attentionmachine.org

The Attention Machine

← The Attention Machine

Advertising & Surveillance

The platforms are free. You are the product — in a more specific sense than the phrase usually suggests.

How to read this page. Tap any underlined word to see the precise academic term and a short definition. Expand any "Deeper" box for the evidence and contested points. The main text works on its own — you can skip both and still get the whole argument.

How it started

DoubleClick was founded in 1996 and began tracking users across websites using cookies — the first large-scale behavioural profiling of internet users for commercial purposes. In 1999, it acquired Abacus Direct, an offline data broker with records of real-world consumer purchases. Privacy advocates immediately raised alarm: combining anonymous online browsing with personally identifiable purchase history would create something qualitatively new. The FTC investigated and closed the file in 2001 without finding a violation.

Google acquired DoubleClick in 2007. By 2009, Google launched interest-based advertising — precisely the combination of online behaviour and identity profiling that advocates had warned about a decade earlier. The concern was documented, regulated, and then set aside. The industry grew.

Real-time bidding: the auction you never see

When you visit a website, an auction takes place in the time it takes the page to load — typically 100 milliseconds. Your behavioural profile is broadcast to hundreds of advertising companies simultaneously. They bid for the right to show you an ad. The winner's ad appears. The auction is complete before you have finished reading the headline.

This system is called real-time bidding (RTB). According to research by the Irish Council for Civil Liberties (ICCL), the average EU internet user has their data broadcast to advertisers 376 times per day. In the United States, the figure is 747 times per day. Not to the winning bidder. To all bidders — every company that receives the broadcast retains a copy of your profile data, regardless of whether they win the auction.

The Belgian Data Protection Authority and the Court of Justice of the European Union have found that RTB, as currently practised, likely violates the GDPR. The system continues to operate.

What the profile contains

The data broadcast in an RTB auction typically includes: your approximate location, the device you are using, the time and date, the site you are visiting, and — critically — your inferred characteristics. These are not facts about you. They are inferences drawn from your behaviour across thousands of sites over months and years: your likely income bracket, your health concerns, your political leanings, your relationship status, your anxieties.

×

Inferred data

Data you never provided, generated by predicting your attributes from your behaviour — for example inferring a health condition from the articles you read. Under European data-protection law, inferences about you can be personal data, but you rarely know they exist, cannot see them, and cannot easily correct them. The profile that decides what you are shown is one you have no access to.

Sources

Shoshana Zuboff, in The Age of Surveillance Capitalism (2019), describes this as a fundamental reorientation of the internet's economic logic: human experience is raw material, processed into behavioural prediction products, sold to whoever will pay. The product is not the platform. The product is you — specifically, the predictive model of what you will do next.

×

Behavioural surplus

Zuboff's term for the behavioural data left over after a service has been delivered to you — the click patterns, locations, and timings that aren't needed to run the product, but are captured anyway and fed into prediction. This surplus is the raw material of the business: it is refined into predictions about your future behaviour and sold in markets you never see.

Sources

  • Zuboff, S. (2019), The Age of Surveillance Capitalism, PublicAffairs.

Device fingerprinting: the surveillance that survives

Most people know about cookies and delete them or accept cookie banners. Device fingerprinting is different. It identifies your device by combining dozens of technical characteristics — your browser version, screen resolution, installed fonts, graphics card behaviour, timezone, language settings — into a unique identifier that does not require storing anything on your device.

Fingerprinting cannot be defeated by clearing cookies, using private browsing mode, or most ad blockers. It is persistent across sessions and, combined with other signals, can identify you across devices.

In 2025, Google reversed its plan to deprecate third-party cookies — the tracking mechanism that had been under regulatory and public pressure for years — in favour of fingerprinting. The industry's response to pressure to stop one surveillance mechanism was to accelerate adoption of a more powerful one.

Cambridge Analytica: what this enables

In 2016, data from 87 million Facebook profiles was harvested without consent through a quiz app and used by Cambridge Analytica to build psychological profiles for political micro-targeting in the US presidential election. This is a confirmed fact, documented in the US Senate Intelligence Committee report, the Mueller Report, and Facebook's own Congressional testimony.

The Brexit referendum is a separate and more limited story. The UK Information Commissioner's Office investigated and concluded in 2020 that Cambridge Analytica was not involved in the referendum beyond initial inquiries, and that the harvested Facebook data — relating to US-registered voters — could not have been used in it. We note this precisely because the site's credibility depends on not overstating even a convenient claim.

The effectiveness of the targeting on election outcomes is genuinely contested by political scientists — the claim that Cambridge Analytica determined results is not well-supported. What is not contested is that the infrastructure existed, was used, and was legal under the rules in place at the time. The data protection framework came later.

What you can do

No individual action defeats the RTB system — it operates at the infrastructure level. Partial defences exist: uBlock Origin (the most effective ad and tracker blocker), Firefox with enhanced tracking protection, or Brave browser. The EFF's Cover Your Tracks tool at coveryourtracks.eff.org shows you what your browser reveals to trackers. Knowing is the first step; structural regulation is the complete solution.

How we know — the RTB figures, the GDPR rulings, and what's contested about Cambridge Analytica

The 376 (EU) and 747 (US) daily figures come from the ICCL's analysis of industry data on how often a typical user's profile is broadcast in RTB auctions. They measure broadcast frequency, not proven misuse — but the point stands: every bidder that receives a broadcast keeps a copy whether or not it wins, so the data spreads far beyond any single transaction.

The legal status. The Belgian Data Protection Authority found IAB Europe's Transparency and Consent Framework — the consent layer underpinning much of RTB — in breach of the GDPR (Decision 21/2022). On referral, the Court of Justice of the EU (Case C-604/22, 2024) confirmed key parts of that reasoning, including that a "TC String" can be personal data. The system nonetheless continues to operate while the framework is reworked.

Cambridge Analytica — holding the line on what's proven. Confirmed: harvesting of ~87 million profiles, use for US micro-targeting, the legality of the infrastructure at the time. Contested: whether the targeting changed election outcomes — political scientists are sceptical that micro-targeting has the decisive persuasive power often claimed. Refuted: the common claim that Cambridge Analytica swung Brexit — the UK ICO's investigation found the harvested US-voter data could not have been used in the referendum. We keep these three buckets separate on purpose.

Sources

See it live: Under the Hood →
Laws & Regulation: GDPR →
Digital Services Act →