The citizens of the European Union (EU) have demonstrated serious concerns regarding the management of personal information by online services. The 2015 Eurobarometer about data protection reveals that: 53% of EU citizens do not like that Internet companies use their personal information in tailored advertising. The EU reacted to citizens’ concerns with the approval of the General Data Protection Regulation (GDPR), which defines a new legislative framework for the management of personal information, which was enforced before in May 2018.
The GDPR defines some categories of personal data as sensitive and prohibits processing them with limited exceptions (e.g., the user provides explicit consent to process that data for a specific purpose). These categories of data are referred to as “Specially Protected Data”, “Special Categories of Personal Data” or “Sensitive Data”. The GDPR defines as sensitive personal data: “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.
HOW DOES FACEBOOK ADS MANAGER WORK?
Advertisers configure their ads campaigns through the Facebook (FB) Ads Manager. It allows advertisers to define the audience, they want to target with their advertising campaigns. The FB Ads Manager offers advertisers a wide range of configuration parameters such as: location, behaviors (mobile device, OS and/or web browser used, traveling frequency, etc.), and interests (sports, food, cars, beauty, etc.).
The interest parameter includes hundreds of thousands of possibilities for capturing users’ interest of any type. The FB Ads Manager offers a Detailed Targeting search bar where users can type any free text and it suggests interests linked to such text.
Advertisers can configure their target audiences based on any combination of the described parameters. An example of an audience could be “Users living in Italy, ranging between 30 and 40 years old, male and interested in Fast Food”.
Finally, the FB Ads Manager provides detailed information about the configured audience, such as the Potential Reach. It reports the number of monthly active FB users matching the defined audience.
FACEBOOK ADS PREFERENCES
FB assigns to each user a set of ad preferences, i.e., a set of interests, from the activity of the user on FB and external websites, apps and online services where FB is present. These ads preferences are the interests offered to advertisers in the FB Ads Manager to configure their audiences. Therefore, if a user is assigned “Watches” within her list of ad preferences, she will be a potential target of any FB advertising campaign configured to reach users interested in watches.
Any user can access and edit his/her ads preferences, but only few users are aware of this option. When a user positions the mouse over a specific ad preference item, a pop-up indicates why the user has been assigned this ad preference. By examining 5.5M ad preferences assigned to FDVT users (see Sub- section 2.3), we have found 6 reasons for the assignment of ad preferences: (i) This is a preference you added, (ii) You have this preference because we think it may be relevant to you based on what you do on Facebook, such as pages you’ve liked or ads you’ve clicked, (iii) You have this preference because you clicked on an ad related to…, (iv) You have this preference because you installed the app…, (v) You have this preference because you liked a Page related to…, (vi) You have this preference because of comments, posts, shares or reactions you made related to…
DATA VALUATION TOOL FOR FACEBOOK USERS
The Data Valuation Tool for Facebook Users (FDVT) is a web browser extension currently available for Google Chrome and Mozilla Firefox. It provides FB users with a real-time estimation of the revenue they are generating for Facebook according to their profile and the number of ads they see and click during a Facebook session. More than 6K users have installed the FDVT between its public release in October 2016 and February 2018. The FDVT collects the ad preferences FB assigns to the user. We leverage this information to identify potentially sensitive ad preferences assigned to users that have installed the FDVT.
WHAT ABOUT ETHICS CONSIDERATIONS?
After the analyses of 126K unique ad preferences that had been assigned to more than 4500 FB users, it was found that 2092 ad preferences were potentially sensitive according the GDPR definition of sensitive data. This suggests that a very significant part of the EU population can be targeted by advertising campaigns based on potentially sensitive personal data.
There is possibility of reaching users labeled with potentially sensitive personal data enables the use of FB ads campaigns to attack specific groups of people based on sensitive personal data (race, sexual orientation, religious beliefs, etc.).
An attacker could create hate speech campaigns using sensitive ad preferences representative of a specific sensitive social group within its target audience. Hate speech campaigns can reach thousands of users at a very low cost (e.g., we reached more than 26K FB users spending only 35euros in FB ads campaigns).
An attacker can use FB to identify citizens belonging to a sensitive social group defined by its religious belief, sexual orientation, political preference, etc. To this end, an attacker just needs to replicate a phishing-like attack. The attacker would configure a campaign targeting a sensitive audience using a fancy advertisement that serves as bait to attract the targeted users to the attacker’s webpage. If the user clicks on the ad, he/she will be redirected to the attacker’s webpage. For instance, in the example of the iPhone X giveaway, the landing page can show a message congratulating the user for winning the phone requesting that the user provides personal data (name, address, phone number, etc.) for shipping purposes.
The findings suggest that Facebook commercially exploited potentially sensitive personal data for advertising purposes through the ad preferences that it assigns to its users. Facebook has already been fined in Spain and France for this practice. The study reveals that the portion of affected EU FB users is as high as 73% (40% of EU citizens). The results of our study urge a quick reaction from Facebook to eliminate all ad preferences that can be used to infer the political orientation, sexual orientation, health conditions, religious beliefs or ethnic origin of a user for two reasons: (i) this may avoid Facebook running afoul of Article 9 of the GDPR, and (ii) it may protect users from threats that exploit this sensitive data.
Written by: Ángel Cuevas, Rubén Cuevas and José González Cabañas
NOTE: Most of the content included in this blog entry has been obtained from the research article accessible through this link https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-cabanas.pdf.