It was a Davos for digital hucksters. One day last June, scammers from around the world gathered for a conference at a renovated 19th century train station in Berlin. All the most popular hustles were there: miracle diet pills, instant muscle builders, brain boosters, male enhancers. The “You Won an iPhone” companies had display booths, and the “Your Computer May Be Infected” folks sent salesmen. Russia was represented by the promoters of a black-mask face peel, and Canada made a showing with bot-infested dating sites.
They’d come to mingle with thousands of affiliate marketers—middlemen who buy online ad space in bulk, run their campaigns, and earn commissions for each sale they generate. Affiliates promote some legitimate businesses, such as Amazon.com Inc. and EBay Inc., but they’re also behind many of the shady and misleading ads that pollute Facebook, Instagram, Twitter, and the rest of the internet.
The Berlin conference was hosted by an online forum called Stack That Money, but a newcomer could be forgiven for wondering if it was somehow sponsored by Facebook Inc. Saleswomen from the company held court onstage, introducing speakers and moderating panel discussions. After the show, Facebook representatives flew to Ibiza on a plane rented by Stack That Money to party with some of the top affiliates.
Granted anonymity, affiliates were happy to detail their tricks. They told me that Facebook had revolutionized scamming. The company built tools with its trove of user data that made it the go-to platform for big brands. Affiliates hijacked them. Facebook’s targeting algorithm is so powerful, they said, they don’t need to identify suckers themselves—Facebook does it automatically. And they boasted that Russia’s dezinformatsiya agents were using tactics their community had pioneered.
When I asked who was at the heart of this game, someone who could explain how the pieces fit together, the affiliates kept nominating the same person. He was a Pole who’d started out as an affiliate himself, they said, before creating a software program called Voluum—an indispensable tool they all use to track their campaigns, defeat the ad networks’ token defenses, and make their fortunes. His name was Robert Gryn.
Gryn strutted into Station Berlin like a celebrity, wearing a trim gray suit, a shiny gold watch, and gold-rimmed mirrored sunglasses. He was trailed by a personal videographer, and men he didn’t recognize ran up to him for bro hugs.
Only a few years ago, Gryn was just another user posting on Stack That Money. Now, at 31, he’s one of the wealthiest men in Poland, with a net worth estimated by Forbes at $180 million. On Instagram, he posts pictures of himself flying on private jets, spearfishing, flexing his abs, and thinking deep thoughts. Last year he posed for the cover of Puls Biznesu, a Polish financial newspaper, with his face, neck, and ears painted gold. Gryn’s prominent cheekbones, toned biceps and forearms, perfectly gelled pompadour, and practiced smile lend him a resemblance to his favorite movie character: Patrick Bateman, the murderous investment banker played by Christian Bale in American Psycho.
“I’m Robert Gryn, and when I’m not playing games or trying to build billion-dollar startups, I like to live life to the fullest,” he tells the camera in the trailer for his vlog, drinking from a mug that says “I’M A F—ING UNICORN.”
When I introduced myself in Berlin, Gryn suggested we decamp to a nearby bar, saying he was tired of getting so much attention. His online bravado was just an act, he said; in person, he preferred to affect a humble naiveté, as if he couldn’t believe where luck had taken him. He told me that having money taught him that materialism is unfulfilling. “Life is like the most beautiful game,” he said, sipping a beer in the sun, speaking in unaccented English he’d learned in international schools. “Money is just the high score.”
Gryn estimated that users of his tracking software place $400 million worth of ads a year on Facebook and an additional $1.3 billion elsewhere. (He later showed me reports that roughly support those figures.) It’s not just affiliates who think Gryn is at the pinnacle of the industry. In June, just before the conference, Facebook’s newly installed executive in charge of fighting shady ads, Rob Leathern, had invited him to the company’s London office to explain the latest affiliate tricks.
The basic process isn’t complicated. For example: A maker of bogus diet pills wants to sell them for $100 a month and doesn’t care how it’s done. The pill vendor approaches a broker, called an affiliate network, and offers to pay a $60 commission per sign-up. The network spreads the word to affiliates, who design ads and pay to place them on Facebook and other places in hopes of earning the commissions. The affiliate takes a risk, paying to run ads without knowing if they’ll work, but if even a small percentage of the people who see them become buyers, the profits can be huge.
Affiliates once had to guess what kind of person might fall for their unsophisticated cons, targeting ads by age, geography, or interests. Now Facebook does that work for them. The social network tracks who clicks on the ad and who buys the pills, then starts targeting others whom its algorithm thinks are likely to buy. Affiliates describe watching their ad campaigns lose money for a few days as Facebook gathers data through trial and error, then seeing the sales take off exponentially. “They go out and find the morons for me,” I was told by an affiliate who sells deceptively priced skin-care creams with fake endorsements from Chelsea Clinton.
Facebook has recently put more resources into weeding out scams. But for years, even as the company’s total ad revenue reached into the billions, it assigned few engineers to the matter. Ben Dowling, one of only three such employees when he was hired in 2012, says Facebook was focused on checking whether ads followed policies about things such as the percentage of text and images, and not on catching people with bad intentions. “They definitely didn’t want them, that was totally clear,” Dowling says, but “they weren’t particularly effective at stopping them.” (He left Facebook in 2014.) The company hired a few dozen reviewers in Austin and Hyderabad, India, to look over ads that users or algorithms had flagged as questionable and ban accounts that broke the rules. But affiliates evaded them using a subterfuge they call “cloaking.” It was easy, especially if you were running Voluum.
Gryn’s software allows affiliates to tailor the content they deliver according to a number of factors, including the location or IP address associated with a user. The feature is useful for ad targeting—for example, showing Spanish speakers a message in their native language. But it’s also a simple matter to identify the addresses of Facebook’s ad reviewers and program campaigns to show them, and only them, harmless content.
Those who were caught and banned found that this was only a minor setback—they just opened new Facebook accounts under different names. Some affiliates would buy clean profiles from “farmers,” spending as much as $1,000 per. Others would rent accounts from strangers or cut deals with underhanded advertising agencies to find other solutions.
Affiliates say Facebook has sent mixed signals over the years. Their accounts would get banned, but company salespeople would also come to their meetups and parties and encourage them to buy more ads. Two former Facebook employees who worked in the Toronto sales office said it was common knowledge there that some of their best clients were affiliates who used deception. Still, the sources said, salespeople were instructed to push them to spend more, and the rep who handled the dirtiest accounts had a quota of tens of millions of dollars per quarter. (He left Facebook last year.)
“We are deeply committed to enforcement against malicious advertisers and protection of people’s data,” David Fischer, Facebook’s vice president for business and marketing partnerships, said in a statement. “We require all employees to follow our code of conduct and act in the best interest of both people and advertisers on Facebook.” In February 2017, the company hired Leathern, a 43-year-old South African ad startup founder, who’d drawn attention for writing a series of online posts about what he described as “subprime ads.” His work for Facebook has progressed amid unceasing criticism that the social network is helping create a society in which little can be trusted—a fever that reached a new intensity with the disclosure that a Trump-connected consulting firm, Cambridge Analytica, acquired the data of 50 million userswithout their permission.
In a sense, affiliate scammers are much like Cambridge Analytica. Because Facebook is so effective at vacuuming up people and information about them, anyone who lacks scruples and knows how to access the system can begin to wreak havoc or earn money at astonishing scale.
Leathern’s job is to police a $40 billion-a-year ad platform that malicious players are constantly trying to subvert. In August he announced Facebook would start using artificial intelligence to disrupt cloaking. He declined to describe the process, saying he didn’t want to give tips to bad actors, but he said the practice has been reduced by two-thirds. Facebook is adding 1,000 people to its ad review team, and it’s banned ads for cryptocurrencies, which were popular with affiliates. Leathern has started engaging with journalists on Twitter—and occasionally he reaches out to individual users. “Thanks for letting us know about this,” he wrote to William Shatner on March 21, after the actor complained about an ad that claimed he was dead. (“I’m not planning on dying,” the actor replied to Leathern, “so please continue to block those kinds of ads.”)
The majority of deceptive advertisers are caught in the review process, Leathern said, and Facebook has no interest in profiting from those who slip through. “We are working hard to get these people off the platform,” he told me. “Winter is coming. They may get away with it for a while, but the party’s not going to last.”
I caught up with Gryn a second time in January in Santa Monica, Calif. He’d moved from Krakow to a $20,000-a-month beachfront apartment two months earlier and had already embraced the lifestyle, with a collection of flat-brimmed hats, a bike for riding on the boardwalk, and a ketogenic diet that forbade eating outside a single four-hour window.
Gryn employs 88 programmers nine time zones away in Poland, and when I visited, he’d fulfilled his management responsibilities by 9 a.m. as usual. He told me he’d decided to share his story because he felt a duty to show young Poles that they can succeed as entrepreneurs without relying on government graft. “This postcommunist mentality—I’m shattering that, unshackling part of our society from that trapped thinking,” he said. “It’s insane, really. It scares me sometimes.”
He said he’d grown up among Poland’s elite, the son of a mobile phone executive, with a beach home in Spain and a cabin outside Warsaw where his grandmother taught him to forage for mushrooms. But he was depressed as a child, and when he was older, he had to be taught how to smile. Nothing he learned in school excited him. He paid even less attention in college and graduate school, though he obtained a master’s in marketing. His real education came on the internet.
Around 2009, Gryn moved to Prague to intern at a company called Elephant Orchestra, which specialized in selling ads on misspelled domain names such as facebok.com. Elephant Orchestra was so profitable that its founder, then about 26, produced a feature-length movie about typo domains and got Václav Havel, the former Czech president and anti-communist hero, to make a cameo. The company’s customers were affiliates. Soon, Gryn discovered Stack That Money and other forums where they posted about their millions. The posters were people like Ryan Eagle, who’d made a fortune as a teenager in suburban Chicago and acquired a chrome-covered Bentley, iced-out watches, a diamond-encrusted chain-mail mask—and a nasty drug habit. (“When you’re a real douche bag,” says Eagle, now 30 and sober, “the douchey things find you.”) Other posters came from the world of professional pickup artists—people such as Mark van Stratum, who wrote a memoir called Drug of Choice: The Inspiring True Story of the One-Armed Criminal Who Mastered Love and Made Millions.
Once Gryn realized that what the affiliates were doing wasn’t hard, the possibilities excited him so much that he sometimes couldn’t sleep. “It’s like striking gold,” he said. “You almost panic.”
Gryn found the affiliates at a moment when they were discovering social media. They’d begun applying tricks on Facebook that had been invented by email spammers, who’d in turn borrowed the tactics of fax spammers in the 1980s and ’90s. New forms of media have always been hijacked by misleading advertising: 19th century American newspapers were funded in part by dishonest patent medicine ads. Within days of Abraham Lincoln’s inauguration, the makers of Bellingham’s Onguent were placing ads claiming the president had used their product to grow his trendy whiskers.
Fake personal endorsements and news reports are still the most effective tricks. Dr. Oz, the Shark Tank judges, and Fixer Upper co-host Joanna Gaines are among the most popular imprimaturs, though Eagle favored Kim Kardashian. After she complained to TMZ that her name was being used without permission to promote colon cleanses, he bragged on an affiliate forum in 2009 that the ads were his.
The latest products include Enhance Mind IQ—or Elon’s Smart Pills, as they were called in a recent Facebook ad falsely suggesting that the Tesla Inc. co-founder had talked them up on 60 Minutes. The checkout page says the pills are free, though buyers must still submit a credit card number. Online reviews are full of victims complaining of the subsequent recurring $89-a-month charges. Other affiliates use deceptive pictures to sell junky watches, dresses, and flashlights from Chinese factories. Shark Tank’s Barbara Corcoran says she frequently fields complaints from people duped by skin-cream ads on Facebook featuring her face. Two of her own sisters fell for the scam, Corcoran told me. “I send out so many cease-and-desist letters,” she said. “But it’s very hard to track down the source.”
Around 2011, Gryn started running a “Free iPhone” offer in Poland. It was his breakthrough. The lottery had real winners, but entrants had to agree to be billed a few zlotys ($1 or so) a week. It brought in more money than Gryn was earning at Elephant Orchestra, and he quit to do affiliate marketing full time. In 2012, when he was 24, his revenue hit $1 million. The next year his broker flew him to Las Vegas to celebrate with other affiliates. Photos show a nerdy-looking Gryn smiling next to an Oompa Loompa his hosts had hired for a candy-themed party. The group paid thousands of dollars at a club to chug vodka from light-up multiliter bottles as big as beagles. Gryn felt awkward and shy, but he knew he wanted more. “It was absolute decadence,” he said. “I just wanted to ride that wave.”
Also in 2013, Gryn bought out Codewise, a web development company in Krakow he’d hired to create a campaign-tracking tool. The software had modest but supremely useful features, such as tracking campaigns on multiple platforms—Facebook, Google, Twitter, etc.—in one place and altering content based on a user’s country. Gryn branded it Voluum and began offering it to other affiliates. On the first day of sales, 1,000 customers signed up, at a minimum of $99 a month. (Gryn said some clients now pay thousands of dollars a year, based on usage.) He and his employees donned suits for the occasion, spraying Champagne around the office as the Twista song Sunshine played on repeat.
Voluum is intended for ad tracking and targeting, not trickery, Gryn said. Dishonest affiliates could apply other software to the same ends. “We’re not in the business of policing the internet,” he said. “If we ban people from Voluum, they’d be doing the same thing somewhere else the next day. At least we consolidate the bad apples in one place.”
As affiliate marketing boomed, so did Codewise. Revenue reached $39 million in 2015, according to a statement Gryn provided me. Google banned Voluum over cloaking concerns, but that didn’t derail the company—Facebook was where the action was. In January 2016, Gryn met with American investment bankers who told him they could get $200 million or more for Codewise, which he owns outright. He turned them down.
Gryn hired a public-relations agency and developed an online persona in keeping with his newfound wealth. For his 30th birthday, he rented a villa in Ibiza, hired 15 “pool girls” as entertainment, and flew in eight of his friends on a private jet for a weeklong party that cost $250,000. When he got back to Poland, he rented a giant billboard in Krakow and put up an ad with his face and the message “Don’t Be a Corporate Slave. Join Poland’s Fastest Growing Startup.” In February 2017, Forbes put him on the cover of its Polish edition, naming him the country’s 57th-richest man. He started getting recognized around Krakow and receiving fan mail from young people inspired by his story.
Inevitably, there was a backlash. One writer for a technology website called Spider’s Web said Gryn’s company facilitated fraud and scams. Others made fun of his Instagram account and its evident lack of self-awareness. Gryn fired his PR shop and called his critics “gypsies” in an online post. He posted a slogan on his office wall: “If nobody is criticizing you, you’re not doing anything extraordinary.”
Still, the disapproval hurt. He went to Phuket, Thailand, cleared his mind by training as a Muay Thai fighter for three weeks, and decided to move to California, where he’d fit in better. “In Poland, people can’t stomach success,” he said. “They associate it with stealing or thievery.”
Sitting on a bench on the Santa Monica pier after a ride on the Ferris wheel, I asked Gryn about the ethics of affiliate marketing. He said he’d stopped doing it himself, because he started to get handwritten complaints from people who’d entered his iPhone sweepstakes and couldn’t figure out how to cancel the recurring charges. “I had no idea that this is what it’s doing to people,” he said. “As an affiliate marketer, you just look at the numbers. You don’t see the faces. You don’t see the people that you’re potentially financially hurting. It just sucks money out of the poorest people.”
But affiliates, he continued, aren’t really to blame. They’re just taking advantage of opportunities created by large corporations in a capitalistic system built around persuading people to buy things they don’t need. Gryn said he daydreams about changing directions and doing something positive for the world. He’s considering investing in sustainable fish farming or going back to school to study mushrooms, like the ones he used to forage for with his grandmother. “Everything I do is futile,” he said, staring out at the ocean, listening to seagulls caw. “No matter how successful a company I build in this space, I am facilitating what I deeply believe is a poorly designed system.”
The moment passed quickly. “You can’t abandon the skill set that makes you successful,” he said. “You’d have to be some sort of hippie.” As we walked back along the boardwalk to his apartment, he talked about his plan to raise tens of millions of dollars for Codewise by creating a cryptocurrency. Gryn said the token will enable him to revolutionize the affiliate-marketing business, cut out other middlemen, and build a billion-dollar company. Also, there was his 32nd birthday to plan. He was thinking of going back to Ibiza.
Google knows where you’ve been
Google stores your location (if you have location tracking turned on) every time you turn on your phone. You can see a timeline of where you’ve been from the very first day you started using Google on your phone.
Click on this link to see your own data: google.com/maps/timeline?…
Here is every place I have been in the last 12 months in Ireland. You can see the time of day that I was in the location and how long it took me to get to that location from my previous one.
Google knows everything you’ve ever searched – and deleted
Google stores search history across all your devices. That can mean that, even if you delete your search history and phone history on one device, it may still have data saved from other devices.
Click on this link to see your own data: myactivity.google.com/myactivity
Google creates an advertisement profile based on your information, including your location, gender, age, hobbies, career, interests, relationship status, possible weight (need to lose 10lb in one day?) and income. Click on this link to see your own data: google.com/settings/ads/
Google knows all the apps you use
Google stores information on every app and extension you use. They know how often you use them, where you use them, and who you use them to interact with. That means they know who you talk to on Facebook, what countries are you speaking with, what time you go to sleep. Click on this link to see your own data: security.google.com/settings/secur…
Google has all of your YouTube history
Google stores all of your YouTube history, so they probably know whether you’re going to be a parent soon, if you’re a conservative, if you’re a progressive, if you’re Jewish, Christian, or Muslim, if you’re feeling depressed or suicidal, if you’re anorexic … Click on this link to see your own data: youtube.com/feed/history/s…
The data Google has on you can fill millions of Word documents
Google offers an option to download all of the data it stores about you. I’ve requested to download it and the file is 5.5GB big, which is roughly 3m Word documents.
Manage to gain access to someone’s Google account? Perfect, you have a diary of everything that person has done
This link includes your bookmarks, emails, contacts, your Google Drive files, all of the above information, your YouTube videos, the photos you’ve taken on your phone, the businesses you’ve bought from, the products you’ve bought through Google …
They also have data from your calendar, your Google hangout sessions, your location history, the music you listen to, the Google books you’ve purchased, the Google groups you’re in, the websites you’ve created, the phones you’ve owned, the pages you’ve shared, how many steps you walk in a day …
Click on this link to see your own data: google.com/takeout
Facebook has reams and reams of data on you, too
Facebook offers a similar option to download all your information. Mine was roughly 600MB, which is roughly 400,000 Word documents.
This includes every message you’ve ever sent or been sent, every file you’ve ever sent or been sent, all the contacts in your phone, and all the audio messages you’ve ever sent or been sent.
Click here to see your data: https://www.facebook.com/help/131112897028467
Facebook stores everything from your stickers to your login location
Facebook also stores what it thinks you might be interested in based off the things you’ve liked and what you and your friends talk about (I apparently like the topic “girl”).
Somewhat pointlessly, they also store all the stickers you’ve ever sent on Facebook (I have no idea why they do this. It’s just a joke at this stage).
They also store every time you log in to Facebook, where you logged in from, what time, and from what device.
And they store all the applications you’ve ever had connected to your Facebook account, so they can guess I’m interested in politics and web and graphic design, that I was single between X and Y period with the installation of Tinder, and I got a HTC phone in November.
(Side note, if you have Windows 10 installed, this is a picture of just the privacy options with 16 different sub-menus, which have all of the options enabled by default when you install Windows 10)
They can access your webcam and microphone
The data they collect includes tracking where you are, what applications you have installed, when you use them, what you use them for, access to your webcam and microphone at any time, your contacts, your emails, your calendar, your call history, the messages you send and receive, the files you download, the games you play, your photos and videos, your music, your search history, your browsing history, even what radio stations you listen to.
Here are some of the different ways Google gets your data
I got the Google Takeout document with all my information, and this is a breakdown of all the different ways they get your information.
Here’s the search history document, which has 90,000 different entries, even showing the images I downloaded and the websites I accessed (I showed the Pirate Bay section to show how much damage this information can do).
Google knows which events you attended, and when
Here’s my Google Calendar broken down, showing all the events I’ve ever added, whether I actually attended them, and what time I attended them at (this part is when I went for an interview for a marketing job, and what time I arrived).
And Google has information you deleted
This is my Google Drive, which includes files I explicitly deleted including my résumé, my monthly budget, and all the code, files and websites I’ve ever made, and even my PGP private key, which I deleted, that I use to encrypt emails.
Google can know your workout routine
This is my Google Fit, which shows all of the steps I’ve ever taken, any time I walked anywhere, and all the times I’ve recorded any meditation/yoga/workouts I’ve done (I deleted this information and revoked Google Fit’s permissions).
And they have years’ worth of photos
This is all the photos ever taken with my phone, broken down by year, and includes metadata of when and where I took the photos
Google has every email you ever sent
Every email I’ve ever sent, that’s been sent to me, including the ones I deleted or were categorised as spam.
And there is more
I’ll just do a short summary of what’s in the thousands of files I received under my Google Activity.
First, every Google Ad I’ve ever viewed or clicked on, every app I’ve ever launched or used and when I did it, every website I’ve ever visited and what time I did it at, and every app I’ve ever installed or searched for.
They also have every image I’ve ever searched for and saved, every location I’ve ever searched for or clicked on, every news article I’ve ever searched for or read, and every single Google search I’ve made since 2009. And then finally, every YouTube video I’ve ever searched for or viewed, since 2008.
This information has millions of nefarious uses. You say you’re not a terrorist. Then how come you were googling Isis? Work at Google and you’re suspicious of your wife? Perfect, just look up her location and search history for the last 10 years. Manage to gain access to someone’s Google account? Perfect, you have a chronological diary of everything that person has done for the last 10 years.
This is one of the craziest things about the modern age. We would never let the government or a corporation put cameras/microphones in our homes or location trackers on us. But we just went ahead and did it ourselves because – to hell with it! – I want to watch cute dog videos.
• A caption was corrected on 28 March 2018 to replace “privacy options in Facebook” with “privacy options in Windows 10”.
Dylan Curran is a data consultant and web developer, who does extensive research into spreading technical awareness and improving digital etiquette