Every time I sign up for a service using our company card, with our company address and company email I feel like I'm pretty open about who the buyer is.
Wouldn't some kind of certified bank card be an even better proof of corporate identity than a copy of someone's ID?
IDs need to be verified against articles of incorporation. For larger companies it will definitely be a hassle to get the CFO to submit their proof of identity for a purchase that is normally delegated way down in the organisation.
The announcement provides a short overview, there is a help page that describes the process in more detail [0]. It's only for American companies at this time, but I imagine that it won't get less complicated when it's rolled out for 180 countries with different corporate and legal systems...
The document states that you have to show that you are an authorized representative of the company. I am not that familiar with US law, but in many countries that means one of the signatories of the company, usually someone like the CEO or the CFO.
My point is that it makes sense that you are able to show that you have the right to act on the company's behalf in this matter. I just think that since the company trusts you with its credit card and there already are systems in place to authorize expenditures, it would be logical to tie the proof that you represent the company to the card in this case.
A US company will typically have a lot of employees with signatory power, not just CEO+CFO. However not nearly as many people as are issued corp cards. That is often an incredibly low barrier (e.g. at my company I believe literally every employee can get a corp card).
And it's an important legal distinction. If I sign a contract with a company and it's signed by someone with signing power, I can assume that this will have the company's backing (unless I was aware of fraud). I don't have to care if the employee got the right approval for that, the company will have to fulfill their obligations. That cannot be said for any decisions made by anyone in the company.
I believe any country knows the system of signing power. And that can usually be proven by documents. They need to publish guidelines for every country but the system stands that a company can delegate signing of any contracts to some employees.
But contrary to popular opinion, tech companies are not a branch of the police force. So they have no obligation to help the police prosecute people without a warrant.
> So they have no legal obligation to help the police prosecute people without a warrant.
FTFY. They may not have a legal obligation to help prevent or prosecute crimes, but there is definitely a moral obligation to not knowingly allow your product to become an easy accessory to crime. Lots of tech companies abdicate that moral responsibility.
Some propose that but in practice that requirement isn't sane. Carmakers can't stop their cars from being used to run people down and the Evil Bit (https://en.m.wikipedia.org/wiki/Evil_bit) was a joke. Many downright reject the "permission first/absolute safety" standard as harmful and impossible.
If you mean libel, it's only a crime if what you claim is false. In the US, anyway. From what I understand, in some countries in Europe it only has to be an attempt to defame someone, whether it's true or not.
Search ads have been the canonical leading way my clients have ever seen malware. I find Google search ads less regulated and less filtered than spam emails.
I'm really glad they're finally doing this, but it still feels way too irresponsibly late considering the amount of damage they've caused.
And Google is still one of the least affected markets. If you look at other ad marketplaces, they often tend to have larger amounts of malware spread through their system. Mostly because Google at least has somewhat decent detection algorithms and a large enough team that can take down large scale malware 24x7.
> The names of the companies or people behind ads, as well as their countries of origin, will begin appearing on Google ads this summer, starting with several thousand advertisers a month in the United States before expanding worldwide. The measure, which could take years to implement, is designed as a defense against businesses and individuals who misrepresent themselves in paid online promotions, Google said.
lol so a tiny crypto exchange can req. ID docs but a huge trillion dollar company will take years
A tiny crypto exchange is probably in a position where they can easily get existing employees to manually verify the documents without a significant impact on their business.
In addition to needing to verify orders of magnitude more entities, google likely has many layers of both human and technical abstraction to deal with.
This isn’t new technology by any stretch of the imagination. Banks have been required to do some version of this since the 70s. I wouldn’t buy this excuse coming from the management and technology clusterfuck that is Wells Fargo and I certainly wouldn’t buy it from Google.
Every bank in the US supports verifying identities in every country whether or not they have global operations. Your friendly neighborhood credit union can verify foreign identities. The only exception might be for individuals/entities in places like North Korea or Syria where it doesn’t make sense to bother with individual verification because their location alone prohibits an account.
Of course, all global banks need to verify business identification from pretty much any country worldwide. It's a manual process with large specialist teams but it's possible.
Yup. The account with my good bank is about 25 years old. Some time in the 2010s they sent me a letter. Basic thrust was: You have six months to provide us with documents to meet current KYC regulations or ask for more time, and if you ask for more time we'll give you another six months, and then finally we'll just cut you a cheque and close the account because we don't want to do business with you if you can't meet those regulations.
And they were clearly sending these out in waves, I wouldn't be surprised if the project took 3-5 years from "Oops, we aren't doing enough KYC and our parent bank just got hit with another multi-billion dollar fine" to completion.
How was this not already a thing? How does Google not already have a billing address on file for all the advertisers they're accepting money from? It seems like this shouldn't have ever been "voluntary information".
The reason it isn't already a thing is because it would require a law on the books across all scales for business records with compliance costs - down to Billy Bob's Billboards where he takes cash for ad postings. The legal system is still based on assumptions of the government not having default access to all financial transactions as not only would it have been just useless abusable spam but it would have generated massive expenses for little gain and drawn considerable ire. Plus said proposal would trigger every Revelations literalist about "the number of the Beast" as well as privacy advocates and businesses upset at increased compliance costs and liability. Until the Fake News rise approaching moral panic absolutely nobody would be for it.
Hell if they were to try to codify such requirements it may not even survive the supreme court.
but...waving hands vaguely, what about banks and "know your customer"? If it's possible to regulate them, why not Google?
Not making an airtight detailed argument, but I feel like you must be misguided because your tone suggests that a massive societal upheaval is necessary for the sort of controls we already take for granted in certain areas.
They have a payment method as well which is definitely identity verification. Don't expect this to filter everyone hiding behind fronts and shell orgs, but it's a step towards that.
No, the point is that they may already be advising someone on how to manage a brand for a business, a business that potentially they didn't really know if that someone is actually a representative of the brand? They may be granting access to AdWords accounts to be managed by third parties, and they don't know if those third parties are who they say they are, or actually a representative of the brand they are managing? Their job is just to rake in payments from people they don't actually know? Again, did they not already have methods in place to establish some level of trust that the person on the other end is who they say they are?
Google already had a "Verify your local business" option, I wonder if this data was integrated into AdWords accounts as well. https://support.google.com/business/answer/7107242?hl=en It seems like this data should already be on file and verified if you are business advertising with AdWords.
This is like “Know Your Customer” (KYC) rules required by banks and financial companies. So many online providers ask for it, and it’s so stupidly easy to bypass through stolen documents it’s meaningless. I’ve even seen customers set up booths where they pay people in slums for their documents and go through a “live” KYC in-app process to generate more accounts.
> I’ve even seen customers set up booths where they pay people in slums for their documents
and here I am with my GPUs heating my apartment with Deep Fake scripts to pass Binance Fake-YC after buying FULLZ off of Empire when I could just be paying people in the tents outside of the ground floor apartments.
I always felt like I was getting out of touch after the guy was passing out 'Elitest Tech Scum' collectible pins at Zeitgeist, but I thought it was just ironic until this very moment.
Exactly. It's a big fallacy to think, "this security measure can be circumvented by a sufficiently capable and motivated attacker, therefore it is pointless."
Another huge aspect, and this is why EV certificates are not only a good thing, but should be forced on PKI, not deprecated out: It adds burden and expense to acting fraudulently which makes it more prohibitive to do at scale. If there's one thing to me that discredits security expertise, it's the suggestion that things like EV certs and other forms of KYC are wholly ineffective because it's technically possible to trick them.
In turn, it makes efforts to police fraud more effective, because the cost each time a fraudulent actor's credentials are burned is higher.
This is actually a really good point for a different reason: if Google can add verification that depends on other infrastructure/parties, this will shift the attack vector from just Google to other players. So say they require some paperwork or organizational registration, now the baddies focus on "how do we generate fake credentials at scale" - which means less work for Google.
No, EV is largely pointless because it relies on humans and it's fascinating how few people understand that.
For every single HTTPS transaction (and there may be dozens involved in even fairly mundane seeming activities) the browser is able to compare the SAN dnsName (or rarely ipAddress) to the host named in the HTTPS URL. It does this unblinkingly every single time, and if it fails then (in the best case) the transaction just fails entirely or (in the less good legacy case) there's some sort of "Oops, something bad happened, don't trust this" behaviour.
But whereas SAN dnsNames and ipAddresses are something a machine can compare to the host in a URL, the EV identity is something only humans have opinions about and humans don't want to make dozens of such decisions when they click on a funny video of a cat.
Is it OK that this funny cat video is from "Alphabet Inc." ? How about "XXVI Holdings Inc." ? Why is that OK but "Funny Cat Videos Ltd." isn't? How about "You Tube" of Austin, Texas, is that OK? How do I know? More importantly why is it suddenly my problem when the computer was previously able to get this stuff right?
One of the most obvious things to do if you suppose that well, any fool can get the DV certificate for realbank.example but that's fine because only the Real Bank can get an EV certificate for Real Bank and that'll protect you is this:
Mallory gets an account with Real Bank and watches protocol flow. They don't care about most actions but are very interested in login timing. Mallory obtains one of these certs for realbank.example but for an organisation name they control like "Mallory Inc."
Now Mallory MITMs a valuable customer of Real Bank. During login they passively pass back and forth every step until the POST where the customer's password and OTP code are supplied. For that POST Mallory interposes supplying that Mallory Inc. certificate. The browser has no idea what "Real Bank" is but it can see this is a realbank.example certificate, so that's fine, the password and OTP code are delivered to Mallory.
Probably this works seamlessly, and Mallory steals the customer's money with no evidence of how it happened.
BUT if the customer was really trying hard to obey this crazy "Check EV because that's secure" they will see this - but only when their page renders, which is after their password and OTP code were delivered to Mallory.
They get to excitedly tell their bank that they've detected a successful attack - after it worked. If they're lucky the bank might even give them the money back, but probably not because it looks exactly like they're committing fraud.
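The machine-side check described in the comment above, sketched as an added example that is not part of the original comment or of any browser's code: a SAN matcher that compares dnsName and ipAddress entries to the URL host and never consults the organization field. The certificate objects, `dnsNameMatches` and `machineCheck` are constructed for illustration, and the wildcard rule (one leftmost label only) is the common convention, assumed here.

```javascript
const net = require('net');

// Constructed sample certificates (not real). Two list the same SAN dnsName;
// only the Subject Organization, the part a human would have to judge, differs.
const REAL_BANK_CERT = {
  organization: 'Real Bank',
  san: [
    { type: 'dns', value: 'realbank.example' },
    { type: 'dns', value: '*.realbank.example' },
  ],
};
const MALLORY_CERT = {
  organization: 'Mallory Inc.',
  san: [{ type: 'dns', value: 'realbank.example' }],
};
const IP_CERT = {
  organization: 'Lab',
  san: [{ type: 'ip', value: '192.0.2.10' }],
};

// Case-insensitive comparison, ignoring a trailing root dot.
function normalize(name) {
  return name.toLowerCase().replace(/\.$/, '');
}

// A wildcard is honoured only as the whole leftmost label and covers
// exactly one label: *.realbank.example matches www.realbank.example,
// not a.b.realbank.example and not realbank.example itself.
function dnsNameMatches(pattern, host) {
  const p = normalize(pattern);
  const h = normalize(host);
  if (!p.startsWith('*.')) return p === h;
  const suffix = p.slice(1); // ".realbank.example"
  if (!h.endsWith(suffix)) return false;
  const label = h.slice(0, h.length - suffix.length);
  return label.length > 0 && !label.includes('.');
}

// What the browser can decide on its own: does any SAN entry of the right
// type match the host in the URL? cert.organization is never read.
function machineCheck(cert, url) {
  let host = new URL(url).hostname;
  if (host.startsWith('[')) host = host.slice(1, -1); // IPv6 literal
  const wanted = net.isIP(host) ? 'ip' : 'dns';
  return cert.san.some((entry) => {
    if (entry.type !== wanted) return false;
    return wanted === 'ip'
      ? entry.value === host
      : dnsNameMatches(entry.value, host);
  });
}
```

Both constructed certificates pass `machineCheck` for `https://realbank.example/login`; the only difference between them is a field the automated check has no rule for.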
"Relying on humans" is the only way real security is ever going to work. Because humans are the people using computers, and the people who mistype the site in their browser or click on a malicious Google ad at the top of the page that "looks right". Anything that doesn't depend on humans is just as usable by malicious actors as real ones. Let's Encrypt may be just as happy to issue a microsfht.com cert as a microsoft.com one: An EV cert is going to be a lot more challenging to achieve, and even if you get an EV cert for microsfht, it's going to cost a lot more effort, which you have to start over when your site gets banned and you need to spin up micoshft.com and a cert for it.
Security based solely on automation will continue to fail and lead to exploit after exploit because it ignores the human factor, despite that being the primary place security breaks down. It's refreshing to see proof of identity requirements finally coming to ads, and hopefully it will lead to a change in understanding, that PKI is also useless without EV.
The honest truth that people seem to fail to understand is that security doesn't scale. The more you scale, the worse your security is, and that will always continue to be true. The more manual, the more humans required in a process, the safer it will be.
You've taken exactly the wrong lesson from this. It actually reminds me of the Southall Rail Crash. What we actually did after Southall was mandate Automatic Warning System for passenger trains. Faulty AWS? Train can't enter passenger service. Driver isn't paying attention? AWS brakes the train to a full stop. But what the unions wanted instead was to add more drivers. Sure, the unionised driver was inattentive, but if we have two, or three drivers in each train that'll be mitigated. Your reasoning is like theirs "Let's do the thing that failed even more until it works".
Security based on the automation works really well. How well? Google drove phishing of its employees to zero. Not just technical employees like my friends, but random sales people and other non-tech roles, because they were mandated to use Google's security that relies on automation and not a vague human judgement. They don't need to know why it's safer, they don't need to pay attention in a class, the automation doesn't care why they aren't supposed to give their Google credentials to "Oogle" or "Goggle" or "Gøøgle" it's just designed to not work when things don't match.
I'm not a Google employee, I'm just a user, let's walk through what happens to see how automation saves us every single time, resolutely and without fail.
I visit google.com which is really Google and I sign in. I am prompted to press the button on my Security Key (a physical object). Since I'm at google.com the Key will present credentials for google.com proving I've still got that key to google.com
Later I am fooled (maybe by a malicious ad) into visiting a site that is not google.com but I think it is, my adversary is very sophisticated and resourceful. The site looks 100% the same as the real one, but of course this is not google.com. It might be anything else except google.com, but for the sake of clarity let's say it's crooks.example
I try to sign in. The crooks have two options:
1. They claim to be google.com, which they aren't, the automation rejects this and they get an error, if they like they can present me with the error, but neither of us can do anything with it except say "Huh, that's an error".
2. They admit they are crooks.example, which is true. The Key happily gives them credentials for crooks.example, because that's who they are. But these credentials are useless for attacking my Google account, why did they bother getting them?
Notice there's no human judgement involved. This system is equally happy to present credentials to nazi-scumbags.example or cat-videos.example. But what it refuses to do is give the nazi-scumbags.example credentials to cat-videos.example or vice versa no matter how much the user is convinced it's fine. There's no "Are you sure?" dialog, there is no "Press OK to proceed" step, it just does not work.
An insistence that we should just add more humans, like at Southall, is simply motivated reasoning, and has no basis in the observed facts. Automation works. You should resort to human judgement when automation isn't an option, it should never be your first choice.
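The two options from the security-key walkthrough above, as an added example that is not part of the original comment and is not Google's or any browser's code. It is a simplified model of origin-bound credentials: `SecurityKey`, `browserGetAssertion`, `RelyingParty`, the user name `alice` and the message layout are assumptions made for illustration, and the rpId check is a plain suffix test rather than the full registrable-domain rule.

```javascript
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Model of the physical key: an independent P-256 key pair per relying party.
class SecurityKey {
  constructor() { this.credentials = new Map(); }
  register(rpId) {
    const pair = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.credentials.set(rpId, pair.privateKey);
    return pair.publicKey; // only the public half leaves the key
  }
  sign(rpId, clientData) {
    const privateKey = this.credentials.get(rpId);
    if (!privateKey) throw new Error(`no credential for ${rpId}`);
    return crypto.sign('sha256', Buffer.concat([sha256(rpId), clientData]), privateKey);
  }
}

// Model of the browser: it writes the origin of the page that is actually
// loaded into the signed data, and refuses an rpId the page has no claim to.
function browserGetAssertion(key, pageUrl, claimedRpId, challenge) {
  const url = new URL(pageUrl);
  if (url.hostname !== claimedRpId && !url.hostname.endsWith('.' + claimedRpId)) {
    throw new Error('SecurityError: rpId does not match page origin');
  }
  const clientData = Buffer.from(JSON.stringify({ origin: url.origin, challenge }));
  return { clientData, signature: key.sign(claimedRpId, clientData) };
}

// Model of the real site: checks challenge, origin and signature.
class RelyingParty {
  constructor(rpId, origin) {
    this.rpId = rpId;
    this.origin = origin;
    this.publicKeys = new Map();
    this.pending = new Map();
  }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(16).toString('hex');
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, assertion) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // each challenge is single use
    const publicKey = this.publicKeys.get(user);
    if (!expected || !publicKey) return false;
    let data;
    try { data = JSON.parse(assertion.clientData.toString()); } catch { return false; }
    if (data.origin !== this.origin || data.challenge !== expected) return false;
    const signed = Buffer.concat([sha256(this.rpId), assertion.clientData]);
    return crypto.verify('sha256', signed, publicKey, assertion.signature);
  }
}

function runScenarios() {
  const key = new SecurityKey();
  const google = new RelyingParty('google.com', 'https://google.com');
  google.enroll('alice', key.register('google.com'));
  key.register('crooks.example'); // the key will serve any site that asks

  // Genuine sign-in on the real origin.
  const genuine = google.verify('alice', browserGetAssertion(
    key, 'https://google.com/signin', 'google.com', google.newChallenge('alice')));

  // Option 1: the lookalike page claims to be google.com.
  let claimBlocked = false;
  try {
    browserGetAssertion(key, 'https://crooks.example/signin', 'google.com',
      google.newChallenge('alice'));
  } catch (err) {
    claimBlocked = true;
  }

  // Option 2: the lookalike page uses its own identity and forwards the result.
  const relayed = browserGetAssertion(
    key, 'https://crooks.example/signin', 'crooks.example', google.newChallenge('alice'));
  const relayAccepted = google.verify('alice', relayed);

  return { genuine, claimBlocked, relayAccepted };
}
```

`runScenarios()` returns `{ genuine: true, claimBlocked: true, relayAccepted: false }`: no step asks the user to judge whether the site looks right.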
> Security based on the automation works really well. How well? Google drove phishing of its employees to zero.
It's funny Google solved the problem so well for itself, despite its utter inability to do it for others. The challenge is preventing phishing of Google employees is a single domain problem. Google knows everything about Google.
But Google woefully fails to have a solution that even starts to work for consumer Gmail or other companies they export their services to. My Gmail account got a phishing email today from Google Forms about a transaction. Google didn't understand it was spam, it came straight from Google, but it was definitely a scam.
Another great example is Google Voice, the source of 9 out of every 10 spam calls I receive. I could write a single line filter that would block all of the spam calls: I'd block all calls from my Google Voice number's own area code (which is different from my own real area code). But Google doesn't give me the tools to do that, it uses its own automated system, fails spectacularly, and my spam calls continue. Automation has failed because one competent human wasn't allowed or empowered to act.
Automation can get things right 95% of the time, but will never understand the other 5%. And the big problem is, Google refuses to adopt human judgment: It insists automation is good enough, and rarely allows you to reach a human at all, even in an appeals process. When Google's automation decides to cut you out of their system, when it fails to judge correctly, you're just gone, often with no recourse.
Prediction: It'll be surprisingly difficult for Mom and Pop to provide sufficient proof of identity and surprisingly easy for mega corporations to do so. There will be a way to report suspected abusers that heavily skews in this direction. It'll basically be like IP enforcement on YouTube.
Not likely, but the problem requires context that Google isn't going to share.
In the past few years we've seen bad actors basically automate their process. They expect to be banned. They spin up an account, run scams and malware, get blacklisted, rinse and repeat with a new domain, account, and just enough changes to beat the automated filters within an hour later.
What this does is add a ton of friction to that game. It doesn't even have to be perfect to make a huge difference, it just needs to be difficult to rotate at scale.
The government shouldn't lean on a company to throw barriers in the way of speech. I really don't care what people want to pay to say, even if it is the horrible "fake news" which some seem to think is a new invention.
Why does anyone need to know who paid for all advertising?
But it's not just about you. Speech, however it gets categorized, affects people and influences society. You can still say what you want (to the extent allowed by ad platform rules and legal limits on commercial speech) but you should also be accountable for what you say.
That's an appealing image, but we can see which of those is easier to legislate... my instinct is the populace will voluntarily educate themselves only if they can feel the negative effects of 'fake news' in their lives in the short term. Given that we haven't seen much of an uptick in educated discourse online, I would hazard a guess that hasn't happened yet.
Society can set rules on how it’s used. And it pushes “unspoken ones” constantly.
There are exactly zero laws of physics that dictate the mathematical shape of our finance system. It’s all human negotiated grift to funnel the value of effort at scale into ephemeral objects we fetishize collectively
Like sky wizards
This isn’t sitting in a room talking to your friends about whatever you want
Anyone can still do that
Politically, free speech to me is emitting whatever syntax I want, and not obliging others to any discoverable semantic meaning they find, and having the same returned
Too often free speech = I’m owed being who I want 24/7 in all contexts
That’s a gross oversimplification. Such a life is impossible to achieve without society picking up a whole lot of burden
And really to regurgitate your last line: why do you care how private entities choose to do business?
There's only one sure way to eliminate fraud in advertising: stop advertising. Google is attempting to make it more difficult for malefactors to use its systems, but this disregards the fact that advertising is not a socially beneficial activity and all advertising is an attempt to psychologically manipulate the public.
Therefore, a harm reduction justification is insufficient as it presumes there is some benefit worth the harms being introduced. In fact, there is no benefit and Google is only reducing harm slightly.
> the fact that advertising is not a socially beneficial activity and all advertising is an attempt to psychologically manipulate the public
That's not a fact, that's your opinion. Advertising is a form of communication and like most communication, the person originating the communication often has a goal or desired outcome in mind. That you or me might not like their goals or the message that they communicate doesn't mean that no one finds it valuable, nor does it mean that we should ban all communication.
> Advertising is a form of communication and like most communication, the person originating the communication often has a goal or desired outcome in mind.
So what? It's still "an attempt to psychologically manipulate the public". Advertising is adversarial, it's fundamentally bullshit.
Leela: Didn't you have ads in the 21st century?
Fry : Well sure, but not in our dreams. Only on TV and radio, and in magazines, and movies, and at ball games... and on buses and milk cartons and t-shirts, and bananas and written on the sky. But not in dreams, no siree.
HN has balanced discussions because of the voting system, moderators (banning voting rings and spammers) and that anyone can voice their counter-arguments.
Advertising on the other hand is one-sided. If there was a universal ad platform where people could vote on ads (where overly negative feedback would get the ad taken down) and comment below them then it wouldn’t be that much of a problem.
Finally HN is something you choose to participate in in your own time. Advertising doesn’t give you a choice on whether you want to see it.
Most ad platforms allow anyone to submit an ad. Most ad platforms are moderated.
> Advertising doesn’t give you a choice on whether you want to see it.
Of course it does. When I'm reading a book I don't see advertisements. They aren't beamed into my brain, they're the price of admission for certain services I gain value from
I can submit another ad but I can't make it appear right below the previous ad I would like to "comment" on.
> Most ad platforms are moderated
What about fake technical support numbers, or the variety of scams/quack products on Facebook that make impossible claims and prey on the vulnerable/stupid?
> When I'm reading a book I don't see advertisements
When I take public transport I see ads regardless. Same applies to a lot of services that are near-essential nowadays. Certain government agencies sell your details to spam operations (also a certain form of advertising) and you can't opt out. Most commercial products include spyware which track you and rat you out to ad platforms regardless of whether you even see any ads directly.
As far as I know most locations have rules on what a sign can look like and what it can do. I don't think it would be legal to have a sign with a powerful strobe lamp, one that shoots lasers in people's eyes to attract their attention or one that blasts loud music (which would be the equivalent of flashy, distracting ads that we see on the web).
Also with a restaurant sign there's a business behind it with someone that can be held accountable for it. If you see an obvious scam or a fraudulent service advertised you can complain to them or the authorities and get it shut down. With online ads they can be purchased either completely anonymously (maybe even with a stolen credit card) or by a shell company somewhere on the other side of the world where you would have no recourse.
> As far as I know most locations have rules on what a sign can look like and what it can do. I don't think it would be legal to have a sign with a powerful strobe lamp, one that shoots lasers in people's eyes to attract their attention or one that blasts loud music
Most ad groups have regulations on what ads can and cannot do.
> With online ads they can be purchased either completely anonymously (maybe even with a stolen credit card) or by a shell company somewhere on the other side of the world where you would have no recourse.
Check the thread you're in. It's about an ad network addressing this specific problem.
> Most ad groups have regulations on what ads can and cannot do.
How do you explain Facebook ads for scams that claim price X but actually hammer your payment cards with multiple X * 10 charges until it declines? A friend got caught by that, we ended up doing a chargeback but Facebook didn't get punished in any way despite their complicity in this fraud.
How do you explain tech support scam ads?
How do you explain "chumboxes" like Outbrain/Taboola as in here: https://www.theawl.com/2015/06/a-complete-taxonomy-of-intern... (the image URLs are broken, you need to manually get the image's URLs, change the protocol to HTTPS and open the resulting link to see them).
Maybe some ad groups have internal regulations, but I as a user have no control of which ad networks I'm exposed to. On the other hand, in the street, all businesses have to comply with local laws and given that I don't see scam tech support banners or credit card scams advertised on storefronts I guess the laws are working, and if they aren't, laws can be amended if there's enough public support for it (some locations completely banned billboards for example).
> Check the thread you're in. It's about an ad network addressing this specific problem.
"Google will suspend the accounts of advertisers that do not provide proof of identity, including W9 forms, passports and other personal identification and business incorporation files"
Seems like a pretty low bar to clear with either forged documents (again, someone already breaking the law with scam or spam ads isn't going to be deterred by this), paying vulnerable people in a slum for scans of their passports or just using a string of shell companies to muddy the trail.
Fraud is a hard problem. It's fairly easy to find individual examples of malfeasance, the relevant question is what percentage of online ads are scams, compared to ads in other media.
I'll also note that you're now no longer arguing that advertisements are unethical, but that online advertisements are unethical, and not because they're "an attempt to psychologically manipulate the public" as was originally stated, or even because, as you originally claimed "Advertising doesn’t give you a choice on whether you want to see it."
We've moved the goalposts quite a bit. And I'm not interested in an in the weeds argument about the challenges of online fraud prevention. It won't be fruitful for anyone. I've proven my original point: you don't like online advertisements (and that's OK!), but you also don't have a clear reason that they're uniquely different than any other form of advertising, and you don't believe that advertising, in general, is unethical.
Persuasive essays aren't shoved everywhere you go in an attempt to separate you from your money, usually via deceit, at least in the US. Just look at how they all have asterisks and fine print unable to be read. Also I can choose not to read an essay, it's harder to tune out all advertising.
There are many groups out there dedicated to spreading their ideals and ideas as well. Religions, paleo diets, and fringe political ideas are shoved at you everywhere you go as well without any monetary transactions involved with advertising, let alone the single party ones like business signage. I am afraid advertising isn't unique in those objections.
> In the mid-twentieth century, courts applying the antitrust laws held that such persuasive advertising is anticompetitive and harmful to consumers, but the Federal Trade Commission (FTC) was unable to pursue an antitrust campaign against persuasive advertising for fear of depriving consumers of advertising’s information value. Now that the information function of most advertising is obsolete, the FTC should renew its campaign against persuasive advertising by treating all advertising beyond the minimum required to ensure that product information is available to online searchers as monopolization in violation of section 2 of the Sherman Act.
To be fair, when it comes to being valuable, criminals consider violence like armed robbery and murder valuable because it helps them achieve their goals, and yet we agree that those things are not a benefit to society and created laws to discourage and punish such acts.
Certainly the criminals don't agree, don't you think? One side just happens to have more power to force the other side to comply. There is no agreement. The more powerful one gets to decide what the law is.