Slashdot Mirror


Facebook Ads Could 'Out' Gay Users

itwbennett writes "Researchers at Microsoft Research India and the Max Planck Institute for Software Systems in Germany have written a paper showing that users may be inadvertently revealing their sexual preference to advertisers. 'One example was an advertisement for a nursing program at a medical college in Florida, which was only shown to gay men. The researchers said that persons seeing the ad would not know that it had been exclusively aimed at them solely based on their sexuality, nor would they realize that clicking on the ad would reveal to the advertiser, by implication, their sexual preference in addition to other information they might expect to be sent, such as their IP (Internet Protocol) address.' For its part, Facebook 'downplayed the study, saying that the site does not pass any personally identifiable information back to an advertiser.'"

6 of 196 comments

  1. Rule number 1 by Capt.DrumkenBum · · Score: 5, Insightful

    Never put anything on Facebook that you would not tell your parents and your boss.

    --
    If I were God, wouldn't I protect my churches from acts of me?
    1. Re:Rule number 1 by Anonymous Coward · · Score: 5, Insightful

      Rule number 2: Clicking an ad sends information you didn't know was on your Facebook to your parents and your boss.

  2. Which part of this is "inadvertent"? by bhartman34 · · Score: 5, Insightful

    The ads were served to males who declared themselves to be interested in other males, and females who declared themselves to be interested in other females.

    Exactly where is the problem here? The users are outing themselves. Shouldn't this be filed under, "...and water is wet"?

  3. Re:soooo..... by Anonymous Coward · · Score: 5, Interesting

    No, you don't understand. Facebook has a policy saying they won't disclose personal info, like what age you are.

    Now, suppose an advertiser says "target this ad at people born in October of 1978" ... Facebook says "OK". So all of these people's birth months are revealed to the advertiser, in violation of the policy. Thru essentially costless micro-targeting, advertisers (or any attacker with $) can dig out whatever info they want. There's a simple and obvious way for an attacker to get a list of people based on a piece of information Facebook has said they're keeping private.

    There is a big difference between someone clicking on an ad for, say, a gay-dating site -- when you click on an ad, you know you are implicitly signaling some level of interest in its content to the advertiser -- and clicking on an ad (*any* ad, it could be for a car or for dog food ... the content of the ad could have *nothing* to do with the audience targeting) that happens to be targeted based on a specific database query.

    If a piece of information is promised to be kept private, private should not equal "disclosed to third parties who pay us."

  4. Does not pass any personally identifiable info... by Anonymous Showered · · Score: 5, Interesting

    Facebook DOES pass personally identifiable information, albeit inadvertently.

    As a Facebook Ads user, I have tracked down people who have clicked my ads EASILY.

    How?

    Your unique Facebook user ID is passed through the refer string each and every time you click on an ad.

    Simply copy down this ID and paste it in the USERID variable below.

    http://www.facebook.com/profile.php?id=USERID

    Tada.
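
Added example, not part of the original thread or of any commenter's post: a site-side check of the kind of referrer leak comment 4 describes, showing which Referrer-Policy values would let a sensitive query parameter reach a third-party landing page. The host names, the user id and the function names are constructed for illustration, and "downgrade" is simplified to HTTPS-to-non-HTTPS.

```javascript
// Added example. The URLs and the user id are constructed sample values.
const POLICIES = ["no-referrer", "origin", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin", "origin-when-cross-origin",
  "no-referrer-when-downgrade", "unsafe-url"];

// Referer value a browser sends when navigating from pageUrl to destUrl
// under the given Referrer-Policy, or null when no header is sent.
function refererFor(pageUrl, destUrl, policy) {
  const page = new URL(pageUrl);
  const dest = new URL(destUrl);
  const sameOrigin = page.origin === dest.origin;
  // Simplification: treat https -> anything else as a downgrade.
  const downgrade = page.protocol === "https:" && dest.protocol !== "https:";
  page.hash = "";      // the fragment is never sent
  page.username = "";  // credentials are never sent
  page.password = "";
  const full = page.href;
  const origin = page.origin + "/";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return origin;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : origin;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : origin;
    case "strict-origin-when-cross-origin":
      return sameOrigin ? full : (downgrade ? null : origin);
    default: throw new Error("unknown policy: " + policy);
  }
}

// Names of sensitive query parameters still present in the Referer.
function leakedParams(referer, sensitive) {
  if (referer === null) return [];
  const query = new URL(referer).searchParams;
  return sensitive.filter((name) => query.has(name));
}

// Map each policy to the sensitive parameters it would expose.
function auditPolicies(pageUrl, destUrl, sensitive) {
  const out = {};
  for (const p of POLICIES) out[p] = leakedParams(refererFor(pageUrl, destUrl, p), sensitive);
  return out;
}

const report = auditPolicies("https://social.example/profile.php?id=1000001#wall",
  "https://advertiser.example/landing", ["id"]);
for (const [p, leaked] of Object.entries(report))
  console.log(p.padEnd(32), leaked.length ? "LEAKS " + leaked.join(",") : "ok");
```
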

  5. Lesson learned from a previous incident by microbee · · Score: 5, Interesting

    I sometimes hang out on a web forum, and they have a special forum where you could post anonymously - it's not really anonymous, as you still need to login and post, but the postings do not show your user id or IP addresses, so it appears totally anonymous, except to the web admins. So people post a lot of random crazy stuff there which would embarrass themselves if it had not been anonymous.

    Then one day the forum upgraded their software, and due to a bug, all posts inside that anonymous forum suddenly showed all user IDs - including the old ones. That quickly turned into a sh*tstorm as people ran around screaming in panic with their underwear.

    The lesson: do not post anything if you don't want others to find out it's you.