Futurology, Software, Technology

Hyperinflation in the attention economy: what succeeds adverts?


Lots of people block them because they’re really really annoying. (Also a major security risk that slows down your browsing experience, but I doubt that’s the main reason.)

Because adverts are executable (who thought that was a good idea?), they also get used for cryptocurrency mining. Really inefficient cryptocurrency mining, but still.

Because they cost money, there is a financial incentive to systematically defraud advertisers by showing lots of real, paid-for, adverts to lots of fake users. (See also: adverts are executable. Can one advert download ten more? Even sneakily in the background will do, the user doesn’t need to see them.)

Because of the faked consumption (amongst other reasons), advertisers don’t get good value for money, lowering demand; because of lowered demand, websites get less money than they would under an efficient system; because of something which seems analogous to hyperinflation (but affecting the supply of spaces in which to advertise rather than the supply of money), websites are crowded with adverts; because of the excess of adverts, lots of people block them.

What if there was a better way?

Cut out the middle man, explicitly fund your website with your own cryptocurrency mining? Users see no adverts, don’t have their attention syphoned away.

Challenge: the problem I’m calling hyperinflation of attention (probably inaccurately, but it’s a good metaphor) would still apply with cryptocurrency mining resource supply. This is already a separate problem with cryptocurrency mining — way too many people are spending way too many resources on something which is only counting and storing value but without fundamentally adding value to the system.

Potential solution: a better cryptocurrency, one which actually does something useful. Useful work such as SETI@home or folding@home — if it must be a currency, then perhaps one where each unit of useful work gets exchanged for a token which can be traded or redeemed with the organisation which produced it, in much the same way that banknotes could, for a long time, be taken to a central bank and exchanged for gold. And the token could be redeemed for whatever is economically useful — a user may perform 1e9 operations now in exchange for a token which would given them 2e9 floating point operations in five years (by which time floating point operations should be 10 times cheaper); or the user decodes two human genomes now in exchange for a token to decode one of their choice later; or whatever.

A separate, but solvable, issue is that the only things I can think of which are processing-power-limited right now are research (climate forecasts, particle physics, brain simulation, simulated drug testing, AI), or used directly by the consumer (video game graphics), or are a colossal waste of resources (bitcoin, spam) — I’ll freely admit this list may be just down to ignorance on my part — so far as I can see, the only one of those which pairs website visitors with actual income would be the video games… but even then it would be utter insanity for the paid customers to have their image rendering offloaded onto the non-payers. The clear solution to this is the same sort of mechanism that currently “solves” advertising: automated auction by those who want to buy your CPU time and websites that want to sell access to your CPU time.

Downside: this will kill you batteries if you don’t disable JavaScript.


Executable images

Twenty years ago, back in 1997, there was an urban legend that some images contained viruses.

“Absurd!” thought the teenage me, “Images are just data, they can’t do anything!”

Well, I was wrong. In 2004, researchers found a bug in a Microsoft JPEG library which allowed a well-crafted .jpg to totally compromise a computer — file system, arbitrary code, administrator access, everything. Obviously that particular bug has now been fixed, but it did make me realise quite how badly broken things can be.

Despite all the tools that help us software engineers solve problems, reduce our bug count, secure our software, and develop things faster, we still don’t seem to have this as our mindset. We have professional groups, but membership of them is not needed for jobs. Automated tests exist, but knowledge of them is limited and use even more limited (for example, I wish I could say I had professional experience of them since university, but no such luck). We don’t have anything like a medical licence (or even just the hippocratic oath), there is nothing to stop people practicing code without a licence the way people are prevented from practicing law without a licence.

And now, we’re making a world where A.I. replaces humans. Automation is fine, nothing wrong with it… but if you assume the computer is either always right or that the errors are purely random, you will be blind to problems this causes.


I can’t say that I have “a hacker mentality”, but mainly because the phrase means completely different things to different people, so I will say this: I see loopholes everywhere, systems that can be exploited by malevolent or selfish people, not just accidentally by those who can’t follow instructions.

How many people, I wonder, travel on fake rail tickets or bus passes that came out of their home printers? How many, when faced with a self-service checkout, will tell the terminal that their expensive fancy foreign cheese is actually loose onions?

This sort of thing is dealt with at the moment by humans — it was a human who realised it was odd that one particular gentleman kept buying onions, given the store had run out some time ago, for instance — but the more humans fall out of the loop, the easier it is to exploit machines.

This brings me to QR codes. QR codes are somewhat stupid, in that they are just some text encoded in a way that a computer can read easily, with some error-correction codes so it can survive a bit of dirt or a bad reflection. This is stupid, partly because it really hasn’t taken long to make A.I. which can read text from photos just fine (making the codes redundant), but mainly because humans can’t read the codes (making them dangerous).

Dangerous? Well, just as with URL-shorteners, you may find yourself looking at a shock site rather than the promised content… but that’s not really the big problem.

If you can, try to scan this QR code. No goats, lemons, or tubs, I assure you (and if you don’t know what those three words have in common, you may want to retain your innocence), but please do scan this code:

Executable QR code

What does it do for you? I’m curious.

If you don’t have a QR code scanner, I’ll tell you what it says:

data:text/html;,alert("Your QR code scanner is hackable")

That is literally what it says, because a QR code is just text that’s easy for a computer to read. This is a data URI, which contains some JavaScript, which opens an alert message. If you want, copy it into the address bar of your browser, just as if it were a website — press return or “go” or whatever works on your system.

It’s an executable image. Nothing nefarious, just proof of concept.

What does that mean for the world? Well, what do people do with QR codes? Well, not people, people don’t use them… what do businesses do with QR codes? Mine is a harmless example, but what happens if UK Limited Company Number 10542519 makes a QR code from their name… and it shows up in the vision system of a computer that, owing to our profession’s move-fast-and-break-things attitude, naïvely trusts input without anyone having considered that could be a bad thing?

Some social networks know (and complain) if I try to use a profile photo that doesn’t have a face in it. If that’s a general-purpose computer vision system, it may well also recognises QR codes (because QR codes are easy to recognise, and because “more features!” is a business plan). If your business can’t resist a Bobby Drop Tables username, it won’t be in business for very long — but the same may happen to Bobby Drop Table faces, if you’re not careful.

Governments are all over the place when it comes to security, just like the private sector. What happens if a wanted criminal wears a face mask that is the QR code version of Bobby Drop Tables?

Robert'); DROP TABLE criminals;--

And suddenly, no more criminal record? Well, not in that jurisdiction anyway.