62 comments

[ 3.5 ms ] story [ 137 ms ] thread
Oh, I remember this, from like 2000 (in CGI/Perl). Did it this way for ages then there was this ground-breaking company for ads called "DoubleClick" (I think) that did it all with cookies and js. Wonder whatever happened to them.
DoubleClick became the world’s largest web ad broker and was bought by Google to shore-up their own AdSense + AdWords business.

Due to cross-site “third-party” cookies being disabled in modern web-browsers and the HTTP Referer [sic] header being unofficially deprecated the only way for websites and ads to work together is by either IP address tracking or visitor fingerprinting.

IPv4 address tracking is a blunt instrument that is next to useless when visitors are using ISPs with CG-NAT. But IPv6 makes every device addressable - and thus - followable. I imagine that eventually CPE (home internet modem and router) will offer some kind of IPv6 address randomisation system on a per-TCP-connection basis, though they’d all share the same 64-bit prefix (I think?) so it doesn’t mitigate per-residence tracking.

(EDIT: Ah, so IPv6 does have privacy protection by rotating autoconfigured addresses on a regular basis: https://www.internetsociety.org/blog/2014/12/ipv6-privacy-ad... )

————-

I do believe the end of third-party cookies is going to make internet advertising significantly less profitable and more and more ad-funded sites will either add paywalls or shut-down.

I’m surprised Google went this way, actually - I’d have thought a less-harmful way of protecting users’ privacy with balancing the need for attribution in advertising could be accomplished by, for example, auto-nuking cross-domain cookies after 24-hours.

Google hasn't _really_ committed to a 3p cookie deprecation plan. They just kicked the deadline forward another year or two while they test out alternatives.
> Google hasn't _really_ committed to a 3p cookie deprecation plan

I'd say it's pretty dang official now: https://digiday.com/marketing/cheat-sheet-google-extends-coo...

Don't forget the actions of other browser-vendors too, like Apple's Safari and Mozilla's Firefox, both of which have severely curtailed third-party cookies - and Google Chrome's Incognito mode also disables all third-party cookies.

> They just kicked the deadline forward another year or two while they test out alternatives.

Right, but the deadline still exists.

I mean, it doesn't really exist, because the 2022 deadline got pushed when it became clear there wasn't another alternative ready. This one could just as easily slip.
> DoubleClick became the world’s largest web ad broker and was bought by Google

Do you _really_ thing the OP didn't know that???

I don't know how this shit works. But earlier this month I was showing my girlfriend a Halloween costume I googled on my phone. I visited the website for maybe 10 seconds, I did not log in or create an account. A few days later I got an email from PayPal offering me a $5 coupon for that website. WTFFFF. It made me want to go full-nuclear on the privacy front.
10 seconds is plenty of time to record IP addresses, do pixel tracking etc. Combine with data from a data broker and you probably have contact detail attribution.

heck, the payment processor plugin probably on that costume's site that's all they needed considering the email came from Paypal, which I assume you have an account with. an IP address lookup table internal to Paypal would do it alone.

Companies give Google and friends free unfettered access to your highly specific usage data that can be used to uniquely identify you, all without your consent or knowledge, and no way to opt out. In exchange, said companies get metrics on how well their ads are doing.

It's ingenious. The incentives are set up entirely against you. The people who know and care the least about privacy decide what to do with your data, and they are enticed to hand it over by the promise of tracking ad spend, i.e. the promise of making their jobs easier and of making their success quantifiable.

How could this be combatted? I assume just through legislation and possibly some type of random audit or bounty system to catch violators?

Or could it be beaten by high privacy browsers like Brave and a system of shuffling through and sharing random anonymous online identities with strangers like Tor does with IP?

Just to confuse the hell out of the ad platforms…

What would the legislation even be though?

https://adnauseam.io/ is meant to screw with data collection, albeit only at a personal level; one could imagine more sophisticated tools that did things like randomly run Google searches for arbitrary topics to confuse things further, but I'm not aware of any implementations
Serious question, why is this bad? As far as email advertisements go, is this worse than untargeted Viagra and porn?

fyi I work at Google but not on Ads.

Well, even if we cant describe why it is 'bad', we can observe that it is a form of anti-social behaviour by these companies.

People don't like it - people don't like that form of targeting. It may not be clear why they have issues with it, but they do.

At my kids school, if someone is repeatedly doing something to you that you don't like, then it is classed as a form of bullying.

That's a good analogy, but it illustrates the problem. Just because you don't like something, does not by itself make it antisocial.

If someone at your kid's school told you that the teacher repeatedly made them do homework, would that be bullying? Of course not. Just because some people don't like targeted ads does not make it antisocial. You just don't like it, which is fine. Don't read the email.

Yes. Ads good, privacy bad. Keep working at Google.

By the way, I may or may not have placed a bunch of hidden cameras in your house. What's that, antisocial? No, no. I swear it's going to be convenient for you. You may get a disturbing email from a company I sell the footage to at some point, by the way. Just don't read that email, ok?

This one is pretty easy though. Forget the camera, we have a pervasive norm that you can't be in my house without my permission. With or without cameras, you've violated the norm, and in this case also the law.

I'm not arguing that all data collection is ok. I'm just arguing against the point that all data collection is not ok.

If you approach norms purely from a "what does the law say about X" perspective, sure. But laws can change, and before we wrote it down in a book with legal constructs, a lot of people were not OK with the concept of "murder", "theft", etc. I think that from the comments here, you'll learn that a lot of people are not OK with some of the things your employer does either.

I do respect you for telling people here that you work for them, though. I just hope you will ask yourself every now and then if it still feels ok to do so. That's often a pretty good indicator of whether or not it is ok. Sometimes a better indicator than the law, even.

(comment deleted)
> we have a pervasive norm that you can't be in my house without my permission. With or without cameras, you've violated the norm

Well, I also do my Internet browsing from home. What are you doing in my house with your ads and trackers?

Adtech industry is stepping on quite a lot of norms indeed. Not surveilling people in their homes is one that's commonly violated. That a HTTP user agent is free to interpret and present the response from a HTTP server in any way it (and the user) sees fit is another, this one frequently fretted about, and users are being bullied over it.

(Another one would be consent - this one got enshrined into law in the EU. It annoys adtech people so much that they deploy every possible psychological manipulation trick to deprive users of their agency without crossing the legal line - and quite often with blatantly illegal practices. When confronted, they try to shift the blame for their techniques to regulators who are "forcing" them.)

Corporations are stalking human beings on a massive scale, recording everything they do and selling access to dossiers more detailed than police background checks.
I don't think it's the advertisement itself, I believe it's the method and data they collected to target it.

They may not use it for nefarious reasons (one can argue if unwanted targeted ads is or isn't) but that data may leak either directly or via a 3rd party who purchased it.

Then you have a situation where you have all this product and personal history which could be embarrassing and be used for blackmail.

Can you delete this data? Do you know everything they are tracking?

Someone else said it best, this is a cyber stalking industry.

Among other things, it puts users at risk of having their highly personal data exposed during a hack/exfiltration/subpoena, or to a malicious internal actor.
Realistically, I think most of the time, if the ad is targeted well, there are no issues. I see a good amount of ads, and the most annoying ones, to me, are the most poorly targeted ones.

However, I do think there is an inherent creepiness involved in the amount of tracking involved to achieve that level of targeting. Normally, as a person who is not terribly privacy minded, I'm not thinking about this tracking that watches everything I do. That is, until I had an experience like the top comment. I ripped the mic out of my Amazon FireTV remote that day. It made me uncomfortable that my conversation left the room without my knowledge or consent. (I realize this was Amazon, not Google, but they all do this sort of thing.)

Edit: I think ad targeting has to achieve a delicate balance of serving potentially helpful ads, while not alerting the target that they are part of the Matrix.

>I think ad targeting has to achieve a delicate balance of serving potentially helpful ads, while not alerting the target that they are part of the Matrix.

It is a great ideal but this narrative is pretty much anti HN sentiment on Ads.

The reason I prefer untargeted ads is that targeted ads make me more likely to spend money. I don’t want to part with my money over junk I don’t need, so I’d rather see irrelevant ads that won’t persuade me to spend.
Yeah this is at least a rational viewpoint. You have beliefs and preferences, and under those beliefs and preferences you are better off without targeted ads.

Unfortunately most other arguments against targeted ads don't have these properties and just restate the arguers convictions in various ways, with increasing levels of anger and certainty.

...As opposed to arguments in favor of tracking, which are totally rational and novel every time?
People make bad arguments in both directions.

Here's how I think about it though. Targeted advertising allows some businesses to exist that otherwise would not exist. In order to justify banning it or labeling it as unethical, we should show that there is some harm done that outweighs the benefits in terms of job creation and innovation. So far the examples of tangible harm I'm familiar with are rare and far less in magnitude than the value creation enabled by targeted advertising. What's more , all those harms can be mitigated, and it's in the best interest of large advertising platforms to mitigate so they they have better products. That's why Facebook and Google have spent more on basic research into privacy preserving computation and analytics than any other company.

It's not that all targeted ads are bad or good. It's that we can make them good and keep the benefits without any of the harm. I don't see examples like "I got a personalized email" as inherently harmful, so I'm looking for justification specifically for beliefs like that one.

> Targeted advertising allows some businesses to exist that otherwise would not exist.

Unfortunately it also funnels billions of dollars into hate sites ($2.6bn+ in the article I saw last week)

It also funds schemes like this that may be technically brilliant contribute little to the web, and extract money from advertisers without giving much back

https://mobile.twitter.com/TedFrench/status/1425414187455496...

(buy's old domains names with good ranking, recreates the site, rewrites the content to boost it's ranking, runs ads and then sells it)

Why is the example you linked a bad thing? He spent months writing hundreds of articles of good content. If you trust the metrics, it looks like a lot of people were reading the articles and finding real value. From the thread:

"I’m far from a copywriter, but the content added was informative & above everything else, answered the search query in full. I can blitz out 10k words a day of garbage content easily, but it’s worth putting in extra effort and writing better content, even if there's less of it."

This isn't an example of somebody taking advantage of ads to scam anyone. Maybe you disagree, but my take is that this is a legitimate business that provided real value to it's users and happened to use some gray hat SEO to grow.

There's an assumption being made here that I've seen many people treat as an axiom. You say:

> Targeted advertising allows some businesses to exist that otherwise would not exist.

That's true, but in the argument, it carries the implicit assumption that those businesses existing is a good thing. But this is often not the case. Plenty of businesses exist only because they can dupe enough people with hyper-targeted ads.

More importantly, though, advertising is an ecosystem. Companies buying ads are only part of the money flow. The more problematic part are the companies showing those ads. There you can find many[0] examples of companies that should not exist, and yet they do, because there's money in showing ads. Those companies always have some kind of bait to lure viewers onto their sites, where they'll be subject to ads. Because of the ad money, those sites displace legitimate efforts that try to provide actual value in the same space the ad-powered sites just use as their bait.

It's a long topic, and this is just one small aspect of it.

--

[0] - In my personal opinion, it's vast majority of sites displaying ads.

Scams like the one you're describing don't really benefit from targeted ads. Any ads will do. In fact, bans on targeting may be better for those sites since they would stand out less when platforms look at ctr or other engagement statistics.
Are those my only two choices? Tracking based targeted emails or untargeted Viagra and porn?

How about neither?

The reason is simple, it removes your control over your information (to an extent, obviously most site collect internal metrics and logs), right now via browsers and network filtering you can essentially cut off tracking and ads to (excluding fingerprinting) a large degree because you are in control of your browser and network.

Moving all of the tracking and data sharing server-side means there is nothing you can do to stop it other than simply not visit sites that use it and even that isn't so simple because how are you supposed to know if they have implemented server-side tracking other than maybe a vague mention in the ToS or PP?

How would you feel about advertiser showing booze ads to recovering alcoholics because they're recovering alcoholics? At some point the amount of fine tuned emotional manipulation that ads can exert on people becomes downright creepy. Like dealing with an expert con artist except everywhere and all the time.
To play devil's advocate, what if you trusted the ad platform (ha! bear with me. it's a hypothetical) to use that data point to block alcohol advertisers from showing ads to a recovering alcoholic.

In a world with personalized advertising, you can avoid those ads forever. In mediums without personalized advertising, you can't watch a sporting event without seeing a beer ad.

Then again, personalized exclusion opens the door to many types of discrimination - like not showing job or housing ads to people with certain traits.

All that to say, the tech can be used for both good and evil. It needs to be managed by regulation, and not by technical feasibility.

There is no single ad platform but a dozen+ large ones across the web. Probably thousands+ if you include all the real time bidding players. In no world would all of them be honest and many would be dishonest in subtle ways. Modern capitalism is all about hiding the externalities.

The regulation people want, such as even stronger GDPR, is effectively almost a technical feasibility block on these things. Any other attempt is always going to be behind the technology curve and thus significantly less useful. Moreover politicians will add in exceptions for their top donors and friends. This is harder is regulation that doesn't get into deep weeds.

Well, in that hypothetical reality, I'd submit a dossier about myself to the ad platform. It would simplify so many things for everyone. If I could trust the advertisers, they wouldn't have to spy on me to learn about my habits - I would just volunteer them. My likes and dislikes, my dreams and my deep problems.

Alas, this is not how the real world works. Everyone on the advertising side has an incentive to exploit my weak sides, so I can't trust advertisers in general. And so they spy on me, and I'm desperately trying to protect myself.

Your hypothetical reality is an unstable equilibrium. Our actual reality is a stable one. So even if, by some miracle, the stars aligned and the hypothetical suddenly became real, it would very quickly degenerate into our current reality. "In paradise, the first one to pick up a stone becomes Genghis Khan", and all that.

So, in conclusion, adtech industry needs to be burned out by regulatory means like the cancer it is, until what remains can be reshaped into a construct that provides value to the society.

As someone who quit a project after, much to my shame, successfully delivering personalized alcohol ads to heavy drinkers, you're right. This industry sucks balls. The default for any content platform should be something like "do not show ads" and only if people want then they could switch on personalized ads. But that would really drive down their value so it's not happening.
Because it's not just the ADs.

For getting good targeted ads, you need to know a lot about targets. And that knowledge can be used for other things than just selling ads.

It can be used by politicians to target specific groups, it can be used by scam artist to get access to more susceptible people. It can be used by business, like payday loans, cc companies, lotteries, etc. to target people that are in already bad place, to dig a hole even deeper (and that already happens today). It can be used to target people who are whales in one microtransaction whatever, to spend on some other etc. It can be used by bad governments to target people with specific viewpoints, smear campaigns, find dissidents etc.

They all need same kind of data. And even if you collect that data for one purpose today, doesn't mean it cant be used for something else in 10 years time. Just because Google might not sell that data right now, doesn't mean it wont in the future.

I would have a lot less problems it it was just ads, but it's really not.

I’ve had this general experience many times. It’s so bad. How can they claim this tracking crap actually helps increase sales! It just infuriates people
It infuriates some people. Others will say "oh neat, I was thinking about buying a costume from that site and now I can save $5" and buy it.

This stuff is done because it works.

Yeah, and some of those others will later discover they didn't actually save $5.

> This stuff is done because it works.

Yes. Annoying some people is only an externality. It's cheaper to apply those techniques to everyone, even if the actual target is a small subset of people vulnerable to being exploited.

But, as always, just because you can, doesn't mean you should. Just because it works, doesn't mean it's right.

Likely a Gmail retargeting ad that looks like an email in the promotions tab
Just by accessing an Web site for the first time, it has access to all HTTP headers used to build all requests required for the page, your IP address and a couple of other metadata.

That can be combined with other sources that the Web site vendors have contract with, including so called knowledge databases, that can correlate such information.

People that keep arguing for native being less secure than Web, just because they can use telemetry, have no idea to what extent marketing engines are able to extract information from each HTTP request.

As long as you don't have a unique IP address, this data doesn't seem enough to uniquely identify you. HTTP headers reveal your OS and browser, but not much more than that, and they should be mostly the same for all people with the same OS/browser.
Depends how much you interact with the site.

Additionally, if you ever log in, correlation can be made with older stored logs, thus even if surf anonymously afterwards, the same IP range can be mapped to you, even if it isn't guaranteed to be correct.

But does your browser block third-party cookies? If it doesn't, then ad networks are able to easily track all your online activity and connect it to your identity because most of the websites on the web have tracking scripts like Google Analytics.
This is nothing new. We were sharing impression data with client partners from the server side years ago.
How in the world does this satisfy the advertisers? They send the personal identifying details of each customer to Google/FB, and then Google/FB tells them "oh yeah, that guy totally saw an ad"? The ad giants would never lie about such a thing... they will just fix all of the bugs that under report and just not have the time to get to all of those pesky over-reporting bugs.
It doesn't.

For the ad platforms, this lets them optimize their ads for better performance when they know which user profiles converted.

For advertisers, it's used for directional guidance on the platform, e.g. ad campaign A converts at 3x the rate of ad campaign B.

The famous quote in the industry is "Half the money I spend on advertising is wasted; the trouble is I don't know which half." This method gives you a better idea of which money is wasted, at least compared to something like a TV or a print ad.

It gets more complex when you're advertising on multiple channels. For instance, if you see an ad on FB, Google the product, then buy it, both will take credit for a conversion even though your business only had one sale. There are more scientific methods for modeling advertising results from multiple channels [1], that leverage control groups (say you run a Google ad in New York and a TV ad in California and monitor which market sees a bigger spike in sales).

[1] https://en.wikipedia.org/wiki/Marketing_mix_modeling

An advertiser knows exactly how many clicks and revenue they get from facebook or google campaigns (the click url includes that as query params). Down to the campaign level. That's not what this is about. This is about Facebook and Google being able to give even more detailed information on that revenue (ie: predicted view attribution, revenue by product shown, revenue by search term, etc.) and do even better automated targeting on those campaigns.
For those who are referencing tracking pixels and say this isn't anything new, it's important to understand that this is the next evolution of that technology as a result of government regulations around privacy and browser/OS ecosystem changes from Google, Apple, and Mozilla. This data transfer won't occur at the browser layer for much longer - it won't be as technically feasible without cookies and it may not be legal given consent/opt-out requirements. Instead the data will pass directly from the advertiser's server to the ad platform's server. Of course this tech has existed for a long time - it's a basic API call - but it hasn't been widely adopted in the ad tech industry, while millions of websites are using tracking pixels.

It is not a 1:1 replacement for tracking pixels and lacks some of those creepy features (you're unlikely to get tagged if you simply browse a website without giving up any personal info), but it offers new ones as well (the ability to send arbitrary data to an ad platform).

> and it may not be legal given consent/opt-out requirements.

It would be a remarkably narrow law that made it illegal to do something client-side but not server-side. AFAIK it's usually about what data you collect and how you use it, not precise details about how it was collected and stored along the way.

The laws are around consent and the ability to revoke it, which can vary by the continent/country/state/city you're in as well as some other characteristics that may not be known at the time that the client-side code would execute.

Server-side allows businesses to defer the data transfer until it's known whether specific consent is granted or revoked. It also allows you to more easily keep a record of the data shared with other parties in the event that a user withdraws prior consent or invokes a right to be forgotten. You then have the ability to tell your partners to also delete those data points.

> “The server-side option was built as part of our ongoing work to give advertisers more control over their users’ data,” said a Google spokesperson

Wait. Whose data is it, Google?

does blocking 3rd party cookies suffice to get rid of this ?
No, but it will decrease its effectiveness to some extent. One of the reasons this tech is gaining adoption is that it removes ad tech's dependence on 3P cookies.
I have this setup for our clients on FB.

The reported ROAS is all over the place on FB right now. It goes from previously 1 = 100% return on investment. Now it sometimes says 10X numbers like 70, which I assume is of the data they could measure 70% roi.

It seems to 'automagically' combine the offline conversion data with standard FBQ but I have no idea the match rates for the server-server data I send in and also importantly if it de-dupes.

I've tried to experiment with voting data in the past, I want to try that more this election. Run get out the vote ads and optimize for actual early votes.

(comment deleted)
It is another example how Web apps are apparently more secure than native ones.