The newest development with regard to Facebook services is that they are planning to stop sharing audience reach estimates in any campaign that employs Custom Audience targeting.
A research team from Northeastern University and MPI-SWS unearthed this susceptibility and found that there was a clear misuse in the sharing of private data of the individuals in an already uploaded Custom Audience list. The same team had already found an exploit last December where advertisers were able to get the phone number of users who had visited a particular web page.
Here is what Audience Reach estimates show advertisers:
Email addresses, names and other personally identifiable information could be discovered using the estimated reach methods available. Then, by using these findings, a rounding threshold can be identified. An advertiser could possibly upload a list of emails on the rounding threshold and then add one email to the list. If the reach estimates change when a targeted attribute is selected, the advertiser can infer that person has that attribute. If it doesn’t change, then it can be understood that the person does not have that attribute.
The gender of the users could also be deduced because of this vulnerability. An email has to be added to a list that is on the rounding threshold and ‘female’ could be selected, for example. If the reach numbers increase, it is a woman who has been added to the list. If ‘male’ is selected, the estimates wouldn’t increase.
What’s more, no one would know any of this was happening because it was happening within Facebook’s own advertising portal and without the knowledge of the advertiser.
The team at Facebook became aware of this folly by receiving the lead through their own Bug Bounty program. Facebook did act quickly to minimise the damage, stating that “keeping people’s information safe is critical and that’s why it has moved quickly to address this potential vulnerability”. They are currently trying to find evidence regarding the misuse of this tool.
Facebook has decided to implement this new change shortly and is in the process of notifying advertisers about this development.
If you wish to read the original article, click here.