Pluralistic: The surveillance advertising to financial fraud pipeline (29 Sept 2023)

Today's links

Hieronymus Bosch's painting 'The Conjurer,' which depicts a con artist playing a shell game with a bunch of gawping medieval yokels. The conjurer's head has been replaced with the menacing red eye of HAL 900 from Stanley Kubrick's '2001: A Space Odyssey.'

The surveillance advertising to financial fraud pipeline (permalink)

Being watched sucks. Of all the parenting mistakes I've made, none haunt me more than the times my daughter caught me watching her while she was learning to do something, discovered she was being observed in a vulnerable moment, and abandoned her attempt:

It's hard to be your authentic self while you're under surveillance. For that reason alone, the rise and rise of the surveillance industry – an unholy public-private partnership between cops, spooks, and ad-tech scum – is a plague on humanity and a scourge on the Earth:

But beyond the psychic damage surveillance metes out, there are immediate, concrete ways in which surveillance brings us to harm. Ad-tech follows us into abortion clinics and then sells the info to the cops back home in the forced birth states run by Handmaid's Tale LARPers:

And even if you have the good fortune to live in a state whose motto isn't "There's no 'I" in uter-US," ad-tech also lets anti-abortion propagandists trick you into visiting fake "clinics" who defraud you into giving birth by running out the clock on terminating your pregnancy:

The commercial surveillance industry fuels SWATting, where sociopaths who don't like your internet opinions or are steamed because you beat them at Call of Duty trick the cops into thinking that there's an "active shooter" at your house, provoking the kind of American policing autoimmune reaction that can get you killed:

There's just a lot of ways that compiling deep, nonconsensual, population-scale surveillance dossiers can bring safety and financial harm to the unwilling subjects of our experiment in digital spying. The wave of "business email compromises" (the infosec term for impersonating your boss to you and tricking you into cleaning out the company bank accounts)? They start with spear phishing, a phishing attack that uses personal information – bought from commercial sources or ganked from leaks – to craft a virtual Big Store con:

It's not just spear-phishers. There are plenty of financial predators who run petty grifts – stock swindles, identity theft, and other petty cons. These scams depend on commercial surveillance, both to target victims (e.g. buying Facebook ads targeting people struggling with medical debt and worried about losing their homes) and to run the con itself (by getting the information needed to pull off a successful identity theft).

In "Consumer Surveillance and Financial Fraud," a new National Bureau of Academic Research paper, a trio of business-school profs – Bo Bian (UBC), Michaela Pagel (WUSTL) and Huan Tang (Wharton) quantify the commercial surveillance industry's relationship to finance crimes:

The authors take advantage of a time-series of ZIP-code-accurate fraud complaint data from the Consumer Finance Protection Board, supplemented by complaints from the FTC, along with Apple's rollout of App Tracking Transparency, a change to app-based tracking on Apple mobile devices that turned off third-party commercial surveillance unless users explicitly opted into being spied on. More than 96% of Apple users blocked spying:

In other words, they were able to see, neighborhood by neighborhood, what happened to financial fraud when users were able to block commercial surveillance.

What happened is, fraud plunged. Deprived of the raw material for committing fraud, criminals were substantially hampered in their ability to steal from internet users.

While this is something that security professionals have understood for years, this study puts some empirical spine into the large corpus of qualitative accounts of the surveillance-to-fraud pipeline.

As the authors note in their conclusion, this analysis is timely. Google has just rolled out a new surveillance system, the deceptively named "Privacy Sandbox," that every Chrome user is being opted in to unless they find and untick three separate preference tickboxes. You should find and untick these boxes:

Google has spun, lied and bullied Privacy Sandbox into existence; whenever this program draws enough fire, they rename it (it used to be called FLoC). But as the Apple example showed, no one wants to be spied on – that's why Google makes you find and untick three boxes to opt out of this new form of surveillance.

There is no consensual basis for mass commercial surveillance. The story that "people don't mind ads so long as they're relevant" is a lie. But even if it was true, it wouldn't be enough, because beyond the harms to being our authentic selves that come from the knowledge that we're being observed, surveillance data is a crucial ingredient for all kinds of crime, harassment, and deception.

We can't rely on companies to spy on us responsibly. Apple may have blocked third-party app spying, but they effect nonconsensual, continuous surveillance of every Apple mobile device user, and lie about it:

That's why we should ban commercial surveillance. We should outlaw surveillance advertising. Period:

Contrary to the claims of surveillance profiteers, this wouldn't reduce the income to ad-supported news and other media – it would increase their revenues, by letting them place ads without relying on the surveillance troves assembled by the Google/Meta ad-tech duopoly, who take the majority of ad-revenue:

We're 30 years into the commercial surveillance pandemic and Congress still hasn't passed a federal privacy law with a private right of action. But other agencies aren't waiting for Congress. The FTC and DoJ Antitrust Divsision have proposed new merger guidelines that allow regulators to consider privacy harms when companies merge:

Think here of how Google devoured Fitbit and claimed massive troves of extremely personal data, much of which was collected because employers required workers to wear biometric trackers to get the best deal on health care:

Companies can't be trusted to collect, retain or use our personal data wisely. The right "balance" here is to simply ban that collection, without an explicit opt-in. The way this should work is that companies can't collect private data unless users hunt down and untick three "don't spy on me" boxes. After all, that's the standard that Google has set.

(Image: Cryteria, CC BY 3.0, modified)

Hey look at this (permalink)

A Wayback Machine banner.

This day in history (permalink)

#20yrsago Accenture puts Verisign in charge of US Internet voting

#15yrsago Olympics reach a new low: trademarking the Canadian national anthem and threatening lawsuits over competing uses

#15yrsago Philip Pullman on the futility and evil of banning books

#10yrsago No one harmed in Whac-a-Mole/Rock-a-Fire band warehouse explosion

#10yrsago Top UK cop calls for end to war on drugs, legalization of Class A substances

#5yrsago Twitter suspends academic who quoted feminist STEM research

#5yrsago Visualizing the relative evasiveness of Kavanaugh and Ford

#5yrsago A detailed anatomy of the hack that compromised Facebook's 50 million user breach

#5yrsago Facebook's spam filter blocked the most popular articles about its 50m user breach

#1yrago Porn on Tumblr is a complicated subject

Colophon (permalink)

Today's top sources: Naked Capitalism (

Currently writing:

  • A Little Brother short story about DIY insulin PLANNING

  • Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. FORTHCOMING TOR BOOKS JAN 2025

  • The Bezzle, a Martin Hench noir thriller novel about the prison-tech industry. FORTHCOMING TOR BOOKS FEB 2024

  • Vigilant, Little Brother short story about remote invigilation. FORTHCOMING ON TOR.COM

  • Moral Hazard, a short story for MIT Tech Review's 12 Tomorrows. FIRST DRAFT COMPLETE, ACCEPTED FOR PUBLICATION

  • Spill, a Little Brother short story about pipeline protests. FORTHCOMING ON TOR.COM

Latest podcast: How To Think About Scraping
Upcoming appearances:

Recent appearances:

Latest books:

Upcoming books:

  • The Lost Cause: a post-Green New Deal eco-topian novel about truth and reconciliation with white nationalist militias, Tor Books, November 2023

  • The Bezzle: a sequel to "Red Team Blues," about prison-tech and other grifts, Tor Books, February 2024

  • Picks and Shovels: a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books, February 2025

  • Unauthorized Bread: a graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2025

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Newsletter (no ads, tracking, or data-collection):

Mastodon (no ads, tracking, or data-collection):

Medium (no ads, paywalled):

(Latest Medium column: "How To Think About Scraping: In privacy and labor fights, copyright is a clumsy tool at best

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla