#ad-tech | Explore Tumblr Posts and Blogs

mostlysignssomeportents · 1 year

Text

This is your brain on fraud apologetics

In 1998, two Stanford students published a paper in Computer Networks entitled “The Anatomy of a Large-Scale Hypertextual Web Search Engine,” in which they wrote, “Advertising funded search engines will be inherently biased towards the advertisers and away from the needs of consumers.”

https://research.google/pubs/pub334/

If you’d like an essay-formatted version of this post to read or share, here’s a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2023/02/24/passive-income/#swiss-cheese-security

The co-authors were Lawrence Page and Sergey Brin, and the “large-scale hypertextual web search-engine” they were describing was their new project, which they called “Google.” They were 100% correct — prescient, even!

On Wednesday night, a friend came over to watch some TV with us. We ordered out. We got scammed. We searched for a great local Thai place we like called Kiin and clicked a sponsored link for a Wix site called “Kiinthaila.com.” We should have clicked the third link down (kiinthaiburbank.com).

We got scammed. The Wix site was a lookalike for Kiin Thai, which marked up their prices by 15% and relayed the order to our local, mom-and-pop, one-branch restaurant. The restaurant knew it, too — they called us and told us they were canceling the order, and said we could still come get our food, but we’d have to call Amex to reverse the charge.

As it turned out, the scammers double-billed us for our order. I called Amex, who advised us to call back in a couple days when the charge posted to cancel it — in other words, they were treating it as a regular customer dispute, and not a systemic, widespread fraud (there’s no way this scammer is just doing this for one restaurant).

In the grand scheme of things, this is a minor hassle, but boy, it’s haunting to watch the quarter-century old prophecy of Brin and Page coming true. Search Google for carpenters, plumbers, gas-stations, locksmiths, concert tickets, entry visas, jobs at the US Post Office or (not making this up) tech support for Google products, and the top result will be a paid ad for a scam. Sometimes it’s several of the top ads.

This kind of “intermediation” business is actually revered in business-schools. As Douglas Rushkoff has written, the modern business wisdom reveres “going meta” — not doing anything useful, but rather, creating a chokepoint between people who do useful things and people who want to pay for those things, and squatting there, collecting rent:

https://rushkoff.medium.com/going-meta-d42c6a09225e

It’s the ultimate passive income/rise and grind side-hustle: It wouldn’t surprise me in the least to discover a whole festering nest of creeps on Tiktok talking about how they pay Mechanical Turks to produce these lookalike sites at scale.

This mindset is so pervasive that people running companies with billions in revenue and massive hoards of venture capital run exactly the same scam. During lockdown, companies like Doordash, Grubhub and Uber Eats stood up predatory lookalike websites for local restaurants, without their consent, and played monster-in-the-middle, tricking diners into ordering through them:

https://pluralistic.net/2020/09/19/we-are-beautiful/#man-in-the-middle

These delivery app companies were playing a classic enshittification game: first they directed surpluses to customers to lock them in (heavily discounting food), then they directed surplus to restaurants (preferential search results, free delivery, low commissions) — then, having locked in both consumers and producers, they harvested the surplus for themselves.

Today, delivery apps charge massive premiums to both eaters and restaurants, load up every order with junk fees, and clone the most successful restaurants out of ghost kitchens — shipping containers in parking lots crammed with low-waged workers cranking out orders for 15 different fake “virtual restaurants”:

https://pluralistic.net/2020/12/01/autophagic-buckeyes/#subsidized-autophagia

Delivery apps speedran the enshittification cycle, but Google took a slower path to get there. The company has locked in billions of users (e.g. by paying billions to be the default search on Safari and Firefox and using legal bullying to block third party Android device-makers from pre-installing browsers other than Chrome). For years, it’s been leveraging our lock-in to prey on small businesses, getting them to set up Google Business Profiles.

These profiles are supposed to help Google distinguish between real sellers and scammers. But Kiin Thai has a Google Business Profile, and searching for “kiin thai burbank” brings up a “Knowledge Panel” with the correct website address — on a page that is headed with a link to a scam website for the same business. Google, in other words, has everything it needs to flag lookalike sites and confirm them with their registered owners. It would cost Google money to do this — engineer-time to build and maintain the system, content moderator time to manually check flagged listings, and lost ad-revenue from scammers — but letting the scams flourish makes Google money, at the expense of Google users and Google business customers.

Now, Google has an answer for this: they tell merchants who are being impersonated by ad-buying scammers that all they need to do is outbid them for the top ad-spot. This is a common approach — Amazon has a $31b/year “ad business” that’s mostly its own platform sellers bidding against each other to show you fake results for your query. The first five screens of Amazon search results are 50% ads:

https://pluralistic.net/2022/11/28/enshittification/#relentless-payola

This is “going meta,” so naturally, Meta is doing it too: Facebook and Instagram have announced a $12/month “verification” badge that will let you report impersonation and tweak the algorithm to make it more likely that the posts you make are shown to the people who explicitly asked to see them:

https://www.vox.com/recode/2023/2/21/23609375/meta-verified-twitter-blue-checkmark-badge-instagram-facebook

The corollary of this, of course, is that if you don’t pay, they won’t police your impersonators, and they won’t show your posts to the people who asked to see them. This is pure enshittification — the surplus from users and business customers is harvested for the benefit of the platform owners:

https://pluralistic.net/2023/01/21/potemkin-ai/#hey-guys

The idea that merchants should master the platforms as a means of keeping us safe from their impersonators is a hollow joke. For one thing, the rules change all the time, as the platforms endlessly twiddle the knobs that determine what gets shown to whom:

https://doctorow.medium.com/twiddler-1b5c9690cce6

And they refuse to tell anyone what the rules are, because if they told you what the rules were, you’d be able to bypass them. Content moderation is the only infosec domain where “security through obscurity” doesn’t get laughed out of the room:

https://doctorow.medium.com/como-is-infosec-307f87004563

Worse: the one thing the platforms do hunt down and exterminate with extreme prejudice is anything that users or business-customers use to twiddle back — add-ons and plugins and jailbreaks that override their poor choices with better ones:

https://www.theverge.com/2022/9/29/23378541/the-og-app-instagram-clone-pulled-from-app-store

As I was submitting complaints about the fake Kiin scam-site (and Amex’s handling of my fraud call) to the FTC, the California Attorney General, the Consumer Finance Protection Bureau and Wix, I wrote a little Twitter thread about what a gross scam this is:

https://twitter.com/doctorow/status/1628948906657878016

The thread got more than two million reads and got picked up by Hacker News and other sites. While most of the responses evinced solidarity and frustration and recounted similar incidents in other domains, a significant plurality of the replies were scam apologetics — messages from people who wanted to explain why this wasn’t a problem after all.

The most common of these was victim-blaming: “you should have used an adblocker” or “never click the sponsored link.” Of course, I do use an ad-blocker — but this order was placed with a mobile browser, after an absentminded query into the Google search-box permanently placed on the home screen, which opens results in Chrome (where I don’t have an ad-blocker, so I can see material behind an ad-blocker-blocker), not Firefox (which does have an ad-blocker).

Now, I also have a PiHole on my home LAN, which blocks most ads even in a default browser — but earlier this day, I’d been on a public wifi network that was erroneously blocking a website (the always excellent superpunch.net) so I’d turned my wifi off, which meant the connection came over my phone’s 5G connection, bypassing the PiHole:

https://pluralistic.net/2022/04/28/shut-yer-pi-hole/

“Don’t click a sponsored link” — well, the irony here is that if you habitually use a browser with an ad-blocker, and you backstop it with a PiHole, you never see sponsored links, so it’s easy to miss the tiny “Sponsored” notification beside the search result. That goes double if you’re relaxing with a dinner guest on the sofa and ordering dinner while chatting.

There’s a name for this kind of security failure: the Swiss Cheese Model. We all have multiple defenses (in my case: foreknowledge of Google’s ad-scam problem, an ad-blocker in my browser, LAN-wide ad sinkholing). We also have multiple vulnerabilities (in my case: forgetting I was on 5G, being distracted by conversation, using a mobile device with a permanent insecure search bar on the homescreen, and being so accustomed to ad-blocked results that I got out of the habit of checking whether a result was an ad).

If you think you aren’t vulnerable to scams, you’re wrong — and your confidence in your invulnerability actually increases your risk. This isn’t the first time I’ve been scammed, and it won’t be the last — and every time, it’s been a Swiss Cheese failure, where all the holes in all my defenses lined up for a brief instant and left me vulnerable:

https://locusmag.com/2010/05/cory-doctorow-persistence-pays-parasites/

Other apologetics: “just call the restaurant rather than using its website.” Look, I know the people who say this don’t think I have a time-machine I can use to travel back to the 1980s and retrieve a Yellow Pages, but it’s hard not to snark at them, just the same. Scammers don’t just set up fake websites for your local businesses — they staff them with fake call-centers, too. The same search that takes you to a fake website will also take you to a fake phone number.

Finally, there’s “What do you expect Google to do? They can’t possibly detect this kind of scam.” But they can. Indeed, they are better situated to discover these scams than anyone else, because they have their business profiles, with verified contact information for the merchants being impersonated. When they get an ad that seems to be for the same business but to a different website, they could interrupt the ad process to confirm it with their verified contact info.

Instead, they choose to avoid the expense, and pocket the ad revenue. If a company promises to “to organize the world’s information and make it universally accessible and useful,” I think we have the right to demand these kinds of basic countermeasures:

https://www.google.com/search/howsearchworks/our-approach/

The same goes for Amex: when a merchant is scamming customers, they shouldn’t treat complaints as “chargebacks” — they should treat them as reports of a crime in progress. Amex has the bird’s eye view of their transaction flow and when a customer reports a scam, they can backtrack it to see if the same scammer is doing this with other merchants — but the credit card companies make money by not chasing down fraud:

https://www.buzzfeednews.com/article/rosalindadams/mastercard-visa-fraud

Wix also has platform-scale analytics that they could use to detect and interdict this kind of fraud — when a scammer creates a hundred lookalike websites for restaurants and uses Wix’s merchant services to process payments for them, that could trigger human review — but it didn’t.

Where do all of these apologetics come from? Why are people so eager to leap to the defense of scammers and their adtech and fintech enablers? Why is there such an impulse to victim-blame?

I think it’s fear: in their hearts, people — especially techies — know that they, too, are vulnerable to these ripoffs, but they don’t want to admit it. They want to convince themselves that the person who got scammed made an easily avoidable mistake, and that they themselves will never make a similar mistake.

This is doubly true for readerships on tech-heavy forums like Twitter or (especially) Hacker News. These readers know just how many vulnerabilities there are — how many holes are in their Swiss cheese — and they are also overexposed to rise-and-grind/passive income rhetoric.

This produces a powerful cognitive dissonance: “If all the ‘entrepreneurs’ I worship are just laying traps for the unwary, and if I am sometimes unwary, then I’m cheering on the authors of my future enduring misery.” The only way to resolve this dissonance — short of re-evaluating your view of platform capitalism or questioning your own immunity to scams — is to blame the victim.

The median Hacker News reader has to somehow resolve the tension between “just install an adblocker” and “Chrome’s extension sandbox is a dumpster fire and it’s basically impossible to know whether any add-on you install can steal every keystroke and all your other data”:

https://mattfrisbie.substack.com/p/spy-chrome-extension

In my Twitter thread, I called this “the worst of all possible timelines.” Everything we do is mediated by gigantic, surveillant monopolists that spy on us comprehensively from asshole to appetite — but none of them, not a 20th century payment giant nor a 21st century search giant — can bestir itself to use that data to keep us safe from scams.

Next Thu (Mar 2) I'll be in Brussels for Antitrust, Regulation and the Political Economy, along with a who's-who of European and US trustbusters. It's livestreamed, and both in-person and virtual attendance are free:

https://www.brusselsconference.com/registration

On Fri (Mar 3), I'll be in Graz for the Elevate Festival:

https://elevate.at/diskurs/programm/event/e23doctorow/

[Image ID: A modified version of Hieronymus Bosch's painting 'The Conjurer,' which depicts a scam artist playing a shell-game for a group of gawking rubes. The image has been modified so that the scam artist's table has a Google logo and the pea he is triumphantly holding aloft bears the 'Sponsored' wordmark that appears alongside Google search results.]

#pluralistic #victim blaming #fraud #going meta #douglas rushkoff #ad-tech #local search #wix #amex #thai food #business #rent-seeking #entrepreneurship #passive income #chokepoint capitalism #platform lawyers

2K notes · View notes

mostlysignssomeportents · 7 months

Text

The surveillance advertising to financial fraud pipeline

Monday (October 2), I'll be in Boise to host an event with VE Schwab. On October 7–8, I'm in Milan to keynote Wired Nextfest.

Being watched sucks. Of all the parenting mistakes I've made, none haunt me more than the times my daughter caught me watching her while she was learning to do something, discovered she was being observed in a vulnerable moment, and abandoned her attempt:

https://www.theguardian.com/technology/blog/2014/may/09/cybersecurity-begins-with-integrity-not-surveillance

It's hard to be your authentic self while you're under surveillance. For that reason alone, the rise and rise of the surveillance industry – an unholy public-private partnership between cops, spooks, and ad-tech scum – is a plague on humanity and a scourge on the Earth:

https://pluralistic.net/2023/08/16/the-second-best-time-is-now/#the-point-of-a-system-is-what-it-does

But beyond the psychic damage surveillance metes out, there are immediate, concrete ways in which surveillance brings us to harm. Ad-tech follows us into abortion clinics and then sells the info to the cops back home in the forced birth states run by Handmaid's Tale LARPers:

https://pluralistic.net/2022/06/29/no-i-in-uter-us/#egged-on

And even if you have the good fortune to live in a state whose motto isn't "There's no 'I" in uter-US," ad-tech also lets anti-abortion propagandists trick you into visiting fake "clinics" who defraud you into giving birth by running out the clock on terminating your pregnancy:

https://pluralistic.net/2023/06/15/paid-medical-disinformation/#crisis-pregnancy-centers

The commercial surveillance industry fuels SWATting, where sociopaths who don't like your internet opinions or are steamed because you beat them at Call of Duty trick the cops into thinking that there's an "active shooter" at your house, provoking the kind of American policing autoimmune reaction that can get you killed:

https://www.cnn.com/2019/09/14/us/swatting-sentence-casey-viner/index.html

There's just a lot of ways that compiling deep, nonconsensual, population-scale surveillance dossiers can bring safety and financial harm to the unwilling subjects of our experiment in digital spying. The wave of "business email compromises" (the infosec term for impersonating your boss to you and tricking you into cleaning out the company bank accounts)? They start with spear phishing, a phishing attack that uses personal information – bought from commercial sources or ganked from leaks – to craft a virtual Big Store con:

https://www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/common-scams-and-crimes/business-email-compromise

It's not just spear-phishers. There are plenty of financial predators who run petty grifts – stock swindles, identity theft, and other petty cons. These scams depend on commercial surveillance, both to target victims (e.g. buying Facebook ads targeting people struggling with medical debt and worried about losing their homes) and to run the con itself (by getting the information needed to pull of a successful identity theft).

In "Consumer Surveillance and Financial Fraud," a new National Bureau of Academic Research paper, a trio of business-school profs – Bo Bian (UBC), Michaela Pagel (WUSTL) and Huan Tang (Wharton) quantify the commercial surveillance industry's relationship to finance crimes:

https://www.nber.org/papers/w31692

The authors take advantage of a time-series of ZIP-code-accurate fraud complaint data from the Consumer Finance Protection Board, supplemented by complaints from the FTC, along with Apple's rollout of App Tracking Transparency, a change to app-based tracking on Apple mobile devices that turned of third-party commercial surveillance unless users explicitly opted into being spied on. More than 96% of Apple users blocked spying:

https://arstechnica.com/gadgets/2021/05/96-of-us-users-opt-out-of-app-tracking-in-ios-14-5-analytics-find/

In other words, they were able to see, neighborhood by neighborhood, what happened to financial fraud when users were able to block commercial surveillance.

What happened is, fraud plunged. Deprived of the raw material for committing fraud, criminals were substantially hampered in their ability to steal from internet users.

While this is something that security professionals have understood for years, this study puts some empirical spine into the large corpus of qualitative accounts of the surveillance-to-fraud pipeline.

As the authors note in their conclusion, this analysis is timely. Google has just rolled out a new surveillance system, the deceptively named "Privacy Sandbox," that every Chrome user is being opted in to unless they find and untick three separate preference tickboxes. You should find and untick these boxes:

https://www.eff.org/deeplinks/2023/09/how-turn-googles-privacy-sandbox-ad-tracking-and-why-you-should

Google has spun, lied and bullied Privacy Sandbox into existence; whenever this program draws enough fire, they rename it (it used to be called FLoC). But as the Apple example showed, no one wants to be spied on – that's why Google makes you find and untick three boxes to opt out of this new form of surveillance.

There is no consensual basis for mass commercial surveillance. The story that "people don't mind ads so long as they're relevant" is a lie. But even if it was true, it wouldn't be enough, because beyond the harms to being our authentic selves that come from the knowledge that we're being observed, surveillance data is a crucial ingredient for all kinds of crime, harassment, and deception.

We can't rely on companies to spy on us responsibly. Apple may have blocked third-party app spying, but they effect nonconsensual, continuous surveillance of every Apple mobile device user, and lie about it:

https://pluralistic.net/2022/11/14/luxury-surveillance/#liar-liar

That's why we should ban commercial surveillance. We should outlaw surveillance advertising. Period:

https://www.eff.org/deeplinks/2022/03/ban-online-behavioral-advertising

Contrary to the claims of surveillance profiteers, this wouldn't reduce the income to ad-supported news and other media – it would increase their revenues, by letting them place ads without relying on the surveillance troves assembled by the Google/Meta ad-tech duopoly, who take the majority of ad-revenue:

https://www.eff.org/deeplinks/2023/05/save-news-we-must-ban-surveillance-advertising

We're 30 years into the commercial surveillance pandemic and Congress still hasn't passed a federal privacy law with a private right of action. But other agencies aren't waiting for Congress. The FTC and DoJ Antitrust Divsision have proposed new merger guidelines that allow regulators to consider privacy harms when companies merge:

https://www.regulations.gov/comment/FTC-2023-0043-1569

Think here of how Google devoured Fitbit and claimed massive troves of extremely personal data, much of which was collected because employers required workers to wear biometric trackers to get the best deal on health care:

https://www.eff.org/deeplinks/2020/04/google-fitbit-merger-would-cement-googles-data-empire

Companies can't be trusted to collect, retain or use our personal data wisely. The right "balance" here is to simply ban that collection, without an explicit opt-in. The way this should work is that companies can't collect private data unless users hunt down and untick three "don't spy on me" boxes. After all, that's the standard that Google has set.

If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2023/09/29/ban-surveillance-ads/#sucker-funnel

Image: Cryteria (modified) https://commons.wikimedia.org/wiki/File:HAL9000.svg

CC BY 3.0 https://creativecommons.org/licenses/by/3.0/deed.en

#pluralistic #commercial surveillance #surveillance #surveillance advertising #ad-tech #behavioral advertising #ads #privacy #fraud #targeting #ad targeting #scams #scholarship #nber #merger guidelines #ftc #doj

286 notes · View notes