blog: Don Marti


bringing in the email harvest

24 October 2021

(This is rough, still trying to figure this out. Based on a thread in a surveillance marketing forum.)

Here's a surveillance marketing problem: some company gets a web site visitor, but can't identify them. They want to target the same person with Facebook ads or email spam.

For the company, one solution is to put some third-party JavaScript on the page that generates an email address for an anonymous visitor. Examples:

  • LeadPost leverages a network of match providers to convert your anonymous bounces into actionable leads. All lead data includes fully verified name, address and email and may be used for unlimited marketing purposes.

  • GetEmails offers Anonymous Website Visitor Identification, best explained in their video, How it Works In the Kitchen. We hash the email addresses in the huge f'n database, we then match the hashed email addresses in the cookies to the hashed email addresses in the big f'n database, and we pass you a record. It is magic.

There's a book about this technique, by Adam Robinson, founder of GetEmails. Permission (Sh)marketing: How the world's fastest-growing companies legally retarget website visitors using email without permission (and how you can too).

On the identification side, we could use existing technology to identify up to about 35 percent of US traffic. On the data side, we could compile an enormous list of third-party opt-ins through business developement with lead generation companies. We connected the two parts together, and lo and behold, it worked. Email-Based Retargeting was born.

This might be why I sometimes get completely inexplicable companies showing up as Advertisers using your activity or information in Facebook Ad Preferences. What if this happened?

  1. User A visits a web site with some email-finding JavaScript on it.

  2. Email-finding JavaScript misidentifies User A as User B.

  3. Company adds User B's info to their CRM system and uses it to send spam (generally, CAN-SPAM compliant email that is spam according to norms and reputable mail server ToSs, not spam according to US Federal law) to User B, and adds User B to a Facebook Custom Audience (not a Website Custom Audience like they would have gotten by using the Facebook pixel, a Customer List Custom Audience as if they had gotten the email with consent.)

The problem is: what happens if User B had Global Privacy Control turned on? The company would have picked up on it, and set the "Do Not Sell" flag to apply to User B's information, but User B didn't visit the company's site. User A did. So now User B sees their info in a place it shouldn't be, and the company is in CCPA trouble for mishandling the information of someone who never even came to their site.

Part of the solution seems to be for the third-party vendor to keep track of everyone they have seen a Global Privacy Control for on any site, and never return that person's info in step 2 above. But I'm not sure if this covers it. Anyway, this might just be more about what the heck is that company I've never heard of doing in Facebook Ad Preferences? than anything too significant.

Or I'm seeing those weird Facebook ads because the company just bought an old spam CD and made custom audiences out of that. Probably easier.

Researchers show Facebook’s ad tools can target a single user

How brands are getting tricked into advertising on The Daily Wire

‘Grab ‘em by the pageviews’: Growth hacking to nowhere

Adland is an island

The errors of efficiency

Democratic group poses as conservative PAC to block Youngkin support