[Cryptography] Comey: targeted ads => plaintext access

Jerry Leichter leichter at lrw.com
Thu Sep 17 07:09:38 EDT 2015

> [Theoretical anonymous ad protocol]

> But why wouldn't the ad broker engage in a sibyl attack?  It's in
> his economic interest to know EXACTLY who's getting his ads, because
> that list of names/addresses is one of the things he sells.  In this
> era the consumer IS the product.
> Heck, he'll even serve up ads that prompt internet requests to his
> own servers to get one-pixel graphics just to see where the requests
> come from, if we don't give him an easier way to find out.

The "anonymous ad" protocol is an attempt to do what we often do in crypto:  Replace a straightforward protocol based on a trusted third party with some complicated protocol that does pretty much the same thing without trusting anyone.  It's always interesting from an intellectual point of view to do something of this sort; sometimes we learn something from the effort.  Whether it's of any practical interest is a whole other question.

Google today implements exactly such an "anonymous ad" protocol (though it's repeatedly misunderstood).  Advertisers buy the right to send their ads to people who match certain classes of descriptions; they provide the ads, Google forwards them to people who match the descriptions.  Google never provides information about the people to whom the ads have been sent.

Of course, nothing *in the technology* prevents an advertiser from using the tricks described to figure out who has received the ads.  But to do so would be to breach the contract Google has its advertisers sign, and if found out they would quickly be banned from the Google networks.  Google's pretty aggressive about enforcing this.  An advertiser could get away with it on a small scale, but it's unlikely they could do so for long at a scale that would make it worth their while.

You can argue about whether Google does this to maintain user privacy, or to keep their most valuable asset (the database of users and their characteristics) from walking out the door:  If an advertiser could get the contact information for those who match its ads, why bother placing more ads - just contact the people involved directly?  And of course even the privacy aspect can be seen "just as a way to keep people from complaining about what Google does" (though they do a remarkably poor job of explaining to people how this works).  Still, in the end, would you rather trust Google to do the right thing "just because that's what they do" or because their economic best interests align with what you want them to do?

Of course, Google's competitors do the same things, for the same reasons.  They all want to remain in the middle of interactions between their users and their advertisers, even though the advertisers would love to push them out.  You can even see analogous things - for similarly ambiguous and complex reasons - in Apple's App Store:  App sellers are given no information about their customers, and indeed are forbidden (on pain of quick banishment from the store) from initiating contacts with their customers or even providing any kind of direct pathway from customers back to them.  For example, apps can't provide a way to report problems directly back to their makers.

So ... if you replace one piece of the protocol (anonymity in sending the ads out) with an equivalent one with no TTP, it should come as no surprise that the existing "deanonymization" techniques continue to be available and will need a solution.  The existing solutions are all based on a TTP; whether there's some way to turn them with something with distributed/minimal trust is another fine (intellectual) crypto challenge....

                                                        -- Jerry
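The one-pixel-beacon trick in the quoted text is the kind of thing a broker's contract enforcement (the banning described above) has to catch in submitted creatives. The scanner below is an added illustration, not code from this post or from any ad network: it walks ad creative HTML and flags resources that would be fetched from hosts outside the broker's own serving domains, marking 1x1 or hidden images as likely tracking pixels. The broker host list and the sample creative are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed example: hosts the broker itself serves ad assets from.
BROKER_HOSTS = {"ads.example-broker.test", "cdn.example-broker.test"}


class _CreativeScanner(HTMLParser):
    """Collects resource loads that would reach a host outside the broker."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = allowed_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or a.get("href")
        if tag not in ("img", "iframe", "script", "link") or not src:
            return
        host = urlparse(src).hostname
        if host is None or host in self.allowed:
            return  # relative URL or broker-hosted asset: nothing leaves the broker
        reason = "external load"
        if tag == "img":
            w, h = (a.get("width") or ""), (a.get("height") or "")
            style = (a.get("style") or "").replace(" ", "").lower()
            if (w == "1" and h == "1") or "display:none" in style or "visibility:hidden" in style:
                reason = "likely tracking pixel"
        self.findings.append((tag, host, reason))


def scan_creative(html, allowed_hosts=BROKER_HOSTS):
    """Return (tag, host, reason) for every resource loaded from a non-broker host."""
    p = _CreativeScanner(allowed_hosts)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample creative: one legitimate banner plus a third-party beacon and script.
SAMPLE_CREATIVE = """
<div><img src="https://cdn.example-broker.test/banner123.png" width="300" height="250">
<img src="https://track.advertiser.test/p.gif?cid=42" width="1" height="1">
<script src="https://track.advertiser.test/fp.js"></script></div>
"""

if __name__ == "__main__":
    for finding in scan_creative(SAMPLE_CREATIVE):
        print(finding)
```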
