blog: Don Marti


banning surveillance advertising

23 January 2022

(update 21 Mar 2022: Add another link, edit down and simplify)

(update 26 Jan 2022: Add links, edit some material on subsection b)

New bill in Congress: the Banning Surveillance Advertising Act of 2022. Ambitious goal. May not get far this Congress, but it's good to have a destination in mind. As Allison Schiff wrote on AdExchanger, "Even If Targeted Online Advertising Isn’t Banned – Take Note Of Which Way The Wind Is Blowing." Remember, it took the EPA 23 years to get to the (almost) Final Step in Phaseout of Leaded Gasoline.

We can ignore the first round of industry group freakouts over the bill. It's unrealistic to play the "bad for small business" card this early. Even though a lot of small businesses use surveillance ads today, legit small businesses could end up better off after a ban if they don't have to keep playing negative-sum games against scammers trying to pick off their customers. Hard to predict the impact of any policy change on any advertiser until you know what they're contending with in the existing system. (Yes, the 1971 ban on cigarette ads on TV seems to have had two effects: a short-term increase in profits for all tobacco firms, and an increase in concentration of profits for the largest brands. However, the cigarette market was essentially all legal product vs. legal product competition, and not a single market including both honest and deceptive advertisers like today's social media advertising.)

A surveillance ad ban won't make people buy less stuff, but in the absence of surveillance ads, different gatekeepers will be more important. The big, obvious winners from a surveillance ad ban would be SEO, content marketing, affiliate programs, and search advertising. If you can't find Kevin, you have to make yourself as findable as possible when he tries to find you.

Another set of winners in the post-surveillance-advertising economy will be niche content sites, especially sites that cover shopping-friendly content categories (like travel, fashion, and home improvement) and sites that run product reviews and buyers' guides. Shopping help forums on general-interest sites, like /r/buildapc, will be more and more important for marketers to keep up with, and niche retailers with a curated selection will get a new amplification role in some categories. Measuring the effectiveness of non-surveillance advertising requires different skills, so that's an opportunity for some kinds of research firms. A not-so-surprising winner when you think about it will be multi-level marketing. MLM spreads person to person.

So is surveillance advertising going to take as long to get rid of as leaded gas did? Personally, I don't think so. The winners from the leaded gas ban were numerous but dispersed: people who live near a lot of motor vehicle traffic and people who might be crime victims. The leaded gas ban created no localized near-term big winner businesses, but there will be some for a surveillance ad ban. Expect a second round of industry group comments as the companies that will win from a ban get involved.

Time to look at some specific issues in the bill. Some suggestions.

Remove or limit the Custom Audiences exception. Subsection (b) has some language on Custom Audiences that provides some protection but not enough.

Paragraph (1) does not apply to the targeting of the dissemination of an advertisement based on information described in clauses (i) through (iv) of subparagraph (B) of such paragraph that is provided to an advertising facilitator by an advertiser or by a third party on behalf of an advertiser, if the advertising facilitator is provided a written attestation that the advertiser is not in violation of subsection (b) with respect to such information.

This is interesting in principle, but has a negative space problem. The larger a platform gets, and the more Custom Audiences it receives from more advertisers, the more that users can be targeted just based on which Custom Audiences they're not in. Even if no single advertiser's Custom Audience reveals membership in a protected class, the platform will be able to infer membership if it has enough lists of non-members.

For example, Facebook has an internal cascade of classifiers that use inputs from multiple sources to place both scam and non-scam ads. This placement decision happens per ad impression, in real time. As Facebook gets lists of finance publication readers and accredited investors as Custom Audiences, not only do the legit advertisers get the ability to target their audiences on Facebook, the system learns how better to match the precious metals scams with the most vulnerable targets. The Facebook database does not have to store a list of vulnerable targets for a scam. Vulnerable people receive the scam ads as the result of an on-the-fly decision, as the inevitable effect of not receiving the ads intended for members of the well-informed Custom Audiences.

Large platforms that receive lists of people who work in healthcare, or are interested in legit health content, end up targeting users with limited health knowledge for health-related disinformation. Well-intentioned NGOs, by using Custom Audiences listing their informed supporters and donors, are unavoidably helping to place disinfo and scam ads for the other side.
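The negative space inference described above, as an added sketch that is not from the original post or from any platform's code: a constructed population carries a hidden `vulnerable` flag, and advertisers upload lists that contain only well-informed users. The population size, list sizes, seed and function names are assumptions chosen for illustration.

```python
import random

def build_population(n=1000, vulnerable_every=10):
    """Constructed users: id -> hidden 'vulnerable' flag the platform never stores."""
    return {uid: uid % vulnerable_every == 0 for uid in range(n)}

def upload_custom_audiences(population, n_lists, list_size, seed=1):
    """Each advertiser uploads only well-informed users (for example, its own readers)."""
    rng = random.Random(seed)
    informed = [uid for uid, vulnerable in population.items() if not vulnerable]
    return [set(rng.sample(informed, list_size)) for _ in range(n_lists)]

def negative_space(population, audiences):
    """Users who appear in none of the uploaded lists."""
    listed = set().union(*audiences)
    return set(population) - listed

def leakage_curve(population, audiences):
    """(lists seen, share of vulnerable users in the negative space) per step."""
    curve = []
    for k in range(len(audiences) + 1):
        rest = negative_space(population, audiences[:k])
        hits = sum(population[uid] for uid in rest)
        curve.append((k, hits / len(rest)))
    return curve

if __name__ == "__main__":
    pop = build_population()
    lists = upload_custom_audiences(pop, n_lists=8, list_size=270)
    for k, share in leakage_curve(pop, lists):
        print(f"{k} lists -> {share:.0%} of unlisted users are vulnerable")
```

No uploaded list names a single vulnerable user, yet every one of them stays in the unlisted remainder while that remainder shrinks, so a per-list attestation says nothing about what the combined lists reveal.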

A law that addressed some older ad targeting practices while leaving Custom Audiences as an alternative could easily do more harm than good. And from a communications point of view, a Custom Audiences exception is confusing. Personally, the first question I generally get about any privacy law or tool is, "Will this keep (some company) from sending my info to Facebook?" Leaving an exception for just that means that this bill is letting through not just some of the highest-risk surveillance advertising practices, but some of the least accepted.

A minor problem with subsection (b) is that all an advertiser needs to supply is a written attestation. There are a lot of sketchy Facebook advertisers who will sign a written attestation about anything, and advertisers who are advertising in one jurisdiction from another jurisdiction, making it hard to enforce the law against them. Makes no sense to let a big platform avoid accountability because of one possibly meaningless document.

Conversion tracking is similar to Custom Audiences, but sends one customer record at a time instead of a list batched together. The law has to apply fairly to both.

Figure out how to allow user-configured profiles. Some ad platforms allow users to limit the number of gambling or alcohol ads they see, or to set other ad preferences. As long as profiles (along with surveys, preferences, and similar features) that affect ad selection are clearly under user control, it makes sense to allow them. Best to let the pro-personalization users get what they say they want, and don't tell people that they can't choose to avoid ads for a product category they have a problem with.

An ad can be personalized but not surveillance if it's matched to the person receiving it based on information that the person intentionally supplied, knowing that it is being used for advertising, and with the option not to do it. This might be a reader survey, an "add this topic to my interests" button, or some other feature. The personalization section of the law will need some careful work, because there is a risk that a large platform could end up with too many non-members of protected classes with personalization turned on, causing legit advertisers to go for the personalizers and leaving the non-personalizers to the scammers. A trustworthy content site with a high response rate to its reader survey might be able to safely use profiles for ad placement while some larger, lower-trust sites might not.

In the future, some users might choose to have their browser share an interest profile with some sites they visit. If a browser team can make a profile sharing feature, and fairly convince some users to turn it on, there should be a way to make it legal. (Browsers sending profile identifiers to sites without the user's knowledge: still bad.)

Reform 47 U.S. Code § 230 to exclude surveillance advertising facilitators and providers of algorithmic social feeds from the definition of interactive computer service. This safe harbor was passed in the days of Usenet and simple mailing lists and web boards, which were interactive under control of the user or the user's manually maintained subscription and block lists. Safe harbor is appropriate for content hosting or store-and-forward, but it was never intended for the kind of active selection and promotion of messages that surveillance advertising firms do.

Phase the ban in. If small businesses take longer to adjust to technical changes, give them longer, just like the EPA gave small refineries additional time to phase out lead in the gasoline they produce. Smaller databases present less risk, and larger companies have more technical capacity to comply with a ban. Possibly apply the ban in year 1 to companies with 100 million or more records of PII, then 10 million or more in year 2, 1 million in year 3, and so on. By the time it gets down to a small company's list, post-surveillance tools and services will be well-tested and easy to switch to.

Running more productive CEO hearings

There are probably going to be committee hearings about all this at some point, but nobody wants another "I'll have my staff get the answer to that" hearing with minimally useful testimony from big platform CEOs. No CEO is going to be able to answer the important questions about how this stuff works in reality without preparation. Instead, please share some material in advance.

  1. Ask constituents for screenshots of scam ads, along with their identifying info and permission for the company that placed the ad to look up how they got the ad and discuss it with members of Congress and staff.

  2. Share a selection of scam screenshots and user info with the platform CEOs in advance. Let them know that you are going to ask, "How did this exact person end up getting this exact ad?" so that they can bring the answer to the hearing.

  3. When they're in the hearing, live, the answer will give you a better idea of how the system works.

Some work is still needed to figure out the possible loopholes in a surveillance ad ban, so it would be good to get some reformed surveillance advertising pros to go over it a bunch of times and game it out. I'm sure that I have only thought of a few parts of what needs to be done here.
