An important note to all developers, network-stakeholders, and intellectuals about algorithmic abuse (a post-hoc analysis of a case of Facebook Ads abuse)

Allow me to preface this article by saying, you don’t need knowledge of every word to understand my overall point. If you bind up on a term, try Googling it, or ask for clarity. Leave a comment at the bottom if you find anything confusing. I will clarify it for the next person.

For TLDR, in this article, I have bolded my top 3 main points.

Introduction

I just noticed, about a month ago, I made a comment in a software developer subreddit, and it was downvoted to -6. It was in reply to this post: How A Software Engineer Used Facebook Ads To Land An Interview at Reddit (Source: https://www.reddit.com/r/ExperiencedDevs/comments/hmivns/how_a_software_engineer_used_facebook_ads_to_land/)

I said,

I like to see this algorithmic abuse phenomenon circulating more.

This is a clever use of calculus to push data into the CEO’s closure. Such a prime filter seems to be a derivative.

Note, a closure is simply an enclosed area — in this case, the CEO’s life.

In that above reply, I forgot to include why I said “I like to see this”, and I think my reasoning is extremely important to make better-known.

Following this is my reasoning in expanded form.

Analysis

I don’t like to see unethical behaviour such as using a back-door to force some CEO to see something; what I like to see is discussion around this usage of literally Calculus to take a shortcut somewhere precise using what is available. I like to see discussion around the abuse of algorithms because I see so much algorithmic abuse. We need low-level discussions like this to understand how we can fix such a rampant societal problem.

The Calculus here is this:

the limit of the result set being a specific CEO approaches 100% probability as the set of filter criterions approaches a specific set.

The abuse is that Facebook doesn’t/didn’t seem to have a concept of public/private properties of users with respect to ad-filtering logic with respect to the user’s authorization-level, or the abuse is that the “create ad function” allowed an arbitrary user to cross an ethical boundary. For example, if a person can transform themselves into a vehicle’s interior, the door locks are simply an inadequate solution while an exterior person has permission to execute the unbounded transformation function. Something additional is needed, but we need to first identify the transformation function in order to block its use effectively. Generally, everything well-characterized can be well-solved by engineers.

Here, I don’t propose a solution, but I continue to be impressed by the fact that someone derived pure logic that cuts through network behaviour and security boundaries in order to use equational reasoning with the right-side of the equation being = Ronald McDonald CEO of McDonalds.

The abuser derived the left-side of the equation.

To me it highlights a class of InfoSec attack vectors that I call algorithmic abuse. An algorithm exists, and someone took advantage of its rigid behaviour to derive an advantageous outcome (ie: a selfish objective with negative externalitiesthe CEO was forced to smell hot garbage).

My warning — that I totally failed to describe in my comment a month ago — is that this occurs elsewhere too, in other forms. YouTube and Reddit display the greatest-upvoted comments on a node to all users, so if a person wants all users to view their bad actor content, the person uses VPNs and bots to fraudulently upvote their node-comment in a manner that YouTube and Reddit can’t detect.

This line of reasoning goes straight into graph theory and AI, and my warning is that we are still in infantile days, so these abuses of algorithms occur in large numbers everywhere; therefore, I like to see the idea of algorithmic abuse discussed and propagated, and I want to see all socially-important types of abuse identified and commonly known. This is certainly a branch of science: the study of algorithmic abuse. I don’t know if that exists yet in the precise form. Legislation should exist to force websites to adhere to network logic that prevents all forms of abuse. We should make this easy for them.

If you create a new website now that has an upvote mechanism, you are instantly vulnerable to VPNs and bots that take advantage of your lack of protection against not only that mechanism but also every known abuse type on every mechanism used by your website — including externally-controlled mechanisms. The loser in this? Every person that makes contact with fraudulent content.

As one example, it should be mandatory for elementary school students to identify by name all types of abuse that will occur to them in their formative years. The authority of YouTube is one coefficient, but the authority of a YouTube commenter is zero in that interface. At what level of education is ‘authoritative sources’ learned? For me it was grade 12 or first year of university. Without that learning, public is subject to digital grifters that are spraying entropy into society from their outlets.

Conclusion

By all means, please digest what I’m saying and produce downstream public articles, videos, and legislation that makes these attack vectors commonly known. People can use their domain-expertise to identify types of algorithmic abuse, and people can catalogue them by name. Our digital immune system is not developed enough.

The first step is awareness. The next step is solution. We can accelerate progress if the majority of people are on the look-out for specific types of threats. I might even argue that knowing something about algorithmic abuse is the contemporary version of ‘looking both ways before crossing the street’.

In many ways, the digital world runs parallel to the real world. While we are looking for ways to sanitize public areas in the real world, we should be using this pandemic to look for ways to sanitize the internet too. How different is coughing on someone in the real world compared to displaying a fake product review on Amazon that is upvoted by bots? In both cases, they can experience bad news later. Remember, what has been seen cannot be unseen. Viral data can create a chemical reaction in your thinking processes.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Adam Mackintosh

Adam Mackintosh

I prefer to work near ES6+, node.js, microservices, Neo4j, React, React Native; I compose functions and avoid classes unless private state is desired.