 per customer. _Let us pay
it to opt-out!_ Where is the harm?

[1]
[https://s1.q4cdn.com/156149269/files/doc_financials/annual/2...](https://s1.q4cdn.com/156149269/files/doc_financials/annual/2018/updated/2018-Annual-
Report-\(1\).pdf)

[2] [https://nytmediakit.com/digital](https://nytmediakit.com/digital)

------
aussieguy1234
Are there any ad networks out there that do not track users?

