Category: Advertising (Page 1 of 3)

Shooting for the World

April 7, 2026 / Doc Searls / 1 Comment

There is no organisation on Earth with a more audacious purpose than this one:

From Customer Commons’ current index page.

This isn’t shooting for the Moon. It’s shooting for the whole world of business.

What Customer Commons wants to restore isn’t just what was lost when the Internet got real. (For example, privacy.) Customer Commons also wants to restore personal agency that was lost when Industry won the Industrial Revolution. That’s when jobs replaced work, labour replaced teams, and customers became consumers.

That last shift, Jerry Michalski explains, was from human beings to “gullets with wallets and eyeballs.” After that shift, freedom of contract in marketplaces was enjoyed only by businesses. Not by gullets.

Customer Commons was created to change that. It was spun out of ProjectVRM as a 501(c)3 nonprofit in 2013, shortly after Harvard Business Review Press published The Intention Economy: When Customers Take Charge. That book specifically gave Customer Commons the job of doing for personal privacy terms what Creative Commons did for personal copyright. And to do it by making privacy a contract between customers and businesses, rather than a “consent” to whatever the hell businesses wanted to shove down our gullets. (For example, with interruptive cookie “choices” that really aren’t and leave no audit trail.)

Work on that began in 2017, when the IEEE approached Customer Commons with an offer to host development of a standard for machine-readable personal privacy terms. That standard, officially called IEEE 7012-2025, and nicknamed MyTerms, was published this past January, concluding nine years of work.

Now what?

MyTerms is a great start toward completing Customer Commons’ audacious mission. Here are some goals we will achieve when that mission is accomplished:

VRM will be a business category, welcomed and engaged by CRM and CX functions on the sell sides of markets.
We will have proof that free customers are worth more than captive ones—to companies they engage, to whole markets, and to themselves. This was ProjectVRM’s original mission in 2006.
The intention economy will materialize when voluntary signaling from customers to companies outperforms and obsolesces surveillance as the primary means for companies to obtain data about customers.

MyTerms is required for all three, because a contract is the only way for companies to commit to respecting personal privacy, and MyTerms is the standard for doing that.

So the first challenge is to make Customer Commons viable as the first mover in establishing MyTerms in the world.

The second challenge is to make Customer Commons substantial enough to lead work toward all three of the challenges listed above. Customer Commons won’t be the only entity working on those. In the U.S., Consumer Reports has already stepped forward as a natural ally. MyData Global is partnering with Customer Commons in standing up the MyTerms Alliance, which is HQ’d in Europe. There are many other potential partners, such as Mozilla and the EFF.

There is development work on MyTerms already. You can learn more about those at VRM Day, IIW, and AIW, which run M-F through the last week of this month (April 27 to May 1) at the Computer History Museum in Silicon Valley.

Here are other ideas that have been floated in the past for Customer Commons:

Customers Union. Being for customers what the AARP is for retired people. Only bigger, because it would include everybody who is a customer of anything. This isn’t far from Consumers Union, which begat Consumer Reports, and is now its advocacy group.
CustomerCon. A trade show with company booths run by customers, to which companies are invited as guests. Key feature: no complaining. Guest companies are treated only to positive and constructive ideas. HT to Tim Hwang for helping come up with that one.
Omie. A tablet with apps free of Google and Apple. HT to Iain Henderson.
The ByWay, a new path for local e-commerce.
The Free Customer Award. This would be given to companies that value free customers and do nothing to entrap them. The canonical example described in The Intention Economy is Trader Joe’s. But there are others. In-N-Out Burger, for example.

I share those only to give you an idea of how big and influential Customer Commons might be, and how it’s possible to have fun making a new and better economy happen.

We’re not at Square One. Customer Commons is an extant nonprofit, has an energetic board, and a huge accomplishment by getting MyTerms finished. What it needs now is to build out a working organisation. How can we do that?

Let’s look at how Creative Commons got rolling in 2002 and kept moving after that. Here is what I’ve found in diggings so far—

The History of Creative Commons in Wired (December 2011) says, “An hour after the court’s decision was announced, the William and Flora Hewlett Foundation presented Creative Commons with $1,000,000 to launch the movement.” The case was Eldred v. Ashcroft.
In 2008, there was a successful funding challenge from Hewlett: “The 5×5 challenge, issued in honor of Creative Commons’ fifth birthday, called for the organization to find five funders to each promise five years of support at $500,000 per year. In addition to the Hewlett Foundation, Creative Commons received pledges of $500,000 in yearly support for five years from Omidyar Network, as well as from an anonymous European trust. Google has pledged $300,000 in support renewable for five years, while Mozilla and Red Hat have each pledged to contribute $100,000 annually for five years. The final block of support comes from the board of Creative Commons, which has promised to personally raise or contribute $500,000 to the organization annually for five years.”(Source: Creative Commons Newsletter No.5, February 2008)
A Creative Commons announcement in April 2008 said, “We’re thrilled about a major new grant of $4 million from the William and Flora Hewlett Foundation, consisting of $2.5 million to provide general support to Creative Commons over five years, as well as $1.5 million to support ccLearn.”
A MacArthur grant search reports a total of $3,225,000 provided between 2002 and 2022:
- $750,000 in 2005 to support general operations for three years
- $500,000 in 2007 to support Science Commons for two years
- $700,000 in2008 to support general operations and an endowment campaign for three years
- $25,000 in 2015 to provide travel and other support for attendees of the Creative Commons Global Summit in South Korea, for two months. The meeting was also funded in part by the Institute for Museu m and Library Services and th e Gates Foundation, and by the Korean Ministry of Culture, Sports and Tourism ($25,000), Mozilla ($10,000), and the Wikimedia Foundation ($10,000).
- $50,000 in 2022 to support dedicated programming on open journalism issues at the 2023 Global Summit, “which is an annual event that brings together educators, artists, technologists, legal experts, and activists to promote the power of open licensing and global access.”

So, by inference, the phases were roughly this:

Launch (2001–2002) $1M of initial funding
Early build-out (2002–2004) +$1–3M with additional foundation support
Continuous operations (2005 onward) at ~$1–3M/year

That gives us an idea of what we need to raise. (Given inflation, multiply those numbers by 1.5x.)

I’ll tell you more when I find out more. Meanwhile, watch this space. Better yet, jump in and help out.

Without Privacy, VRM Can’t Happen

March 27, 2026 / Doc Searls / 0 Comments

Nor can CRM. Not really. The middle name of both is Relationship, and those require respect for each other’s boundaries. We don’t have that yet online, and can’t without working standards (hello MyTerms), tech, and norms. In fact, the opposite prevails: extreme exploitation of absent personal privacy.

Helen Nissenbaum has been teaching us that for decades, and working on solutions. One is Adnauseum, which may be on your browser already. It works (says that last link) “by automating ad clicks universally and blindly on behalf of its users. Built atop uBlock Origin, AdNauseam quietly clicks on every blocked ad, registering a visit on ad networks’ databases. As the collected data gathered shows an omnivorous click-stream, user tracking, targeting and surveillance become futile.” In another word, obfuscation.

And that’s what Helen will unpack when she speaks in our salon series here at Indiana University next Tuesday at 4 pm Eastern, and on Zoom. Her title is Why Obfuscation is (still) Needed (more than ever). Here’s the flyer, with the registration and Zoom links:

And in case you don’t click on that, here it is again.

See you there.

When Branding Means Relating

December 22, 2025 / Doc Searls / 5 Comments

What is your best friend’s personal brand? How about your spouse’s?

Those questions came to mind as I read through The Death of Merchandising in an Online World, by Dana Blankenhorn, who is reliably wise. In that post, Dana correctly observes that brand value is declining as merchandising shifts from stores to online services, and to influencers who are also stores.

I think there’s also something else going on at the same time: the shift in media from real advertising to the online equivalent of junk mail, which is what you see with nearly every ad you encounter on your browsers and apps. To marketers, browsers and apps are boxes for junk mail, which at its most ideal is personalized by surveillance. As I put it in Separating Advertising’s Wheat and Chaff, ” Madison Avenue fell asleep, direct response marketing ate its brain, and it woke up as an alien replica of itself.”

I wrote that a decade ago. With AI today, that alien replica is the real thing. Madison Avenue is now AM radio, with a whip antenna and tail fins.

Brand advertising worked best when “the media” were mostly print and broadcast. Sources of both were so few that they all fit on a newsstand and the dials of radios and TVs. To operate a source of either, you needed a printing plant or transmitting towers. Publishers and broadcasters are still around, but now their goods are mostly distributed over the Internet and consumed through glowing rectangles. And they’re competing in a world where the abundance of other sources of content is incalculably vast. In that world, the only places you can still reliably create and maintain brands is by sponsoring live events. Especially sports. That’s why I know fifteen minutes will save me fifteen percent with Geico, even though Geico stopped saying that years ago. I also know that you only pay for what you need with Liberty Mutual. And I’ll never get the Shaefer Beer jingle out of my mind.

On the whole, however, branding has finished running the same course as the broadcasting it paid for.

It helps to remember that the words brand and branding were borrowed from ranching. They applied especially well when people had few choices of media, and few if any ways to avoid ads meant to burn the names of companies and products onto mental hides.

What we really (or at least should) mean by brand today is reputation. How a business obtains that in our still-new Digital Age (now with AI!) is an open question.

I believe the answer will come from the natural world, where markets have been working far longer than we’ve had digital media, broadcasting, or print. It was in the natural world that two very different people—one an athiest and the other a pastor—separately explained to me, not long after The Cluetrain Manifesto came out, that markets are not just about transactions and (as Cluetrain insisted) conversations. They are about relationships.

Marketing prevents those. Or shortcuts them. Especially as it continues to devolve into funnels at the bottom end of which are transactions alone, or entrapment in a company’s “loyalty” system.

The Internet and the Web were both designed to support maximum agency and independence for every entity using them. We can have far better markets and marketing if demand and supply both work with maximized agency, and scale in ways that are good for both. That’s the idea behind market intelligence that flows both ways.

Making and maintaining those kinds of relationships will be VRM+CRM, What those together will make are wholes that exceed the sum of either part.

Blocking Tracking ≠ Blocking Ads

February 8, 2025 / Doc Searls / 0 Comments

I started reading BoiongBoing when it was a ‘zine back in the last millennium. I stopped when I began hitting this:

boingboing popover

In fact I don’t block ads. I block tracking, specifically with Privacy Badger, from the EFF.

But BoingBoing, like countless other websites, confuses tracking protection with ad blocking. This is because they are in the surveillance-aimed advertising business, aka adtech.

It’s essential to know that adtech is descended from the junk mail business, euphemistically called “direct response marketing.” As I put it in Separating Advertising’s Wheat and Chaff,

Remember the movie “Invasion of the Body Snatchers?” (Or the remake by the same name?) Same thing here. Madison Avenue fell asleep, direct response marketing ate its brain, and it woke up as an alien replica of itself.

As surveillance-based publications go, BoingBoing is especially bad. Here is a PageXray of BoingBoing.net:

And here is a PageXray of the same page’s URL, to which tracking cruft from the email I opened was appended:

Look at that: 461 adserver requests, 426 tracking requests, and 199 other requests, which BoingBoing is glad to provide. (Pro tip: always strip tracking cruft from URLs that feature a “?” plus lots of alphanumeric jive after the final / of the URL itself. Take out the “?” and everything after it. )

Here is a close-up of one small part of that vast spread of routes down which data about you flows:

Some sites, such as FlightAware, interrupt your experience with a notice that kindly features an X in a corner, so you can make it go away:

Which I do.

But BoingBoing doesn’t. Its policy is “Subscribe or pay with lost privacy.” So I go away.

Other sites use cookie notices that give you options such as these from a Disney company (I forget which):

Nice that you can Reject All. Which I do.

This one from imgur let’s you “manage” your “options.” Those, if they are kept anywhere (you can’t tell), are in some place you can’t reach or use to see what your setting was, or if they haven’t violated your privacy:

This one at Claude defaults to no tracking for marketing purposes (analytics and marketing switches are set to Off):

TED here also lets you Accept All or Reject All:

ted-cookie

I’ve noticed that Reject All tends to be a much more prominent option lately. This makes me think a lot of these sites should be ready for IEEE P7012, nicknamed MyTerms, which we expect to become a working standard sometime this year. (I chair the working group.) I believe MyTerms is the most important standard in development today because it gets rid of this shit—at least for sites that respect the Reject All signal, plus the millions (perhaps billions?) of sites that don’t participate in the surveillance economy.

With MyTerms, sites and services agree to your terms—not the other way around. And it’s a contract. Also, both sides record the agreement, so either can audit compliance later.

Your agent (typically your browser, through an extension or a header) will choose to proffer one of a small list of contractual agreements maintained by a disinterested nonprofit. Customer Commons was created for this purpose (as a spin-off of ProjectVRM). It will be for your terms what Creative Commons is for your copyright licenses.

Customer Commons also welcomes help standing up the system—and, of course, getting it funded. If you’re interested in working on either or both, talk to me. I’m first name at last name dot com. Thanks!

Coming soon to a radio near you: Personalized ads

September 25, 2023 / Doc Searls / 2 Comments

And privacy be damned.

See, there is an iron law for every new technology: What can be done will be done. And a corollary that says, —until it’s clear what shouldn’t be done. Let’s call those Stage One and Stage Two.

With respect to safety from surveillance in our cars, we’re at Stage One.

For Exhibit A, read what Ray Schultz says in Can Radio Time Be Bought With Real-Time Bidding? iHeartMedia is Working On It:

HeartMedia hopes to offer real-time bidding for its 860+ radio stations in 160 markets, enabling media buyers to buy audio ads the way they now buy digital.

“We’re going to have the capabilities to do real-time bidding and programmatic on the broadcast side,” said Rich Bressler, president and COO of iHeart Media, during the Goldman Sachs Communacopia + Technology Conference, according to Radio Insider.

Bressler did not offer specifics or a timeline. He added: “If you look at broadcasters in general, whether they’re video or audio, I don’t think anyone else is going to have those capabilities out there.”

“The ability, whenever it comes, would include data-infused buying, programmatic trading and attribution,” the report adds.

The Trade Desk lists iHeart Media as one of its programmatic audio partners.

Audio advertising allows users to integrate their brands into their audiences’ “everyday routines in a distraction-free environment, creating a uniquely personalized ad experience around their interests,” the Trade Desk says.

The Trade Desk “specializes in real-time programmatic marketing automation technologies, products, and services, designed to personalize digital content delivery to users.” Translation: “We’re in the surveillance business.”

Never mind that there is negative demand for surveillance by the surveilled. Push-back has been going on for decades. Here are 154 pieces I’ve written on the topic since 2008.

One might think radio is ill-suited for surveillance because it’s an offline medium. Peopler listen more to actual radios than to computers or phones. Yes, some listening is online; but not much, relatively speaking. For example, here is the bottom of the current radio ratings for the San Francisco market:

Those numbers are fractions of one percent of total listening in the country’s most streaming-oriented market.

So how are iHeart and The Trade Desk going to personalize radio ads? Well, here is a meaningful excerpt from iHeart To Offer Real-Time Bidding For Its Broadcast Ad Inventory, which ran earlier this month at Inside Radio:

The biggest challenge at iHeartMedia isn’t attracting new listeners, it’s doing a better job monetizing the sprawling audience it already has. As part of ongoing efforts to sell advertising the way marketers want to transact, it now plans to bring real-time bidding to its 850 broadcast radio stations, top company management said Thursday.

“We’re going to have the capabilities to do real-time bidding and programmatic on the broadcast side,” President and COO Rich Bressler said during an appearance at the Goldman Sachs Communacopia + Technology Conference. “If you look at broadcasters in general, whether they’re video or audio, I don’t think anyone else is going to have those capabilities out there.”

Real-time bidding is a subcategory of programmatic media buying in which ads are bought and sold in real time on a per-impression basis in an instant auction. Pittman and Bressler didn’t offer specifics on how this would be accomplished other than to say the company is currently building out the technology as part of a multi-year effort to allow advertisers to buy iHeart inventory the way they buy digital media advertising. That involves data-infused buying and programmatic trading, along with ad targeting and campaign attribution.

Radio’s largest group has also moved away from selling based on rating points to transacting on audience impressions, and migrated from traditional demographics to audiences or cohorts. It now offers advertisers 800 different prepopulated audience segments, ranging from auto intenders to moms that had a baby in the last six months…

Advertisers buy iHeart’s ad inventory “in pieces,” Pittman explained, leaving “holes in between” that go unsold. “Digital-like buying for broadcast radio is the key to filling in those holes,” he added…

…there has been no degradation in the reach of broadcast radio. The degradation has been in a lot of other media, but not radio. And the reason is because what we do is fundamentally more important than it’s ever been: we keep people company.”

Buried in that rah-rah is a plan to spy on people in their cars. Because surveillance systems are built into every new car sold. In Privacy Nightmare on Wheels’: Every Car Brand Reviewed By Mozilla — Including Ford, Volkswagen and Toyota — Flunks Privacy Test, Mozilla pulls together a mountain of findings about just how much modern cars spy on their drivers and passengers, and then pass personal information on to many other parties. Here is one relevant screen grab:

As for consent? When you’re using a browser or an app, you’re on the global Internet, where the GDPR, the CCPA, and other privacy laws apply, meaning that websites and apps have to make a show of requiring consent to what you don’t want. But cars have no UI for that. All their computing is behind the dashboard where you can’t see it and can’t control it. So the car makers can go nuts gathering fuck-all, while you’re almost completely in the dark about having your clueless ass sorted into one or more of Bob Pittman’s 800 target categories. Or worse, typified personally as a category of one.

Of course, the car makers won’t cop to any of this. On the contrary, they’ll pretend they are clean as can be. Here is how Mozilla describes the situation:

Many car brands engage in “privacy washing.” Privacy washing is the act of pretending to protect consumers’ privacy while not actually doing so — and many brands are guilty of this. For example, several have signed on to the automotive Consumer Privacy Protection Principles. But these principles are nonbinding and created by the automakers themselves. Further, signatories don’t even follow their own principles, like Data Minimization (i.e. collecting only the data that is needed).

Meaningful consent is nonexistent. Often, “consent” to collect personal data is presumed by simply being a passenger in the car. For example, Subaru states that by being a passenger, you are considered a user — and by being a user, you have consented to their privacy policy. Several car brands also note that it is a driver’s responsibility to tell passengers about the vehicle’s privacy policies.

Autos’ privacy policies and processes are especially bad. Legible privacy policies are uncommon, but they’re exceptionally rare in the automotive industry. Brands like Audi and Tesla feature policies that are confusing, lengthy, and vague. Some brands have more than five different privacy policy documents, an unreasonable number for consumers to engage with; Toyota has 12. Meanwhile, it’s difficult to find a contact with whom to discuss privacy concerns. Indeed, 12 companies representing 20 car brands didn’t even respond to emails from Mozilla researchers.

And, “Nineteen (76%) of the car companies we looked at say they can sell your personal data.”

To iHeart? Why not? They’re in the market.

And, of course, you are not.

Hell, you have access to none of that data. There’s what the dashboard tells you, and that’s it.

As for advice? For now, all I have is this: buy an old car.

Markets vs. Marketing in the Age of AI

May 15, 2023 / Doc Searls / 6 Comments

Maybe history will defeat itself.

Remember FreePC? It was a thing, briefly, at the end of the last millennium, right before Y2K pooped the biggest excuse for a party in a thousand years. This may help. The idea was to put ads in the corner of your PC’s screen. The market gave it zero stars, and it failed.

And now comes Telly, hawking free TVs with ads in a corner, and a promise to “optimize your ad experience.” As if anybody wants an ad experience other than no advertising at all.

Negative demand for advertising has been well advertised by both ad blocking (the biggest boycott in human history) and ad-free “prestige” TV, (or SVOD— Subscription Video On Demand). With those we gladly pay—a lot— not to see advertising. (See numbers here.)

But the advertising business (in the mines of which I toiled for too much of my adult life) has always smoked its own exhaust and excels best at getting high with generous funders. (Yeah, some advertising works, but on the whole people still hate it on the receiving end.)

The fun will come when our own personal AI bots, working for our own asses, do battle with the robot Nazgûls of marketing — and win, because we’re on the Demand side of the marketplace, and we’ll do a better job of knowing what we want and don’t want to buy than marketing’s surveillant AI robots can guess at. Supply will survive, of course. But markets will defeat marketing by taking out the middle creep.

The end state will be one Cluetrain forecast in 1999, Linux Journal named in 2006, the VRM community started working on that same year, and The Intention Economy detailed in 2012. The only thing all of them missed was how customer intentions might be helped by personal AI.

Personal, not personalized.

Markets will become new and better dances between Demand and Supply, simply because Demand will have better ways to take the lead, and not just follow all the time. Simple as that.

*For more on how this will work, see Individual Empowerment and Agency on a Scale We’ve Never Seen Before.

As an aside, the mouth in whch BUY!!! appears is mine. The gold crowns were provided by students of the UNC School of Dentistry, under the direction of Dr. Clinton Max Studevant for just $25 each, half a century ago. The original photo is here on Flickr, was shot with a Sony camcorder that could take low-res stills, and has had more than 80,000 views, which is way more than any of the 80,000 other photos I have on Flickr. I don’t know why.

Toward a lexicon for advertising in both directions

June 9, 2022 / Doc Searls / 0 Comments

We need a lexicon for the different ways buyers and sellers express their intentions to each other. Or, one might say, advertise.

On the demand side (⊂) we have what in ProjectVRM we’ve called intentcasting and (earlier) personal RFP. Scott Adams calls it broadcast shopping and John Hagel and David Siegel both (in books by that title) call it pull.

On the sell side (⊃) I can list at least six kinds of advertising alone that desperately need distinctive labels. To pull them apart, these are:

Brand advertising. This kind is aimed at populations. All of it is contextual, meaning placed in media, TV or radio programs, or publications, that appeal broadly or narrowly to a categorized audience. None of it is tracking-based, and none of it is personal. Little of it wants a direct response. It simply means to impress. This is also the form of advertising that burned every brand you can name into your brain. In fact the word brand itself was borrowed from the cattle industry by Procter & Gamble in the 1930s, when it also funded the golden age of radio. Today it is also what sponsors all of sports broadcasting and pays most sports stars their massive salaries.
Search advertising. This is what shows up with search results. There are two very different kinds here:
1. Context-based. Not based on tracking. This is what DuckDuckGo does.
2. Context+tracking based. This is what Google and Bing do.
Tracking-based advertising. I’ve called this adtech. Cory Doctorow calls it ad-tech. Others call it ad tech. Some euphemize it as behavioral, relevant, interest-based, or personalized. Shoshana Zuboff says all of them are based on surveillance, which they are. So many critics speak of it as surveillance-based advertising.
Advertising that’s both contextual and personal—but only in the sense that a highly characterized individual falls within a group, or a collection of overlapping groups, chosen by the advertiser. These are Facebook’s Core, Custom and Look-Alike audiences. Talk to Facebook and they’ll tell you these ads are not meant to be personal, though you should not be surprised to see ads for shoes when you have made clear to Facebook’s trackers (on the site, the apps, and wherever the company’s tentacles reach) that you might be in the market for shoes. Still, since Facebook characterizes every face in its audience in almost countless ways, it’s easy to call this form of advertising tracking-based.
Interactive advertising. Vaguely defined by Wikipedia here, and sometimes called conversational advertising, the purpose is to get an interactive response from people. The expression is not much used today, even though the Interactive Advertising Bureau (IAB) is the leading trade association in the tracking-based advertising field and its primary proponent.
Native advertising, also called sponsored content, is advertising made to look like ordinary editorial material.

The list is actually much longer. But the distinction that matters is between advertising that is tracking-based and the advertising that is not. As I put it in Brands need to fire adtech,

Let’s be clear about all the differences between adtech and real advertising. It’s adtech that spies on people and violates their privacy. It’s adtech that’s full of fraud and a vector for malware. It’s adtech that incentivizes publications to prioritize “content generation” over journalism. It’s adtech that gives fake news a business model, because fake news is easier to produce than the real kind, and adtech will pay anybody a bounty for hauling in eyeballs.

Real advertising doesn’t do any of those things, because it’s not personal. It is aimed at populations selected by the media they choose to watch, listen to or read. To reach those people with real ads, you buy space or time on those media. You sponsor those media because those media also have brand value.

With real advertising, you have brands supporting brands.

Brands can’t sponsor media through adtech because adtech isn’t built for that. On the contrary, adtech is built to undermine the brand value of all the media it uses, because it cares about eyeballs more than media.

Adtech is magic in this literal sense: it’s all about misdirection. You think you’re getting one thing while you’re really getting another. It’s why brands think they’re placing ads in media, while the systems they hire chase eyeballs. Since adtech systems are automated and biased toward finding the cheapest ways to hit sought-after eyeballs with ads, some ads show up on unsavory sites. And, let’s face it, even good eyeballs go to bad places.

This is why the media, the UK government, the brands, and even Google are all shocked. They all think adtech is advertising. Which makes sense: it looks like advertising and gets called advertising. But it is profoundly different in almost every other respect. I explain those differences in Separating Advertising’s Wheat and Chaff:

…advertising today is also digital. That fact makes advertising much more data-driven, tracking-based and personal. Nearly all the buzz and science in advertising today flies around the data-driven, tracking-based stuff generally called adtech. This form of digital advertising has turned into a massive industry, driven by an assumption that the best advertising is also the most targeted, the most real-time, the most data-driven, the most personal — and that old-fashioned brand advertising is hopelessly retro.

In terms of actual value to the marketplace, however, the old-fashioned stuff is wheat and the new-fashioned stuff is chaff. In fact, the chaff was only grafted on recently.

See, adtech did not spring from the loins of Madison Avenue. Instead its direct ancestor is what’s called direct response marketing. Before that, it was called direct mail, or junk mail. In metrics, methods and manners, it is little different from its closest relative, spam.

Direct response marketing has always wanted to get personal, has always been data-driven, has never attracted the creative talent for which Madison Avenue has been rightly famous. Look up best ads of all time and you’ll find nothing but wheat. No direct response or adtech postings, mailings or ad placements on phones or websites.

Yes, brand advertising has always been data-driven too, but the data that mattered was how many people were exposed to an ad, not how many clicked on one — or whether you, personally, did anything.

And yes, a lot of brand advertising is annoying. But at least we know it pays for the TV programs we watch and the publications we read. Wheat-producing advertisers are called “sponsors” for a reason.

So how did direct response marketing get to be called advertising ? By looking the same. Online it’s hard to tell the difference between a wheat ad and a chaff one.

Remember the movie “Invasion of the Body Snatchers?” (Or the remake by the same name?) Same thing here. Madison Avenue fell asleep, direct response marketing ate its brain, and it woke up as an alien replica of itself.

This whole problem wouldn’t exist if the alien replica wasn’t chasing spied-on eyeballs, and if advertisers still sponsored desirable media the old-fashioned way.

Bonus link.

I wrote that in 2017. The GDPR became enforceable in 2018 and the CCPA in 2020. Today more laws and regulations are being instituted to fight tracking-based advertising, yet the whole advertising industry remains drunk on digital, deeply corrupt and delusional, and growing like a Stage IV cancer.

We live digital lives now, and most of the advertising we see and hear is on or through glowing digital rectangles. Most of those are personal as well. So, naturally, most advertising on those media is personal—or wishes it was. Regulations that require “consent” for the tracking that personalization requires do not make the practice less hostile to personal privacy. They just make the whole mess easier to rationalize.

So I’m trying to do two things here.

One is to make clearer the distinctions between real advertising and direct marketing.

The other is to suggest that better signaling from demand to supply, starting with intentcasting, may serve as chemo for the cancer that adtech has become. It will do that by simply making clear to sellers what buyers actually want and don’t want.

Shall we commit advercide?

January 4, 2022 / Doc Searls / 0 Comments

On our mailing list, there is a suggestion that we need a browser that kills all the advertising it sees on the Web. Not just the rude kind, or the tracking-based kind. The idea is to waste it all. The business model is, “$10 a month for a browser which guarantees no adverts, ever. If you see an advert, you file a bug report.”

I dismissed the idea a few years ago, when it first came up, for what seemed good and obvious reasons: that lots of advertising is informative and useful, that good and honest (e.g. non-tracking-based) advertising supports most of the world’s journalism, and so on.

But now most advertising on the Web is tracking-based (“programmatic” mostly means tracking-based), and most of the businesses involved seem hellbent on keeping it that way.

As for regulations, the GDPR and CCPA mean well, but they’ve done little to stop tracking, and much to make it worse. Search for gdpr+compliance on Google and right now and see how many results you get. (I get way over a billion.) Nearly all of the finds you’ll see are pitches for ways sites and services can obey the letter of the GDPR while screwing its spirit. In other words, the GDPR and the CCPA have created a giant market for working around them.

Clearly the final market for goods and services on the Net—that’s you and me, ordinary human beings—don’t like being tracked like marked animals, and all the lost privacy that tracking involves. And hell, ad blocking alone was the biggest boycott in world history, way back in 2015. That says plenty.

So why not give our market a way to speak? Why not incentivize publishers to start making money in ways that respect everyone’s privacy?

Also, we’re not alone. Dig CheckMyAds.org and their efforts, such as this one.

Comments work on this blog again, so feel free to weigh in.

QR codes are becoming fishhooks

July 28, 2021 / Doc Searls / 0 Comments

We’ve been very bullish on QR codes here, because they’re an excellent way for customers and vendors to shake hands, to start doing business, and to form constructive relationships.

Alas, they have become bait for tracking by marketers. In QR Codes Are Here to Stay. So Is the Tracking They Allow, Erin Woo (@erinkwoo) of the NY Times explains how:

Restaurants have adopted them en masse, retailers including CVS and Foot Locker have added them to checkout registers, and marketers have splashed them all over retail packaging, direct mail, billboards and TV advertisements.

But the spread of the codes has also let businesses integrate more tools for tracking, targeting and analytics, raising red flags for privacy experts. That’s because QR codes can store digital information such as when, where and how often a scan occurs. They can also open an app or a website that then tracks people’s personal information or requires them to input it.

As a result, QR codes have allowed some restaurants to build a database of their customers’ order histories and contact information. At retail chains, people may soon be confronted by personalized offers and incentives marketed within QR code payment systems.

“People don’t understand that when you use a QR code, it inserts the entire apparatus of online tracking between you and your meal,” said Jay Stanley, a senior policy analyst at the American Civil Liberties Union. “Suddenly your offline activity of sitting down for a meal has become part of the online advertising empire.”

So that’s one more thing to fix in our apps and browsers. But how?

Obviously, we can try to avoid QR codes; but there are a growing number of places where that’s not possible.

Providing ways to opt out is a giant non-starter, as we’ve learned at great pain on the Web. (Do you have any record at all of the separate privacy settings you’ve made at all the sites and services where those choices have been provided? Of course not.)

We need at least two things here, and fast.

One is some way, in our phones or browsers, to prevent QR code scanning on phones from turning into tracking. Are you listening, Apple and Google? Plus everybody else in the QR code business?

The other is regulation. And I hate to say that, because too many regulations protect yesterday from last Thursday, and distort markets in ways seen and unseen for decades to come. But this is a case where we really need it.

[Two days later…]

There has been much follow-up to this piece. If you’re interested in that, start with this clip rom Wednesday;s FLOSS Weekly podcast, where Jonathan Bennett (@JP_Bennett) provides some excellent answers to questions raised here and elsewhere.

On Twitter, @QRcodeART has some good follow-up under an @TWiT tweet pointing to that clip. In that thread I stand accused of “pure babbling,” to which I plead guilty (providing, as I do, an example of how, as Garrison Keillor once put it, “English is the preacher’s language because it allows you to talk until you think of what to say”).

The main point in the thread is that QR codes are essentially “innocent.” Also, “#Bluetooth is much worse! Creative names, unique IDs (!) and such and usually open and “seeable” for everybody. Similar to your #Wifi searching always for a #WLan in the perimeter. Unique funny names and identifiable MAC addresses. Think about that !”

Good advice. Clearly, there are concerns for all the tech we use, especially the networked kind. If we fail to take precautions such as those Jonathan recommends, we’re likely being tracked in ways we wouldn’t welcome if we knew about it. Returning to the metaphor, everything you carry, scan or click on can be a fishhook. And, to the hookers, you’re just a fish.

What law might clear the way for VRM/Me2B development?

September 16, 2019 / Doc Searls / 1 Comment

VRM/Me2B developers shouldn’t have to wait for laws to pave the way through a wall-like status quo. (And we say that in our Privacy Manifesto.) But a good law or two should help.

That was I had hoped—even expected—the GDPR to do. Specifically, I called it “the world’s most heavily weaponized law protecting personal privacy,” said it was “aimed at companies that track people without asking” and that it would “blow away the (mostly US-based) surveillance economy, especially tracking-based ‘adtech,’ which supports most commercial publishing online.”

That hasn’t happened.

It has been sixteen months since the GDPR went into effect (May 2018), and violation of personal privacy online today remains as pervasive as ever. Worse, violators take advantage of a loophole* in the GDPR that allows them to continue tracking people by requiring (or appearing to require) “consent” to cookies and other means of tracking (so you can get “personalized,” “interest-based” or “relevant” advertising, the perpetrators say). As long as various EU countries’ Data Protection Authorities (who enforce the GDPR) fail to focus on simple fact that nearly every website and its third parties are doing the same bad things Google and Facebook are accused of doing, the practice will continue, and the GDPR will remain a failure at stopping widespread spying-based adtech.

Meanwhile, many privacy advocates in the U.S. (including me) have invested hope in the California Consumer Privacy Act (CCPA), which will go into effect on January 1, 2020. I invite you to visit the operative language in that law, starting here. As legalese goes, it’s remarkably readable. Meanwhile, Wikipedia compresses these rather well under the heading Intentions of the Act:

The intentions of the Act are to provide California residents with the right to:

Know what personal data is being collected about them.

Know whether their personal data is sold or disclosed and to whom.

Say no to the sale of personal data.

Access their personal data.

Request a business to delete any personal information about a consumer collected from that consumer.

Not be discriminated against for exercising their privacy rights.

Note that this presumes that nearly all agency resides on the data collectors’ side, and that the only agency possible on the individual’s side is asking to know or say no to what others who collected personal data can do with it.

That’s not enough.

Making matters worse is that we are mere “consumers” to the CCPA, “data subjects” to the GDPR and “users” to the computer industry—in each case with no more freedom and agency than what potential violators of our privacy (e.g. the websites and services of the world) separately grant us, through their countless, lengthy and infinitely varied privacy policies, terms and “agreements.”

In other words, we’re still at Square Zero, and Square One is neither the CCPA nor the GDPR. Those are relevant in the ways that guard rails are relevant to a winding road; but we don’t have the road yet.

While I’ve made it clear elsewhere that we need tech more than policy (because tech of our own—VRM tech—gives us agency), it will sure help to have policy that guides the deployment of that tech.

So, what law might actually open the way for VRM development, preferably by simply giving individuals a new power they’ve been lacking, such as real control over just one aspect of their privacy: what Louis Brandeis and Samuel Warren called “the right to be let alone” when we’re online?

I like two.

First is the Do-Not-Track Act of 2019. It’s model legislation from DuckDuckGo, and explained this way:

When you turn on the setting in your browser that says “Do Not Track”, you probably expect to no longer be tracked on most websites you visit. Right? Well, you would be wrong. But don’t worry, you’re not alone.

Our recent study on the Do Not Track (DNT) browser setting indicated that about a quarter of people have turned on this setting, and most were unaware big sites do not respect it. That means approximately 75 million Americans, 115 million citizens of the European Union, and many more people worldwide are, right now, broadcasting a DNT signal.

All of these people are actively asking the sites they visit to not track them. Unfortunately, no law requires websites to respect your Do Not Track signals, and the vast majority of sites, including most all of the big tech companies, sadly choose to simply ignore them.

Let’s change that now. Let’s put teeth behind this widely used browser setting by making a law that would align with current consumer expectations and empower people to more easily regain control of their online privacy.

While DuckDuckGo actively supports the passing of strong, comprehensive privacy laws, we also recognize that it will take time for them to take effect worldwide. In the meantime, governments can provide immediate relief by enacting separate, simpler Do Not Track legislation.

It is extremely rare to have such an exciting legislative opportunity like this, where the hardest work — coordinated mainstream technical implementation and widespread consumer adoption — is already done.

That’s why we’re announcing draft legislation that can serve as a starting point for legislators in America and beyond. It’s entitled the “Do-Not-Track Act of 2019” and, if it were to be enacted, would require sites to respect the Do Not Track browser setting in this manner:

No third-party tracking by default. Data brokers would no longer be legally able to use hidden trackers to slurp up your personal information from the sites you visit. And the companies that deploy the most trackers across the web — led by Google, Facebook, and Twitter — would no longer be able to collect and use your browsing history without your permission.

No first-party tracking outside what the user expects. For example, if you use Whatsapp, its parent company (Facebook) wouldn’t be able to use your data from Whatsapp in unrelated situations (like for advertising on Instagram, also owned by Facebook). As another example, if you go to a weather site, it could give you the local forecast, but not share or sell your location history.

Under this proposed law, these restrictions would only come into play if a consumer has turned on the Do Not Track signal for their Internet traffic. To keep the Internet from breaking, these restrictions would have very narrowly tailored exceptions for debugging, auditing, security, non-commercial security research, and reporting, and further limited by mandated data-minimization requirements.

In particular, each of these narrow exceptions would only apply if a site adopts strict data-minimization practices, such as using the least amount of personal information needed, and anonymizing it whenever possible. And importantly, this draft legislation takes a more realistic view of what constitutes anonymous data vs. de-identified data. Legislators need to appreciate that users can be re-identified unless companies implement extra measures of protection.

Katherine Druckman and I also talked about this a bit with Gabriel Weinberg, CEO and founder of DuckDuckGo, in our Reality 2.0 podcast with him last month.

The other is Adrian Gropper‘s Patient Privacy Rights Information Governance Label. It says,

Patient Privacy Rights Information Governance Label August 19, 2019 Note: 0-to-5 of the boxes to be checked by the application, device, or service provider.1. No sharing: The data is never shared with any external entities. It is not even shared in de-identified form.

2. No aggregation: The data is never aggregated with other types of input or data from external sources. This includes mixing the data gathered via The Service with other data, such as patient-reported outcomes.

3. Always voluntary self-identification: The user of The Service is able to choose their own identity. The user does not need to have their identity verified unless required by law.

4. Digital agent support: The user is able to specify a digital agent, trustee, or equivalent information manager, and this specified agent will not be subject to certification or censorship.

5. No vendor lock-in: The Service is easily and conveniently substitutable, so the user can easily move their data to another vendor providing a similar service. This prevents vendor lock-in and is often accomplished using Open Standards. Indications for Use: The five separately self-asserted statements on the PPR Information Governance Label are subject to legal enforcement as would the privacy policy associated with The Service.

While not proposed as a law, it would be good to have a law that imposes those requirements, and leaves room for individuals to provide for exceptions, for example when they have working relationships with a service provider.

Maciej Ceglowski also has some good suggestions.

*Part 1 under Article 6 of the GDPR, covering the “Lawfulness of processing,” says, “Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” Hence the consent notices with an “accept” button in front of websites. These are most often presented as “cookie notices.” (Which are actually required by earlier EU law that was to some degree ignored until the GDPR came along.)

Whether a notice on the front of a website talks cookies or not, it usually means the site is obtaining your consent to being tracked “to personalize content and advertising” (or whatever) by spying on you. I’ve been told by GDPR experts that this really isn’t a loophole, and that most of these consent notices actually violate the GDPR’s letter and not just its spirit. Still, while that might be true, violation of the GDPR’s spirit remains normative.