CyberWisdom Safe Harbor Commentary on Facebook Custom Audiences
Exclusive: Facebook said on Friday that it will stop showing audience reach estimates in any campaign that uses Custom Audience targeting.
The move comes after a research team at Northeastern University notified the company through Facebook’s Bug Bounty program about a potential privacy vulnerability it had identified in Custom Audiences.
The team from Northeastern University and MPI-SWS is the same group that in December identified another exploit in which Custom Audiences leaked user phone numbers. In response, Facebook removed reach estimates for campaigns that use customer data, then restored them in March.
“In the meantime, we have been looking at other features in the ad interface and how they might be misused,” Alan Mislove, a professor at Northeastern University and faculty advisor to the team, told us by telephone on Friday afternoon.
The Custom Audiences vulnerability
The team discovered a vulnerability that could be used to infer attributes of the people on an uploaded Custom Audience list (email addresses, postal addresses or other personally identifiable information, PII) from the estimated-reach figure that the ad interface shows for a campaign.
These estimates are rounded to fixed buckets. Once an advertiser has identified a rounding threshold, they can upload a list whose reach sits exactly on that boundary and then add one more email address (the “victim”) to the list. If the reach estimate changes when a targeting attribute is selected, the advertiser can infer that the victim has that attribute; if it does not change, the advertiser can infer that the victim does not.
Facebook will no longer show potential reach in campaigns that use custom audience targeting.
For example, Mislove explained, if he wanted to determine my gender he could add my email to a list sized to sit at the right rounding point. If he then selected “female,” he would see the estimate jump by a whole bracket. If he selected “male,” the estimate would not change.
In principle this can be repeated for each of the roughly 1,200 targeting attributes Facebook offers, which are drawn from users’ own data and from third-party data brokers, to build a comprehensive profile of an individual.
Mislove pointed out that the user would never know this was happening, because it takes place entirely within Facebook’s advertising interface and costs the advertiser nothing: no ad ever has to run.
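As an added illustration (not code from the article or from the research team), the following Python simulation models the rounding behaviour described above with a constructed user base and a constructed bucket size, and packages the single-user sensitivity check as a regression test a platform team could run against its own reach-estimate logic. It then shows the mitigation the article reports: returning no figure at all when the targeting includes an uploaded audience. The email addresses, the “gender” attribute values and the bucket size of 10 are all assumptions made for the example; Facebook’s real rounding rules are not public.

```python
# Constructed sample data for the example: 200 made-up users, one attribute each.
USERS = {
    "u%03d@example.com" % i: {"gender": "female" if i % 2 else "male"}
    for i in range(200)
}
STEP = 10  # constructed rounding granularity (assumption, not Facebook's real bucket size)


def true_reach(audience, attribute, value):
    """Exact number of uploaded addresses that match a known user with the given attribute."""
    return sum(
        1 for email in audience
        if email in USERS and USERS[email].get(attribute) == value
    )


def deterministic_rounding(audience, attribute, value, step=STEP):
    """Vulnerable policy: round the exact count to the nearest bucket (half up).

    Rounding hides the exact count, but one extra match flips the reported bucket
    exactly when the audience already sits just below a boundary, which is the
    behaviour the article describes.
    """
    n = true_reach(audience, attribute, value)
    return ((n + step // 2) // step) * step


def suppressed_for_custom_audiences(audience, attribute, value, step=STEP):
    """Mitigation the article reports: show no potential reach at all when the
    targeting includes an uploaded (custom) audience. None means 'unavailable'."""
    if audience:
        return None
    return deterministic_rounding(audience, attribute, value, step)


def single_user_sensitivity(estimator, attribute="gender", value="female", step=STEP):
    """Privacy regression check for a reach estimator.

    Builds an audience whose matching count sits one below a round-up boundary,
    adds a single further person with the attribute, and reports whether the
    estimate moved. True means a single person's attribute is observable.
    """
    known = [e for e, u in USERS.items() if u.get(attribute) == value]
    base = known[: step + step // 2 - 1]   # 14 matches with step=10 -> reports 10
    victim = known[len(base)]              # a 15th match would report 20
    before = estimator(base, attribute, value)
    after = estimator(base + [victim], attribute, value)
    if before is None or after is None:
        return False                       # no figure shown, nothing to compare
    return before != after


if __name__ == "__main__":
    for name, est in [("deterministic rounding", deterministic_rounding),
                      ("suppressed for custom audiences", suppressed_for_custom_audiences)]:
        print(f"{name}: leaks single-user attribute = {single_user_sensitivity(est)}")
```

The check is written against the estimator function rather than against any particular threshold, so it can be pointed at a replacement policy (a larger minimum audience size, a different rounding rule) to confirm that the single-user delta is still unobservable before the figure is re-enabled.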
The team reported the issue to Facebook this week and received a payout through the bug bounty program. Given that Facebook has spent the week under scrutiny over the Cambridge Analytica data scandal, it is perhaps not surprising that the company acted quickly.
“We are very grateful to the researchers who discovered this issue, and we have suspended this feature in order to address it. People’s privacy and security are very important to Facebook, which is why we take any potential abuse of the service very seriously,” said Mary Ku, director of product management at Facebook.
The Custom Audiences fix
No potential reach figure will be available in any campaign that uses Custom Audience targeting, including lookalike audiences built from an uploaded list, until a fix is in place.
Facebook said it is investigating but has so far found no evidence that its tools have been used in this way. It is not clear how Facebook could actually determine this.
A spokesperson reiterated that the protection of people’s information security is crucial, which is why it has acted quickly to resolve this potential vulnerability.
Facebook was also notifying advertisers of the change on Friday afternoon.
The research team includes Prof. Mislove and Prof. Krishna Gummadi, who leads the networked systems research group at MPI-SWS, along with Giridhari Venkatadri, a doctoral student at Northeastern University, and visiting researcher Elena Lucherini.
Exclusive: Facebook said Friday that it will stop showing audience reach estimates in any campaign using Custom Audience targeting. The move comes after a research team from Northeastern University notified the company through Facebook’s Bug Bounty program about a potential privacy vulnerability it identified with Custom Audiences. The research team from Northeastern University and MPI-SWS is the same group that identified another exploit with Custom Audiences leaking user phone numbers in December. In response, Facebook removed reach estimates for campaigns using customer data. It added them back in March. “In the meantime, we’ve been looking at other features in the advertising interface and how they might be misused,” Alan Mislove, a professor at Northeastern and faculty advisor on the team, told us by phone Friday afternoon.
thumbnail courtesy of marketingland.com