Privacy and Online Ads

Without ads monetizing the content of public computer networks, a service that is now low cost would be much more expensive. I’m willing to accept that. But there is something sinister in the online ad business.

Today, “monetize” usually means to change something that is popular in the digital world into a money-maker for someone. Online ads monetize most of what we think of as the internet. Google makes most of their money from online ads as does Facebook. Amazon makes their money from selling things, but their online ads are a crucial part of their business plan.

The ad business has changed

Remember “banner ads”? A seller like Rolex will be glad to pay a premium for a banner ad on a site like the New Yorker that has wide circulation and a good reputation among people with money to spend on luxury watches.

But the banner ad is an endangered species from the age of paper advertising. It is based on high-end, intelligent marketing that made many careers in the 20th Century. But no longer.

21st Century digital advertisers have facts. Traditional marketers knew that New Yorker readers were affluent and well-educated, but they were short on specifics on who was buying and why. Digital marketers today can tell you who sees an ad, how often viewers click on an ad, and, for digital sales, how often they spend money. And they know the age, location, income bracket, and browsing habits of most potential customers. They can target ads to the most likely customers and know exactly how the ads perform.

How do online ads work?

Traditionally, a big city daily newspaper could charge more for their ads than a community weekly because a seller could expect more people to see an ad in the big city daily and act on the ad. Sellers measure the effectiveness of ads by “return on investment” (ROI). If a seller invests $50 in an ad in a community fish wrapper and sees a $100 increase in sales, they get a 200% return ($100 return/$50 investment = 200%). Sometimes a low-cost ad has better ROI, usually not.

Some businesses occasionally use advertising to improve their image or convey information, but the everyday advertising goal is ROI, using ads to make more sales. The lure of digital advertising is that digital advertising can be fine-tuned to increase ROI by reducing costs and increasing returns.

Digital advertisers can count how many times the ad was seen (impressions) and was followed (clicks). If the transaction is digital, they can count the number of times the ad resulted in a sale. Traditional paper advertising only knows how many copies of the ad were circulated, not how often the ad was seen and only generalities about readers.

The network collects information on buyers that can be used to target advertising toward people likely to buy. For example, people who don’t have cars are unlikely to buy car polish. Therefore, car polish sellers can improve their advertising ROI by directing their ads to car owners and ignoring people without cars.

Who are the players in the online ad biz?

  • Customers. That’s you.
  • The ad publishers. Google, Facebook, Amazon, etc. Ad publishers put the ads in front of potential customers.
  • Ad networks and exchanges. The folks in the background who match likely buyers to sellers and maximize the vigorish. When you open a web page with slots for ads, the slots are often auctioned off to the highest bidder in milliseconds. The bidders use information about you to decide how much to bid. You may be familiar with some of these players like “DoubleClick” whose addresses flash by as you enter a site.
  • Ad agencies. Those waggish artists who think up cunning ads for the advertisers. These companies usually have bland names like “WPP Group.”
  • Data brokers. The vacuum cleaners that suck up data and sort it into a commodity they can sell to advertisers, ad agencies, networks, and exchanges. These are companies like BlueKai or LiveRamp, whom you may not have heard of.

Except for customers, the players are often combined. There are one-stop shops that combine all the functions and boutiques that specialize in a narrow aspect of the process.

The network never forgets

The data collected on buying habits has grown rapidly in the last few years. If you do something on the network, someone, somewhere, has taken a note. The more we use computer networks, the more data is amassed on us. “Big data” arose to process the mountains of accumulated data.

Today, electronic payment is common, and many customers get discounts by identifying themselves when they purchase. Consequently, grocery store managers may know more about your food buying habits than you do. They can use that information to offer the items you want, but they also use it to find and persuade you to buy more profitable items. They can appeal to habits you may not even know you have. Online sales are even more effective at collecting data on customers.

Although you may not enjoy being manipulated in this way, most people still choose to use payment methods that identify themselves and trade their phone number at the point-of-sale for reduced prices. A lot of people feel that the convenience of electronic payment and a reduced price are a reasonable tradeoff for subjecting themselves to manipulation by their sellers.

Why do online ads make me feel uneasy?

Using network habits to target ads is occasionally annoying. My grandfather died of colon cancer after a colostomy fifty years ago. Recently I wondered how those ugly colostomy bags had changed. I searched online. What a mistake! I still occasionally get an ad for disposable bags in cheery prints.

Creepy, yes, but not threatening. I, thank Heavens, am not remotely likely to purchase a colostomy bag according to my gastroenterologist. The sellers have made a mistake, but it only costs them a few cents and they certainly get a worthwhile ROI on their ads, winning the numbers game. And I get annoying ads. Nothing to lose sleep over.

Misuse of personal profiles

But let’s change the story some. Suppose you looked up alcoholism treatment out of curiosity. And the user of your profile was not an alcoholism treatment center selling their services, but an investigative agency running a check for a potential employer to whom you sent an application. Maybe the job was important to you and you were well-qualified, but your application was tossed on the first round because you were flagged as an alcoholic.

Do you see how the situation changed? A seller looking at ROI doesn’t grudge a fried fig for a few ads sent to the wrong place. A loss of a few cents to misdirected ads is nothing compared to all those colostomy bag sales. But you lost a job that you may have wanted, even needed, badly. And the potential employer lost a brilliant prospect. This happens when a personal profile is used in a scenario where much harm can result from inferences that are perfectly valid in other circumstances.

The danger is that the profiles will be applied wrongly when they are harmless and useful in most circumstances. That is sinister.

Equifax Dumpster Fire

Brian Krebs called it a dumpster fire, and I agree. I can’t add any facts to Krebs’ report on the Equifax breach. It happened, and it is bad. The current number of people said to be affected is 176 million and I doubt that number is final. Equifax’s response has not been good.

Self-dealing response

First, there was a long delay between discovery of the breach and informing the public. The delay gave several Equifax insiders an opportunity to dump shares before the inevitable fall in Equifax stock prices. More on that below.

Second, the response has been weak and possibly self-dealing. Equifax is offering a free year of credit monitoring. Many experts, including Krebs and myself, feel that an individual can do a better job of monitoring their own credit than any service if they are willing to make the effort. Credit monitoring is simply watching your accounts for unexpected activity. The services use algorithms to detect unexpected activity, but you know what is happening on your accounts better than any algorithm and you are more likely to catch something out of order than the service. But you have to review account activity frequently— daily is great, weekly is good, monthly at a bare minimum.

The nasty part of the Equifax response is that it is only for a year. The data that was stolen will be useful to crooks for years, perhaps decades. The offer, at least at this writing, is only for a year and they will start to bill you when the year is up. Yes, Equifax’s credit monitoring service may have a windfall of new paying customers a year from now.

Just a bit self-serving, wouldn’t you say?

Potential for mayhem

The credit reporting services (Equifax, TransUnion, Experian, and Innovis) collect data on credit activity and assign individuals credit ratings that your creditors use to decide risks and rates for extending credit to you. If you have a credit card, buy on credit, or have a mortgage, you have a credit rating with the reporting services and they have your data. You don’t send the information to the service, your creditors do. An individual has little control of the data collected by these services. To protect yourself, you should request a credit report at least once a year and check it for accuracy. You might find, for example, that your credit rating has been dinged because a creditor neglected to report that you paid your bill. Honest mistakes happen, and it is up to you to get them corrected.

The point here is that the data is collected without your approval. Credit ratings are not “opt in.” In fact, you can’t opt out. In my opinion, that places extra responsibility on the credit reporting services to keep the data accurate and private, although credit reporting services are largely unregulated. From the reports I have seen on the breach, Equifax was not following best security practices and I am not surprised that hackers got in. That is bad. I do not expect the picture of the extent of the breach to be complete for weeks or even months to come.

This breach could force the entire credit industry to change its practices. Certainly, this is a warning shot across the bow to the other credit reporting services. The data that was stolen (names, addresses, phone numbers, credit card numbers, and driver’s license and social security numbers) is everything a criminal needs to steal your identity, rack up phony credit purchases, and file a fake tax return in your name. Who knows what other damages the dark side will hatch from this treasure trove? The potential for mayhem is staggering, and the public outcry could equal that over the Enron debacle or the junk mortgage bubble, both of which inspired new regulations that changed corporate governance.

Insider trading and Sarbanes-Oxley

Now back to accusations of insider trading. I have no idea what the insiders knew or did not know, but I have some familiarity with the Sarbanes-Oxley Act which assigns criminal liability to corporate executives and officers who neglect critical security controls. The act, often called SOX, was in response to the Enron collapse of 2001. One of the security controls that SOX often demands is rapid notification of executive management of critical security lapses. If SOX applies, the corporate insiders who dumped their stock could face jail time for not knowing about the breach as soon as it was detected. If they knew about the breach, they are guilty of insider trading. If they didn’t know, they are in violation of SOX. This is something for the SEC to sort out. I find it hard to believe that they were that benighted, but the possibilities for negligence surrounding this event are goggling.

Advice

Krebs recommends that everyone should put a security freeze on their credit reports from each of the big four. I agree, but I also caution that a security freeze is a hassle; you must temporarily unfreeze and refreeze whenever you want to get a loan or open a new line of credit, but it does stop some of the most devastating attacks. Nevertheless, a freeze is not complete protection. You still must keep a hawk eye on your accounts, get your tax returns in early, and monitor your credit rating reports. That does not guarantee you won’t be hit, but it will make you safer than most.

Service in Business, Computing, and the Cloud

I am a longtime enthusiast of the IT Infrastructure Library (ITIL). I was first introduced to ITIL in the mid-nineties by a support architect from the Netherlands. Their practices seemed overly complex, but I was pleased to see that the ITIL approach to service desk management was similar to the methodology built into the Network Management Forum trouble ticketing standard that I had worked on a few years before.

Business Services

ITIL places a heavy emphasis on managing IT as a system of services. Service is an important concept in both business and computing architecture. In business, a service comes into being when a buyer purchases an action, often contrasted with a transaction in which the buyer purchases goods, i.e. things. Hence the phrase “goods and services.” An important part of the notion of “service” in business is that services always have a buyer and a seller. There are always two participants in the transaction. I can wash my clothes myself, or I can purchase laundry service from a laundry. When I wash them myself, it is just me grabbing a box of detergent. When I subscribe to a laundry service, it is me and the laundry.

In an IT department, I can acquire help desk software, hire support analysts and managers, and run my own help desk, or I can subscribe to a help desk service. This is exactly like choosing to subscribe to a laundry service. In both cases, I have decided to have something done for me instead of doing it myself. This is a business decision, not a technical decision, although deciding between building a help desk or subscribing to a service involves a choice between technologies.

Software Services

I can do the same thing in software. Suppose I want to perform arithmetic calculations in a program. I could write a function to do it. Or I might find a library with a function to link into my program. In both cases, my program would be doing the calculation on my machine. Alternatively I could use a different software architecture and call the Google calculator web service. If I chose the service, my program would become a consumer of a Google cloud service and the calculation would be done in one of Google’s warehouse scale computers. I could choose to call Google’s REST API or SOAP API, but no matter which I chose, my program would still be a consumer of Google’s service.

Cloud Services

Cloud computing is based on a great divide between consumers and providers, both in a business and a programmatic sense. A great divide between customers and vendors can lead to conflicts and severed relations, but the divide between consumers and providers is division by choice for more efficient allocation of resources and may well result in improved relations.

Managerial and Functional Interfaces To Services

In writing Cloud Standards, I spent more time than I expected working on a good description of the distinction between functional and managerial interfaces to services. I referred to management and functional interfaces recently in a blog on the CA Cloud Storm Chasers site. I’ll say a little more here.

Functional versus managerial are clearly separate in my head, but stating the difference succinctly is not so easy. I’ve got it down to “a managerial interface manages the delivery of a service to the consumer and a functional interface delivers the service functionality.” I say much more about it in the book.

Distinguishing functional from managerial is important because standardization of managerial interfaces plays differently than standardization of functional interfaces.

Word processing functional interface

There is no limiting or predicting functional interfaces as they change and respond to technology and consumer taste. For at least a decade, word processors sported a narrow strip menu on top of a big more-or-less WYSIWYG (What You See Is What You Get) entry pane. There were minor variations between the contenders, but that was what a word processor looked like.

If it isn’t broke, don’t fix it, right?

So what did the leading word processor development team do to their 2007 version? They switched to a ribbon menu at the top. Not a big change, but enough to generate confusion and grumbling from experienced users. New functionality? Not much. I certainly uttered a few choice words about gratuitous change when the CA IT department installed a copy on my work laptop. But that’s the way with functional interfaces. Somebody always has a sleeker, jazzier idea.

And that is as it should be. A few years later, I am used to the ribbon and have grown to prefer it. When I switch to an open source word processor on Linux, I miss that once-hated ribbon. Redmond scores! I hope the ribbon is not tied up tightly in patents because I want the open source word processors to adopt it. Then I can install a ribbon menu word processor on my Linux boxes.

Managerial interfaces

Management interfaces are different. Often they are APIs. They tend to change only when technology changes and they are often held in line by standards organizations that intentionally tamp down variations that do not confer clear benefits. This prevents unnecessary breakage of other applications that use the managerial interfaces. We are less likely to see the equivalent of an apparently quixotic change to ribbon menus on the managerial side.

Distinguishing functional from managerial encourages both innovative functionality and stable integration. It makes life easier for everyone.