Boffins find new ways to slurp private info from Facebook addicts using precision-targeted ads

Income, pregnancies, personal activities, all up for grabs

Facebook’s advertising platform is riddled with loopholes that can help miscreants obtain private information on individual users, according to a recent study.

Personally identifiable details – such as someone's email address, full name, date of birth, and home address – are used with their likes and dislikes to slot them into categories for targeted adverts. That means advertisers can zero in on their products' ideal buyers, and, say, sling expensive pet food ads at rich dog owners. However, these systems can also be exploited by scumbags to potentially slurp sensitive records.

Researchers at the University of Southern California, in the US, studied Facebook’s targeted advertising capabilities in detail, and published their findings in a paper late last month.

“We focus on three downsides: privacy violations, microtargeting (i.e., the ability to reach a specific individual or individuals without their explicit knowledge that they are the only ones an ad reaches) and ease of reaching marginalized groups,” the pair, Irfan Faizullabhoy and Aleksandra Korolova, stated in their paper's abstract.

How it works

Anyone with a Facebook profile can set up what's called a custom audience that defines a particular demographic for ad targeting. The trick here is to provide just enough information, and game the system, to narrow down the audience search results not to a select bunch of people, but down to just one unlucky person on the social network.

Although Facebook treats that as an invalid demographic, its other tool, audience insights, which lets advertisers learn more about groups of netizens reached by adverts, can be used with that tiny custom audience to reveal that one person's private information.

It means a miscreant can go on a fishing expedition, looking for a particular person or type of person, and extract private information, such as that person's age, income, how many people they live with, their personal activities, and so on, by combining the custom audience search function and the audience insights analytics.

It seemingly gives anyone the power to learn more about strangers' lives – and there are more than 2,000 types of information that can be discerned per individual user. The researchers experimented with the analytics functions with the consent of their Facebook friends, who they asked to temporarily unfriend them. The duo found the audience insights results to be “highly accurate” when pulling up data on their pals.

Information that can be gleaned from that tiny audience of one can range from hobbies to their family's details.

“Questions such as, 'is this person [or] their wife pregnant?' 'how old are their children?' 'do they like to gamble?' 'are they living at home, or with roommates?' 'do they hunt?' can all be answered, efficiently and at no cost, by anyone,” Faizullabhoy and Korolova warned.

The minimum number of people in a custom audience is, right now, 20. It’s a low number compared to 1,000 for Google, 300 for LinkedIn, and 500 for Twitter. By peppering in 19 fake or complicit accounts, for example, advertisers, and anyone else curious, can narrowly target and snoop on just a single person, or a group of people by going through them one at a time.
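The padding trick above suggests a server-side check a platform could run before releasing an insights report. The sketch below is an added example, not code from the paper or from Facebook. It assumes the platform has some signal for which accounts a requester controls (`linked_accounts`, hypothetical), and it goes one step beyond the article by also refusing audiences that differ from an earlier one by fewer than the minimum, which is the general subtraction form of the same problem.

```python
from dataclasses import dataclass, field

MIN_AUDIENCE = 20  # threshold the article reports for Facebook custom audiences


@dataclass
class InsightsGuard:
    """Hypothetical gate in front of an aggregate-insights report."""
    min_size: int = MIN_AUDIENCE
    history: dict = field(default_factory=dict)  # requester -> past audiences

    def check(self, requester, audience, linked_accounts):
        """Return (allowed, reason). `linked_accounts` is the set of accounts
        the platform believes the requester controls (fake or complicit); that
        signal is an assumption, not something the article describes."""
        audience = frozenset(audience)
        if len(audience) < self.min_size:
            return False, "below minimum size"
        # Padding check: only members the requester does not control count.
        effective = audience - frozenset(linked_accounts)
        if len(effective) < self.min_size:
            return False, f"effective audience is {len(effective)}"
        # Differencing check: reports over two audiences that differ by a few
        # members expose those members' attributes by subtraction.
        for past in self.history.get(requester, []):
            delta = len(audience ^ past)
            if 0 < delta < self.min_size:
                return False, f"differs from an earlier audience by {delta}"
        self.history.setdefault(requester, []).append(audience)
        return True, "ok"


def demo():
    # Constructed sample data: 19 requester-controlled accounts plus one target.
    padding = {f"sock{i}" for i in range(19)}
    crowd = {f"user{i}" for i in range(40)}
    guard = InsightsGuard()
    return [
        guard.check("adv1", padding | {"target"}, padding),  # padded audience of one
        guard.check("adv1", crowd, padding),                 # 40 independent users
        guard.check("adv1", crowd | {"target"}, padding),    # one-member difference
        guard.check("adv1", {f"other{i}" for i in range(25)}, padding),
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

A raw size threshold passes the first request because it counts 20 members; counting only members the requester does not control brings it down to one.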

Another potential flaw relates to Facebook allowing advertisers to refine their audience by location to within a one-mile radius. Small areas or even single houses can be targeted, as long as there are at least 20 users that match the advert’s criteria. It’s particularly concerning if those areas include vulnerable people who frequent Planned Parenthood clinics, rehab centers, or medical facilities, as they might be more easily picked out by ad campaigns.

“It's difficult to predict how such a powerful tool can be abused by a clever and resourceful adversary, especially because neither researchers nor users have full transparency into what is feasible using Facebook's advertising platform and what data about them is being used when ad matching and reporting is performed,” Korolova, an assistant professor of computer science, told The Register.

Facebook’s response: Do as little as possible

When the researchers alerted Facebook to these vulnerabilities, they were stonewalled. At one point, though, Facebook agreed to increase the number of people able to be targeted using the custom audience tool and audience insights analytics from one to 20. The researchers were required to submit video proof of the network's shortcomings, and were awarded $2,000 from the website's bug bounty program.

When the duo asked Facebook to increase the custom audience size to somewhere between 500 and 1,000, the Silicon Valley giant ignored the request, and still hasn't addressed it. For the geolocation targeting issue, the researchers were asked to “clarify how this bug is able to compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within Facebook’s infrastructure.”

After the pair replied, Facebook did not respond, and even closed the bug bounty report, so that they could no longer engage in any sort of dialog.

In the paper, Faizullabhoy and Korolova said they believed the reason why it was so easy to snoop on people via Facebook's ad platform was down to the website's careless approach to privacy. Facebook simply doesn’t care, they stated, to put it bluntly.

“Facebook’s response to our white hat reports of 'single person targeting' that 'this is working as designed' shows an apathy toward micro-targeting and circumventions of the rudimentary micro-targeting protections Facebook has put in place,” the duo stated in their paper.

Facebook declined to comment. Even when appearing before US Congress this week, CEO Mark Zuckerberg continued to dodge questions about the true nature of Facebook’s abilities to silently and secretly track millions of people’s online and offline activities, and how that information may be passed to third parties with dodgy intentions. ®

 
