Dear Amazon, you dropped something.

unsetbit
Sep 19, 2015

I’m writing to let you know that you’ve accidentally dropped ‘f.txt’ onto my computer.

Here is what happened: I remembered that Google had reminded me a few days ago that Doctor Who was back on. I don’t trust Google Now with show timings, so I verified by Googling ‘doctor who’ to see if it really was back on. Turns out it really is back on. In excitement, I ctrl-T’d my way onto Amazon to stream it. In the fifth of a second that I waited for the page to load, I pictured myself 15 minutes in the future, washed over with the story of an engineer. An engineer who is called ‘Doctor’. Sometimes The Doctor saves people, sometimes he saves humanity, but rarely is he doing things that a doctor would be doing, he seems more like an engineer to me. Anyways, here I am now, writing a post about the impact of small mistakes that engineers can make which end up impacting large populations of people.

After I searched for ‘Doctor Who’ on your website, you sent me to your results page, and then you made my browser download a file called ‘f.txt’.

I refreshed the page to see if it would happen again, it did. My browser used its little brain to append a ‘(1)’ at the end of it, since it had downloaded a file with the same name to my Downloads just a minute prior. Also note the additional new tab — I felt like I needed to verify ctrl-T as the shortcut for opening new tabs, even though I had probably used it seconds prior.

Sure, my mom might have shrugged it off as yet another thing that technology does that she doesn’t understand. But anyone who understands how the web is supposed to work would have been appalled. They would know that websites on this side of the web aren’t supposed to download files onto their computers without consent. You shouldn’t be putting files on my computer without my permission, Amazon.

I know it was an accident. I know that you know that this shouldn’t happen. You dropped it. It was an accident. I get it. In fact, there must only be one other person who gets it as much as I do, and that is the engineer who wrote the buggy code which did this. I get it because I made the same damn mistake myself.

A few years ago, I was working at an ad tech company. I helped build a system which was similar to the postal mail system, except the only thing it delivered was tracking devices into your browser. People who wanted to track you on the web would pay for this system to do it. This system had incredible reach — if you live in the U.S., it’s more likely than not that it is tracking you right now.

It turns out advertisers really wanted to use systems like these, they pay a lot of money to track you on the web. Did you know that over 90% of Facebook’s and Google’s income comes from advertising? That’s a lot of money. It pays for the web.

The system wasn’t about sending people ads. In fact, the user is never even supposed to notice they were receiving anything. These tracking devices are basically like silent brands individualized for the user. “Brand” as in “branding a cow”, not as in “Coca-Cola is a brand”. The “branding” of the users would allow the advertiser to track them across the web. These things are also called ‘cookies’, a much friendlier term, but it doesn’t really make sense.

Anyways, it turned out that a certain producer of sugary water drinks wanted to use our system so that they could track people online more effectively. They wanted to get to know their users better. It was a one-sided relationship in which the advertiser got to know the user but the user usually had no idea that this was happening. When this is done with people, it’s considered “stalking”, when it’s done by companies it’s considered “behavioral advertising”.

Companies are obviously not people, so they can’t be held to the same standards. People have emotions and being part of a one-sided-relationship when there are emotions involved usually results in an abuse of power. I think we consider it OK to be in one-sided-relationships with companies because they have no ‘emotions’ and therefore no capacity for ‘abuse’. Their power in the one-sided-relationships they form, no matter how harmful it may be, is considered innocuous.

Well, I made a mistake when building this system. I was supposed to type in one thing in code, but I wrote another instead. I was supposed to test it, but I forgot. This system touched millions of people when it was running on this buggy code. Instead of branding the user with a unique identifier for tracking, my mistake caused the code to download a seemingly random file. This happened very rarely, most times it worked as intended. It only malfunctioned if the user had engaged an obscure feature in their browser (“disable JavaScript”). For these users, the system accidentally had them download a random file, instead of giving them ‘cookies’. This was an honest mistake, my stomach sank when we finally discovered it… a year later.

One year after I made this mistake, we got a complaint from our sugar-water-producing client that some users were complaining of unwanted file downloads when they visited their website. They determined it was our fault, the system I had built which they then put on their website. They were right: It was our fault. It was my fault.

I found the mistake quickly. There are only a few things which could cause a browser to download a file, so I knew where to look. A part of the code which was written by one-year-prior me, said ‘plain/text’ instead of ‘text/plain’. This was the silly mistake which caused it to misbehave and download files instead of placing cookies. This was why Coke was upset that their users were reporting files being downloaded onto their computers. I fixed it. Our account managers managed the account. I was honest with my projections on how many people were affected by the bug, but I doubt those numbers ever got back to the client, there was no reason for that. We made a mistake, we fixed it.
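The transposed media type described above is the kind of defect a response-header check in a test suite catches. The following is an added example, not the author's or any ad system's code; the endpoint paths, sample headers and the `RENDERABLE` allowlist are assumptions made for illustration.

```python
# Added example: flag responses whose Content-Type a browser would not render.
# RENDERABLE is an illustrative allowlist (assumption), not a browser's real table.
RENDERABLE = {
    "text/plain", "text/html", "text/css", "text/javascript",
    "application/javascript", "application/json",
    "image/gif", "image/png", "image/jpeg", "image/svg+xml",
}
# Common registered top-level media types; "plain" is not one of them.
TOP_LEVEL = {"application", "audio", "font", "image", "message",
             "model", "multipart", "text", "video"}

def media_type(value):
    """Return the lowercased 'type/subtype' part of a Content-Type, or None."""
    if not value:
        return None
    essence = value.split(";", 1)[0].strip().lower()
    top, sep, sub = essence.partition("/")
    if not sep or not top or not sub or any(c.isspace() for c in essence):
        return None
    return essence

def check_response(headers):
    """Return 'ok', 'download-intended', or a 'finding: ...' string."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("content-disposition", "").strip().lower().startswith("attachment"):
        return "download-intended"
    mt = media_type(h.get("content-type"))
    if mt is None:
        return "finding: missing or malformed Content-Type"
    if mt.split("/")[0] not in TOP_LEVEL:
        return f"finding: unknown top-level type in '{mt}' (transposed?)"
    if mt not in RENDERABLE:
        return f"finding: '{mt}' is not on the renderable allowlist"
    return "ok"

# Constructed sample responses (hypothetical endpoint paths).
SAMPLES = {
    "/sync/noscript": {"Content-Type": "plain/text"},
    "/sync/script": {"Content-Type": "text/plain; charset=utf-8"},
    "/pixel.gif": {"content-type": "image/gif"},
    "/report.csv": {"Content-Type": "text/csv",
                    "Content-Disposition": "attachment; filename=report.csv"},
    "/sync/empty": {},
}

def lint(samples):
    """Map each path to its result, keeping only the findings."""
    results = {path: check_response(h) for path, h in samples.items()}
    return {p: r for p, r in results.items() if r.startswith("finding")}

if __name__ == "__main__":
    for path, finding in lint(SAMPLES).items():
        print(path, "->", finding)
```

Run against every code path of an endpoint, including the no-JavaScript fallback, so a rarely exercised branch is checked as well.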

You made a mistake, Amazon. You allowed computers from Google’s Advertising System to cause my browser to download a file I didn’t want when I was looking at your results page for ‘Doctor Who’. An engineer at Google also made a mistake, he or she accidentally wrote one thing instead of another, then they forgot to test it. It was probably an honest mistake. There were probably many people affected, but the file was harmless — just code to track the user across the web, no harm done. You probably fixed it by now.

I love the web, Amazon, and I want it to be a good place to visit. My mom visits the web and I don’t want the places she visits to be putting random files onto her computer — she downloads enough random shit for me to worry about already.

Let me add a bit more perspective on why I care:

A few years ago, someone managed to gain access to the computer of one of our employees and they added a virus to an ad. This virus-laden ad was then served to many, many people. It reached so many people that it was a U.S. Government security agency who notified us of the problem.

It was easy to identify the malicious ad and remove it from the system, but the damage was done, and no one was held accountable (who would be?). This whole thing probably occurred because that employee made a silly mistake. In the same way some engineer made a silly mistake here.

These systems are powerful, and they have incredible reach. At the end of the day, these systems allow for the mistakes or maliciousness of a few people to affect the many.

I wanted to let you know that you dropped a file onto my computer without my permission because I think you made a mistake. I know that you will fix this mistake, and prevent it from occurring again, because I know how important your relationship with your clients (like my mom) is to you.

Good luck, Amazon.

Ozan

Addendum, 2 days later

I google’d “amazon.com f.txt” to check the status of the issue and found this:

Amyface, I’m sorry I wasn’t clear: I am very concerned about Amazon distributing malware. I’ve briefly looked through f.txt, and from my experience (and I happen to have a lot of experience in this specific matter), f.txt looks like it’s a script for advertisers to track you, not the sort of malware you’re concerned about. You wouldn’t know that you downloaded something if it was a more insidious type of malware.

I am concerned that these systems can be used to distribute malware, because that has happened many times before. I’m also concerned that, while you care so much about the (slim) chance of a virus download, you don’t seem concerned about the fact that your behavior online is tracked by people you don’t know. Yes, the harm isn’t as obvious when it comes to tracking, but it’s a little disturbing if you’re not concerned about it at all.

If anything, consider that the system by which you’re threatened with computer viruses wherever you go online exists only because of something that seems far more benign: tracking your actions in order to serve you relevant ads.
