Targeted Marketing Considered Harmful

I’m concerned that the trend of monetization on the Web and in the Android ecosystem is overwhelmingly based on marketing revenue for free services. In these transactions, the product is not the app or website. You are the product being sold. The product you use is the bait to aggregate a lot of attention on the advertising that is sold and displayed through the app or website. The more information the tech company that is offering the free service knows about you, the more precisely they can target advertisements and the larger fee they can command for impressions.

This is bad for us as users.

I’m not particularly concerned about privacy today. Not yet. There may come a day when passive data about your online behavior informs things like what insurance or jobs you are eligible for. That’s not the problem I’m talking about. I’m concerned about something more insidious. What if the marketing works?

In fact, I’m sure that it does work. In order for this model of free services with advertising to work out financially, the cost of the service must be vastly smaller than the cost of the products you buy because of the marketing. Otherwise, the companies doing the marketing would not see a return on investment (ROI) commensurate with the cost of placing the advertising. The fact is, ad-supported services exist because the value of what you purchase due to being exposed to the advertising is far, far greater than the cost of the service in the first place.

The basic premise of advertising is to sell you something that you would not otherwise have purchased. It works by making you want something you didn’t want before. In other words, it affects your well-being and happiness. Because you want this new thing, you are less happy until you buy it.

The basic transaction of a free, ad-supported service is not trading “your attention for a free service” as suggested by Leo Laporte. The transaction is that you are trading your sense of well-being and (in aggregate) your money – indirectly – for a free service. In aggregate, this is a significant effect but we don’t notice because we are constantly bombarded with advertising. The better and more targeted the advertising, the worse it is. The assertion that more targeted advertising is better for both advertiser and recipient is totally wrong. It’s better for the advertiser and worse for the recipient because it is more effective at making you want the thing and therefore less happy with what you have and who you are today.

I noticed this for the first time when I returned to the US from Africa after Peace Corps where I was exposed to essentially zero advertising. I have found that I have been able to greatly reduce stress and anxiety in my own life by doing simple things to limit my exposure to advertising – the most basic was deciding to eliminate cable and broadcast television 12 years ago. We still enjoy TV shows but we buy them on DVD or Amazon streaming which are both essentially ad-free platforms. In general, I prefer freemium services like Flickr or outright pay-for services and apps because the relationship that I want is to be the customer and not the product. With the exception of digital periodicals like the Economist and NY Times apps, pay-for services are almost exclusively ad-free. That makes sense because the user is the customer not the product.

I think it’s high time the Internet business community comes up with some new and better strategies for monetization than tracking and ever more targeted advertising. Ad-supported is not purely benign. It’s a strategy that turns your users into your product. It puts internet companies in the business of ever more invasive profiling of their users. The pressure to aggregate data about users inevitably leads to breaches of trust and repeated bad press. After a sufficient kerfuffle, governments get involved and will start imposing regulations. Ultimately, it’s a very dangerous game.


How to Infuriate Your Custom Software Client in Three Easy Steps

My wife just asked me to take a peek at a database application that her organization had custom developed using a local Ghanaian consultant, “Andy”. They have some issues with excruciatingly slow reports and an arduous data cleaning workflow that involves exporting to Excel to find errors and then picking through screens to fix them in the software. The application is a WAMP stack web app running standalone on a single analyst’s Windows desktop, and the data set is pretty small. They need a much more efficient batch data access mechanism and they need to be able to run ad-hoc queries from time-to-time without signing a new support agreement to have additional features baked into the system. It is a custom-built system that was bought and paid for over a year ago.

My idea was to set up MySQL Workbench so that they could do some back-end data cleanup in a spreadsheet-style view of the data tables. This would also allow them to issue ad-hoc SQL queries so that they can respond quickly to requests to slice-n-dice their data in new and interesting ways. Unfortunately, it turned out to be not so easy because Andy has done everything in his power to lock his clients out of the data system they paid him to develop.

#1: Gratuitously Encrypt the Source Code

Despite having been contractually obligated to provide complete source code, Andy encrypted the entire application with SourceGuardian. This is deeply uncool to do to a pure custom software consulting client and also an explicit breach of Andy’s terms of reference. Furthermore, the application is 99% PEAR PHP modules. It’s just a login to an Access-like switchboard with what appears to be one data entry screen per table and one export-to-CSV per table. Most of what is encrypted is PEAR modules and just a handful of PHP scripts for the data entry screens.

#2: Hold Your Client’s Data and Configuration Hostage

Andy the Consultant set up the WAMP stack on the Windows box and installed the application. He did not give anyone the root password for MySQL. Among the pile of encrypted PHP is the uselessly named config.php, which probably has the database connection string in it and, if not there, in one of its siblings. There’s no way to know a priori if Andy has created an account for the application or if his application is using the root account without resetting the root account experimentally and seeing if it breaks the app.

#3: Refuse Access to Both Source Code and Data

My wife called Andy to get the MySQL root password and he refused, citing professional IT ethics and a technicality of the reporting structure of his contractual agreement: to wit, my wife is the project deputy director but Andy is a second-tier subcontractor so his agreement is technically with a subcontractor working for my wife’s company and hence it is unethical to release any information directly to the management of the company overseeing said subcontractor. What?!

This is egregiously forced lock-in. The data and source code are hostage to the whim of the development consultant who has made himself irreplaceable as long as the data has value.


There is an effort underway to apply some Ghanaian social pressure to Andy as well as the implied threat that he is risking freezing himself out of the USAID and foreign donor market in general. That said, as an owner of a software company that does commercial custom development, I myself am deeply offended. Even if Andy had an agreement where his entire work product remained proprietary there is just no circumstance I can envision in which it is ethical to lock up a customer’s data.

In any case, this data isn’t going to stay locked up. If Andy doesn’t cough up the MySQL password, I’m just going to capture it out of the raw packet frames using RawCap and open the resulting capture in Wireshark to take advantage of the built-in MySQL protocol filters.

Don’t Let this Happen to You

Word to the wise. When having custom software work done—especially in an emerging market context—you need some Independent Verification and Validation that you got what you paid for because you have very little leverage over your consultant after he has been paid.

Bruce Schneier: U.S. enables Chinese hacking of Google

Notable cryptographer and security expert Bruce Schneier has a new essay up at CNN.

In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.

This problem isn’t going away. Every year brings more Internet censorship and control, not just in countries like China and Iran but in the U.S., the U.K., Canada and other free countries, egged on by both law enforcement trying to catch terrorists, child pornographers and other criminals and by media companies trying to stop file sharers.

The problem is that such control makes us all less safe. Whether the eavesdroppers are the good guys or the bad guys, these systems put us all at greater risk. Communications systems that have no inherent eavesdropping capabilities are more secure than systems with those capabilities built in. And it’s bad civic hygiene to build technologies that could someday be used to facilitate a police state.

Read the entire article at This essay is a follow-up to a previous Schneier essay, “Technology Shouldn’t Give Big Brother a Head Start”.


Schneier is the inventor of the Blowfish and Twofish block cypher algorithms as well as the Solitaire cypher used in Neal Stephenson’s Cryptonomicon. Twofish was a finalist to become the NSA’s advanced encryption standard (AES) but ultimately lost the competition to Rijndael.

Barack’s people are tracking clicks

Emails sent by Barack Obama’s people often have URLs in them.


That’s fine but Mr. Obama’s people use a phishing technique where the link displayed is not the real link. My mail reader converts the emails to plain text by default, so it is obvious.


The text “” is actually linked to some obscure URL at This URL probably encodes information about the page to display as well as my identity. It is almost certainly there so that the people running can track my behavior if I were to click this link.

This is nothing new. Mr. Obama’s people have been doing things this way since the campaign and it is a common technique for tracking the behavior of people in email marketing campaigns. It has always bugged me, though, that Barack Obama does this.

Facebook is utterly untrustworthy

Here are a few things to consider before putting any of your data into Facebook:

  1. Under the aegis of “we’re making some changes to give you more control,” Facebook is taking advantage of standard user click-through terms of service behavior to make your profile data public. (via Jason Calacanis)
  2. Whenever you take a Facebook quiz or use a Facebook plugin game, everything in your profile is available to the publisher of the quiz or game. Further, everything in the private profiles of all your friends is available to the widget publisher as well. The data collected by the publisher can be sold, resold or released in any way the publisher of the quiz or widget chooses. (via ACLU)
  3. The privacy controls in Facebook are deceptive and there is no way to opt out of sharing private data with Facebook apps. (via Electronic Frontier Foundation) Also, there is no screening process required for app developers. Anyone with a Facebook account can be an app developer.

Why would Facebook leak its users’ private data in this way? Well, they may be incompetent but it is not a compelling argument since they have built the world’s largest social network. The other possibility is that they want to convert the data in their systems into money. The leaking of private profile data to app publishers makes Facebook a wonderful platform for targeted marketing. It is particularly insidious because your data can be leaked even if you yourself are very careful but any of your friends uses any Facebook app.

Similarly, Jason Calacanis points out that the more data that is public on Facebook, the more it can be indexed by Google, Bing and Yahoo! to drive search traffic to Facebook. That traffic is monetized by selling ads.

Facebook shows an astonishing disregard for the privacy of its users. It appears to believe that its membership is too stupid to notice or care about the way that it is abusing their private data. It is amazing because the original value proposition of Facebook over MySpace was that Facebook had privacy controls. Clearly Facebook is not concerned with keeping its users’ data private. They are concerned with monetizing Facebook in advance of their IPO.

Perhaps it is time to send Facebook a message and delete your account.

Of course, you still have to trust Facebook to actually delete your data and they are utterly untrustworthy.
