blog: Don Marti


some ways that Facebook ads are optimized for deceptive advertising

29 December 2020

(updated 7 Jan 2021: added intermediary for Custom Audiences trick)

Why are there so many scam ads on Facebook? The over-simplified answer is that Facebook just doesn't have enough ad reviewers for the number of ads they get. Since basically anyone with a credit card can advertise, and advertisers have access to tools for making huge numbers of ad variations, then of course lots of scam ads are going to get through.

Facebook is also more attractive to scammers than other ad media. Deceptive advertisers already get more value from highly targetable ad media than honest advertisers do, because targeting gives the deceptive advertiser an additional benefit. Besides helping to reach possible buyers, a deceptive advertiser can also use targeting to avoid enforcers of laws and norms.

Understaffing and targeting are only parts of the story, though. Some of the deliberate design decisions that went into Facebook ads are making things easier for deceptive advertisers at the expense of users and legit advertisers.

Custom Audiences don't support list seeding. Until Facebook, every direct marketing medium has supported "seed" records, which look like ordinary records but get delivered back to the list owner or someone they know, so that they can monitor usage of the list. (I used them for a biotech company's postal and email lists, even though we never sold or shared the list. Just to be on the safe side.) Using seed records is a basic direct marketing best practice and deters people who might see your list from misusing it.

Facebook Custom Audiences are a way for scammers to use a stolen list without detection. Facebook Ad Settings lets a user see if they personally are in someone else's Custom Audience, but there's no way for a list owner to check if the seed records from their list ended up on one. Someone who steals a mailing list can sneak it into a new Custom Audience without getting caught by the list owner. Legit direct marketers who want to protect their lists would pay for the ability to use seed accounts on Facebook, but this functionality would interfere with Facebook's support for scam advertisers, so they don't offer it, or even allow anyone else to provide seed accounts. (A limited number of Test Users are allowed for app development, but these are not usable as seeds. Facebook uses the term "seeds" differently from the conventional meaning, to mean the starting names for a Lookalike Audience)

Users can be blocked from seeing the company that really controls the targeting lists that they're on. Suppost that a dishonest advertiser wants to use a California resident's PII, but they don't want to have to honor CCPA opt outs or register with the state. Facebook promises transparency and allows users to see who has uploaded their info.
But the dishonest advertiser can simply send the hashed versions of the PII on their list to an intermediary firm, and have that firm transfer the PII to Facebook. Now when someone who is on the list goes to "Advertisers using your activity or information" on Facebook, they see the name of the intermediary firm instead. Even if a bunch of people on the list do opt out, the deceptive advertiser's own copy of the list is intact. When they switch to a different intermediary firm later, there are no opt-outs associated with the list. This also seems to be a good way for extremely suspicious-looking advertisers to hide from people who might report or investigate them. If I check Facebook for exclusion lists used by scammers who think I might report them, I see only the name of a generic-sounding targeted ad company, not the actual dishonest Facebook page.

Ad Library helps hide deceptive ads when risk of discovery is high. Facebook's Ad Library is designed to show only "active" ads, those that are running this very minute. A deceptive advertiser using a trademark or a person's likeness without permission can simply turn their ad on and off based on when the victim is likely to be checking the Ad Library. For example, a seller of infringing knock-offs of a European brand can run the ads when European marketers, lawyers, and regulators are asleep but people in the Americas or Asia are awake and shopping. Ad Library makes it easier for scammers to copy honest advertisers than the other way around.

Independent crawling of ads is blocked by policy. On the web outside of "walled garden" environments, online ads can be crawled and logged by independent companies. This service is needed in order to check for malvertising and other problem ads. Inside the Facebook environment, however, independent checking on ads is prohibited. Facebook puts the goal of hiding problem ads ahead of facilitating the kinds of services that could help fix the situation.


It's not clear why a large company would choose to support deceptive advertisers. This decision might have to do with the fact that Facebook has lots of eyeball-minutes that are hard to sell to the legit market. As Bob Hoffman has been saying for a while, the ad business has a long-running problem of avoiding advertising to older people. Any online forum except the youngest and hottest is going to fill up with older users whose ad impressions are less valuable to marketers. Facebook could be making a short-term revenue-maximizing decision to try to monetize these users better by temporarily filling up the ad spots with scams, and only cleaning up bit by bit when they have to.

There are some lessons here for the rest of us. When designing new post-cookie ads for the web in general, though, it will be more and more important to avoid the kind of design decisions that Facebook has made. Facebook is highly profitable running deceptive ads today, but as a single company they can unilaterally change their system relatively quickly. All three items above would be small code or policy changes whenever they decide to cut down on scams. For the open web, fixes that need to involve code and business agreements from more companies would be harder.

Oracle’s Hidden Hand Is Behind the Google Antitrust Lawsuits

Anti-Facebook agitators see their moment under Biden

Facebook/Apple Spat

Nice Try, Facebook. iOS Changes Aren’t Bad For Small Businesses, by Dipayan Ghosh, Wired

A Sneak Peek at the Apple Feature That Keeps Facebook Up at Night

Facebook Managers Trash Their Own Ad Targeting in Unsealed Remarks

Google, Facebook Agreed to Team Up Against Possible Antitrust Action

Here’s How Shopping Scams On Facebook Are Ripping Off Thousands of Customers, With The Money Flowing Overseas

★ Facebook: Free as in Bullshit

The battle between Facebook and Apple over privacy is about more than just ads — it's about the future of how we interact with tech

Should There Be Limits on Persuasive Technologies?