A group of American scientists reveals that Facebook is willing to go a long way in the battle to score even more billions from advertisers who would like to pay big bucks to hit you with tailor-made ads.
Online social networking services have become the gate- way to the Internet for millions of users, accumulat- ing rich databases of user data that form the basis of their powerful advertising platforms. Today, these ser- vices frequently collect various kinds of personally iden- tifying information (PII), such as phone numbers, email addresses, and names and dates of birth.
Since this PII often represents extremely accurate, unique, and veri- fied user data, these services have the incentive to ex- ploit it for other purposes, including to provide advertis- ers with more accurate targeting. Indeed, most popular services have launched PII-based targeting features that allow advertisers to target users with ads directly by up- loading the intended targets’ PII. Unfortunately, these services often do not make such usage clear to users, and it is often impossible for users to determine how they are actually being targeted by advertisers.
In this paper, we focus on Facebook and investigate the sources of PII used for its PII-based targeted adver- tising feature. We develop a novel technique that uses Facebook’s advertiser interface to check whether a given piece of PII can be used to target some Facebook user, and use this technique to study how Facebook’s adver- tising service obtains users’ PII.
We investigate a range of potential sources of PII, finding that phone numbers and email addresses added as profile attributes, those provided for security purposes such as two-factor au- thentication, those provided to the Facebook Messenger app for the purpose of messaging, and those included in friends’ uploaded contact databases are all used by Face- book to allow advertisers to target users.
These findings hold despite all the relevant privacy controls on our test accounts being set to their most private settings. Over- all, our paper highlights the need for the careful design of usable privacy controls for, and detailed disclosure about, the use of sensitive PII in targeted advertising.
Read More (PDF)