Monday 26 March 2018

Marketing Land/Ginny Marvin: Exclusive: Facebook will no longer show audience reach estimates for Custom Audiences after vulnerability detected

Marketing Land
   
Exclusive: Facebook will no longer show audience reach estimates for Custom Audiences after vulnerability detected
Researchers were able to infer attributes of individuals using the tools.
Ginny Marvin on March 23, 2018 at 5:32 pm

Exclusive: Facebook said Friday that it will stop showing audience reach estimates in any campaign using Custom Audience targeting.

The move comes after a research team from Northeastern University notified the company through Facebook’s Bug Bounty program about a potential privacy vulnerability it identified with Custom Audiences.

The research team from Northeastern University and MPI-SWS is the same group that identified another exploit with Custom Audiences leaking user phone numbers in December. In response, Facebook removed reach estimates for campaigns using customer data. It added back in March.

“In the meantime, we’ve been looking at other features in the advertising interface and how they might be misused,” Alan Mislove, a professor at Northeastern and faculty advisor on the team, told us by phone Friday afternoon.
The vulnerability

The team found an exploit in which it could infer attributes of an individual included in an uploaded Custom Audience list of emails, addresses or other personally identifiable information (PII) using the estimated reach reporting available in the advertising interface.

It turns out there is a rounding threshold in those estimates. Once that’s identified, an advertiser could potentially upload a list of emails right on the rounding threshold, for example, and then add one email (or “victim”) to the list. If the reach estimates change when a targeting attribute is selected, the advertiser can infer that person has that attribute. And vice versa, if it doesn’t change, then it can be inferred the person does not have that attribute.

Facebook will no longer show potential reach in campaigns using Custom Audiences for targeting.

For example, Mislove explained, if he wanted to determine my gender, he could add my email to a list that’s right on the rounding threshold. If he then selected “female,” he would see the reach estimates round up.  If he selected “male, ” the estimates wouldn’t change.

Essentially, it would be possible to infer each of the 1,200 or so targeting attributes available in Facebook that come from users and third-party data brokers and build comprehensive profiles of individuals.

Mislove pointed out that the user would never know this was happening, as it is done entirely in Facebook’s advertising interface, and at no charge to the advertiser.

The team alerted Facebook about the issue this week and is being rewarded through the bug bounty program. Given the week Facebook is having in the fallout of the Cambridge Analytica data crisis, it’s perhaps not surprising the company is taking quick action.

“We’re grateful to the researchers who found this issue, and we’ve suspended this feature to fix it. People’s privacy and security is incredibly important to Facebook, which is why we take any potential abuse of our service very seriously,” said Mary Ku, product management director at Facebook.
The fix

Potential Reach numbers will not be provided in any campaign set up that uses Custom Audiences, including to build lookalike audiences from an uploaded list, until a fix has been developed.

Facebook says it is investigating but so far has not found any evidence that its tools were used in this way. It’s not clear how Facebook would actually be able to determine that.

A spokesperson reiterated that keeping people’s information safe is critical and that’s why it has moved quickly to address this potential vulnerability.

Facebook will also be notifying advertisers of the change Friday afternoon.

The research team included faculty advisors Mislove and Krishna Gummadi, head of Networked Systems Research Group at MPI-SWS, and researchers Giridhari Venkatadri, a Northeastern University Ph.D. student, and visiting researcher Elena Lucherini.

About The Author
Ginny Marvin
Ginny Marvin is Third Door Media's Associate Editor, assisting with the day to day editorial operations across all publications and overseeing paid media coverage. Ginny Marvin writes about paid online marketing topics including paid search, paid social, display and retargeting for Search Engine Land and Marketing Land. With more than 15 years of marketing experience, Ginny has held both in-house and agency management positions. She can be found on Twitter as @ginnymarvin.

Popular Stories
Related Topics
Channel: Social Media Marketing

We're listening.

Have something to say about this article? Share it with us on Facebook, Twitter or our LinkedIn Group.
Attend Our Conferences

Gain new strategies and insights at the intersection of marketing, technology, and management. Our next conference will be held:

April 23-25, 2018: San Jose

Oct 1-3, 2018: Boston


June 11-13, 2018: SMX Advanced
White Papers

    5 Tips to Better B2B
    Unleash the power of 1st and 3rd party data
    2018 Marketing Technology & Operations Salary Survey
    The 5 Big Disruptions to Marketing in 2018
    Relevant Reach

Webinars

    Omnichannel Personalization at Scale: How leading brands drive sales across channels
    The 5 Big Disruptions to Marketing in 2018
    Shop ‘til You Click: Creating Shopping Campaigns at Scale

Research Reports

    B2B Marketing Automation Platforms
    Integration Platform as a Service (iPaaS)
    Enterprise SEO Platforms
    Call Analytics Platforms
    Paid Media Campaign Management Platforms
    Local Marketing Automation Tools

MarTech Salary Survey
Sign up for our daily newsletter
Marketing Land
Download the Marketing Land app on iTunes
Download the Marketing Land App on Google Play
Follow Us

© 2018 Third Door Media, Inc. All rights reserved.

No comments: