Marketing Land
Exclusive: Facebook will no longer show audience reach estimates for Custom Audiences after vulnerability detected
Researchers were able to infer attributes of individuals using the tools.
Ginny Marvin on March 23, 2018 at 5:32 pm
Exclusive: Facebook said Friday that it will stop showing audience reach estimates in any campaign using Custom Audience targeting.
The move comes after a research team from Northeastern University notified the company through Facebook’s Bug Bounty program about a potential privacy vulnerability it identified with Custom Audiences.
The research team from Northeastern University and MPI-SWS is the same group that identified another exploit with Custom Audiences leaking user phone numbers in December. In response, Facebook removed reach estimates for campaigns using customer data. It added them back in March.
“In the meantime, we’ve been looking at other features in the advertising interface and how they might be misused,” Alan Mislove, a professor at Northeastern and faculty advisor on the team, told us by phone Friday afternoon.
The vulnerability
The team found an exploit in which it could infer attributes of an individual included in an uploaded Custom Audience list of emails, addresses or other personally identifiable information (PII) using the estimated reach reporting available in the advertising interface.
It turns out there is a rounding threshold in those estimates. Once that’s identified, an advertiser could potentially upload a list of emails right on the rounding threshold, for example, and then add one email (or “victim”) to the list. If the reach estimates change when a targeting attribute is selected, the advertiser can infer that person has that attribute. And vice versa, if it doesn’t change, then it can be inferred the person does not have that attribute.
Facebook will no longer show potential reach in campaigns using Custom Audiences for targeting.
For example, Mislove explained, if he wanted to determine my gender, he could add my email to a list that’s right on the rounding threshold. If he then selected “female,” he would see the reach estimates round up. If he selected “male,” the estimates wouldn’t change.
Essentially, it would be possible to infer each of the 1,200 or so targeting attributes available in Facebook that come from users and third-party data brokers and build comprehensive profiles of individuals.
Mislove pointed out that the user would never know this was happening, as it is done entirely in Facebook’s advertising interface, and at no charge to the advertiser.
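The rounding leak described above can be reproduced in a toy model and turned into a check for any interface that displays aggregate counts. This is an added example, not Facebook's or the researchers' code; the rounding rule (round down to a step of 10), the function names and the sample records are all assumptions constructed for illustration.

```python
# Toy model of a rounded audience estimate and the one-record difference it leaks.
# Everything here is constructed: the step size, the rounding rule and the records.
from typing import Callable, List, Optional

STEP = 10  # assumed granularity of the displayed estimate

# Constructed user table: identifier -> targeting attributes.
USERS = {f"pad{i}@example.test": {"female"} for i in range(9)}
USERS["person-a@example.test"] = {"female"}
USERS["person-b@example.test"] = {"male"}

# Nine matching records: exactly one below the assumed rounding step.
PADDING = [u for u in USERS if u.startswith("pad")]


def rounded_reach(uploaded: List[str], attribute: str) -> Optional[int]:
    """Vulnerable form: exact match count, rounded down to a multiple of STEP."""
    exact = sum(1 for u in uploaded if attribute in USERS.get(u, set()))
    return (exact // STEP) * STEP


def suppressed_reach(uploaded: List[str], attribute: str) -> Optional[int]:
    """The change reported in this article: no estimate for uploaded lists."""
    return None


def estimate_changes(estimator: Callable[[List[str], str], Optional[int]],
                     base: List[str], extra: str, attribute: str) -> bool:
    """True if adding a single record changes what the interface displays.

    Any True result means the display reveals whether that one record
    has the attribute, so a release check should require False.
    """
    return estimator(base, attribute) != estimator(base + [extra], attribute)


if __name__ == "__main__":
    for name, fn in (("rounded", rounded_reach), ("suppressed", suppressed_reach)):
        for person in ("person-a@example.test", "person-b@example.test"):
            print(name, person, estimate_changes(fn, PADDING, person, "female"))
```

Rounding alone does not hide a single record, because a list sitting just under a rounding boundary converts one person's attribute into a visible jump; suppressing the estimate removes the signal entirely.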
The team alerted Facebook about the issue this week and is being rewarded through the bug bounty program. Given the week Facebook is having in the fallout of the Cambridge Analytica data crisis, it’s perhaps not surprising the company is taking quick action.
“We’re grateful to the researchers who found this issue, and we’ve suspended this feature to fix it. People’s privacy and security is incredibly important to Facebook, which is why we take any potential abuse of our service very seriously,” said Mary Ku, product management director at Facebook.
The fix
Potential Reach numbers will not be provided in any campaign setup that uses Custom Audiences, including to build lookalike audiences from an uploaded list, until a fix has been developed.
Facebook says it is investigating but so far has not found any evidence that its tools were used in this way. It’s not clear how Facebook would actually be able to determine that.
A spokesperson reiterated that keeping people’s information safe is critical and that’s why it has moved quickly to address this potential vulnerability.
Facebook will also be notifying advertisers of the change Friday afternoon.
The research team included faculty advisors Mislove and Krishna Gummadi, head of Networked Systems Research Group at MPI-SWS, and researchers Giridhari Venkatadri, a Northeastern University Ph.D. student, and visiting researcher Elena Lucherini.
About The Author
Ginny Marvin
Ginny Marvin is Third Door Media's Associate Editor, assisting with the day to day editorial operations across all publications and overseeing paid media coverage. Ginny Marvin writes about paid online marketing topics including paid search, paid social, display and retargeting for Search Engine Land and Marketing Land. With more than 15 years of marketing experience, Ginny has held both in-house and agency management positions. She can be found on Twitter as @ginnymarvin.