Bob Sullivan

One click, 1,000 spies – Debugger podcast: The Third-party Problem No One is Talking About

This is a transcript from The Debugger podcast of Bob Sullivan found on The Red Tape Chronicles

Apple’s ad is an all-too-real demonstration

I like a good challenge as a storyteller.  And let me tell you, making “third-party code” sound sexy is a challenge.  But that recent Apple ad showing an army of people following a cell phone user around, cataloging his every move — well, that’s real.  It’s hard to believe, but the commercial actually understates the problem.

Every day, with every click you make and every app you swipe, a virtual army of companies you’ve never heard of are tracking you.  Their 1×1 pixels and browser fingerprints lurk in every corner of the Internet, privacy landmines vacuuming up data about every aspect of your life.

I know you’ve heard this before, and I’ll bet you assume companies like Facebook and Google are tracking you to this degree — but you probably don’t realize, or don’t think about, the hundreds of small companies that attach themselves to name-brand websites like CNN.com which track you in the same way.

Why do they do that? So later, the billions of pieces of information collected about us can be married to billions of dollars being spent trying to get our attention.  Over and over and over: a mindless search for anxiety medicine or sexual dysfunction is auctioned off to the highest bidder, and shared with thousands of other firms. The result? A gigantic one-way mirror that not only intrudes on our most intimate thoughts but logs them forever, making them easy prey for murky data brokers and creepy hackers alike. For the rest of Internet time.

That’s what this podcast is about.  The Internet has a third-party problem — a number of third-party problems, really — and it’s time we talked about them.

To help me with this storytelling problem, I’ve enlisted the help of some real experts for this podcast — including Jeff Orlowski, director of the hit Netflix docu-drama The Social Dilemma. Orlowski certainly succeeded in making technology and privacy conflicts sexy. Also, you’ll hear from Chris Olson of The Media Trust; Jason Kint from Digital Content Next; and Jolynn Dellinger from Duke University. Debugger is brought to you by Duke University’s Sanford School of Public Policy and the Kenan Institute for Ethics.


Podcast Transcript

INTRODUCTION:

Chris Olson: Imagine this: it’s the beginning of Spring, and you’re excited to begin a long-needed home renovation project. You select Bob, a trusted and well-known contractor.

On the first day, Bob shows up with a handful of subcontractors, many of them expected. But as the days wear on, the number of subcontractors grows substantially, several of them questionable in need, skill, and character. Even if you fire the bad ones, new ones appear. By the end of the following week, your property is littered with trash, the newly installed toilets aren’t working, and things are starting to go missing—silverware, jewelry, and even a painting.

By the end of the month, the unvetted subcontractors that Bob brought to your home are knocking on your door daily trying to sell you things. Even worse, they’ve sold your address to others who are also calling on you with unrelated offers. It’s clear that Bob hasn’t done a great job vetting his subcontractors ….

BOB SULLIVAN: Welcome to Debugger, a podcast where we ask the big questions about technology. It’s brought to you by Duke University’s Sanford School of Public Policy and the Kenan Institute for Ethics. I’m your host, Bob Sullivan. And we begin with that extended metaphor because today we’re going to talk about how web pages are built.  Sort of.

BOB : You’re not going to believe this but….most of the time you are visiting websites or firing up apps on your phone, you aren’t visiting the company you *think* you are.  Really.  Imagine if you were at the mall, and you walked into a Macy’s to buy some shoes….but the second you stepped in, you weren’t *really* at Macy’s. You were really at Ace’s Gender Information Collection Company. And Bob’s Income Estimators Inc. And Charlie’s One Stop Shop for Likely Diabetics. Pretty soon I’m going to run out of the alphabet here.  There might be hundreds of others.

That’s what your life as a consumer is really like. Really.  Just one example: When you visit a site like CNN, you imagine you are getting information from CNN…FROM a bunch of computers sitting somewhere in the CNN center in Atlanta, or at least controlled by someone in the CNN Center in Atlanta.

BOB : But when I visited CNN.com just now, I was really visiting….Outbrain. And Bounce Exchange. And Integral Ad Science. And Salesforce. And Onetag. And Sourcepoint. And appnexus. [speeding up] And the Rubicon Project. And Criteo. And Quantcast International. And Nati. And Acxiom. And the Trade Desk.  And Sharethrough Inc.  And Oracle.  And Pubmatic Inc. And Mediamath. [Can barely make it out here] And RTL Group. And Openx software. And dyonomi. And Rhytmone. And Iponweb. And Openxsoftware. And Zeta Global.

BOB : And you thought you were just getting some headlines and checking on your stocks.

BOB : You might not have heard of any of these companies, but they sure have heard of you.  In fact every one of these companies knows you really well, maybe better than you know yourself, thanks to all these opportunities they get to learn about you.  But if you haven’t heard of them, don’t feel bad.  Most of the people who work for the brand-name websites you *think* you are visiting probably haven’t heard of them, either. Fully 90% — maybe more! — of the computer code that lands on your computer when you open up a website *isn’t* written by people at that website.  It comes from third party companies, like the ones I just listed. THAT…is how web pages are built. One strange company you’ve never heard of before at a time. 

As you might imagine, that’s a big risk for the brand-name companies you *think* you are visiting, like CNN as it would be for that imaginary construction company at the beginning of this podcast. Chris Olson runs a company named The Media Trust, which tries to help companies deal with this third-party risk. That was him reading the opening metaphor about housing contractors. But in real life…real, virtual life…it’s his job to protect companies from getting in bed with the wrong sub-contractors.  And he’s … seen a lot of things. The world he works in is….amazing. Here, he tries to explain the morass to me.

Bob: One of the first things you said, which I think would surprise most listeners, is that you help digital companies maintain control of their websites, their digital assets. How did they lose control of them?

Chris: Great question. When you go you as a consumer, you visit a website or an app, what renders on your device, it’s not what you see that that is rendering on your device, but really the backend of that website, all of the source code. … The place where control all has been lost and it’s almost in its entirety, um, uh, for most companies, is that 20 years, 20%, roughly of all of the source code that rendered on you was third or fourth or fifth party.

The transition and where control has been lost is that that 20% of third fourth party is now 90 95 on news or information websites.

It’s often 98 or 99% of what actually renders on the consumer. The application security teams remain the same. Meaning, they still cover the owned and operated portion of the consumer’s device experience. Um, but that leaves roughly 90 to 95% open to thousands of third parties that are looking to gain access to the consumer.

So that, that idea of third-party code, is where the control has been lost and really where that battle, I think is, is, is really raging today.

Bob: Uh, this sounds crazy. 99% of the stuff that’s on a webpage. I look at when I go to look at a major news site is written by somebody else?

Chris: The source code.

BOB : So, let’s talk about what I think of as the third-party problem. Actually, on the Internet, you have a lot of third-party problems.  Third party code can be behind all kinds of malicious attacks — ransomware for example – and we’ll talk about those in future episodes. But today we’re going to talk about third-party tracking, just to illustrate the problem.  You think you are visiting CutePuppies.com, but you are really getting code from Secretive Data Collection Inc. on your computer.  You think you are buying from Groceries.com, but you are really telling BigPharma Inc. how likely it is that you are a diabetic.  You think you have a relationship with CNN, when you really have a relationship — a rather one-sided relationship — with Acxiom and all the rest. Every day, with every click, or every smartphone swipe, you are letting hundreds and hundreds of strange subcontractors into your life, into your digital home. And you have no idea who they are.

BOB : Of course, companies aren’t invading your space like this for fun. They’re doing it for data.  The Web is awash in mysterious companies that sneak onto your laptops and smartphones, watching your every move.

BOB : At this point, you might be thinking, ‘the joke is on them.’ You’re just reading stories with headlines like “29 Optical Illusions to Kill Time” or “Dealing with cat depression.”  Who cares?  Well, these companies don’t just follow your click-trail around CNN. They follow you all over the web. Your next click, and your next, and your next, building an ever more detailed profile about you.

BOB : They do this by implementing a series of trackers. Not just cookies, which you might have heard of, but all kinds of hidden tracking tools. Browser fingerprints. 1×1 pixel images. MAC addresses.  All because the most essential element of all this data collection is that it can be tied back to you, specifically…your device, anyway.  The Electronic Frontier Foundation has called this a “One Way Mirror” and in a recent report, argued that trackers are hiding in nearly every corner of today’s Internet.  Placed there, like privacy land mines, by companies you’ve never heard of.  The only time you might become aware of their presence? When you get an ad that seems….just perfect for you.

BOB : Ever wonder why you get that ad for a power nap pillow (with pockets for your hands!) right as you’re about to nod off at your desk?  Jeff Orlowski, Director of The Social Dilemma has noticed this phenomenon.

JEFF ORLOWSKI: I’m no longer on Facebook. I stopped using it while making this film, but when I was on Facebook, I was a very, very heavy user of it. And I remember seeing countless cinematography tools being targeted.

Specifically to me, some that I actively bought and regretted purchasing some that were like terrible waste of money, but were effective at convincing me to buy them. Um, for me personally, the ads were effective. Um, there was a, there’s a skateboard thing that I saw that was like, it totally figured me out.

It knew that I was into adventurous sports. It was this one wheel, um, a skateboard platform. You could take it on trails, you could take it off road. It looked like a really fun thing. And then when they started showing me ads of using it as a cinematography platform, there were people in the ads like using it to get really awesome shots in places that you couldn’t get like it totally reverse engineered me and I freaking cracked.

Right. I bought the thing and I don’t use it ever anymore.

BOB : These ads appear thanks to a rapacious ecosystem fueled by thousands of companies and billions of dollars that relentlessly tracks you everywhere you go. At the visible part of this iceberg are companies like Google and Facebook, and the money they make from your data is…..incredible.  Google generates $183 billion in revenue annually — about $150 billion of that from advertising. That’s more money…just from showing ephemeral, digital ads, than General Motors generates from selling cars all over the world. And Facebook, well its annual revenue is $87 billion — nearly all of it, $84 billion is from ads.

BOB : But under the surface of this iceberg are thousands of third-party companies which are playing the same game. Tracking you.  Most of them would fit neatly under the broad descriptor of “data brokers.” And the obvious problem is that if you’ve never heard of them, you have no way of knowing what they know about you.  Whether it’s right or wrong, whether it’s hurting your ability to rent a home, or get a job, or even get a fair price.

JEFF O: And once again, it’s not the ads themselves that are the problem. It’s everything that incentivizes them, leads up to the need to show you that ad at that moment in time, you know, every time you do a search on Google, An auction is being run on you. There are 40,000 Google searches that happen every second.

So there are 40,000 auctions of human interaction happening every single second on Google. And the question is like, who’s willing to spend the most money to put something in front of your eyes right now, in that particular case, like those cinematography, platforms were the thing that, that people were spending money to get in front of me.

And that could be something used very innocently and innocuously to sell a product to me, or it could be something that is very maliciously being used to put a political ideology in front of me. Like it’s the same tools that do that same work. Um, and so it becomes an incredibly slippery slope.

BOB : 40,000 Google searches a second….all generating ads hand-picked….or AI picked…for you.  It sounds almost nonsensical, that there is a place in the world where the billions of pieces of information known and stored about us is married to the billions of dollars chasing our attention…well, there isn’t a place exactly, but there is a process. It’s called RTB, or real time bidding.  Estimates are that a billion times a day — a billion times a day! — all this data and all those dollars are thrown into a virtual trading floor and out comes …a lot of personalized ads.  As Privacy International puts it, “If you’re reading an article about erectile dysfunction, depression or self-harm, chances are high, that this will be broadcast to thousands of companies. If you’re booking a table at a restaurant, purchased an item at an online retailer, searched for a flight, or read the news, this will also likely be shared with ad exchanges.”  Your most intimate information, shared thousands of times per second, with thousands of companies, all in an effort to sell you a desk nap pillow.

BOB : Underneath all this is advertising technology — AdTech — that makes order out of this chaos.  There’s DSPs and SSPs and DMPs and CMPs….and…suffice to say that people who want to place ads use DSP software — demand side platforms — to bid on people and places they want to put ads, while publishers use SSPs — supply side platforms — to hawk their available ad inventory.  Each platform might talk to thousands of brands and websites, constantly, marrying desk nap pillows with tired, high income office workers.

And for this we let them know every click we make and every app we open?

CHRIS: I would say that maybe the easiest way for a consumer to just kind of come to the final answer. Is that we are at a stage now where every single individual’s experience on the world wide web is different than every other individual’s. Every experience you have is tailored to you. Everywhere wants to know you and everywhere wants to bring you back to something, whether it’s convincing you of an idea, um, having you buy other products and services making you stay there. So you click, click, click and drive more ad impressions, maybe a purely economic reason. Uh, that is the predominance of source code that is executing on everyone’s devices.

And right now society is looking at this saying all of those terrible companies are doing these, you know, these things. Well, it’s happening under all of our noses on our stuff. Right. I think those companies are geared toward delivering what we’re asking them to give. Um, and it’s just now that, that people are really sort of starting to say, no, wait, what, what’s the bigger impact of this.

BOB :  What’s the bigger impact of this? It’s incredible, the amount of companies involved in delivering this…”experience” … to you.

CHRIS: So essentially the ecosystem, um, has access to your device. And it’s bringing you things that make it money or that they think are interesting to you, basically, whatever it perceives to be the ideal experience, um, in context of dollars that they can make. Um, and at the same time, it’s learning all about you. So that happens when things like data management platforms run. Um, if you look at a large ad supported website, You may have 15 different data management platforms rendering on one page view because it’s not just the website’s DMP that’s arriving. It’s the DMP of each of the advertiser or the mechanism that brings the advertiser, the targeting mechanism, whatever that might be.

So lots of different data transactions are occurring. This is how the digital ecosystem learns about you. From there as you start to move different parts of that ecosystem have access to your behavior on the actual site. If you click on shoes, maybe only the website itself has access to know that you like shoes, maybe third parties know that you like shoes, right?

So that is one of the places where, um, the website owner or operators should know who’s on the site. What are they allowed to access? Why are they here? Right. So it’s in their best interest to have this, by the way, not just your best interest. I think from there, as you move through a purchase funnel on a retail site, all sorts of other, um, executions that are occurring as you run through, um, to the page, I would, I’d say that that’s very, um, important, um, is that most companies today that are on the digital ecosystem, meaning they have a website or an app, um, for all intents and purposes, are media companies, they just haven’t admitted it yet, or they haven’t figured it out yet. So if you’re a retail company, just like an ad supported newspaper right or a new site, or a social media platform, a significant part of your job and a major part of what executes on the consumer is you acting like a media company….more or less in real time

BOB :  One thing I think about a lot….despite all this technology, billions of dollars changing hands…I still often get what I call the worst ads ever designed in the history of advertising.  When I search online for a new drum kit, and then buy, I am then stalked by ads for that very drum kit…the one I just bought…for weeks, or longer.  What’s worse than an ad for something I just bought!!! I have a friend who recently posted that her dad had died more than 10 years ago, but still, she gets pummeled with ads for Father’s Day every year. You’d think this system which delivers personalized ads for everything, all the time….wouldn’t get things so wrong. 

I asked Jason Kint about this. He’s the CEO of Digital Content Next, a trade group that advocates for content companies. He’s also a frequent critic of Facebook and Google.

Bob: I mean, it’d be one thing if it was very, very effective, you know, maybe you could talk me into surrendering my privacy for that. But if people are just collecting all this data about me and storing it somewhere where it’s eventually gonna do no good it’ll be hacked or something. I mean, well, the ads I get still stink, that seems like a really bad bargain.

Jason Kint: It is a bad bargain. And I think it’s why you’re seeing both from policy changes. Yeah. And technology changes a shift towards what’s often called first-party data, but a shift towards data that’s being collected in the context of what the user’s trying to do at the moment, the site that they’re visiting the app that they’re using and that data being allowed as part of the experience.

Bob: Billions of dollars is being spent tracking me. And yet I still get really stupid ads. So what’s the explanation for that?

Jason Kint: I mean, it is one of the fallacies, I think, you know, in some way we have a whole generational change that has defined relevance based on, you know, based on the individual that’s being targeted and whether or not they’re going to click on the ad or respond to it in that moment in time.

Rather than, you know, we have centuries of research on, on advertising and, and relevancy is much broader than that. It can be done based on the context of the, the entertainment or the news you’re looking at. Right. Um, or it can be done on, you know, on the context of where your state of mind is at that moment.

And, you know, just trying to create some desire, demand for the advertiser’s product that may be actionable down the road. And so. This idea that, that we need this kind of third-party data from tracking in order to be relevant as is. I think it’s false. And I think the faster we get past that it actually will probably be good for the advertisers too, um, who have kind of moved down this stream of using digital advertising almost entirely for kind of performance-based media direct response.

The equivalent of junk mail in our mailbox rather than really shaping minds and creating desire for products. Like they, you know, they do on a lot of other means.

BOB: Okay. I have not heard someone say that before, and I think it’s quite brilliant. What we’re looking at is digital junk mail all the time.

Jason Kint: Yeah. It’s a lot of it is now. Within the video space, you know, there’s, there’s advertising that resembles almost the commercials on television that, that do make us stop and think and do create, you know, that that relationship or consideration of a brand that are more are more, um, than I think that equivalent to junk mail, but, but a lot of the impressions on the internet are entirely focused on getting somebody to convert…that’s where creative is lost

BOB:  Great!  We’ve spent perhaps trillions of dollars building the world’s most powerful data collection system, the universe’s best tool for slinging fake news around the world…all so we can fill our every waking second with digital junk mail from thousands of companies we’ve never heard of.  Human achievement unlocked!!!

But, there is hope. I’ve already said I think a lot of this problem stems from the third-party nature of these relationships. After all, if BigNews.com did something that pissed you off, you could just go to SecondBiggestNews.com’s website.  That’s capitalism. But if the real culprit is Spooky Data Broker Inc….and Spooky Data Broker Inc gets information from every news website…what is a consumer supposed to do?  That’s the difference between a first party and a third party relationship. But lately…there’s been a shift in the winds thanks to projects underway at Apple and Google.  They are both taking measures to insulate users from third party companies – Apple, by requiring that apps like Facebook now get explicit opt-in from users for some kinds of tracking… And Google with its program called Privacy Sandbox, which theoretically will prevent third-party cookies from stalking Chrome users.  Now, these projects are by no means perfect…people are rightly worried they will entrench Big Tech companies and give them even more power… but, at least they are getting people talking about the third-party problem, and that’s great.

BOB : But I don’t think it’s a great idea to rely on the largesse of two or three large tech companies to fix this problem.  If we want to get all these anonymous subcontractors swinging hammers out of our homes…I think we’re going to have to call the cops. We’re going to need a federal law, with teeth, that lets people take back control of who gets in their living rooms, and their hearts and minds. Here’s Duke University professor Jolynn Dellinger – we’ve heard from her a couple of times on Debugger

Jolynn: I will say I’d like to underscore that we do have a system that in my view has been tilted in favor of business. And companies for the past 20, some years, this notice and consent, each company basically makes its own decision about how it’s going to treat data and maybe, or maybe not gives you the option to opt out.

And I feel that’s one way to look at it. We’ve done that. We’ve tried that out now in my view with not great consequences. And so what about the idea of opt-in. What about if a company’s out there and they have a great idea and a million reasons why you should use their service or their product persuade us of that.

And then we’ll opt in and we’ll say, Oh, that sounds fun. I like to use that service. I think it’s possible that the internet won’t break. I think it’s possible that we won’t lose all innovators and technologists. I think maybe we will even find, I mean, there was a recent great article about. Uh, a company like the BBC, I think it’s called the NPO and another one’s that’s gotten rid of behavioral advertising.

It’s gone back to contextual advertising and their revenues went up. Right. And maybe that will happen. Um, maybe there are other ways there are other business models. There are other things that we could do that more accurately reflect. Our values as people. And that’s what I guess I just want to keep coming back to is all of this is choice.

Our legislation is choice. Our actions are choice, and we want to get back to a point where citizens are making choices and the more I’m surveilled and the more my data is collected and used in ways. I don’t understand the less choice and the less agency I have. And that’s what we have to rely on.

Keeping this stuff …human.

BOB : But before we go too far down the  ‘how do we fix this road,’ I think it’s worth spending some time better understanding how we got to this crazy situation in the first place. You know me, I love history lessons. So we’re going to dive into what I think might be the craziest history lesson of all, a story about where all these thousands of anonymous data collection companies come from.  We’re going to dive into the history of data brokers. It’s a dark, secretive tale.  I mean, what else would the history of data brokers be? That’s our next special feature, on Debugger. (And then, after that, we’ll talk about the risk to national security that data brokers pose….)

Listen in on The Red Tape Chronicles (link: https://redtape.substack.com/people/178647-bob-sullivan)

© 2021 Bob Sullivan.

Source:  https://redtape.substack.com/p/one-click-1000-spies