Facebook classifies users by their interests. If a company wants to put ads to someone who likes motorcycles, be vegan, drink beer and spend the summer on the beaches, Facebook allows it. Now a new investigation just showed that those interests can be added until the final audience of an ad is a single user. A group of Spanish academics has seen for the first time how simple and cheap it is to reduce the potential audience to a minimum. So they can turn an advertising tool into a privacy nightmare.
Other studies had already shown that a small group of everyday activities (location, card purchases) can identify a single person. Interests on Facebook also allow it: with only 4 interests rare o 22 generals, an ad can be sent to a single person among the more than 2 billion Facebook users in the world. The interests rare They include, for example, being a fan of the Puerta Bonita football club in the Madrid neighborhood of Carabanchel or a minor musical group from the 90s and a generic one is Real Madrid, coffee or Italian food.
The novelty of this study is the ease with which an advertisement can be sent to a specific individual. “I was not very surprised by the number of interests required to identify a user,” says David García, professor at the Graz University of Technology. “What surprised me very much is that we could do a campaign for only one individual. I expected Facebook to have a lot of controls, but the truth is that it was too easy, “he adds.
Privacy experts have read the results of the investigation with fright. They also did not believe that it was possible to reach such small groups of users. “It is one of the top ten privacy scientific papers of the decade so far,” says Lukasz Olejnik, independent privacy consultant and researcher. Facebook allowed for micro-segmentation by sharply defining audiences. This experiment proves that it also enables nanosegmentation and minimizes audiences. “My surprise is due to the fact that I did not believe that this type of segmentation was already possible: I believed that the minimum audience would be greater than one, and that it would be limited”, adds Olejnik.
What dangers does this have? Imagination can fly. In the article they cite a case of a man who sent messages to his partner a decade ago, but the same could happen in unwanted messages of this type and where communication through other channels is cut off or blocked. Ángel Cuevas, a researcher at the Carlos III University of Madrid and also a co-author of the article, gives this example. “If I have a client who might be thinking of changing providers, now I can send him a series of messages through Facebook, putting the competition in a bad place,” he says. “They are more surgical things and do not necessarily have to invade privacy. It can be used to blackmail with a Facebook ad instead of phishing, and say I have recorded you watching porn and you live in such a place ‘. Seeing that on Facebook would be shocking, “he adds.
Politics is another obvious candidate, where minimal audiences can be activated with more targeted messages, according to Olejnik. ”It could range from political advertising to disinformation to hack, from something innocent to cyber wars ”, he adds. The possible problem is the ideas that can be come up with people dedicated to these matters. “One thing is for sure,” says Olejnik. ” People with knowledge of how to exceed the minimum audience size will have some really valuable knowledge. They will make consultations for a lot of money ”. The authors are skeptical for now but have already held conferences with large US companies and AI departments.
The small-scale ghost of something like Cambridge Analytica also floats. “Since that scandal where apparently psychological profiling was used to manipulate, we believe it or not, there is a sector of the world of privacy and marketing that says that this is the case, that it has the ability to reach one because it is easier to manipulate one only. There are studies that affirm that the probability that a user clicks on an ad when the campaign is highly targeted for that user grows significantly ”, Cuevas explains.
Campaigns almost free
How much does it cost to run campaigns like this? Cents, even free. Facebook charges for the number of users reached and these campaigns promote the opposite. ”Some campaigns, especially the highly targeted ones, cost us a few cents. In some Facebook, he did not even charge us. When we combined seven interests instead they charged us a lot. In total, the expense was 309 euros, ”says Cuevas.
Regular Facebook users easily have a few hundred assigned interests. The database of interests of the authors of the article comes from a tool that they had for previous studies that Facebook users voluntarily installed in their browser. The median of interests of this group of users is 426 and they add up to a total of about 100,000 different ones.
The company sees a base “bug” in the article on how the ad system works. ”The list of interests that we associate with a person is not accessible to advertisers, unless that person decides to share them. Without that information or specific details that identify a person who saw an ad, the investigators’ method will be useless for an advertiser trying to break the rules, ”says a company spokeswoman. The researchers did the experiment on their accounts to check their success: they took all their interests, selected a random group and found that with 22 of them there was a 90% chance of seeing that ad.
Facebook is right that knowing the interests of any individual is equal to or more difficult than getting their email. But it does not take into account cases where someone is famous, known to the attacker, or the small target community is anonymous individually but identifiable as a group. The researchers also recall that they have been forced to “do the experiment with one hand tied behind their back,” says Cuevas: “It is done only with interests and the geographic scope is worldwide, but if I know age, gender, where you live or work, I can start from a much smaller base population by starting to add interest. With what I would need to know less about you ”, he adds.
Facebook warns advertisers if they choose too small an audience: “Try to make it wider” appears on the screen. “But that is only for information purposes, Facebook does not prevent the campaign from being carried out,” says Cuevas. Facebook should only effectively limit the minimum number of potential audience. In the results of the campaign is where they saw that their ad had been seen by “one” person. Facebook closed the researchers’ account a week after the experiment, in the fall of 2020.
The article does not have, according to its authors, a clear regulatory claim, but the implications of interests as personal data are evident. “This is personal data and should be included in the European Data Protection Regulation (RGPD), but our article does not pursue that,” says Cuevas. Other types of Facebook campaigns that use the users’ email or mobile phone do require their authorization, but not with interest targeting: ”At no time should you ask for permission to gather interests. We have not found it in the multitude of legal Facebook pages. From the point of view of the GDPR it is something else: if investigated by a data protection agency it can say that putting together 20 interests of a user means that you have to treat that as personally identifiable information. We have tried not to get bogged down in a debate on legal terms, ”Cuevas explains.
This specificity in the platforms is a field still to be explored, although the European Union is already debating the limitation of micro-segmentation in some areas. The amount of individual information that the main platforms have about their users allows them many options. “I don’t know if Amazon can do the same as we did on Facebook, but Amazon can have data to infer your interests to the point of identifying you individually, and then run a campaign on Facebook to advertise just for you,” says Garcia.
You can follow EL PAÍS TECNOLOGÍA at Facebook and Twitter or sign up here to receive our weekly newsletter.
Sign in to continue reading
Just by having an account you can read this article, it’s free
Thanks for reading EL PAÍS
#Facebook #tastes #show