
I left the ad industry because of data tracking - Ygg2
https://www.fastcompany.com/90359992/an-ad-tech-pioneer-on-where-our-data-economy-went-wrong-and-how-to-fix-it
======
jorams
At some point companies like Fast Company have to accept that they are a
significant part of the problem, and just writing articles about it is not
enough. This page contains a ridiculous number of trackers. The site pulls in
content from the following 3rd-party domains:

s.skimresources.com, sb.scorecardresearch.com, secure-cdn.mplxtms.com,
z.moatads.com, ml314.com, secure-us.imrworldwide.com,
www.googletagservices.com, www.google-analytics.com, www.dianomi.com,
d1z2jf7jlzjs58.cloudfront.net, static.chartbeat.com, assets.adobetm.com,
platform.twitter.com, www.queryly.com, cdn.polyfill.io, www.lightboxcdn.com,
content.jwplatform.com, platform.instagram.com, www.inc.com,
images.fastcompany.net, connect.facebook.com, cdn.conversant.mgr.consensu.org,
cdnjs.cloudflare.com.

images.fastcompany.net is probably just used to serve static content from a
cookieless domain and some of the others are CDNs for libraries, but the rest
are all there for tracking purposes.

If you don't like what the ad industry is doing with people's personal data,
please don't keep giving them ways to get to it.

~~~
oarsinsync
This point was made recently about the NY Times having an editorial about
advertising / tracking being invasive, while also having advertising /
tracking on their own page.

The justification / defence given was that you _want_ separation between
editorial and business decisions. If the two are aligned, the freedom of the
editorial team to write what they want will diminish, and the business will
ultimately dictate what gets written.

If it feels a bit pessimistic, I agree, but pessimistically, I also feel like
it's just realistic.

~~~
unclefishbits
As their long form journalism with moving graphics and images is so popular
and gets so many clicks, think how awe inspiring and what a major effect it
would have to shut down all of that stuff on articles talking about that
stuff, just to give people a dose of what it could/would be like. It would be
respected, get other articles about it, etc.

------
jccalhoun
What are they doing with all this data tracking because it sure isn't giving
me relevant ads. In addition to the often noted situation where you buy
something online and then get ads for that thing you already bought, I
routinely see totally irrelevant ads and recommendations.

I've been on Facebook since around 2003. I've had an Amazon account for even
longer. Their ads and recommendations for me are terrible.

Two recent examples from facebook: they recommended I join a group for
progressive christian asian-americans. I am not christian or of asian descent.
More recently they gave me an ad for maximizing tax right offs for nannies. I
have no children and make way too little to even consider hiring a nanny.

Facebook has my picture. They know my relationship status. They have the text
of all my posts where I have never mentioned children. They even know my
occupation. Whatever they are doing with this data isn't working.

~~~
vmurthy
I am curious given that I have an Ad-blocker for most websites and am not on
FB. How do you even see ads? Have FB _et al_ found a workaround for ad-
blockers?

~~~
Scoundreller
Mobile? Hard to block in-app ads without a pi-hole.

I avoid apps where I can, but it’s not always avoidable/practical.

Or at work if you’re forbidden from installing “unapproved” software.

~~~
vmurthy
Good point on mobile. I use Adguard Pro on mobile after reading about it on
HN. Yet to test Pi-hole. The work part is unavoidable, I guess.

~~~
ameshkov
Consider trying AdGuard Home as well:
[https://github.com/AdguardTeam/AdguardHome](https://github.com/AdguardTeam/AdguardHome)

~~~
pnutjam
Thanks, this looks great. I put pi-hole on a vps I use, but once I started
tinkering with it; it broke.

It's a nice project, but seems fragile. I'm going to try adguard home. I like
that it has the ability to control access, so I feel safer running it in the
cloud.

------
user17843
I have yet to see a real whistleblower report by someone deep into the ad
industry revealing whats really going on there. There are almost no details
about what's really happening on a technical level (beyond the little things
we already know), and whether large data sets are abused in the sense that
they get routinely de-anonymised.

~~~
otabdeveloper3
There's nothing to whistleblow.

Advertising is applied sociology. As such, advertisers want to aggregate large
data sets into large segments that are easy to manipulate statistically.
(Where the central limit theorem starts working.)

There is no demand for personal data or de-anonymization because that stuff
doesn't sell.

The personal data collection is done by Google, Facebook at al not for
advertising purposes. They're collecting it because they view it as a resource
and a currency in the future de-anonymized world. (Think China's "social
capital" except on a larger scale.)

Source: I've worked in the ad industry for over 15 years.

~~~
cik2e
> _There is no demand for personal data or de-anonymization because that stuff
> doesn 't sell._

Say what?? I’ve also worked in the ad industry and deanonymized personal data
is shared and sold _routinely_. You speak of statistics and large segments but
every advertiser I’ve interacted with is either doing individual-level
targeting or striving towards it.

~~~
nerdponx
To wit, A few weeks ago there was a discussion here about a method by which
you could figure out how fast a browser/machine could compute an SHA 512 hash,
and that this was being used to fingerprint users even who had cookies,
images, JavaScript disabled.

~~~
SquareWheel
Was it just a proof of concept demonstration, or was there evidence that this
method is being used in the wild by advertisers?

~~~
nerdponx
They stated that they were using it in production for that purpose.

~~~
SquareWheel
Gotchya, thanks. That seems... kinda wild to me. That method has to be super
imprecise, and wastes the resources of everybody involved.

------
everdrive
Another very frustrating article about advertising. I don't doubt any of his
conclusions, or his moral claims. But, I do want more details. What are the
various tracking and correlation mechanisms, what do they look like
practically? Does anyone actually really use canvas the way we all fear, or
are smartphone apps and Android itself doing all the heavy lifting? Would a
user's privacy settings in their phones mitigated any of this? Why or why not?

I appreciate that we know in general what the answers to some of these
questions might be, but I'd really like if more of these articles got into
specifics.

~~~
ohitsdom
> Does anyone actually really use canvas the way we all fear

I think I missed something, what do you mean by this? Are there some data
leaking privacy concerns with HTML canvas elements?

~~~
everdrive
My understanding is that websites use Canvas to generate a unique or semi-
unique fingerprint of your browser, whether or not a cookie has been set. It's
absolutely true that this is technically possible. Most people don't have your
exact resolution/cpu speed/fonts installed/etc, so you are somewhat unique
even if you have the same browser and OS as other people. If you block Canvas,
you can actually see some websites request it as you log in. Amazon produces a
popup asking permission to do canvas-y things during the login progress on my
computer, for instance.

I think the tone of most of the conversations around Canvas I've seen are a
bit more catastrophic. Their argument usually goes something like: "Most
websites are making UUIDs of your Canvas profile and tracking you everywhere,
and therefore your cookie blocking and VPN are useless!" Bear in mind, I don't
mean to strawman here, that's just a version of the argument I see most often.

What I personally suspect is that Canvas fingerprinting is used to supplement
other tracking or verification. For example, I have a valid amazon account, an
Amazon cookie is properly set, and Amazon _also_ checks my Canvas information
to make sure nothing looks too out place. ie, my cookie was probably not
replayed since my Canvas, IP address, and credentials check out. Presumably,
my Canvas information cannot generate a true UUID, but it is something like 1
in 10,000. Enough to use it for additional verification.

Now, is any of this correct? Are folks' most paranoid fears accurate? Is my
belief that Canvas is supplementary fraud detection accurate? Whatever answer
is correct, it's unlikely to be broadly uniform across all websites. But, the
point is, I'd really like to hear from an engineer about how Canvas is used.

------
SPGWhistler
This is fear mongering. I work in the ad industry as well - and I can promise
you - 99% of the companies in the ad industry are NOT leading the way when it
comes to tracking you and your data. They are incompetent and can barely do
their jobs. Just take a look at any display advertising for belly fat ads and
you know for sure they aren't targeting you. The 1% however (Google,
Microsoft, Amazon, Apple, Facebook) ARE tracking you and are damn good at it.
Google and Apple being the main offenders here, due to their cell phones. And
when you browse around the web you WILL see those ads following you. But as
much as it sounds terrifying - there just isn't much of a market for geo
tracking individuals. Targeted ads aren't the enemy here anyway - its
governments using this data in ways the infringe on our freedoms that is the
issue. (Like freedom of press, for example....) And THIS is what we should be
worried about.

To be clear: It is not the ad industry we have an issue with here. It is the
data collectors - Google - Apple - Facebook. They are the irresponsible
parties at fault.

~~~
enraged_camel
>> 99% of the companies in the ad industry are NOT leading the way when it
comes to tracking you... The 1% however (Google, Microsoft, Amazon, Apple,
Facebook)

This representation by percentages is a bit disingenuous. Yes, numbers-wise
you may be correct, but if you consider the companies' enormous resources and
amount of influence and impact, Google et al make up the 90+%.

~~~
SPGWhistler
My point was that most ad tech companies are not the issue. It is the big boys
which is the issue. And, that ad tech wasn't the issue. Ads using targeting
data is a symptom of the problem, not the problem it self. The collecting of
the data (by the 1%) is the problem.

------
zeristor
The Pwned website shows you which websites your account details have been
leaked for.

Is there one to show you what the ad industry has on you, and perhaps how it
can by it?

If people had insight to this for how much longer would this be a problem?

I imagine there’s a website that does this which was launched five years ago.

~~~
user17843
the thing is, in theory all of this data is pseudonymous, or even anonymous,
as the industry creates all of these profiles and does not attach real names
to it.

~~~
geocar
This is not true.

Many many companies in this industry attach real names and email addresses to
this data, and even the ones that aim for pseudonymity do it typically in a
very weak way (such as an unsalted md5 hash).

~~~
fumar
Do you have proof? At my previous ad tech employers data was always stripped
of personal identifiable information. The legal and policy teams went to great
lengths to ensure data was anonymous.

------
Vagantem
Had a similar experience - worked in a big ad agency who hired a new web-
developer for one of our clients. As they are one of the biggest website
providers, they could identify most of the people that visited a client's site
- it even automatically saved the identified user's profile pic from facebook
into their database.

~~~
user17843
> it even automatically saved the identified user's profile pic from facebook
> into their database.

Please share more information.

Did that require the user to be logged into FB?

~~~
zed88
Here is a hint

[https://docs.fullcontact.com/#enrich-
api](https://docs.fullcontact.com/#enrich-api)

~~~
Aromasin
As an engineer, I'm amazed. As a person who doesn't want the person on the
other end of every website I visit to know who exactly I am, I feel violated.
At this point though, all I feel I can do as a hapless consumer is to
desensitize myself to said violation.

I use a VPN, Pi-Hole, Ghostery and Firefox. All of these a relatively recent
additions though, so if a website can get my email and that links to an
already existing database of all my collected data up to that point, I'm
buggered anyway.

~~~
pure-awesome
Just making sure you're aware of the discussion around Ghostery that's
happened here on HackerNews, so you can make an informed decision:

[https://news.ycombinator.com/item?id=15969525](https://news.ycombinator.com/item?id=15969525)
[https://news.ycombinator.com/item?id=16809625](https://news.ycombinator.com/item?id=16809625)
[https://news.ycombinator.com/item?id=13652126](https://news.ycombinator.com/item?id=13652126)
[https://news.ycombinator.com/item?id=9617827](https://news.ycombinator.com/item?id=9617827)

~~~
Aromasin
F-ing wonderful. Almost reaffirming the inevitability of it all really. Back
to uBlock it is. Thanks for the heads up.

~~~
lotsofpulp
Not ublock, you need to use ublock origin.

~~~
kazagistar
How about AdNausium for the extra middle finger.

------
hmhrex
Me and a few other people have been pushing for ethical advertising. It
doesn't have to be this way.

We meet monthly to give each other advice and help each other out. It's hard,
it can take more time, but it's been a great experience, and I hope that this
starts to become the norm over time.

Here's the group:

\- Eric Berry with CodeFund ([https://codefund.io](https://codefund.io))

\- David Fischer with ReadTheDocs
([https://docs.readthedocs.io/en/stable/advertising/ethical-
ad...](https://docs.readthedocs.io/en/stable/advertising/ethical-
advertising.html))

\- Roberto Galoppini with Filezilla ([https://filezilla-
project.org/ethical_ads.php](https://filezilla-project.org/ethical_ads.php))

\- Harley Hicks (Me) with RoutineHub
([https://routinehub.co/ads](https://routinehub.co/ads))

~~~
AllegedAlec
> \- Harley Hicks (Me) with RoutineHub
> ([https://routinehub.co/ads](https://routinehub.co/ads))

Heads up: in Firefox Quantum 67, when I attempt to open your page in a new
tab, it instantly closes again.

~~~
hmhrex
I use Firefox as my main driver and just tested this, and it does exactly as
you're saying. Thanks, I'll take a look.

------
nerdponx
Good, as software engineers, machine learning researchers, etc. we have the
real power here. Just stop working for these companies. There are jobs and
good incomes to be had in other industries. Tell recruiters you are not
interested in ad industry.

~~~
luckylion
Somebody else will work for them though. While I'm not saying "so it might as
well be you" (unless you're going undercover), "not doing it" might not be
enough. Actively undermining their efforts may be necessary.

~~~
britch
Actively undermining is good! Specifically fighting for new regulations and
laws around this issue.

I think people in tech have an obligation around this. We understand it better
than most people. It's our responsibility to explain it in ordinary terms and
champion reigning it in.

------
jstewartmobile
This whole "article" is a slimy, PR-firm-injected ad. Hell would freeze over
before I touched this guy's "privacy" "filter" with a 10-foot pole.

------
ssivark
The author of this post seems to be running a Kickstarter now, for a hardware
privacy device:
[https://www.kickstarter.com/projects/winstonprivacy/winston-...](https://www.kickstarter.com/projects/winstonprivacy/winston-
the-worlds-most-advanced-online-privacy-device)

I dunno enough; can folks comment on its technical capabilities vis-a-vis
other solutions available now?

------
mrhappyunhappy
Any company that offers “lead enrichment “ data has already crossed the
privacy line. Google that term to see the companies involved if you care to
know.

------
titzer
We need to stand up and demand that all devices capable of surveillance run
only open source software. Period.

~~~
jefftk
Open source doesn't fix much. Most ad tracking today happens via well
understood open technology, and then adtech companies build profiles server
side. Here's something very simple and fully opensourceable that would still
provide lots of tracking capability:

* Get lots of sites to put an img tag that references your site, perhaps by paying them a tiny amount per visitor

* When you get a request, assign a cookie if there isn't one. Log the cookie and the referrer.

* Sort your logs by cookie. Each cookie represents someone's browsing history, and the more complete your distribution of pixels is the more complete your view is.

You can opt out of this client side by blocking the requests (adblocker) or by
using a browser that blocks 3rd party cookies (ex: Safari) but open source
doesn't do much here.

~~~
thedevilslawyer
In the parent post's defense, open source would actually allow for looking at
exactly what data is sent how. And hold the companies accountable. This would
be dead easy, without the need for whistle-blowing, or reverse engineering

~~~
IggleSniggle
Most of the surveillance I am concerned about is website surveillance, as I
don’t install apps. JavaScript _is_ “source code available.”

------
fumar
The whole thing is an ad for a new service.

~~~
headsoup
Seems so. I also find it interesting that people have sudden moral
realisations working in industries designed not to be morally respectful.

Ad industry is about convincing people to buy things they don't want using any
trick available, the result here is entirely predictable and inevitable.

------
TimMurnaghan
This became obvious a few years ago. I went to a startup pitch event (actually
to get pointers on how to write my own) and was genuinely horrified at what
all of the ad-tech guys were up to. There is no reason to assume any
moderation or morals here. The naked greed of surveillance capitalism is such
that all of the precautions that might have looked like the province of
tinfoil hat wearers are now justified.

------
bobblywobbles
This is why you should block these trackers by modifying your hosts file
([https://debugandrelease.blogspot.com/2019/01/how-to-block-
on...](https://debugandrelease.blogspot.com/2019/01/how-to-block-online-ads-
with-hosts-file.html)). It doesn't just block ads, but trackers too.

------
JSeymourATL
This FastCo article is really a brilliant advertorial for Winston. Upvote for
their cheeky video >
[https://winstonprivacy.com/](https://winstonprivacy.com/)

------
stunt
It becomes scary when you realize this is just the beginning of it. They will
go too far with it in the next ten years.

------
datenhorst
As a citizen of the EU, I really want to find out what the advertising
industry has on me. I once filed a GDPR Art. 5 request with Quantcast but
forgot about it - they give you a link to S3 with a promise that there will be
a ZIP containing data within 30 days.

What other hidden players are out there? I know next to nothing about the ad
industry

~~~
kasey_junk
IAB Europe is the industry group representing ad tech in Europe. Their member
list will give you tons of organizations that makeup the internet ad
ecosystem. Note these are not “hidden” they are the above board members. Shady
operators likely have no interest in joining industry groups but if they want
to be able to credibly sell to big advertisers they will be.

[https://www.iabeurope.eu/membership/member-
directory/](https://www.iabeurope.eu/membership/member-directory/)

------
2Ccltvcm
Hedge funds and intelligence agencies are fingerprinting all groups within our
society by monitoring the responses of various target audiences to engineered
stimuli. This comes in the form of observing the response to selective
dissemination of content with a known effect on observers (you). A few years
ago we heard about some outrage nobody did anything about when it became clear
Facebook was manipulating reader emotional depression by showing some groups
engineered posts. This has become a higher dimensional problem since then. It
is no longer just "Facebook is making some groups of people sad." Now these
orgs are reinforcing complex concepts in our minds subconsciously. One that
comes to mind is a motif you will see in advertisements once you are more
aware of it: strong healthy black man rescues white woman from a bumbling and
pathetic white male. The whole point is to exploit fracture points in society
and shift the overton window. Being able to establish behavioral patterns
triggered by engineered information dissemination helps them control groups of
people for their own benefit. It's a psychological intelligence operation on
an unprecedented scale. Hedge funds stay ahead of new trends to invest in to
maximize ROI. Intelligence agencies similarly identify threats to their power
structures and steer the minds of the consumers of social media to further
their agenda and steer the beliefs of any group in a controlled direction.

~~~
overthemoon
This is paranoid. I remember the story about Facebook doing emotional
manipulation through the feed, but you go from there to hyper rich hedge funds
and shadowy intelligence agencies at the reins of public life shaping the
course of history through social media black magic. I don't doubt there are
bad actors trying to do bad things via advertising and social media, but this
is quite the claim. The rich and powerful are bad enough without adding
internet/advertising mediated mind control to the mix.

It's weird that the story you picked was a black man saving a white woman to
describe the shift of the Overton Window. Where is the window moving to, and
from where?

~~~
somatic
I don’t know about you, but the Snowden Revelations dramatically shifted my
baseline of “paranoid schizo”. Before, I thought the prospect utterly bananas
that “the government” was tapping every phone call, strong-arming ISPs, and
intercepting mail en route to its destination.

Then I found myself in a rabbit hole of Tuskegee experiments, Operation
Northwoodses, MKULTRAs, human-animal hybrids, and so on.

Now, the question I ask is, “is this technologically possible?”

~~~
overthemoon
I have similar feelings, don't get me wrong. I too have experienced that
shift. I guess I just want to know, is _what_ technologically possible?

I see two possibilities here: one is a handful of unimaginably wealthy and
powerful hedge funds and intelligence organizations (heretofore unnamed) which
are somehow coordinated in their efforts to shift public opinion to...
something. The example given is something about black men, white women, and
white men. I'm not sure what that means.

The other, IMO far more believable scenario, is that there are many interested
parties using social media and advertisement in general to change people's
minds about a myriad of topics and issues, which is not remarkable except to
the extent that new technology and new techniques are being used, which we may
not fully understand or be aware of.

The first requires a belief in a conspiracy among the hyper rich and powerful
to create some ill-defined new world, the other does not. Both are
technologically possible, but I find one more convincing than the other.

Edited to add that last sentence and to correct some awkward wording.

~~~
somatic
If I had to guess, I’d say that most of these people are aligned in factions,
most of which probably have roughly similar interests and so are working fully
or partially independently towards roughly the same things, probably with no
little amount of internicene jostling for position.

And in the process they’re probably producing technological horrors simply
because it’s convenient and effective to do so. No hard feelings.

Conspiracies happen all the time, and I would imagine that few ever come to
light.

------
throwayEngineer
Edit, remember not to shoot the people asking questions

I'm not sure why that data is so horrifying. I work a job that I willing put
on Facebook, and I live in a house i am a registered voter at.

You can probably guess my route to work.

I'm unsure why this is bad, it sounds more useless than anything.

~~~
michaelt
Location data tells me how often you go to the gun shop and the shooting
range, when your house is empty, which political protests you go to, how often
you visit the pharmacy/doctor, what prostitutes you visit, what gay bars you
visit, how often you break the speed limit, how much sleep you get, when you
visit your lawyer or your STD clinic, whether you've kept up going to
Alcoholics Anonymous, what restaurants you go to and how often, how often
you're late for work, and how often you visit your grandma.

I'm not an Iranian gay gun owner, but I still have a problem with an
advertising company assembling a database of Iranian gay gun owners.

~~~
throwayEngineer
Why?

Don't you want to hear your different lawyer options, STD check options, gun
options, alcohol help, etc?

Or rather, would you rather have useful advertisement or spammy advertisement?

I still could not relate that those would be bad. The only thing I can imagine
is blackmail. Which is cultural and not moral.

~~~
michaelt

      I still could not relate that
      those would be bad. 
    

I believe the ad tech industry would literally show alcohol ads to recovering
alcoholics if A/B testing or 'machine learning' said they converted at higher
rates.

I believe the ad tech industry does not protect medical and political data
with the appropriate level of privacy protection. So even if they wouldn't
_sell_ their database of gay Iranians to Iran, I think they'd get hacked by
them.

And I believe some companies probably _would_ sell their gun ownership
database to a government that wanted to arrest gun owners, and their gay bar
customer database to a government that wanted to arrest gay people.

    
    
      Or rather, would you rather have
      useful advertisement or spammy
      advertisement?
    

I run an adblocker, so you can guess my answer to that!

~~~
throwayEngineer
Is there any proof this happens?

The hacked thing is about as scary as it gets, but companies need to keep
customers happy.

Btw, ad block is not a solution. Short sighted to mention that.

------
dvfjsdhgfv
There are many reasonable proposals in the article but they are only wishful
thinking: there is no way the USA passes a law similar to GDPR, no matter what
people want and how many similar articles appear.

~~~
luckylion
As for GDPR: at least in Germany it's problematic. Our system typically relies
on competitors to enforce law abidance in companies (so called "Abmahnungen"
based on the "Gesetz gegen den unlauteren Wettbewerb", UWG for short, a set of
laws regarding unlawful competition). One court recently ruled that GDPR
violations don't fall under those laws ([https://www.datenschutzbeauftragter-
info.de/landgericht-stut...](https://www.datenschutzbeauftragter-
info.de/landgericht-stuttgart-zur-abmahnfaehigkeit-von-dsgvo-verstoessen/)).

That leaves us with: \- reporting violations to the officials. They are
chronically understaffed, have little technical expertise and it takes months
to years for them to act. They are very hesitant to hand out fines, but
theoretically can. \- individual citizens suing a company to force them to
abide by the law. This is rare because the citizen will have to cough up the
money to go to court, and even if he wins, the company will only be forced to
abide by the laws regarding this citizen, not in general. \- publicly shaming
companies into compliance.

A higher court might have different opinions, and I very much hope they will,
because GDPR quickly becomes meaningless without enforcement.

Edit: I have literally no idea why this is downvoted. Unless it's just because
you personally don't like me, please leave a comment explaining what is
incorrect.

~~~
icebraining
Unless the site is only available to German users, you should be able to file
a complain with any of EU member state regulators, and not all are so timid as
that.

NOYB, the non-profit org founded by Max Schrems, has already been filing
complaints with the French, Austrian, Belgian and German authorities:
[https://noyb.eu/](https://noyb.eu/)

~~~
luckylion
> Unless the site is only available to German users, you should be able to
> file a complain with any of EU member state regulators, and not all are so
> timid as that.

You can, but they will forward that to the applicable authority, which will be
the local German one for German sites.

~~~
icebraining
On what do you base this? Facebook is registered in Ireland, yet multiple EU
authorities have fined them.

~~~
jefftk
For very large companies that do business in many countries regulators have
various concerns (power of the company relative to the country, jurisdiction
shopping via choice of headquarters location, etc) that don't apply for the
typical case of a German company with a German audience.

