Facebook will no longer show audience reach estimates for Custom Audiences after vulnerability detected
Researchers were able to infer attributes of individuals using the tools.
Exclusive: Facebook said Friday that it will stop showing audience reach estimates in any campaign using Custom Audience targeting.
The move comes after a research team from Northeastern University notified the company through Facebook's Bug Bounty program about a potential privacy vulnerability it identified with Custom Audiences.
The research team from Northeastern University and MPI-SWS is the same group that identified another exploit with Custom Audiences leaking user phone numbers in December. In response, Facebook removed reach estimates for campaigns using customer data. It added them back in March.
"In the meantime, we've been looking at other features in the advertising interface and how they might be misused," Alan Mislove, a professor at Northeastern and faculty advisor on the team, told us by phone Friday afternoon.
The vulnerability
The team found an exploit in which it could infer attributes of an individual included in an uploaded Custom Audience list of emails, addresses or other personally identifiable information (PII), using the estimated reach reporting available in the advertising interface.
It turns out there is a rounding threshold in those estimates. Once that threshold is identified, an advertiser could upload a list of emails sitting right on it, for example, and then add one email (the "victim") to the list. If the reach estimate changes when a targeting attribute is selected, the advertiser can infer that the person has that attribute. And vice versa: if the estimate does not change, it can be inferred that the person does not have that attribute.
For example, Mislove explained, if he wanted to determine my gender, he could add my email to a list that is right on the rounding threshold. If he then selected "female," he would see the reach estimate round up. If he selected "male," the estimate would not change.
Essentially, says Mislove, it would be possible to infer each of the 1,200 or so targeting attributes available in Facebook that come from users and third-party data brokers (roughly half of all targeting attributes) and so build comprehensive profiles of individuals.
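To make the rounding-threshold leak concrete from the defender's side, here is an added toy simulation; it is not Facebook's code, and the user directory, the email addresses, the 100-user rounding step and the Laplace noise scale are all constructed for illustration. It audits a deterministically rounded estimator for single-record leakage (adding one email flips the estimate exactly when that user has the attribute) and shows that an estimator which adds noise before rounding no longer acts as a one-comparison oracle.

```python
"""Toy simulation of the reach-estimate differencing described above.
The directory, rounding step and noise scale are constructed for illustration;
none of it is Facebook's code or its real parameters."""
import hashlib
import math
import random

ROUND_STEP = 100     # assumed rounding granularity of the toy estimator
NOISE_SCALE = 50.0   # assumed Laplace scale for the hardened estimator
VICTIMS = ("alice@example.invalid", "bob@example.invalid")  # constructed test users


def make_directory(n=4000, seed=7):
    """Constructed user directory: email -> set of targeting attributes."""
    rng = random.Random(seed)
    directory = {f"user{i}@example.invalid": {"female" if rng.random() < 0.5 else "male"}
                 for i in range(n)}
    # Two constructed users whose attribute an auditor checks for leakage.
    directory[VICTIMS[0]] = {"female"}
    directory[VICTIMS[1]] = {"male"}
    return directory


def matching_count(directory, audience, attribute):
    """Uploaded emails that both match a known user and carry the attribute."""
    return sum(1 for email in audience if attribute in directory.get(email, ()))


def round_to_step(value, step=ROUND_STEP):
    """Round half up to the nearest step."""
    return int(math.floor(value / step + 0.5)) * step


def rounded_reach(directory, audience, attribute):
    """Deterministic rounding: the behaviour the article says was exploitable."""
    return round_to_step(matching_count(directory, audience, attribute))


def hardened_reach(directory, audience, attribute):
    """Laplace noise before rounding, seeded by the audience itself: the same upload
    always gets the same answer (repeating a query cannot average the noise away),
    while a one-record change no longer deterministically flips the estimate."""
    digest = hashlib.sha256("\n".join(sorted(audience)).encode()).digest()
    rng = random.Random(int.from_bytes(digest[:8], "big"))
    # Difference of two exponentials is Laplace-distributed with the same scale.
    noise = rng.expovariate(1.0 / NOISE_SCALE) - rng.expovariate(1.0 / NOISE_SCALE)
    count = matching_count(directory, audience, attribute)
    return max(0, round_to_step(count + noise))


def attribute_pools(directory, attribute):
    """Split non-victim users into those with and without the attribute."""
    have = [e for e, a in directory.items() if attribute in a and e not in VICTIMS]
    lack = [e for e, a in directory.items() if attribute not in a and e not in VICTIMS]
    return have, lack


def flip_rate(estimator, directory, target, attribute, trials=400, seed=11):
    """Privacy audit: how often does adding one record change the reported estimate
    when the list sits one user below a rounding boundary (1049 -> 1050 here)?"""
    rng = random.Random(seed)
    have, lack = attribute_pools(directory, attribute)
    flips = 0
    for _ in range(trials):
        baseline = rng.sample(have, 1049) + rng.sample(lack, 800)  # constructed upload list
        before = estimator(directory, baseline, attribute)
        after = estimator(directory, baseline + [target], attribute)
        flips += before != after
    return flips / trials


def leak_gap(estimator, directory, attribute="female"):
    """Flip-rate difference between a user with the attribute and one without.
    Near 1.0: one comparison reveals the attribute. Near 0.0: it does not."""
    return abs(flip_rate(estimator, directory, VICTIMS[0], attribute)
               - flip_rate(estimator, directory, VICTIMS[1], attribute))


if __name__ == "__main__":
    d = make_directory()
    print("deterministic rounding, leak gap:", leak_gap(rounded_reach, d))  # 1.0
    print("noisy rounding, leak gap:", leak_gap(hardened_reach, d))         # close to 0
```

Seeding the noise from the uploaded list blocks the obvious counter-move of re-submitting the same audience to average the noise out, but an adversary can still vary the padding users, so a production estimator needs a bounded privacy budget per advertiser rather than unlimited noisy queries. The simplest mitigation, and the one the article reports Facebook chose, is to report no reach number at all for campaigns built on uploaded lists.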
Mislove pointed out that the user would never know this was happening, as it is done entirely in Facebook's advertising interface, and at no charge to the advertiser.
The team alerted Facebook about the issue this week and is being rewarded through the bug bounty program. Given the week Facebook is having in the fallout of the Cambridge Analytica data crisis, it is perhaps not surprising that the company is taking quick action.
"We're grateful to the researchers who found this issue, and we've suspended this feature to fix it. People's privacy and security is incredibly important to Facebook, which is why we take any potential abuse of our service very seriously," said Mary Ku, product management director at Facebook.
The fix
Potential Reach numbers will not be provided in any campaign setup that uses Custom Audiences, including building lookalike audiences from an uploaded list, until a fix has been developed.
Facebook says it is investigating but so far has not found any evidence that its tools were used in this way. It is not clear how Facebook would actually be able to determine that.
A spokesperson reiterated that keeping people's information safe is critical and that this is why the company has moved quickly to address this potential vulnerability.
Facebook will also be notifying advertisers of the change Friday afternoon.
The research team included faculty advisors Mislove and Krishna Gummadi, head of Networked Systems Research Group at MPI-SWS, and researchers Giridhari Venkatadri, a Northeastern University Ph.D. student, and visiting researcher Elena Lucherini.