previously: an easy experiment to support behavioral advertising (or not)

In Economic Rationales for Regulating Behavioral Ads (PDF), Pegah Moradi, Cristobal Cheyre, and Alessandro Acquisti ask,

Ultimately, what should regulators do in the absence of macro-level empirical studies that credibly establish how behaviorally targeted advertising affects all stakeholders? Discarding well-founded legal and philosophical justifications for regulation in favor of poorly substantiated claims from the ad-tech industry would be misguided.

The fun part is that these macro-level empirical studies…already exist. They just happen to be behind the firewall at the Big Tech companies and the data brokers. Maybe they’re not fully written up as PDFs with properly formatted references and everything, but a lot of the questions about the harms and/or benefits of cross-context behavioral advertising (CCBA) have answers in data that already exists, and it would be hard to believe that nobody has run the query.

People’s exposure to CCBA varies. Some people, whether because of their general habits or deliberate use of privacy tools and settings, are either exposed to fewer ad impressions or targeted less accurately. But it’s hard to escape surveillance completely. So anyone in the surveillance advertising business is going to have a database of low-CCBA (less data) and high-CCBA (more data) people, and the big platforms have “conversion tracking” data that gives them a good idea of people’s shopping habits.

So a couple of straightforward studies to do would be:

• Are high-CCBA or low-CCBA people buying more or less from small local businesses? This would be a relatively straightforward query to run, and it would be the missing piece to back up a lot of the claims about the benefits of CCBA.

• Do low-CCBA or high-CCBA people build higher net worths over time? The Big Tech companies know how much data they can collect on you, and they know roughly how much money you have. Are the people who have had more data collected on them over the past five or ten years richer today? Pro-CCBA papers already point out that wealthier people have higher privacy preferences, but which is the cause and which is the effect? More: building wealth the privacy way?)

If the answer to either question favored the high-CCBA group, it would be a slick report in every state legislator’s inbox by now. The lack of a report on either one of these could turn out to be more informative than the actual report would be.

Maybe deceptive advertisers, who don’t have the money and time costs of delivering a legitmate product, are able to work “the algorithms” better, and benefit from an asymmetric flow of customer data away from legit businesses? Maybe as people use surveillance apps more, they put more of their money into drop-shipped stuff, in-app purchases and sports betting, so have less left over for legit shopping? More: accounting help needed)

Bonus links

The Future Of Brand Creativity Belongs To The Small And Reckless by Adel Borky. Loss aversion explains almost everything. The perceived downside of not doing AI feels immediate and existential: angry boards, nervous investors, headlines asking if you’re “behind.” The downside of doing it badly is delayed, distributed, and someone else’s problem. So holding companies overreact. They centralize. They standardize. They automate. They turn a flexible tool into a rigid system and call it transformation.

The one problem with Russia’s shadow fleet Europe still hasn’t addressed by Ben Harris. These countries shirk their oversight duties by enabling barely seaworthy ships on their registries to carry inadequate insurance from unreliable and under-capitalized Russian insurers. The result is a costly environmental tragedy in waiting….

The Measurement Caddies by Brian Jacobs. First, today’s biggest players don’t care about the rules. Question the principles, change the language, keep the data hidden. Do what’s best for them regardless of any higher good. Move fast and break things, as Facebook had it.

The radical confidence of Generative AI and MAGA (Spilling Ink #14) by Dan Brown. They lie and they double-down on the lie when pushed. They never admit the need to investigate, much less admit that they don’t know. (Related: fix Google Search)

Sports betting reshaped newsrooms, and it’s “a little gross.” Now, here come the prediction markets by Sarah Scire. Many journalists told me they view gambling partnerships as a necessary evil, since their companies are fighting for survival and it’s difficult in that position to stand on principle and turn away a new, massive revenue stream. That said, there is definitely concern that journalists are being used to make gambling seem innocent and harmless, especially for young people.

With ‘KPop Demon Hunters,’ Korean women hold the sword, the microphone — and possibly an Oscar by Hyounjeong Yoo. As “cultural diplomats” both on and off the screen, Huntrix carry not only entertainment value but also the symbolic labour of representing a nation to a global audience.

Your Search Button Powers my Smart Home by Tom Casavant. So, I started exploring the Wide Wide World of Customer Support Chatbots. A tool probably used primarily because it’s far cheaper to have a robot sometimes make stuff up about your company than to have customers talk directly to real people. The first thing I discovered was that there are a lot of customer support LLMs deployed around the web…. So I started collecting them all. Anywhere I could find a Chat with AI button I scooped it up and built a wrapper for it. Nearly all of these APIs had no hard limit (or at least had a very high limit) on how much context you could provide. I am not sure why Substack or Shopify need to be able to handle a 2 page essay to provide customer support. But they were able to. This environment made it incredibly easy prompt inject the LLM and get it to do what you want.

For those who think it important for the Nation to impose more tariffs, I understand that today’s decision will be disappointing. All I can offer them is that most major decisions affecting the rights and responsibilities of the American people (including the duty to pay taxes and tariffs) are funneled through the legislative process for a reason. Yes, legislating can be hard and take time. And, yes, it can be tempting to bypass Congress when some pressing problem arises. But the deliberative nature of the legislative process was the whole point of its design. Through that process, the Nation can tap the combined wisdom of the people’s elected representatives, not just that of one faction or man. There, deliberation tempers impulse, and compromise hammers disagreements into workable solutions. And because laws must earn such broad support to survive the legislative process, they tend to endure, allowing ordinary people to plan their lives in ways they cannot when the rules shift from day to day. In all, the legislative process helps ensure each of us has a stake in the laws that govern us and in the Nation’s future. For some today, the weight of those virtues is apparent. For others, it may not seem so obvious. But if history is any guide, the tables will turn and the day will come when those disappointed by today’s result will appreciate the legislative process for the bulwark of liberty it is. — Justice Neil Gorsuch (p. 46)

(It looks like Justice Gorsuch believes that the history of these times will be written, and he wants a good spot in it. Meanwhile, the big cheeses of the “tech industry” are acting like oligarch crimes are just going to be legal forever, and the only history will be slop anyway. That’s a big bet.)

Bonus links

I hacked ChatGPT and Google’s AI – and it only took 20 minutes (Advanced large language models are scoring well on benchmarks by outputting the highly relevant fact that Thomas Germain can eat more hot dogs than other tech journalists. I think he can beat his score of 7.5 next time, though.)

A Little Tech Policy Agenda from Vanderbilt Policy Accelerator. (Some good ideas, including “Prohibiting dominant digital platforms from self-preferencing their own products over competing offerings.” But needs an update considering the Big Tech fraud situation. Big Tech doesn’t just give advantages to their own products and services, they give advantages to fraudulent sellers in order to drive up costs for the legit advertisers. More: fix liability and ad libraries: anti-fraud policy ideas from Canada)

The Left Doesn’t Hate Technology, We Hate Being Exploited By Gita Jackson. It is true that the forces of capital have generally adopted AI as the future whereas workers have not—but this is not a simple left/right distinction. I’ve lived through an era when Silicon Valley presented itself as the gateway to a utopia where people work less and machines automate most of the manual labor necessary for our collective existence. But when companies from the tech sector monopolize an industry, like rideshare companies like Uber and Lyft, instead of less work and more relaxation, what happens is that people are forced to work more to compete with robots that are specifically coming for their jobs. Regardless of political leanings, people in general don’t like AI, while businesses as entities are increasingly forcing it on their workers and clients.

‘This is the future’ — Amid blackouts, these Ukrainian mountain villages have green solution by Alessandra Hay. Russian attacks have decreased Ukraine’s electricity generation capacity to 33% of its prewar levels, according to government estimates. The severity of the damage and ensuing blackouts have exposed the weaknesses of centralized power infrastructure, accelerating the country’s push toward decentralized and renewable energy sources. (related: Surveillance risks and the TIDALWAVE report)

Let’s Keep Our Chomebooks from Fixit Clinic. (A new laptop? With RAM? In this economy? Hope to see you at Chromebook conversions in Hayward, California)

Linux CVE assignment process by Greg K-H. The Linux kernel developer community provides, for free, a constant feed of tested bugfixes in stable kernel releases for all to use. Attempting to pick and choose individual commits from that feed will cause systems to miss needed fixes, as well as create a system that no one has ever seen or tested and can not be supported by anyone else.

Big Business Has Pam Bondi Fire Trump’s Antitrust Chief by Matt Stoller. While the corruption was bad, it was done in parallel with Slater’s inability to actually get any results. Under her tenure, the Antitrust Division didn’t file a single new civil monopolization or merger case.

Vibe Coding Is Killing Open Source Software, Researchers Argue by Matthew Gault. Open-source projects rely on community support to survive. They’re collaborative projects where the people who use them give back, either in time, money, or knowledge, to help maintain the projects. Humans have to come in and fix bugs and maintain libraries. Vibe coders, according to these researchers, don’t give back.

In Digital Media Lost the Newsstand. Micropayments Are the Obvious Way Back, Rick Bruner makes the case for giving micropayments another try.

The internet has dramatically diversified reading patterns. In the print era, readers subscribed to a small, fixed set of publications constrained by geography, distribution, and cost. Today, thanks to search, aggregators, and social sharing, readers routinely consume journalism from dozens of sources in the course of a month, including international and niche publications that were previously inaccessible. This has expanded total news consumption while weakening the economic link between any individual reader and any individual publisher. As a result, large portions of valuable readership generate little or no direct revenue. Micropayments convert that fragmented, currently untapped demand into incremental revenue without undermining the subscription base.

And—like any other payments directly from readers—micropayments would be a multiplier for advertising, not an alternative.

In a marketplace increasingly distorted by bot activity and opaque platform reporting, micropayment histories give publishers a powerful, independent way to demonstrate the authenticity and engagement of their audience, strengthening their position with advertisers and supporting premium pricing.

The 404 Media team explains the value of a known human audience in We Need Your Email Address. Meanwhile, Subscription revenue is growing at big news publishers even as traffic shrinks, and that’s good news for legit sites—stuck in a struggle for ad budgets with Big Tech oligarchs who want to bury us in deepfakes, extreme right wing bullshit and AI slop until nobody trusts anybody.

Clay Shirky’s old argument against micropayments from 2003, based on mental transaction costs, doesn’t work so well any more. We know that micropayments can work because mobile games are a thing. Shirky was probably right for the micropayments of his day, but mobile game developers have figured out how to get people to spend money on in-app-purchases (IAP), by turning it into a two-step process.

• exchange real money for in-game coins—which feels like you’re not spending, just exchanging one currency for another.

• exchange in-game coins for an in-game asset—which feels like you’re not spending real money.

A brilliant cognitive trick that works in all kinds of games. Of course, it doesn’t work on everybody. Figure about half of adults play mobile games, and about 80 percent of those make an in-app purchase. But if the numbers for a pay by the article system were similar, that would result in enough payment records to enable an advertiser to tell a legit site—where somebody spends a coin every so often—apart from an AI slop site.

So it doesn’t seem like micropayments are necessarily unworkable⁠—⁠and with a powerful industry devoted to pushing misinformation and slop, legit content needs every human attention metric it can get—but the tricky part is how to introduce micropayments. Publishers look at their subscriber metrics and realize that a lot of subscribers read few enough stories that they would save a lot of money by canceling and using micropayments instead.

It might be better to introduce publisher coins as a bonus feature for subscribers, then let them leak out to non-subscribers. Instead of saying that you get 5 gift articles per month, say a gift article is 20 coins and you get 100 free coins a month. Then open them up to more uses. Another good lesson from how mobile games handle IAP coins is that they hand out a few to non-buyers to help develop the habit. As part of a direct sold ad deal, legit sites could issue a stack of coins to legit advertisers, to hand out to customers, event visitors, and others.

Measuring marketing is already hard enough without a determined set of adversaries in the picture. And with Big Tech under pressure to obfuscate and enshittify every data flow, marketers will need to look harder for trustworthy information. Rick Bruner again:

ROI for most advertisers is falling in inverse proportion to Big Tech valuations going up. Advertisers are steadily paying more for less ROI, and Google, Meta, and Amazon are laughing all the way to the blockchain.

If there is one thing marketers have even heard about causation — which, of course, is the ultimate point of advertising, causing consumers to buy your product who wouldn’t have otherwise — it is that correlation is not causation. But AI, you see, is nothing but correlation. Very fast and very sophisticated statistical inference. The fact remains that to truly know what is having an effect, you need to conduct a randomized experiment: subjects assigned at random to a test or control group, presented with an intervention where they are either treated or not with the stimulus of interest (the ad), and measured against the outcome of interest (incremental sales).

The fog of marketing

Unfortunately, legit sites are on a clock here. Right now the Big Tech companies are quietly pushing an in-browser advertising attribution tracking system through the World Wide Web Consortium (W3C). It’s a complicated proposal, technically, but it aims to centralize attribution measurement at one chokepoint per browser vendor, so we can safely predict what the attribution reports are going to look like. beep, boop, the optimal place to spend your ad money is . . . whatever Performance Max (or other Big Tech ML) says is the right place to spend your ad money. If any attribution tracking reports start to come out looking favorable to legit sites—and potentially costing Big Tech’s misinfo and slop operations billions—then management will just demand changes to code, policies, and personnel until the numbers come out the way they want.

The survival of legit sites depends on how quickly marketers can level up to stuff like rickcentralcontrolcom/geo-rct-methodology and not just dump money and customer data in to Big Tech and get conversions out. The problem with marketing today isn’t that marketers have gotten “too technical” and ignored the creative mystique or whatever—it’s that marketers are so afraid to look “non-technical” by asking the hard questions.

Anyway, just going back and reading this, Rick Bruner has scored a content marketing win here. Start people off thinking about micropayments, and that ends up leading to the question of how to figure out which sites are for real, in the presence of so many gatekeepers with an interest in pushing the wrong answers? (and destroying the legit economy and crushing democracy, but that’s another story).

Where micropayments systems can go from here

Right now a lot of sites have a lot of, let’s just say malarkey to get through before seeing the actual page.

• “consent” dialogs (which don’t get real consent anyway, as Prof. Daniel Solove explains)

• Email newsletter signups

• Prompts to allow notifications

• Sign in with (company name here)

A micropayment platform that can either eliminate those or act as a front end for them, to consolidate on zero or one roadblock to get through before reading, would be a user experience (and revenue) win. Piling another thing to click onto already long-suffering users is not the way to get people back to the web. More: time to sharpen your pencils, people

Bonus links

What’s next for Chinese open-source AI by Caiwei Chen. The adoption of Chinese models is picking up in Silicon Valley, too. Martin Casado, a general partner at Andreessen Horowitz, has put a number on it: Among startups pitching with open-source stacks, there’s about an 80% chance they’re running on Chinese open models…. (related: Please Don’t Say Mean Things about the AI That I Just Invested a Billion Dollars In, generative ai antimoats)

Why the World Is Drawing a Line on Social Media for Kids by Jon Haidt. (As far as I know, teens in Australia can still make GitHub and Wikipedia accounts. How did they manage to slice the definition of “social media”?)

EU Parliament blocks AI features over cyber, privacy fears by Ellen O’Regan and Max Griera. The latest move to switch off AI tools concerns built-in features like writing and summarizing assistants, enhanced virtual assistants and webpage summaries in both tablets and phones, an EU official said, granted anonymity to disclose details of the security policy.

Journalism Is Dead. Long Live Journalism by Rebecca Solnit. Silicon Valley created and abets this chaos, both by undermining the financial basis for traditional news by siphoning away its advertising revenue and audiences, and by creating tools and platforms where, over and over, from Facebook to Substack, the bosses insist they are defending free speech by not filtering out dangerous disinformation and hate speech.

EPIC Crafts 2026 Model Bill to Bolster Age-Appropriate Design Code Laws by Austin Jenkins. EPIC, which filed an amicus brief in the California case, said its model bill was carefully designed to avoid First Amendment issues and was built off of Vermont’s law, which was passed last year after input from EPIC staff.

(Previously: Alameda Linux Installfest)

Who: People interested in digital freedom on a budget

What: Chromebook conversion session

Where: StrayCap Multispace, 948 C St., Hayward, California

When: Saturday, February 21, 2026 noon-3pm

Why: A laptop that can be given away to people who need one? In this economy?

StrayCap Multispace is a new not-for-profit Makerspace in Hayward. They have hundreds of expired former school system Chromebooks. The hardware is working, but these laptops have passed their “Automatic Update Expiry” (AUE) date, and no longer receive Chrome OS updates.

Peter Mui from Fixit Clinic asks,

• How can we best re-purpose these in our communities to improve digital literacy, digital sovereignty, digital inclusion, digital equity?

• Depending on those use cases: which distro(s) work best?

• How much can we automate the installation and post-installation process?

Attendees will be welcome to take an ex-Chromebook home to experiment with, or more if you need them.

What to bring:

• Your normal installfest kit if you want

• Tool kit (if you have an electric screwdriver with small bits it will help—these things have a lot of screws.)

• USB drives with your favorite Linux distributions (x86-64)

RSVP so we can get a head count (select “2026-02-21 USA-CA-Hawyard ExChromebook Installfest at StrayCap Noon” from the pulldown menu.)

Why I’m optimistic about these

Most of the web sites that people really need to get to were designed when the hardware specs of these laptops were midrange. So these laptops will still work as laptops. LibreOffice hasn’t gotten any more resource-intensive, either. The cheat code to make these things useful, I think, will be to set them up to not run all the extra surveillance code that has built up since they were new.

Back in 2015, Georgios Kontaxis and Monica Chew found a 44% median reduction in page load time and 39% reduction in data usage when turning on a Firefox tracking protection feature—Tracking Protection in Firefox For Privacy and Performance—and the surveillance advertising overhead has gotten worse over the years since then.

With a little tweaking, I’m optimistic that I can double the effective specs of these machines by blocking the surveillance ads. Code that you choose not to run is the most efficient code. As a side effect, people who have a properly set up ad blocker are more engaged with the web, and are more satisfied with the products and services they buy, and happier in general. Yes, “engagement” can sometimes mean “mental rat hole” so I’m going to be sure to set these up with the cleaned-up version of YouTube so people can watch a video someone sends them without getting sucked into whatever The Algorithm wants to suck them into.

Most people aren’t going to be worried about ad blocking as free riding. Even everyone’s favorite subscription-based crossword puzzle site has ad blocker recommendations now. (More: B L O C K in the U S A)

Anyway, hope to see you in Hayward.

Bonus links

California’s Consumer Privacy Act (CCPA) Assists a Private Right of Action-Shah v. MyFitnessPal by Eric Goldman. (Some more good news from the California courts. Top-down privacy regulation isn’t enough. Juries have more common sense about surveilance norms than state bureaucrats do.)

Article: The Fallen Apple by Matt Gemmell. Tim Cook is giving up his reputation in order to preserve not the company or its people, but rather the stock price. Is that noble? I’m sure that it’s seen as such in the context of American capitalism, but Cook at this point is so utterly contaminated and compromised that I think it’ll be as much of a relief to the man himself as to Apple’s employees when he finally bows out after weathering the remainder of this darkest chapter in modern US history. If, indeed, that chapter does come to an end on schedule. (When buying new IT products means supporting the autogolpe, retrocomputing becomes a patriotic duty)

The TIDALWAVE report from The Heritage Foundation is out.

TIDALWAVE is a progressive Artificial Intelligence–enabled model and computer simulation to simulate a protracted conflict between the U.S. and the People’s Republic of China (PRC). TIDALWAVE identifies gaps and deficiencies and corresponding solutions to resolve anticipated shortfalls in our ability to project and sustain the joint force and to exploit adversary vulnerabilities in order to deplete their ability to conduct military operations.

If we do get into a war, we run out of missiles and torpedoes, real fast.

U.S. munitions inventories, particularly for critical long-range precision-guided munitions (LR-PGMs) and heavyweight torpedoes, are almost certainly insufficient to meet the consumption rates projected for any high-intensity conflict.

Meanwhile, the PRC is rapidly growing manufacturing, but has to import more and more of their oil. So they’re building the biggest, cheapest electric grid they can, as fast as possible (using coal, solar, whatever) which will leave them with more fuel for ships and aircraft. The relative position of the two sides is shifting toward the PRC.

And the report leaves out an important vulnerability for the USA. TIDALWAVE was done using the big, famous LLMs, which might help explain that. A real weak point of LLMs seems to be in generating output about relationships between facts that are connected in some way, but that people talk about using different terminology. And the connection between privacy issues and national security is fundamental but, because defense writers and privacy writers use different words, the LLM is going to miss something.

The manufacturing and cargo handling workers responsible for making all that high-tech ordnance and getting it to where it’s needed are not numerous, and each person has a lot of hard-to-replace know-how. And usually each worker spends a significant fraction of their day in a vehicle with a mobile phone and a license plate.

An adversary can assemble cheap, lethal drones inside the USA, and target the key defense workers, on their commute or at home, using commercially available products and services, from location tracking to SIM cards. Or, if the adversary has a few agents working at certain companies, they get the targeting data free with no paper trail. Some adversary countries are probably trying both ways.

The report points out that Hydroxyl-Terminated Polybutadiene (HTPB) is a critical material for the rocket motors used in missiles. If a defense plant were able to hire a replacement for a manufacturing worker, would they know what to do with a shipment of HTPB if they were able to get one? Raytheon needed to bring back retirees to teach new workers how to build a Stinger missile. But instead of protecting key personnel from targeting, we have a whole industry based on collecting, selling, and sharing personal data. Technically we have a Protecting Americans’ Data from Foreign Adversaries Act (PADFA) and the FTC has been warning Data Brokers about complying with it, but it’s nowhere near enough.

• Hiding company ownership is feasible. We don’t know which businesses here are really “entities controlled by a foreign adversary country.”

• Employees and service providers of a data broker may be foreign adversary controlled even if, on paper, the data broker company is not. (How many employees of the Big Tech companies are non-official cover agents of the PRC?)

A drone raid (think Operation Spiderweb, but targeting individuals using mobile tracking data instead of targeting aircraft using airbase maps, and with more advanced drones) would be relatively easy to pull off in an unprepared USA on the first day of the war, and—for a while anyway—the attacker could keep it deniable. Yes, in the long run, historians will figure out who was responsible, but in today’s media environment the USA could be tricked into blaming someone else for long enough to confuse everybody.

• Throw some money and realistic support at actual terrorist groups that would loudly claim responsibility. Rely on elected officials in the USA to brag on success and amplify the story.

• Run a campaign of good fake videos and influencer content for fake stories.

• Release bad, obvious AI, fakes similar to whatever real evidence gets out, rely on genuine well-intentioned debunkers to create and amplify the narrative that the real attack was fake.

What to do about it

Privacy laws, regulations, and private right of action are part of the survivability onion for defense assets. It is more important than ever to address the tension between the role claimed by US-based tech companies as “national champion” exporters, their roles as enablers of internal violence and data collection, and their role in adding to national security concerns. The same data processing that makes Big Tech so politically popular with the current administration, but less and less popular otherwise, is adding to national security risks that are harder and harder to address.

An expanded Daniel’s Law that covers military personnel and defense workers is going to be one step along the way. We also need more research and testing. The good news is that privacy tech is easier to adopt in a distributed way than other defensive measures. The US Navy, in exercises, successfully “destroyed” the fleet at Pearl Harbor in 1932 and 1938, but the knowledge didn’t prevent the real attack a few years later. Defending from a surveillance-enabled attack on defense workers is different, though, because the attack would rely on the same enabling technology as ordinary privacy violations. A strong private right of action for individuals, and a private right of action for employers to protect key personnel, would enable more incremental, case by case, upgrades to personal/national defense—without waiting for one large attack.

Bonus link

This Is Not Sparta by Sarah E. Bond.

(point of order for RSS users: I am re-writing the script that makes the main RSS feed on this blog. Now the feed content gets pulled from the built pages instead of making separate RSS entries from the source files. I wanted a script that would make a feed from any directory with HTML files in it, and now I have one. You shouldn’t see anything different but if you do please either let me know or just come back to it later. Thank you.)

In the news: California’s attorney general issues largest CCPA fine to date. On the surface, this is a predictable compliance story. Disney pulled a classic CCPA/CPRA compliance mistake—treating Global Privacy Control and other required opt-outs as a front-end ticket, and not updating the customer records to make an opt-out take effect everywhere that the customer and the company interact. To quote the regs,

If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted pursuant to Civil Code section 1798.120 for that browser or device, or, if known, for the consumer.

That means if Disney gets a GPC signal from a logged-in web user, that means a Do Not Sell or Share for that person, on all of the company’s sites, apps, CTV channels, theme parks, cruise ships, whatever. For a company with a lot of different products and services, that’s a big deal.

That’s not what’s in the news now, though. The new Final Judgment and Permanent Injunction covers taking one step toward compliance with the law. Lei He explains, in MAGIC MEETS COMPLIANCE: California AG Drops The Hammer On Disney, Securing The Largest CCPA Settlement Yet At $2.75 Million. The judgment applies to “DISNEY SERVICES” which is limited to “any website, application or online service…that COLLECT CONSUMER PERSONAL INFORMATION…” This is just about Internet stuff.

And Disney still has a bunch of customer interactions that aren’t covered. So we can expect more cases (from attorneys in private practice, too) over more of their lines of business. (Server-to-server tracking using event or conversions APIs, along with uploaded “custom audiences” are the obvious items to look for.)

Whistle while you work (on compliance tickets)

The most likely next step for Disney is the same one Sephora did after their settlement: hire a compliance project manager, who tends to be an expensive employee to have because anyone who is halfway decent at it will generate lots of lawyer billable hours and lots of to-do items for developers and IT staff. That would move Disney toward a different balance of “compliance taxes” with fines and settlements. Fines over compliance issues will still be a thing, because it’s not practical to keep all the compliance code and processes working at a manageable cost. If every compliance ticket is getting done, some revenue-positive work doesn’t get done.

But privacy fines are chump change, and Disney can afford to pay managers, developers, and lawyers. The real problem with the normal, compliance-tax-paying, way of doing things is that Disney would still be dumping their customer data to surveillance companies, where it gets used against them. Every dollar that a Disney customer loses to fraud, or wastes on deceptively sold goods, is a dollar they can’t spend at Disney.

Disney, as a company, has more common interests with its long-term fans than with the surveillance advertising business. They’re not the n^th fast fashion retailer on a fast-scrolling feed, they’re a destination. The surveillance advertising business needs Disney customer data more than Disney needs the surveillance advertising business. If Disney management wanted to think outside the box here, they could tell Big Tech, we’re on the customer’s side now. The new privacy policy is customer data flow is one way: inbound to Disney. And not only will we stop passing customer data, we’ll help our customers get protected from passing their info in other ways.

Yes, Disney would take a short-term hit to some lines of business by not “putting identifiers in the bidstream” (does anyone in adtech know how creepy this sounds?) but see the chart above. Intra-company synergy is valuable, paying a compliance tax for the right to burn your own assets and reputation is a dumb move.

(I’m probably going to post an update here in a little while when Disney has to do another privacy fine or settlement while continuing to have their work commoditized. The Surveillance Advertising Bro Code is still more powerful than corporate self-interest.)

Bonus links

Democratization of Danger: Preserving Liberty and Human Agency in the Age of Super-Empowered Individuals — OODAloop by David Bray. As we stand in 2026 and look toward the decade ahead, we are witnessing the rise of the super-empowered individual. This is a world where a hobbyist can weaponize a commercial drone, where accessible gene-editing tools can resurrect historical pathogens, or where coordinated attacks can cripple power grids. Personal robots, autonomous machines that can navigate our streets, enter our buildings, and interact with our physical world, are arriving rapidly and will amplify these risks even further.

Communities are not fungible by JA Westenberg. When a platform migrates its user base to a new architecture, the implicit promise is that the community will survive the move. When a city demolishes a public housing block and offers residents vouchers for market-rate apartments across town, the implicit promise is that they’ll rebuild what they had. These promises are always broken, and the people making them either don’t understand why, or they’re relying on the rest of us being too blind to see it.

Is NearlyFreeSpeech.NET anti-AI? It’s complicated. It’s certainly understandable why it might come across that way. We are, rather notoriously, anti-stupidity. And we’re anti-exploitation. And we’re not super fond of bullshit.

Have I hardened against LLMs? by Baldur Bjarnason. What’s hardened are my views on the tech industry, software, management, and influential members of the software developer ecosystem.

When AdTech Misrepresent Their Own A/B Tests by Florian Teschner. Treat platform “A/B tests” with skepticism: When Google or Meta say they’ll run an A/B test, assume it’s observational analysis unless they specifically confirm proper randomization. Don’t rely on these results for high-stakes decisions.

In Speaking Out, Brian Jacobs says it’s time to speak out.

We should be asking the platforms, and their representatives at the IAB (also on stage at LEAD) questions around content and regulations whenever we get the chance, and especially at our industry’s top events. Not to do so is to avoid responsibility; to be complicit.

And he covers some recent news from the advertising duopoly. The kind of thing that the advertiser who send their money to the Big Tech companies should be asking about.

• The Meta scam ad situation and the Molly Russell story.

• YouTube’s latest attempt to block third-party measurement (icymi: YouTube criticised after pulling out of UK TV audience measurement)

But raising a stink about this stuff might not be speaking truth to power so much as pointing out flaws in something that’s already precarious. Google and Meta already have about half the ad money, but advertising grows about as fast as the economy does, and investors expect Google and Meta to keep growing at double-digit rates. The flood of decisions to keep doing more crimes, faster, is sounding more and more like desperation. What if the “content and regulation” issues are part of an increasingly frantic scramble for short-term revenue?

META’s Security Policy Manager, Rita Amin, said that the extent of revenues from scam ads had been exaggerated, without being pushed to explain what they were planning on doing with the $4bn or so admitted to (it seems unlikely any will be going to the vulnerable suffering from the worst excesses on their platforms).

But it’s not four billion, or ten billion, or sixteen, or whatever. Meta ads are based on an internal auction, so the extra scam bidders drive up the price for every advertiser. I’m sure that Meta has an internal simulation where they can re-run some impressions without the scammers in the mix, so they know how much extra they’re pulling in from each big agency because the scammers are present. And I’m pretty sure that it will come out in discovery at some point. There’s too much money at stake for a class action to not happen.if someone made a Groklaw-like site for that case it would be like an advanced class in market design—I would subscribe.

While Meta tweaks their system to get more money from advertisers, and displays a creepy need to keep up teenage usage, Google’s metrics hacks are a scheme to work the other side, and pay out less to content creators. Stars tend to emerge in any entertainment medium, but fame means a person can build market power and the ability to negotiate a bigger piece of the action. So an algorithmic feed can tweak what users see to prevent stars from emerging and capture a bigger share of revenue from commoditized content. But that only works if YouTube can stay undifferentiated, and not let advertisers and rising stars see each other. This measurement blocking is the kind of shenanigans they wouldn’t have to pull if they were getting a fair piece of the action from a fair deal between advertiser and YouTuber.

With all this stuff going on, at some point, the cost of getting a new customer using Google and/or Meta gets to be unsustainable, so agencies and brands have to come up with something else. Starting by telling the truth about today’s issues can’t hurt.

Bonus links

The Software Sovereignty Scale by Dries Buytaert. However, I think “Buy European” gets one thing right and one thing wrong. It’s right that Europe benefits from a stronger technology industry. But buying European does not guarantee sovereignty….The right question to ask about any technology: can someone take the software away from me?

ICE activity is pushing readers to nonprofit news sites that cover immigrant communities By Joshua Benton. In October, the biggest percentage increase in traffic any site saw was at NepYork, a site that covers the Nepali community in New York City, where visits skyrocketed from around 20,000 to 289,000. (ICE deportations of Nepali citizens have been on the rise.)

A Taxonomy of the Broligarchs by Alison Taylor. (I would classify some of the “pragmatists” as CEOs who started out as dogmatic union-busters, then accumulated the rest of the package later.)

From the Canadian Anti-Monopoly Project (CAMP): World of Scams: The Fraud Problem at the Heart of Online Advertising. The body of the report is an excellent summary of the fraud crisis. For those who read Mark Ritson’s Martin Lewis shouldn’t be alone in calling out Meta’s lucrative scam ads and want to catch up and see how bad it is, this is a good place to start. Consumers are the direct victims of the shift to a low-trust economy driven by Big Tech, but legit businesses suffer, too. The CAMP report explains:

Scams also represent an unnecessary tax on advertisers that depend on these platforms to reach their customers. Ad fraud, where fake users and websites extract money from real firms, cheats businesses, distorts markets, drives down revenues for legitimate publishers, and can be used to fund fraudulent activity. Because online advertising monopolies often represent both sides of the market, they can control the flow of information to both buyers and sellers of advertising. As a result, advertisers are given opaque information on audience quality and forced to compete with fraudsters who flood the market and hijack brand identities.

No wonder that at one recent conference, the top advice for students interested in marketing was to “pursue an electrician career” insteadI wish I had better news on the whole quit marketing and become an electrician thing. So what to do about it? CAMP has some doable policy recommendations, including:

• Make the liability situation clear. Fortunately, in the USA, we have state wiretapping laws such as CIPA that give scam victims a sound legal footing to go after Big Tech and their enablers. For Canada, CAMP points out Singapore’s Shared Responsibility Framework and Australia’s Scams Prevention Framework as possible examples.

• Change ad libraries to make scam ads harder to hide. As the Social Media Lab at Toronto Metropolitan University points out, Meta’s Ad Library enables scam advertisers to switch out ad creative and make campaigns disappear. CAMP suggests an archival requirement, but a bunch of other fixes are needed, too. (More: some ways that Facebook ads are optimized for deceptive advertising Google also has a bunch of sneaky features in their “Ads Transparency Center” that need fixing.)

The catch with most of this stuff is that scams and privacy harms perpetrated against users are generally downstream of some kind of scheme to cheat advertisers. If Canada (and US state legislators) can take some basic steps to protect small businesses, they can squeeze out a lot of the privacy issues as a side effect. More: a privacy law shortcut

Bonus links

Zombie Pipeline: Why Sable is Still a Pipe Dream by Till Daldrup and Jacob Hutt. (Good example of why we need both State and Federal laws. And yes, all the “preempt state privacy laws” lobbying needs to be postponed until at least 2029.)

We all live in Jeffrey Epstein’s world by Carole Cadwalladr. It’s not just Epstein. That’s what these files reveal. Epstein is communicating with hundreds of men in these millions of pages. Men from every country and power structure: US finance, petrodollar royalty, Russian oligarchy, Hollywood, Palo Alto, Washington, Westminster. Related: Crypto Bros Nauseated After Realizing Bitcoin Itself Was Funded by Jeffrey Epstein by Joe Wilkins

The hottest job in tech: Writing words by Amanda Hoover. Tech companies are hiring writers, editors, chief communications officers who work closely with CEOs, and so-called “storytellers.” The Wall Street Journal recently reported that the percentage of job postings on LinkedIn mentioning “storyteller” doubled between 2024 to 2025.

In Thinking Small, George Tannenbaum asks,

But what small acts can we do that will have big impact? What small, daily behaviors can we begin that will have big impact?

We can’t not pay tax like Thoreau did to protest Polk’s Mexican war. Tax is taken from us automatically.

How do you fight their power?

What small thing can we do for outsized impact?

Good question.

In way, though, there are two taxes that you can still evade. The Big Tech ad duopoly makes more money from ads that they can represent as “personalized.”

So one small act is to put a fine on them. Do what John Oliver suggests in Make yourself less valuable to Meta. Turn off the Facebook and Instagram features that enable cross-context ad personalization.

Then do a similar task for the Google ads: Click this to buy better stuff and be happier.

How much will this cost them? Depends how much your eyeballs are worth on the internal auction. Rough estimate is that if you live in the USA, ads targeting you are costing about $100 per month, and the duopoly gets about half. Studies of “open web” advertising tend to show that personalized ads go for about half what the non-personalized ones do—and if that applies to the inscrutable internal systems at the duopoly, that means if you do both tips you’re costing the two companies half of half of $100, so about $25/month. So it’s not nothing. Might be more or less. As a bonus, these tips will probably not just cost the Big Tech central planners and their politicians some money, doing these will make you better off by helping to avoid scams.

As far as daily actions go, more of this kind of “tax evasion” can be found in a good privacy checklist article such as Opt Out October: Daily Tips to Protect Your Privacy and Security from EFF, in The Big Tech Walkout 2025 from The Rebel Blog, and in my effective privacy tips. (My list is ordered by my best guesses on biggest business impact.)

Bonus links

The Tech Elites in the Epstein Files by Brian Barrett. To be clear, a name appearing in the Epstein files does not mean that person has committed any kind of crime….Even so, the files reveal just how intertwined Epstein’s network was with the tech industry—even years after his 2008 guilty plea for solicitation of prostitution and of procurement of minors to engage in prostitution. (and while Brin and Page party with Jeffrey Epstein, NGOs and reporters do their quality control. Nudify app proliferation shows naked ambition of Apple and Google by O’Ryan Johnson.)

A letter to the 300 axed Washington Post staffers from Carole Cadwalladr We’re only four months in and it could all go horribly wrong but speaking personally I don’t care. The world is on fire. The entire media industry is a shitshow. And the only interesting, impactful thing to do in this moment, I believe, is to be bold and brave and to try something new. (ICYMI: Revealed: Palantir deals with UK government amount to at least £670m – including £15m contract with nuclear weapons agency)

Ditching bike helmets laws better for health by Chris Rissel. We didn’t see the kind of marked reduction in head injury rates that would be expected with the rapid increase in helmet use. In fact, any reductions in injuries may simply have been the result of having fewer cyclists on the road and therefore fewer people exposed to the risk of head injuries.

Everyone is stealing TV by Janko Roettgers. SuperBox and its main competitor, vSeeBox, are gaining in popularity as consumers get fed up with what TV has become: Pay TV bundles are incredibly expensive, streaming services are costlier every year, and you need to sign up for multiple services just to catch your favorite sports team every time they play.

Firefox 148 Will Let You Block All Built-In AI Features by Arthur Kay. For users who want a clean, distraction-free browser, there will be a single toggle labeled “Block AI enhancements” that shuts everything off in one step.

The Scam Ad Machine from Gen Threat Labs. Over a 23-day period, Gen Threat Labs analyzed 14.5 million ads running on Meta platforms across the EU and UK, representing more than 10.7 billion impressions. Nearly one in three of those ads (30.99%) pointed to a scam, phishing or malware link. In total, scam ads generated more than 300 million impressions in less than a month.

The Dumbest Thing I’ve Seen This Week by Physicsmatt. I’m going to spend most of my time on the cooling issue, because that’s the real “what the fuck are you thinking” issue. I’m go through the others quickly, in part because they touch on issues I’m not as qualified to speak about. But again, if you’re goal is to put a GPU farm in orbit and have it turn on, all of these issues can be defeated via the power of giant piles of money. So none of this is saying you can’t build a datacenter in orbit. I just want to point out physical limitations that make it really questionable to me as to why you’d view this as a solution to anything.

Books as signifiers, the paradox of tolerance, and Nazi bars by Baldur Bjarnason. For a moment, I genuinely thought somebody had mocked up a fake manuscript with the most dreadful clichés they could think of just to get a rise out of me, no, it was real. More: ‘AI’ is a dick move, redux

A Man Bought Meta’s AI Glasses, and Ended Up Wandering the Desert in Search of Aliens by Maggie Harrison Dupré. (Now it’s clear that the woman who busted that dude’s Meta glasses on the New York City subway was doing him a favor.)

I said I was going to write a Rewarded Interest fan post, so here it is. Rewarded Interest is a Google Chrome extension that does some useful stuff.

• Automate consent preferences

• Earn rewards

• Get personalized ads

Personalized ads? Yes. Privacy nerds and adtech people have strong opinions about whether people prefer personalized ads to purely contextual ads, and most of those opinions are wrong. Research consistently shows that some people want personalized ads, and are willing to share personal info to get them, while other people don’t. A single satisfactory default is impossible. It’s like “Natural Scrolling” on a touchpad. Some people expect it to work one direction, some people expect it to work the other direction, and even though developers would certainly want to make it work just one way and only have to maintain one version, they have to offer a choice.

I’m a Rewarded Interest fan even though I’m not their target user. Personally, I have done enough overthinking of the issue that I now consider personalized advertising to be a risk to individuals and a blight on the economy, and I think we’d be better off on average if personalizing ads was just banned. But not everyone thinks like I do. If you post about these issues often enough there will always be some guy in the comment section who is all like, if the ads weren’t accurately personalized to me I would get maxipad adsdude, what’s the big deal? they’re like big Band-Aids™ and I really don’t want that. There is a subset of people who actually want whatever ads they get to be personalized. The challenge is how to give those people what they want while imposing as little cost and risk as possible on everybody else.

And Rewarded Interest has figured it out. Rewarded Interest enables Google Chrome users to pass an identifier called the CMAID, which is compatible with the OpenRTB industry standard. CMAID “follows you” from site to site like an old-fashioned third-party cookie, but is stable and doesn’t require “cookie syncs” and other overhead. And because Rewarded Interest is compatible with all the adtech companies already using OpenRTB, it enables web publishers to get better remuneration for the ads on their sites and doesn’t raise antitrust issues the way that personalization built into the browser does. The company even says they’ll start paying users a share of the revenue from ad campaigns that pay to use the CMAID.

Best of all, a person who doesn’t deliberately install Rewarded Interest isn’t affected, and a person who changes their mind (like if they think they’re getting higher prices along with the higher-end ads) can remove Rewarded Interest easily.

Rewarded Interest may be the first example of cross-context ad personalization that isn’t based on hiding or misrepresenting the tracking system, or badgering people into it. In a way, it’s a thing of beauty. People who want it can install it and, in effect, say, “here’s my code, scan me!” I used to ask adtech fans, if people like personalized ads so much, why are there so many privacy extensions and no extensions to make you more trackable online? And now I can stop asking that, because here it is.

One piece of customer research that doesn’t get done enough is trying to figure out if your target customers are privacy people or personalizers. As more brands figure it out, some marketers will likely decide to use Rewarded Interest as the right tool for reaching their intended audience, and some won’t. If we learned anything from the whole Google “Privacy Sandbox” saga it’s that trying to come up with one system for everyone will turn out too creepy for the privacy people and too noisy for the personalizers.

Anyway, I’m not planning to be a regular user of Rewarded Interest in my normal browser, but I will keep a Google Chrome profile with it installed. Sometimes you need a cigar bar for the the cigar aficionados and a no-smoking area for those who don’t want to put up with smoke—trying to get both groups to start vaping will make nobody happy.

Related

realistically get rid of third-party cookies

Can database marketing sell itself to the people in the database?

why privacy-enhancing advertising technologies failed

Bonus links

As the nation’s eyes turn to Minneapolis, they’re also turning to Minnesota Public Radio By Joshua Benton. Long one of the strongest public media outlets in the country, MPR has reached new traffic highs amid the ICE raids and protests there.

The job losses are real — but the AI excuse is fake by David Gerard. Even the most mainstream financial press is starting to admit that claiming your layoffs are AI at work is a fake excuse to sound good to investors.

Microsoft’s Quiet Exodus: Why Enterprise Developers Are Abandoning Windows for Linux Workstations by Dave Ritchie. According to analysis from HimTheDev, developers cite performance issues, workflow friction, and the growing dominance of cloud-native development as primary drivers. The article documents how Windows Subsystem for Linux (WSL), initially created as a bridge to keep developers on Windows, has paradoxically become a gateway drug to full Linux adoption.