Exclusive: Facebook said Friday that it will stop showing audience reach estimates in any campaign using Custom Audience targeting.
The move comes after a research team from Northeastern University notified the company through Facebook’s Bug Bounty program about a potential privacy vulnerability it identified with Custom Audiences.
The research team from Northeastern University and MPI-SWS is the same group that identified another exploit with Custom Audiences leaking user phone numbers in December. In response, Facebook removed reach estimates for campaigns using customer data. It added them back in March.
“In the meantime, we’ve been looking at other features in the advertising interface and how they might be misused,” Alan Mislove, a professor at Northeastern and faculty advisor on the team, told us by phone Friday afternoon.
The vulnerability
The team found an exploit in which it could infer attributes of an individual included in an uploaded Custom Audience list of emails, addresses or other personally identifiable information (PII) using the estimated reach reporting available in the advertising interface.
It turns out there is a rounding threshold in those estimates. Once that’s identified, an advertiser could potentially upload a list of emails right on the rounding threshold, for example, and then add one email (or “victim”) to the list. If the reach estimate changes when a targeting attribute is selected, the advertiser can infer that the person has that attribute. Conversely, if it doesn’t change, the advertiser can infer that the person does not have that attribute.
For example, Mislove explained, if he wanted to determine my gender, he could add my email to a list that’s right on the rounding threshold. If he then selected “female,” he would see the reach estimates round up. If he selected “male,” the estimates wouldn’t change.
Essentially, it would be possible to infer each of the 1,200 or so targeting attributes available in Facebook that come from users and third-party data brokers and build comprehensive profiles of individuals.
Mislove pointed out that the user would never know this was happening, as it is done entirely in Facebook’s advertising interface, and at no charge to the advertiser.
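As an added illustration (not from the article, the researchers or Facebook), the toy model below frames the rounding behavior described above as a self-check a platform team could run against its own estimator. The round-down rule, the step sizes, the attribute names and all addresses are constructed assumptions. In this model the estimate's movement tracks one record's attribute at any rounding granularity, so coarser rounding alone does not close the leak.

```python
"""Toy audit of a rounded reach estimator (constructed model, not Facebook's code)."""


def estimated_reach(audience, attribute, profiles, step):
    """Count audience members holding `attribute`, rounded down to a multiple of `step`."""
    exact = sum(1 for user in audience if attribute in profiles[user])
    return (exact // step) * step


def estimate_moves(target, attribute, profiles, step):
    """Return True if the rounded estimate changes when `target` alone is added.

    The baseline holds step-1 users known to have `attribute`, so the exact
    count sits one below a rounding boundary, the situation the article describes.
    """
    holders = [u for u in profiles if u != target and attribute in profiles[u]]
    baseline = set(holders[: step - 1])
    if len(baseline) < step - 1:
        raise ValueError("not enough known holders to reach the boundary")
    before = estimated_reach(baseline, attribute, profiles, step)
    after = estimated_reach(baseline | {target}, attribute, profiles, step)
    return after != before


def build_profiles(n):
    """Constructed sample data: n padding users holding both test attributes."""
    profiles = {f"user{i}@example.test": {"attr_a", "attr_b"} for i in range(n)}
    profiles["target@example.test"] = {"attr_a"}  # has attr_a, lacks attr_b
    return profiles


def discloses_target(step):
    """True if, for every attribute, estimate movement equals the target's real value."""
    profiles = build_profiles(step)
    target = "target@example.test"
    return all(
        estimate_moves(target, attr, profiles, step) == (attr in profiles[target])
        for attr in ("attr_a", "attr_b")
    )


if __name__ == "__main__":
    for step in (10, 1000):  # assumed granularities; the article gives no value
        print(f"step={step}: estimator discloses target attributes:",
              discloses_target(step))
```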
The team alerted Facebook about the issue this week and is being rewarded through the bug bounty program. Given the week Facebook is having in the fallout of the Cambridge Analytica data crisis, it’s perhaps not surprising the company is taking quick action.
“We’re grateful to the researchers who found this issue, and we’ve suspended this feature to fix it. People’s privacy and security is incredibly important to Facebook, which is why we take any potential abuse of our service very seriously,” said Mary Ku, product management director at Facebook.
The fix
Potential Reach numbers will not be provided in any campaign setup that uses Custom Audiences, including to build lookalike audiences from an uploaded list, until a fix has been developed.
Facebook says it is investigating but so far has not found any evidence that its tools were used in this way. It’s not clear how Facebook would actually be able to determine that.
A spokesperson reiterated that keeping people’s information safe is critical and that’s why it has moved quickly to address this potential vulnerability.
Facebook will also be notifying advertisers of the change Friday afternoon.
The research team included faculty advisors Mislove and Krishna Gummadi, head of Networked Systems Research Group at MPI-SWS, and researchers Giridhari Venkatadri, a Northeastern University Ph.D. student, and visiting researcher Elena Lucherini.