It’s easy for anyone to disaggregate your data, and use it against you
Patrick Berlinquette
Jan 31 · 9 min read
In December 2018, I wrote that when you click an online ad, your data passes through to Google, and a third-party marketer.
This data includes your location, your age, your income, your web browsing history, where you work, the words you type into Google, the size of the company you work for, if you rent or own a home, if you’re married or single, if you have kids, how old your kids are, the apps you use, the YouTube videos you watch, if you’ve recently gone through a “major life event,” if you drive a Chevy (or prefer Ford), the degree you hold, whether or not you graduated high school, and so much more. The amount of data Google has on you has only increased since 2018. What hasn’t changed is that your data is in aggregate: it’s lumped in with the data of everyone else who clicked the same ad you did.* So if I’m targeting an ad to women who live in Park Slope, who are 30 years old, and you fit those parameters, it’s hard for me to tease out who you are, because there are a lot of 30-year-old women in Park Slope.
For the 12 years that I’ve been a Google marketer, Google has never let me target you — and only you — with an ad. Because that would mean I would have a direct line to your data. That would make me less of a marketer, and more of a spy.
Nevertheless, throughout 2019, I ran various experiments, trying to achieve this “one-to-one” ad targeting — the ability to serve just you an ad, and get just your data, disaggregated. (The current grail of privacy exploitation in the age of surveillance capitalism.)
In these experiments, I served ads to small populations who conduct niche Google searches. Small groups conducting themselves similarly online equals fewer clicks. Fewer clicks equals smaller datasets. It’s not hard to disaggregate sparse data. It’s not exactly one-to-one targeting, but it’s close.
I targeted ads to three such groups:
- People who live in Antarctica.
- Prisoners in San Quentin.
- Mexicans planning to cross the border into the U.S.
So what are people who live and work in Antarctica really like? What is their day to day? What do they get up to during the “winter-over” — those months of darkness and isolation? What do they do for fun? Why have they chosen to live in one of the world’s most unforgiving biomes? Are they allowed flamethrowers?
Google ad click data can give us a glimpse into their lives.
Google has data on just 14,000 computers, cell phones, and tablets in Antarctica. To put this in perspective, Google has data on 267,000,000 people who live in the U.S.
During the summer, 1,000 people live in Antarctica. In the winter, 200 people live there. Targeting ads to the entire continent — each and every person using a device — lets us see their clicks, and therefore their data: their movements between devices, across apps and websites and Google channels.
For example, by serving banner ads via Google’s “Display Network” on all mobile apps used by Antarcticans, I could see the exact apps they used, day to day. This included VPN apps, and also mobile games, gay dating apps, weather, and file transfer apps.
This app usage data is still in aggregate. But by segmenting genders and ages from this data, and then excluding some of these genders and ages from seeing the app ads, we can get a good idea, down to a much smaller subset of people, of the age, gender, etc., of who is using what app in Antarctica.
Although knowing that there is a person in Antarctica using a certain app has innocuous uses, you could not inflict much damage on someone with this information.
But if we apply this same method on Google’s “Search network,” we can learn things that the ad clicker probably would not want us to know, information that could be used against them.
We can serve an ad on Google to someone in any very small population (small population + niche search = small dataset, easy to disaggregate) when they tell Google, for example, that they’re looking for underage porn. When they click the ad, we get the data.
Here are some real word-for-word searches of people looking for underage porn on Google. These two men were among a small population in India who had clicked an ad offering free e-books about sexual psychotherapy. They clicked the ads after they searched Google for underage porn.
Of course, what we can know about small populations is not limited to their porn preferences.
But I was able to run the experiment serving ads to Mexicans who told Google they intended to cross the border into the U.S. The ads were served to people who Googled phrases like “enter US without documentation,” “submit legal asylum claim,” “bypass border security,” and “methods of crossing border.”
Thousands of migrant families surge into regions where the Trump administration is unable to devote sufficient resources. This has created a humanitarian challenge.
Border enforcement officers tell of processing centers filled to capacity. Border agents struggle to meet the medical needs of migrants. They are not adequately prepared, in part, because they can’t see the future. They don’t know migrants’ plans in advance.
How could they? Google ad click data, I’d argue.
With ad click data, we can know a migrant’s thinking before they move north.
Every day, thousands of Mexican migrants tell Google about their intent to cross the border into the U.S. The click data tells us how many migrants have children, or how many browse medical websites, or where they intend to cross, and with what documentation, and with what items on their person. It also reveals commonly asked questions that migrants have about the crossing process that, if answered beforehand with an ad, can save them a potentially deadly trip.
These experiments — serving ads to very small groups by population and search intent — were insightful. They allowed me a new way to think about these groups. But I ran these experiments in order to get closer to achieving one-to-one ad targeting and in that sense the work failed.
In order to truly spy on one person with an ad, and have the maximum potential to inflict real-life damage upon them, you would need to not only be sure you were serving just them an ad — you would also need to be able to follow them around with an ad forever.
The experiments I ran — even in the rare instances that I could be sure I was serving an ad to one person — only gave me one chance at the data. If I’m targeting a mass shooter in America with an ad (another niche group I’ve served ads to), and they search for the keywords “I am going to shoot up the school,” but they don’t click the ad and never make that search again, I lose.
But there is a way to target one person with an ad, and follow them around with ads indefinitely, all the while collecting their data. And it’s untraceable.
It is done through Google’s Customer Match feature.
Customer Match allows anyone to spy on one person for any length of time — not just within Google Search, but across all Google channels — Gmail, YouTube, apps, and websites within Google’s Display Network.
Potential applications of this:
- Plotting someone’s day-to-day movements over time.
- Doxxing someone based on their search or browsing history.
- Viewing the login portals someone accesses.
Here are the steps to achieve one-to-one targeting via Customer Match:
1. Upload emails of people that live in, say, California.
2. Upload the email of “the target.”
3. Exclude Californians from seeing ads.
As long as the target is physically located outside of the excluded region, they will be the sole recipient of the ad. Their click data (now not in aggregate) passes through to the ad runner. Exclusions need not be limited by region. If those in the non-target email list belong to a single age group, gender, or income bracket, while the target belongs to another, the same results are achieved. It seems possible that Google would have an algorithm that would prevent this kind of targeting, but I have no evidence that Google has closed all the loopholes here. In 2017, a marketer named Michael Harf wrote about this kind of sniper targeting on Facebook. Two years went by before Facebook closed the loophole this marketer was exploiting.
With recent updates to Customer Match, Google has made this even easier. The target’s email isn’t even required — their phone number, or home address, will suffice. Non-target lists can be reused to spy on subsequent targets, or more than one target concurrently. These lists don’t expire. The spying capabilities don’t either. The data accumulates as the target moves across the internet, day to day. There’s no concern of missing that “one shot” at the data.
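A platform-side guard against the list-plus-exclusion pattern described above, as an added example that is not from the article and not Google's code: it sizes the audience that remains after exclusions instead of the uploaded list, and drops report rows for segments with too few distinct clickers. The names `Member`, `Campaign`, `review` and `suppress_small_rows`, the `MIN_AUDIENCE` floor and the sample data are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

MIN_AUDIENCE = 1000  # assumed floor for this sketch, not a documented platform value

@dataclass(frozen=True)
class Member:
    member_id: str   # constructed ID; a real list would hold hashed identifiers
    region: str
    age_band: str

@dataclass
class Campaign:
    include: list                                 # members of the uploaded list
    exclude: dict = field(default_factory=dict)   # attribute -> set of excluded values

def effective_audience(c):
    """Members who can still be served after every exclusion is applied."""
    return [m for m in c.include
            if not any(getattr(m, attr) in vals for attr, vals in c.exclude.items())]

def review(c, k=MIN_AUDIENCE):
    """Gate on who remains after exclusions, not on the uploaded list size."""
    remaining = len(effective_audience(c))
    return ("serve" if remaining >= k else "reject", remaining)

def suppress_small_rows(click_rows, k=MIN_AUDIENCE):
    """Keep only report segments with at least k distinct clickers.

    click_rows is an iterable of (segment, member_id) pairs; repeat clicks
    by the same member are counted once.
    """
    per_segment = Counter(segment for segment, _member in set(click_rows))
    return {seg: n for seg, n in per_segment.items() if n >= k}

# Constructed sample: 1,500 padding members in one region plus one outlier.
PADDING = [Member(f"m{i}", "CA", "25-34") for i in range(1500)]
OUTLIER = Member("m-outlier", "NY", "45-54")

def demo():
    full = Campaign(PADDING + [OUTLIER])
    by_region = Campaign(PADDING + [OUTLIER], {"region": {"CA"}})
    by_age = Campaign(PADDING + [OUTLIER], {"age_band": {"25-34"}})
    return review(full), review(by_region), review(by_age)

if __name__ == "__main__":
    print(demo())
```

A check on list size alone passes all three campaigns, because each uploads 1,501 members; only the post-exclusion count separates them.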
A small circle of savvy marketers use this one-to-one targeting method to “ad snipe” — to get one person’s attention as quickly as possible with a personalized ad, such as an employer, or a lead who fell through the cracks.
More insidious use: upload the email of a politician, or a big CEO, and for the next few months, or years, shadow them across time and Google channels, siphoning the words they type into Google Search, the mobile apps they use, the websites they visit, the YouTube videos they watch — on top of being able to plot their physical location.
For years, I used ad click data — the most powerful dataset ever collected on humanity — to sell people stuff. It wasn’t hard to make advertisers (my clients) more money year over year, because people click on more ads every year while Google’s ad targeting precision improves.
Clicks amass the world’s thoughts in an indelible ledger, held by a corporation. Clicks are packaged into more precise ad targeting tools that Google hands off to marketers. These tools help refine who sees an ad, and create ads that attract more clicks.
Digital marketing is a rapidly growing bubble with weak, nonuniform walls. Google can no longer internally police their own ads system without help. They outsource that work to a support team who struggle to audit ad runners’ behavior.
Meanwhile, ad clicks make up 90% of Google’s revenue, which came in at more than $136 billion last year. To net bigger profits, I anticipate Google will not slow the unsustainable expansion of its ads system and will provide marketers with some hybrid of your personal identifiers and one-to-one targeting capabilities by 2023.
That we must find workarounds to conduct one-to-one is not because Google — a marketplace veiled as an information resource — is worried about your privacy. More likely, they don’t think the public is ready for this just yet.
More time is needed for privacy to erode at a rate that will not incite your refusal to continue to be raw material for surveillance capitalism. Until then, those of us determined to slip through the holes in the wall, to jailbreak the system so we can access these offerings now, will do so with little oversight.
When you click an ad, you can never know if you are, or have been, the only person on the other side of someone’s screen.
*(Personal identifiers like your name and phone number are scrubbed from this data, too. But there are workarounds to get this.)