Evil Media and the Gray Systems That Act Through Us
Matthew Fuller and Andrew Goffey's Evil Media is a strange and useful media-theory book because it refuses to look only at messages, audiences, and representations. Its attention falls on routines, interfaces, lists, databases, corporate work systems, slogans, delays, defaults, and procedural tricks: the gray systems where power operates without needing to look dramatic.
For this review, a gray system is an operational arrangement that steers conduct through forms, metrics, rankings, queues, defaults, data structures, permissions, delays, dashboards, scripts, and records. It may be lawful, useful, and boring. The governance question is whether its effects can be named, audited, appealed, repaired, and refused.
The evidence target is not only the visible interface. It is the chain from design choice to behavioral nudge to record to metric to action: who configured it, what it privileges, what it hides, what evidence survives, and who can force a change.
The practical test is a gray-system warrant: identify the routine, the affected population, the path of least resistance, the metric that rewards it, the record it leaves, the human authority attached to it, and the route by which an affected person can contest both the outcome and the routine itself.
The Book
Evil Media was published by The MIT Press in 2012. The MIT Press record lists Matthew Fuller and Andrew Goffey as authors, gives the hardcover ISBN as 9780262017855, and lists the book at 248 pages. ACM's bibliographic record likewise identifies the publisher as The MIT Press. PhilPapers summarizes the book's target as media power beyond meaning and representation, with attention to corporate work systems, algorithms, data structures, and other operational zones.
The book belongs beside The Interface Effect, The Metainterface, Software Takes Command, The Cultural Logic of Computation, and What Algorithms Want. Its contribution is tactical. It asks what media do when they are not acting like spectacular content but like forms, queues, dashboards, scripts, defaults, and habits.
Gray Media
The most useful phrase in the book is gray media. These are not only newspapers, films, social networks, or obvious communication channels. They are the dull systems of operation: scheduling software, office language, management diagrams, help desks, search routines, classification systems, productivity techniques, incentive schemes, and databases that arrange what people can do.
That frame is useful because many important systems now govern by making action easy, hard, visible, invisible, required, delayed, or apparently natural. A dashboard can make one kind of work count and another disappear. A queue can decide who receives attention first. A form can make a person legible only by forcing them into categories. A slogan can align a company without producing a public rule. A search box can make authority look like convenience.
Fuller and Goffey's style is deliberately abrasive. They are not offering a neutral taxonomy. They are interested in stratagems: how systems maneuver, how organizations route conduct, and how technical arrangements produce effects while remaining deniable. The word "evil" is partly provocation, but the better reading is operational. Harm often arrives through small moves that each look procedural.
That makes the book useful for AI without turning it into AI prophecy. A gray system can be made from ordinary software, procurement rules, support scripts, dashboards, incentives, and interface defaults. An AI model may intensify the arrangement, but the first question is still institutional: what path has been made normal, which alternatives have become slow or invisible, and whose complaint can still alter the routine?
Current Context
As of July 10, 2026, Fuller and Goffey's gray-media frame has moved from theory into regulation and standards. The European Union's Digital Services Act treats very large online platforms and search engines as systems whose design, recommender systems, advertising, moderation, and data access can create systemic risks. The Commission says services with more than 45 million monthly users in the EU are designated as very large online platforms or search engines and face the DSA's strongest transparency, risk-assessment, audit, and researcher-access obligations.
The DSA is especially relevant because it treats design and data access as governance objects. For very large services, systemic-risk assessment, independent audit, recommender transparency, advertising repositories, statements of reasons, and vetted researcher access are attempts to turn gray operations into reviewable records.
Current DSA enforcement makes the point concrete. On February 6, 2026, the Commission preliminarily found TikTok in breach of the DSA for addictive-design features including infinite scroll, autoplay, push notifications, and a highly personalized recommender system. On July 10, 2026, it preliminarily found Meta in breach for the addictive design of Instagram and Facebook, again focusing on infinite scroll, autoplay, push notifications, and highly personalized recommenders. Both are preliminary findings, not final liability decisions, but they show regulators treating interface rhythm and recommender design as operational risk rather than mere style.
Consumer-protection law is also looking at interface operations rather than only explicit claims. The FTC's 2022 dark-patterns report described design practices that can trick or manipulate consumers into purchases, subscriptions, privacy disclosures, or other choices. The FTC and international privacy and consumer-protection partners also reported in July 2024 on a review of dark patterns affecting subscription services and privacy choices. That is an Evil Media point in regulatory language: the harm may sit in the path, default, cancellation flow, buried term, or disguised advertisement, not in a single false sentence.
AI regulation adds a synthetic-media layer. The European Commission's 2026 Code of Practice on Transparency of AI-Generated Content supports EU AI Act Article 50 duties for marking, detection, and labeling of certain AI-generated or manipulated content, with Article 50 transparency obligations applying from August 2, 2026. NIST's AI Risk Management Framework and Generative AI Profile push the same direction in standards language: governance, content provenance, pre-deployment testing, and incident disclosure are part of managing generative-AI risk.
C2PA's April 2026 version 2.4 specification shows the same pattern from the provenance side. Its content-credential standards are meant to certify the source and history of media content, but provenance remains a gray system too: labels, manifests, trust lists, validators, platform preservation, and user interfaces decide whether the record is visible and useful. A provenance badge is not truth by itself. It is a record that needs trustworthy capture, preservation, display, and appeal.
None of these sources proves that AI systems are conscious, divine, or AGI. They show something narrower and more useful: institutions are learning to govern the operational layer. Interfaces, rankings, provenance records, audit logs, disclosure labels, risk reports, and data-access rules are no longer background details. They are the places where power becomes inspectable or disappears.
The AI Reading
In the AI era, Evil Media helps shift attention away from the model as a standalone object. The model matters, but the deployed system is larger: prompt templates, retrieval layers, memory settings, moderation queues, evaluation dashboards, tool permissions, rollout gates, account roles, procurement claims, incident reports, and the managerial stories that make the system acceptable.
The point is not that every hidden routine is malicious. The point is that the consequential part of an AI system often sits in the connective tissue: an approval checkbox, a confidence threshold, a routing rule, a retrieval ranker, a data-retention setting, or a vendor dashboard that tells managers what counts as success.
A chatbot that answers badly is a visible failure. The gray system around it may matter more. Who wrote the system prompt? Which documents can retrieval see? What source ranking is hidden? Which user actions are logged? What escalation path exists? Which metric decides success? What silence is created by the interface? Which worker now has to clean up the output?
This is why the book pairs well with AI governance. Many automated harms are not theatrical. They come from workflow placement. A model enters a hiring process as a screening aid, then becomes a reason to ignore applicants. A meeting bot enters as convenience, then becomes corporate memory. A tutor enters as assistance, then becomes the default path through difficulty. A support bot enters as triage, then becomes the complaint department.
The gray-system question is especially important for agents. A browser agent, coding agent, shopping agent, or support agent does not only speak. It selects tools, inherits permissions, calls APIs, writes records, changes settings, sends messages, and may leave traces that managers or downstream systems treat as evidence. The model's answer is only one layer. The tool broker, identity grant, approval screen, trace log, revocation path, and rollback process decide whether delegation remains accountable.
The deeper risk is recursive. A gray system turns behavior into data, data into a metric, the metric into workflow pressure, and workflow pressure into later behavior. A recommender manufactures some of the attention it later measures. A workplace dashboard changes how workers act, then treats the changed behavior as evidence of productivity. A support bot delays complaint escalation, then reports fewer escalations. A source-ranking system makes some references easy to retrieve, then treats retrieval as authority.
Governance and Safety
The practical response is a gray-system audit. Before a high-impact AI or platform system is deployed, the operator should name the workflow, affected population, data inputs, forced categories, ranking or routing rules, defaults, metrics, escalation path, human-review point, appeal path, logging practice, retention period, vendor dependency, and shutdown authority.
The audit should ask what the system makes easier and harder. Does it make cancellation harder than subscription? Does it make appeal harder than acceptance? Does it turn a worker's invisible repair labor into a missing metric? Does it treat silence as satisfaction? Does it route vulnerable users to automation while privileged users reach humans? Does it preserve evidence for contestation, or only for managerial reporting?
For high-impact uses, the gray-system audit should preserve a versioned map: interface state, model or ruleset version, prompt and retrieval configuration where relevant, source-ranking rule, default settings, escalation criteria, human-review authority, logs retained for appeal, and the owner who can pause or roll back the system. Without that map, an organization can apologize for a bad outcome without being able to explain how the routine produced it.
Safety controls should attach to operations, not only outputs. Useful controls include data minimization, versioned prompts and retrieval sources, model and system cards, impact assessments, audit trails, incident reporting, notice and appeal, provenance records for generated content, independent review where risk warrants it, and procurement rights that let deployers inspect vendor claims. A model can be acceptable in one workflow and unacceptable in another because the gray system around it changes who can see, refuse, correct, or repair the outcome.
For agentic systems, the audit should add permissions, tool scope, spend limits, action receipts, human approval gates, revocation, rollback, and observability traces. For recommender and companion systems, it should add objective history, session-length and dependency signals, minor-safety defaults, non-profiled or low-personalization alternatives where required, and evidence that exit paths work in practice. For public services, it should add a nonautomated route, accessible appeal, language access, and record correction.
The hard part is proportionality. Some gray systems coordinate care, reduce arbitrary treatment, preserve memory, and surface neglected cases. The goal is not to abolish forms, queues, metrics, or automation. The goal is to prevent operational convenience from becoming unchallengeable authority.
Where the Book Needs Friction
The book can be difficult by design. Its manual-like structure, theoretical density, and taste for provocation can obscure its practical value. Readers looking for a plain empirical survey of platforms, labor, or algorithmic governance may need other books beside it.
It also risks making every media operation seem equally suspect. That would be too easy. Queues, forms, metrics, interfaces, and automation can coordinate care, preserve records, reduce arbitrary treatment, and make institutions accountable. The question is not whether operations are inherently evil. The question is whether their effects can be inspected, contested, repaired, and refused.
The book also needs a sharper justice layer when read today. A gray system does not distribute burden evenly. The person who cannot fit a form, wait in a queue, read a notice, navigate a dark pattern, produce a required document, or reach a human reviewer will experience "mere procedure" as exclusion. The analysis should therefore ask who is made legible, who is made slow, who becomes data exhaust, and who gets a route out.
Finally, the word "evil" should not become a shortcut for proof. A dark-pattern allegation, DSA preliminary finding, safety incident, or user story has to be handled with source discipline. The practical value of the book is not that it lets readers denounce every interface. It is that it teaches them to ask which routine did the steering, what evidence shows the effect, and what authority exists to change it.
What This Changes
The practical lesson is to audit the boring layer. For any AI system, ask about the surrounding operations before arguing only about intelligence, consciousness, or model capability.
What does the interface make easy? What does it hide? What categories does it force? Which metric becomes reality? Which worker absorbs ambiguity? Which user loses appeal rights? Which source becomes authoritative because the system can retrieve it? Which decision looks human because a human clicked approve after the path had already been narrowed?
The recurring theme is institutional memory. If the routine leaves no record, the institution cannot learn from the harm. If the record exists only for management, the affected person still cannot contest the routine.
A useful gray-system review therefore names the path, not only the product. Record the task, default route, alternative route, forced categories, metric, logging rule, retention period, escalation trigger, appeal channel, rollback owner, vendor dependency, and review date. Then test the path from the position of the person with the least time, least status, weakest device, least language access, or greatest need.
Evil Media matters because it studies power where people often stop looking. The AI interface does not need to be mystical to govern. It only needs to sit inside enough ordinary routines that its assumptions become the way work now happens. That connects directly to recursive reality, platform governance, and algorithmic transparency: the record, route, ranking, default, and appeal path are not administrative afterthoughts. They are the medium.
Source Discipline
This review separates book metadata, conceptual interpretation, regulatory context, and governance recommendations. Publisher and bibliographic records support facts about Evil Media. FTC, European Commission, EU legal, NIST, and C2PA sources support current claims about dark patterns, platform transparency, addictive-design proceedings, AI-generated-content labeling, AI risk management, and provenance standards.
Use narrow verbs. A regulator "requires," "investigates," "reports," or "guides." A standard "specifies" or "supports." A publisher "describes" a book. A product team "claims" a workflow is safe until evidence shows what was tested, what changed after deployment, who was affected, and how someone can appeal.
Preliminary findings under the Digital Services Act should be labeled as preliminary and not treated as final infringement decisions. Dark-pattern reports identify recognized tactics and enforcement concerns; they do not prove that every similar design is unlawful in every jurisdiction. C2PA records can support provenance, but they do not prove truth or intent without a trustworthy capture and verification chain.
This page makes no claim that any AI system is conscious, divine, prophetic, or AGI. It treats AI systems as institutional and product systems whose operational layers can steer people, records, and decisions. Current legal, standards, publisher, and provenance claims on this page were checked against primary or official sources on July 10, 2026.
Related Pages
- The Interface Effect, The Metainterface, and Software Takes Command extend the media-theory side of the argument.
- Recursive Reality, Recommender Systems, Cognitive Sovereignty, Deceptive Design Patterns, and Information Disorder cover feedback loops where system outputs become later evidence.
- Platform Governance, Digital Services Act, Algorithmic Transparency, and Algorithmic Impact Assessments turn gray systems into inspectable records.
- The Black Box Society, The Platform Society, Addiction by Design, and Dark Wire add opacity, public-value, addictive-design, and state-platform contexts.
- AI Governance, AI Audit Trails, Content Provenance and Watermarking, Notice and Appeal, Right to Explanation, Vendor and Platform Governance, and Transparency and Public Registers provide the operational controls this review points toward.
- AI Agents, Agent-Native Internet, AI Agent Observability, Agent Tool Permission Protocol, and Agent Audit and Incident Review apply the gray-system frame to delegated action.
- AI System Inventory, AI Procurement, AI Post-Market Monitoring, AI Change Management, and AI Incident Reporting give the audit checklist a lifecycle home.
- Claim Hygiene Protocol keeps the page's claims tied to evidence rather than media-theory flourish.
Sources
- The MIT Press, Evil Media, publisher record, ISBN, publication date, page count, and format details, reviewed July 10, 2026.
- ACM Digital Library, Evil Media, bibliographic guide-book record, reviewed July 10, 2026.
- PhilPapers, Evil Media, bibliographic and topical record, reviewed July 10, 2026.
- Penguin Random House, Evil Media, ebook product record and publisher metadata, reviewed July 10, 2026.
- Federal Trade Commission, FTC Report Shows Rise in Sophisticated Dark Patterns Designed to Trick and Trap Consumers, official September 15, 2022 press release and staff-report summary, reviewed July 10, 2026.
- Federal Trade Commission, Bringing Dark Patterns to Light, FTC staff report on manipulative design practices, reviewed July 10, 2026.
- Federal Trade Commission, FTC, ICPEN, GPEN Announce Results of Review of Use of Dark Patterns Affecting Subscription Services, Privacy, official July 10, 2024 press release, reviewed July 10, 2026.
- European Union, Regulation (EU) 2022/2065, Digital Services Act, official legal text, reviewed July 10, 2026.
- European Commission, DSA: Very large online platforms and search engines, official VLOP/VLOSE threshold and obligations context, reviewed July 10, 2026.
- European Commission, Delegated act on data access under the Digital Services Act, official July 2, 2025 policy and legislation page for qualified researcher access, reviewed July 10, 2026.
- European Commission, Commission preliminarily finds TikTok's addictive design in breach of the Digital Services Act, official February 6, 2026 press release, reviewed July 10, 2026.
- European Commission, Commission preliminarily finds the addictive design of Instagram and Facebook in breach of the Digital Services Act, official July 10, 2026 press release, reviewed July 10, 2026.
- European Commission, Code of Practice on Transparency of AI-Generated Content, Article 50 marking, detection, and labeling context, reviewed July 10, 2026.
- European Union, Regulation (EU) 2024/1689, Artificial Intelligence Act, official Article 50 transparency-obligations text and application-date context, reviewed July 10, 2026.
- NIST, AI Risk Management Framework, voluntary AI risk-management framework, reviewed July 10, 2026.
- NIST, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile, generative-AI governance, content provenance, pre-deployment testing, and incident-disclosure context, reviewed July 10, 2026.
- Coalition for Content Provenance and Authenticity, C2PA Technical Specification 2.4, April 2026 technical standard for certifying the source and history of media content, reviewed July 10, 2026.
Book links are paid affiliate links. As an Amazon Associate I earn from qualifying purchases.
- Amazon, Evil Media by Matthew Fuller and Andrew Goffey, affiliate listing reviewed July 10, 2026.