I’ve recently delved into Google’s exciting release of Ads API version 24.1, and it’s packed with valuable updates for advertisers. This version brings us advanced reporting capabilities, expanded AI campaign testing, and improved security measures.
In this update, Google has prepared us for their upcoming data retention policy changes, which will commence next year—something I believe every developer should be ready for.
Why we care. The latest release highlights three crucial areas: performance visibility, creative control, and testing automation, which are becoming vital for advertisers like me.
What’s more, brands now have greater control over creative displays in Demand Gen campaigns, overcoming the typical limits imposed by automation. It’s a significant update that I’m excited to explore further.
Those of us who lean heavily on reporting infrastructures should also be mindful of Google’s impending 37-month data retention limit, set to impact historical performance analysis come 2026.
Mobile reporting gets more granular. One of the features I’m most thrilled about is the new mobile device platform segment that allows for reporting by operating system.
With the new segments.mobile_device_platform field, I’m able to differentiate performance across iOS and Android, a game-changer for app marketers and ecommerce advertisers alike.
Demand Gen adds classic image support. I love how Google is providing us with more creative control in Demand Gen campaigns, specifically through the classic_display_images field.
This new field allows us to upload and display static image ads exactly as designed, which is perfect for maintaining branding consistency without AI alterations.
Passkeys come to Google Ads. Security is always a top concern of mine, so I’m pleased to see the inclusion of the passkey_enabled field to boost account security through passwordless authentication.
Experiment support expands. I’ve noticed that Google has significantly enhanced the support for Experiments, allowing us to run and analyze tests across AI Max, Video, Demand Gen, and Performance Max campaigns.
This update also enables us to view metrics such as clicks and conversions more transparently, making experiment analysis straightforward and insightful.
A major data retention change is coming. From June 1st, Google Ads and related APIs will enforce a 37-month data retention limit, something I must prepare for to avoid disruptions in performance analytics.
The release includes a new error code: DateRangeError.REQUESTED_DATE_GRANULARITY_NOT_SUPPORTED, and it’s essential that I update reporting workflows accordingly.
What’s next. I’ve already checked out the updated client libraries and code samples for v24.1, and I plan to participate in Google’s live walkthrough on Discord, YouTube Live, and LinkedIn Live for additional insights.
I’ve noticed that more and more of us are finding ourselves suddenly and, at times, permanently locked out of our Facebook accounts. What used to be just an occasional issue has turned into a widespread frustration impacting not only everyday users but creators and business owners as well.
So, what’s driving this increase? It’s a mix of AI moderation, enhanced security protocols, platform dynamics, and changing user habits. Let’s dive into the underlying factors behind this trend.
The rise of AI moderation — and its tradeoffs
At the core of this issue is Meta, Facebook’s parent company, which relies heavily on artificial intelligence to oversee user activities across billions of accounts. These AI systems are tasked with:
Identifying harmful content,
Thwarting scams and abuse,
Enforcing community standards at scale.
However, there’s a significant tradeoff with AI moderation. Unlike humans, AI struggles to grasp context and nuance, which often leads to:
Flagging normal behavior as suspicious,
Misinterpreting the context of communications,
Imposing account restrictions based on patterns instead of intentions.
This has triggered an increase in false positives, where users find themselves unjustly locked out. Reports of wrongful account deactivation are rampant, typically due to AI-only moderation with little human oversight. Astonishingly, appeals can sometimes be resolved immediately, hinting at minimal human involvement despite official policies.
Account takeovers are increasing
With the surge in cybercrime over recent years, social media platforms have increased their security measures. Facebook now deploys more aggressive signals to spot:
Logins from unfamiliar locations or new devices,
Frequent changes to account settings,
Unusual messaging or posting patterns.
While these steps aim to block malicious actors, they also come with unintended side effects:
Travel, using a VPN, or device changes can cause lockouts,
Legitimate users may be snared alongside malefactors.
When hackers access an account, they often alter the registered email and password, activating security alerts and locking the original owner out entirely. From Facebook’s viewpoint, the account is indeed compromised; however, recovery processes don’t always fast-track access back to the rightful owner.
The role of new features and identity verification
In recent years, Facebook has introduced new security layers, including:
Two-factor authentication,
Identity verification checks,
Paid support options connected to account verification.
While these features enhance security, they also introduce complications, making account recovery more cumbersome:
Adding steps to recover accounts,
Creating barriers for users who struggle with identity verification,
Causing lockouts when verification fails.
Some users report being asked to submit identification several times without resolution, escalating the frustration.
The business incentive behind platform changes
Meta’s motivations for investing in AI moderation and automated enforcement boil down to cost-effectiveness. Automation provides instant scalability, reduces operational expenses, and manages ‘standard’ cases effectively. However, this efficiency comes at a price. For those outside agencies or larger entities operating within Business Manager, finding significant support can be a challenge — leaving some of us without a clear path for escalation.
Meta’s commanding position in the social media advertising space, coupled with robust financial performance and political influence, leads to minimal external pressure to reform its support systems. Meanwhile, search queries related to account recovery are often dominated by Meta’s resources, directing users back into the same narrow support ecosystem, even when alternative solutions might exist.
Platform scale is working against users
One can’t ignore the sheer enormity of Facebook’s operations. With a global user base of billions, even minor error rates can affect millions of individuals. Consequently, Meta’s support systems can’t possibly offer personalized support to everyone, leading to automation as the norm, despite its imperfections.
Additionally, internal fragmentation complicates matters further. Facebook isn’t a singular system — it’s an expansive ecosystem including personal profiles, Pages, ad accounts, Business Manager, and platforms like Instagram, Threads, and WhatsApp. Each operates with distinct rules and support channels. When issues traverse multiple systems — as they often do — no single team fully ‘owns’ the problem, making resolutions slower, more complex, and harder to navigate.
What can seem like a deeply personal problem is often the result of a system optimized for global efficiency, sometimes at the expense of individual support. Facebook aims to minimize risk on a large scale, which can clash directly with the need for prompt, personalized support.
Lack of human support and regaining access
One of the ongoing frustrations isn’t just the lockouts but what follows them. Many users, including myself, face challenges such as:
Limited access to human support,
Automated replies that fail to address the issue,
Confusing or ineffective recovery workflows.
Although Meta is introducing new support tools, much of the assistance process remains automated. If your problem doesn’t fit perfectly into one of their defined categories, resolution becomes even more challenging.
This is primarily because Facebook’s support system is structured around rigid, predefined pathways like “my account was hacked,” “I can’t log in,” or “my ad was rejected.” But most issues don’t neatly fit into one of these categories. They’re often multifaceted: part hack, part lockout, or linked to both personal and Business Manager accounts, further complicated by unclear or incorrect policy flags.
When my situation doesn’t match a single category, the system struggles to process it correctly. Instead of progressing towards a solution, I’m often routed through repetitive workflows — submitting forms that don’t entirely apply — leaving me trapped in exhausting loops without a clear way forward.
William Jennings, who runs WKJ Consulting, a social account recovery consultancy, has observed how these gaps have led to an underground recovery market. Some dubious services even exploit locked-out users by demanding payments through unconventional means like game credits — a problem that persists because legitimate recovery channels remain limited.
Accounts that link through Meta’s Account Center (including Facebook and Instagram) generally have a more straightforward recovery process. Sometimes, users can subscribe to Meta Verified on a linked Instagram account to access chat support and initiate an administrative claim.
Jennings highlights that:
“Meta Verified acts almost like paid protection — approximately 90% effective in preventing wrongful restrictions or disabling, though it doesn’t offer a guarantee if the rules are violated.”
A well-structured recovery method often involves:
Subscribing to Meta Verified to gain chat support,
Filing an administrative dispute with necessary documentation (such as error screenshots, emails, account URL, and ID verification),
Escalating to legal support in more acute scenarios.
It’s crucial that hacked accounts follow dedicated channels like facebook.com/hacked or instagram.com/hacked, and it’s far more effective to focus on prevention than recovery.
After regaining access, it’s essential to undertake steps like enabling two-factor authentication, saving recovery codes, and adopting advanced security measures.
Enforcement has scaled — recovery hasn’t
Facebook lockouts are an inherent consequence of the platform’s development. As Meta continues to emphasize automation and efficiency, many of us engage with systems built for speed, security, and risk minimization.
Most of the time, these systems function silently in the background. But when they falter, it feels abrupt, opaque, and incredibly hard to navigate.
Access to meaningful support often correlates with high ad spend, established business accounts, and tied to paid verification products. This leads to an unbalanced support landscape where major advertisers receive better assistance, leaving individuals and small businesses with fewer options.
For a platform operating on a global scale, this setup is intentional. But for those entangled in the process, it’s incredibly frustrating.
Have you ever wondered how Google is ensuring the authenticity of AI bots? I recently stumbled upon Google’s latest experimental method, Web Bot Auth, which aims to address exactly that. This project is currently in a limited testing phase, specifically for AI agents hosted on Google’s infrastructure, but it could be expanded in the future.
In Google’s new help document, they clarify that Web Bot Auth is a “new cryptographic protocol that helps websites validate that bots are authentic.” This innovative approach is designed to automate the authentication of AI Agent bots, distinguishing between genuine and fraudulent bots.
Limited test phase: Google’s team mentions they are “testing the protocol with some AI agents hosted on Google infrastructure.” It’s important to note that not all Google user agents are currently using Web Bot Auth, and the company isn’t signing every bot request with this protocol just yet.
What is Web Bot Auth? Defined as “an experimental cryptographic protocol used to authenticate requests sent by bots,” this method moves away from self-reported headers and IP addresses. Instead, it allows agents to sign their requests cryptographically.
According to Google, Web Bot Auth offers several benefits:
Future-proofing: Supporting a trusted environment where agent providers and websites can mutually verify access.
Cryptographic certainty: Transitioning from easily falsified headers to a verified identity, separate from IP addresses.
Better observability: Gaining clear insights into agent interactions with your content.
Why this matters to us: As AI agents continue to proliferate online, managing access to our sites becomes increasingly complex. This new authentication method could effectively distinguish credible AI agents from deceptive ones, ensuring the right entities access our data.
Since Web Bot Auth is still “experimental,” I’ll be keeping an eye on its development. It might just transform how we manage AI bot access in the future.
I’ve recently discovered that Google has introduced some exciting AI safety features in their Ads Advisor, which could really transform how we manage campaigns. This update promises to automate policy fixes, enhance security, and expedite certifications, all to help us run our campaigns more efficiently.
As someone who spends a lot of time tackling policy issues and managing certifications, this news is music to my ears. With advertising campaigns becoming increasingly complex, having AI handle these time-consuming tasks could significantly boost our productivity and performance.
What’s New. The latest update brings proactive troubleshooting, continuous security monitoring, and immediate certifications. Thanks to AI and Google’s Gemini capabilities, these features promise to be a real game-changer.
Zoom In:
Ads Advisor can now automatically flag and resolve policy violations before they even catch our attention. This proactive approach ensures we stay ahead of potential issues.
The new security dashboard is always on the lookout for risks such as suspicious domains or dormant users. It’s like having an ever-vigilant guard protecting our accounts 24/7.
Imagine getting certifications that used to take weeks, approved instantly with just a click. This means we can focus on strategy rather than paperwork.
How It Works. Ads Advisor proactively scans accounts and sites, offering up fixes and confirming resolutions without the need for manual intervention. On the security front, it continuously checks account health and even supports passkey use, reducing our dependency on passwords.
Why We Care. These features save us hours that were once spent fixing issues, upping our security game, and dealing with certifications. This proactive system reduces delays and risks, ultimately enhancing campaign speed and efficiency.
What to Watch. Google plans to roll out these features for English-speaking accounts over the coming months, with additional languages to follow.
As someone who frequently works with Google’s advertising tools, I know firsthand how crucial security is. Starting April 21, Google is implementing a mandatory multi-factor authentication (MFA) requirement for its Ads API. This is a significant move towards enhancing security, but it’s one that might need us to rethink our authentication workflows.
Driving the news. Google will gradually enforce mandatory MFA for the Ads API, aiming for complete roll-out just weeks after the initial date. This means we all need to be prepared.
This update directly impacts those of us generating new OAuth 2.0 refresh tokens, as it mandates a more secure authentication process.
What’s changing. We’ll now need to add another step in verifying our identity. This could be in the form of a phone prompt or an authenticator app, alongside the usual password.
Existing OAuth tokens we’re already using will stay unaffected, but for any fresh authentications, MFA will become the default requirement. If we’re not yet using two-step verification, it’s time to set it up.
Why we care. This shift influences how we manage and access our Google Ads data through various APIs and connected tools. While it undeniably enhances security and mitigates unauthorized access risks, it could also require us to adjust existing workflows, especially when generating new credentials often. Preemptive preparation can save us from potential disruptions.
Who’s affected. If your applications or workflows rely on user-based authentication, you’re in for some changes.
User authentication workflows: These will need MFA for new token setups.
Service account workflows: Thankfully, these remain untouched. They’re actually recommended for automated or offline scenarios.
The requirement isn’t limited to the API alone. We’ll also see it in tools like Google Ads Editor, Scripts, BigQuery Data Transfer, and Data Studio.
The big picture. As we lean more heavily on ad platforms for sensitive data and automation, security can’t be pushed aside. This need grows as API access proliferates across various teams, tools, and integrations.
Yes, but. While boosting security against unauthorized intrusions is welcome, we must consider the challenges it introduces. Especially for teams like ours that often create new credentials or depend on manual authentication flows.
I recently discovered that Google has released a new guidance document for passkeys in Google Ads. This move couldn’t have come at a better time, considering how frequent account hacks have become.
Understanding how passkeys work within Google Ads is crucial, particularly with the uptick in phishing attempts targeting advertisers like us.
What’s Happening. According to the new help page, passkeys offer a password-free and phishing-resistant login method in Google Ads. Google outlines when these keys are essential, such as during user access changes and account linking updates.
The document guides us through the necessary device requirements, setup steps, and other security considerations to ensure we’re fully protected.
Why We Care. In today’s digital age, our ad accounts are prime targets for cyber attackers. These threats can lead to budget theft, disruptions in campaigns, and even data loss. Having clear guidance from Google is incredibly valuable, offering us a straightforward path to fortify our account security just when it’s needed the most.
The Bottom Line. With the increasing frequency of account takeovers, learning how to effectively use security tools like passkeys is a smart move. It’s all about securing our access and minimizing risks.
I recently discovered an exciting update from Google Ads that promises to enhance the security of high-risk account changes. They have silently introduced a multi-party approval feature that ensures a second administrator must approve specific actions before they are finalized. This step adds a critical layer of protection against unauthorized or malicious changes, enhancing the overall safety of our accounts.
This new feature is particularly important as our ad accounts grow larger and carry more value. A single unauthorized change can quickly disrupt campaigns and even affect our billing. By requiring approval from another administrator, this feature effectively reduces such risks without hindering our regular campaign management processes.
For agencies and large teams like mine, this tool becomes invaluable. It helps us avoid costly mistakes and significantly bolsters our account security. I appreciate how Google is responding to the increasing necessity for robust access control.
Here’s how it works: when I, as an admin, initiate a sensitive change, Google Ads automatically sends an approval request to other eligible admins. This request is delivered as an in-product notification, requiring an action within 20 days—either approval or denial—otherwise, it simply expires, and the change will not be implemented.
Moreover, tracking the status of these requests is hassle-free. Each change request is tagged as Complete, Denied, or Expired, allowing my team to easily monitor and review our account changes.
To manage these approval requests, we can head over to the Access and security section within the Admin menu. It’s quite straightforward and keeps us in the loop with all ongoing requests.
This update points to a growing concern about account security, especially for advertisers managing large teams with multiple user permissions. With reports of expensive hacks escalating, this added security is a much-welcomed relief for us.
In the end, although multi-party approval may add a bit of friction to the process, it’s definitely a good kind. It grants us more control over who can make vital changes to our accounts, thus protecting them from unauthorized access. In my opinion, it’s a prudent step towards safer, more secure ad management.
I’ve always been fascinated by how companies navigate complex regulatory landscapes. Recently, TikTok made headlines with the launch of a new U.S.-controlled joint venture, a decisive move aimed at aligning with American national security rules.
To ensure that TikTok can continue serving its vast user base of over 200 million Americans, the company established TikTok USDS Joint Venture LLC. This step was officially taken following an executive order from President Trump on September 25, 2025.
The big picture. This joint venture stands out because it’s primarily owned by American interests, functioning independently concerning U.S. user data, content moderation, and algorithm security. While ByteDance maintains a 19.9% stake, this remains under the level that’s often scrutinized for national security.
This initiative leverages TikTok’s already established U.S. Data Security (USDS) program, aiming to protect sensitive information from foreign interference.
Why it matters to me. As someone who appreciates the dynamic between technology and regulation, this joint venture is a significant test of whether TikTok can continue its operations in the U.S. without facing bans or demands to sell its U.S. assets. It effectively transfers control of key operational areas to American oversight, addressing long-standing security concerns.
For creators and advertisers like me who rely on TikTok, this development signifies a potential blueprint for future regulations of foreign tech by the U.S.
Understanding the safeguards. User data from the U.S. will be securely stored in Oracle’s cloud infrastructure in the U.S., with rigorous audits and third-party cybersecurity certifications to ensure adherence to federal and industry standards like NIST, ISO 27001, and CISA.
The content recommendation algorithm for U.S. users will also be adapted and tested using U.S. data within Oracle’s systems, ensuring robust security through continuous source code evaluations under software assurance protocols.
Trust, safety, and content moderation at the forefront. The joint venture now holds the decision-making power over trust, safety policies, and content moderation for U.S. users, further reducing foreign influence over crucial decisions.
Balancing global reach with U.S. control. While U.S.-based security and safety controls are tightened, TikTok’s global entities still handle interoperability and commercial activities like advertising and e-commerce, supporting worldwide visibility for American creators and businesses.
Governance and leadership. The joint venture is led by a seven-member board predominantly composed of Americans, including executives from Silver Lake, Oracle, Susquehanna International Group, and MGX. Adam Presser serves as CEO, with Will Farrell as Chief Security Officer, and Raul Fernandez, CEO of DXC Technology, chairs the board’s security committee.
Ownership details. Silver Lake, Oracle, and MGX are the cornerstone investors, each with a 15% stake. Other investors include entities linked to Michael Dell, General Atlantic, Dragoneer, and Xavier Niel. These safeguards also cover CapCut, Lemon8, and other TikTok-associated apps in the U.S.
What comes next. TikTok USDS Joint Venture positions itself as a definitive response to U.S. regulatory pressures. It remains to be seen whether it will fully placate lawmakers and security agencies, ultimately securing TikTok’s future in the U.S. as scrutiny begins.
Catch-up. A $14 billion arrangement keeps TikTok operational in the U.S.
As I delve into the recent statements from Google, I am struck by the urgency in Elizabeth Reid’s affidavit. She warns us that if Google is compelled by the court to share its search index and ranking data, it could seriously jeopardize user privacy, potentially inviting spam abuse.
Reid, who heads Google’s Search department, presented her affidavit as part of Google’s motion to pause the implementation of some antitrust remedies. Her warning highlights the potential “immediate and irreparable harm” that such data sharing could cause to both Google and its users.
What strikes me is how Reid articulates the danger of exposing Google’s sensitive Search assets, which could lead to reverse engineering and an escalation in spam.
Imagine, for a moment, how revealing the web search index could become problematic. Under the court’s Section IV ruling, Google might have to provide competitors with crucial web index data. This includes every URL in Google’s index, a DocID-to-URL map, and more. For us at Google, this just seems like handing over the results of 25 years of meticulous work.
Reid explains that the web index is born from proprietary systems that decide the inclusion of pages in Google Search. Knowing which URLs are indexed by Google could allow potential competitors to bypass comprehensive crawling, thereby gaining undue advantage.
Further adding to the complexity, metadata like crawl frequency offers insight into how Google prioritizes content, which again, could provide competitors with unfair advantages if unveiled.
Reid’s affidavit includes images illustrating Google’s processes. One notably shows most webpages labeled as “Spam, Duplicates, & Low Quality Pages,” an insight into how meticulous our web crawling is. It’s fascinating to think that as of 2020, Google’s index boasted around 400 billion documents.
There is also a dire warning about exposing spam scores. Such a leak could greatly weaken Google’s spam-fighting mechanisms, making it harder to protect users from low-quality content.
In terms of user data, the transparency required by the judgment would mean sharing extensive search logs used by Google’s Glue and RankEmbed models, including detailed user interactions. This suggests a large-scale disclosure of Google’s proprietary data signals, something Reid is quite concerned about.
Finally, the requirement to syndicate Google’s core search results to competitors for five years poses a significant challenge. Despite contractual limits, our control over our systems would diminish, with possible data misuse or leaks.
Reid’s testimony underscores her knowledge and dedication as she stands by Google’s motion to stay antitrust remedies while the appeal is pending. If you’re interested, you can explore Reid’s affidavit further.
Since July 1, I’ve been closely following Cloudflare’s battle against AI bots. Our CEO, Matthew Prince, recently shared that we have successfully blocked 416 billion AI bot requests for our customers during this time.
This insight sheds light on Google’s significant advantage in AI. They’re currently capable of viewing 3.2 times more web pages than OpenAI, underlining the challenge smaller AI companies face.
Why this matters. The flood of AI systems consuming vast amounts of web content is concerning, especially without a mechanism for publishers to counteract this. Our statistics at Cloudflare show just how aggressively these AI bots are searching for data.
The current scenario. Ever since we launched our pay-per-crawl initiative on July 1, our clients have been automatically blocking AI crawlers. At the recent WIRED Big Interview event, Prince highlighted that so far, 416 billion AI bot requests have been turned away.
Analyzing Cloudflare’s data reveals that Google sees:
3.2 times more webpages than OpenAI.
4.6 times more than Microsoft.
4.8 times more than Anthropic or Meta.
As Prince mentioned, Google enjoys “this incredibly privileged access.”
The bigger picture. As it stands, Google offers publishers a difficult choice: either block AI training and risk disappearing from Google Search or allow it and accept AI scraping.
Prince said, “You can’t opt out of one without opting out of both, which is crazy. You shouldn’t get to use your monopoly of yesterday to secure a monopoly of tomorrow.”
Cloudflare aims to prevent market consolidation, ensuring the web remains open while assisting creators and businesses in adapting to this shift.
Encouragingly, publishers that already block AI crawlers report positive results, Prince noted.
Looking ahead. As AI models pursue superior training data, the worth of “creative, original human thought” will climb, potentially leading to opportunities in paid licensing, Prince forecasted. Meanwhile, Cloudflare is advocating for AI giants, particularly Google, to distinguish between search and AI crawling.
Prince asserted, “Google is the problem here. It is the company that is keeping us from going forward on the internet, and until we force them – or hopefully convince them – that they should play by the same rules as everyone else and split their crawlers up between search and AI, I think we’re going to have a hard time completely locking all the content down.”
