Cory Doctorow on the dysfunctional online advertising industry. The interesting thing here, which I didn’t really know but which makes sense, is the concept of the “ad counter”. Basically, because advertising click-fraud is so rife, ad-sellers don’t trust publisher stats on how often their ads have been seen. So they rely on third parties, the ad counters, to tell them. Of course, what “ad counters” really are, are commercial surveillance entities, though we tend to call them “data brokers”; basically, they track every single thing you do on the internet (or at least, on every page their widgets are embedded on, which are a lot), then sell that information to anyone who wants to buy it. This is, yanno, the sort of behaviour that causes civil wars when governments do it, but apparently when it’s done in the name of capitalism, it’s an a-okay business model.[1]

Incidentally, Doctorow’s “solution” to this problem, the idea of having some kind of non-data-gathering TTP (trusted third party) to replace the ad counters, is a terrible one. Like, worse even than the problem. TTPs are a thing that comes out of the crypto world, and the thing you need to know about crypto is that it’s like 99% populated by people who love pure mathematics so much they wouldn’t know human behaviour if they tripped over it. Which is why nearly all vulnerabilities in cryptosystems have to do with human behaviour, specifically with human behaviour varying from the mathematical models needed to make crypto work in the first place.[2]

Crypto sucks, in other words, and TTPs are a symptom of that suckage. There are situations where they do or can work, but then there are things like public Certificate Authorities. What Doctorow is proposing is essentially a CA for ad clicks, and that’s… yeah, nah bro. The PKI of pretty much the entire internet–specifically, the stuff that powers HTTPS, or that green padlock you get in your browser sometimes–is uselessly broken because CAs are run by humans and humans are terrible.[3] And Doctorow thinks we should replicate this system, but with advertising? C’mon.

I mean, I guess he needs the second half for his problem-solution essay, so whatever. Guy’s gotta pay the bills. But… ugh.

  1. Actually, this isn’t true: it’s an a-okay business model in the United States, because the US has fucked-up privacy laws. In other countries that don’t, notably the EU, this behaviour is illegal, and there are, in fact, currently court cases going on about it. If you’ve ever seen a website that gives you one of those “guh, EU law says we have to tell you we use cookies how lame amirite” banners? Yeah, this is actually what that’s about; trying to get some kind of transparency on sites that sell your personal data, for money, without your consent.
  2. Compared to shitty human implementations, actual mathematical vulnerabilities in crypto are pretty rare, and mostly have to do with current computational power exceeding the expectations of whoever designed any one particular algorithm like thirty-plus years ago.
  3. Case in point, answer me this: what is SSL/TLS actually designed to do? If you answered “encryption” or “privacy” or “protect my information”, bzzt! wrong. And also, congratulations! You’ve either been duped by hacks who don’t know squat about INFOSEC, or are such a hack yourself. The first I can forgive. The second, go take a bootcamp or something and stop fucking up the internet.