Facebook Ad Targeting: Researchers Show Single User Targeting Possible

Targeted Advertising and Individual Identification on Facebook

Recent research conducted by a collaborative team of academics from Spain and Austria reveals the feasibility of utilizing Facebook’s ad targeting capabilities to reach a single user. This is achievable when sufficient information regarding a user’s Facebook-assigned interests is known.

Research Methodology and Findings

The study, formally titled “Unique on Facebook: Formulation and Evidence of (Nano)targeting Individual Users with non-PII Data,” introduces a “data-driven model.” This model establishes a metric for determining the likelihood of uniquely identifying a Facebook user based on the interests associated with their profile by the advertising platform.

Researchers successfully employed Facebook’s Ads Manager to create and deploy advertisements specifically designed to reach only one intended recipient. Each ad campaign was configured to target a single, unique Facebook user.

Implications for Privacy and Data Processing

This research brings renewed attention to the potential for misuse of Facebook’s ad targeting functionalities. It also raises broader legal concerns regarding the tech company’s extensive personal data processing practices.

The ability to uniquely identify individuals based solely on their interests, even without using Personally Identifiable Information (PII), presents a significant privacy challenge. This capability allows for the isolation of users within the larger Facebook community.

Potential Regulatory Responses

These findings may intensify calls for legislative action to restrict or eliminate behavioral advertising. Concerns surrounding the individual and societal harms associated with this practice have been growing for years.

At a minimum, the study is expected to spur demands for stronger oversight and controls on the application of such intrusive targeting tools.

The Importance of Independent Research

The research highlights the crucial role of independent investigations into algorithmic adtech. It also reinforces the need for platforms to maintain open access for researchers.

Continued access is vital for ensuring transparency and accountability in the rapidly evolving landscape of online advertising.

• Key Finding: Facebook’s targeting tools can be used to reach a single individual.
• Methodology: A data-driven model was used to assess unique user identification.
• Concern: The ability to identify users based on interests raises privacy issues.

Facebook Interests Constitute Personal Data

Researchers have determined that a user’s interests, as categorized by Facebook, can be used to uniquely identify them with a high degree of probability. Specifically, possessing either a very rare interest or a substantial number of interests recognized by Facebook can render a user readily identifiable on the platform, even within its massive user base.

The study, conducted by researchers from University Carlos III in Madrid, Graz University of Technology in Austria, and GTD System & Software Engineering, represents, to the researchers’ knowledge, the first investigation into individual uniqueness at the scale of a global population.

This work provides initial evidence suggesting the potential for systematic exploitation of Facebook’s advertising platform to achieve highly focused advertising – termed “nanotargeting” – based on non-personally identifiable information (non-PII) like interests.

Previous concerns have arisen regarding Facebook’s ad platform being utilized for manipulative purposes. For example, a 2019 report detailed a company offering services to target emotionally manipulative advertisements at individuals’ spouses or partners.

The research also references a 2017 incident in U.K. politics where Labour Party officials reportedly leveraged Facebook’s Custom Audience tool to influence perceptions of then-leader Jeremy Corbyn, extending the targeting to his close associates and certain journalists.

The team’s findings demonstrate the feasibility of using Facebook’s Ads Manager to deliver advertisements to a single, specific Facebook user – a practice they define as “nanotargeting,” contrasting it with the more common “microtargeting” approach.

“Our experiment, conducted through 21 Facebook ad campaigns targeting three of the paper’s authors, proves that sufficient knowledge of a user’s interests allows systematic exploitation of the Facebook Advertising Platform to deliver ads exclusively to that user,” the researchers state, emphasizing this is the first empirical proof of systematically achievable one-to-one targeting.

The interest data utilized in the analysis was gathered from 2,390 Facebook users through a browser extension installed prior to January 2017.

This extension, known as Data Valuation Tool for Facebook Users, extracted each user’s Facebook ad preferences, compiling a list of assigned interests. It also estimated the revenue each user generates for Facebook based on ad exposure.

Although the initial data collection occurred before 2017, the experiments verifying the possibility of one-to-one targeting were conducted last year.

“We configured nanotargeting ad campaigns specifically targeting three authors of this paper,” the researchers explain. “We tested our data-driven model by creating custom audiences for each author, utilizing combinations of 5, 7, 9, 12, 18, 20, and 22 randomly selected interests from their Facebook profiles.

“Between October and November 2020, we executed 21 ad campaigns to demonstrate the viability of nanotargeting. Our experiment confirms the model’s results, indicating that knowing 18 or more random interests allows for highly probable nanotargeting. Specifically, 8 out of 9 campaigns employing 18+ interests successfully targeted the intended user.”

Therefore, possessing 18 or more recorded Facebook interests significantly increases an individual’s susceptibility to targeted manipulation.

Further Details on the Research

Understanding Nanotargeting

The concept of nanotargeting represents a shift from traditional advertising methods. It allows advertisers to focus on a single individual, rather than broader demographic groups.

Data Collection Methodology

• A browser extension was used to gather interest data.
• Data was collected from 2,390 Facebook users.
• The collection period ended in January 2017.

Experiment Design

The researchers ran 21 ad campaigns, targeting three authors of the study. These campaigns used varying combinations of interests to assess the accuracy of their model.

Key Findings

The study found that knowing 18 or more interests significantly increases the likelihood of successfully nanotargeting an individual.

Implications for Privacy

This research highlights the potential privacy risks associated with Facebook’s interest-based advertising system. It demonstrates how seemingly innocuous data can be used to uniquely identify and target individuals.

The Persistence of Nanotargeting

A significant vulnerability exists in how advertising platforms operate, specifically concerning the possibility of highly focused, one-to-one targeting. Implementing a stricter minimum audience size requirement by platforms like Facebook could potentially mitigate this issue.

According to research, Facebook’s Ads Campaign Manager provides advertisers with a “Potential Reach” estimate. This value is displayed only when the anticipated audience size exceeds 1,000 users – a threshold that was previously set at 20 before being increased in 2018.

However, investigations reveal that Facebook does not actively prevent ad campaigns from targeting fewer individuals than these stated reach limits. The platform simply refrains from informing advertisers about the extremely limited scope of their audience.

Researchers successfully demonstrated this by launching campaigns designed to reach a single Facebook user. They validated their success through multiple data points: Facebook’s ad reporting confirmed reaching only one user, their web server logged a single click from that user, and the targeted individual provided screenshots of the ad with corresponding “Why am I seeing this ad?” explanations, aligning with the defined targeting criteria.

The study’s key findings indicate that nanotargeting a user on Facebook is probable if an attacker can determine at least 18 of the user’s interests. Furthermore, this practice is remarkably inexpensive, with two-thirds of nanotargeted ads expected to reach the intended user within seven hours of campaign activation.

The research also challenges the effectiveness of Facebook’s claimed audience size limitations. The previously stated limit of 20 users is reportedly not currently enforced.

Moreover, the researchers suggest that workarounds exist for the 100-user limit applied to Custom Audiences, a targeting feature that relies on advertisers uploading personally identifiable information (PII).

From the research paper:

Throughout the study, the researchers categorize interest-based data as “non-PII.” However, this classification holds limited weight within the European legal framework.

The EU’s General Data Protection Regulation (GDPR) adopts a broader definition of personal data than the more commonly used term PII in the United States, which lacks comparable comprehensive federal privacy legislation.

Adtech companies often favor the term PII due to its narrower scope, contrasting with the extensive data they process for identifying and profiling individuals for targeted advertising.

The GDPR defines personal data not only as direct identifiers like names and email addresses but also as information that can indirectly identify an individual, including location and interests.

Consider this excerpt from the GDPR (Article 4(1)):

Numerous studies over several decades have demonstrated the feasibility of re-identifying individuals using limited amounts of “non-PII” data, such as credit card transaction details or Netflix viewing history.

Therefore, it’s unsurprising that Facebook’s extensive user profiling and ad targeting system, which continuously collects interest-based signals (personal data) to create individual profiles for ad relevance, has created a potential avenue for manipulating individuals, provided sufficient information about them is known and they possess a Facebook account.

However, this situation also raises significant legal concerns.

The legal justification Facebook employs for processing personal data for ad targeting has faced scrutiny within the EU for years.

The Legal Foundation of Ad Targeting Practices

Previously, the technology corporation asserted that user consent authorized the utilization of personal data for advertising purposes. However, it did not provide individuals with a truly free, specific, and informed option regarding whether they wished to be profiled for behavioral advertising, or simply maintain connections with friends and family. This standard of free, specific, and informed consent aligns with GDPR regulations.

Acceptance of Facebook’s terms necessitates agreement to the use of personal information for ad targeting. This practice has been characterized by EU privacy advocates as “forced consent,” effectively amounting to coercion rather than genuine consent.

Following the implementation of the GDPR in May 2018, Facebook has seemingly altered its justification, claiming a legal basis for processing European users’ data for advertising stems from an existing contractual agreement to receive advertisements.

A preliminary ruling from Facebook’s primary EU regulatory body, Ireland’s Data Protection Commission (DPC), recently proposed a $36 million fine against the company for insufficient transparency regarding this shift in rationale.

While the DPC appears unconcerned with Facebook’s contractual claim regarding advertisements, other European regulators hold differing opinions and are anticipated to challenge Ireland’s proposed decision. Consequently, regulatory examination of this specific Facebook GDPR complaint remains ongoing and unresolved.

Should Facebook be ultimately determined to be circumventing EU legislation, it may be compelled to offer users a genuine choice regarding the utilization of their data for ad targeting. This would fundamentally undermine its advertising targeting capabilities, as even limited data points representing interests constitute personal data, as demonstrated by recent research.

Currently, the technology corporation is employing its standard approach of denying any cause for concern.

In response to the research, a Facebook spokesperson dismissed the findings, asserting that the paper “is wrong about how our ad system works.”

Facebook’s statement attempts to redirect attention from the researchers’ central conclusions, aiming to downplay the significance of their discoveries, as articulated by its spokesperson.

Responding to Facebook’s counterargument, Angel Cuevas, one of the paper’s authors, characterized it as “unfortunate,” suggesting the company should prioritize implementing robust safeguards against the risk of nanotargeting, rather than disputing its existence.

The research identifies several potential risks associated with nanotargeting, including psychological persuasion, manipulation of users, and potential for blackmail.

“It is surprising to find that Facebook is implicitly recognizing that nanotargeting is feasible and the only countermeasure is assuming advertisers are unable to infer users interests,” Cuevas stated to TechCrunch.

“There are numerous methods by which advertisers could deduce interests. We demonstrated this in our paper using a browser plugin (with explicit user consent for research purposes). Furthermore, beyond interests, other parameters exist – such as age, gender, city, and zip code – which we did not utilize in our research.

“We consider this argument to be unfortunate. We believe a major platform like Facebook can implement more effective countermeasures than simply assuming advertisers are incapable of inferring user interests for audience definition within the Facebook advertising platform.”

The 2018 Cambridge Analytica Facebook data misuse scandal serves as a relevant example, where a developer with platform access extracted data from millions of users without their full knowledge or consent, through a quiz application.

Therefore, as Cuevas points out, it is plausible that similar covert and unethical tactics could be employed by advertisers, attackers, or agents to gather Facebook users’ interest data for the purpose of manipulating individuals.

The researchers observed that Facebook deactivated the account used for their nanotargeting experiment shortly after its conclusion, without providing any explanation.

The technology corporation did not address specific inquiries regarding the research, including the reason for the account closure and, if related to the nanotargeting issue, why the advertisements were not prevented from running and targeting a single user. 

Potential for Legal Challenges

The findings of this research could have significant repercussions for Facebook's operations. Experts suggest it will undoubtedly be leveraged in ongoing and future legal proceedings.

Litigation is already increasing across Europe, fueled by the perceived sluggishness of EU regulators in enforcing privacy laws against Facebook and the broader adtech industry.

One key takeaway is Facebook’s demonstrated capacity to “systematically re-identify” users on a large scale. This occurs even while the company maintains it doesn't process 'personal data' in a manner that would trigger legal restrictions.

Essentially, Facebook has accumulated a vast amount of data, enabling it to potentially bypass limitations imposed by regulations designed to protect Personally Identifiable Information (PII).

Regulators aiming to effectively curb the harms associated with behavioral advertising must be aware of how Facebook’s algorithms can identify and utilize data proxies. These proxies exist within the massive datasets the company holds and associates with individual users.

Facebook is likely to argue that its data processing practices avoid legal implications, a strategy it has previously employed regarding inferred sensitive interests.

Dr. Lukasz Olejnik, an independent privacy researcher and consultant, described the research as groundbreaking. He considers the paper to be among the most impactful privacy research of the last ten years.

“Successfully identifying one user out of 2.8 billion, despite Facebook’s claims of preventative measures against such precise targeting, places this research in the top tier of privacy advancements this decade,” he stated to TechCrunch.

According to Olejnik, the research indicates that user interests, as defined in Article 4(1) of the GDPR, qualify as personal data. However, the scalability of this targeting method remains uncertain, as the nanotesting was limited to only three users.

Olejnik further asserts that the targeting is demonstrably based on personal data, and potentially even on “special category data” as outlined in GDPR Article 9.

“This implies the necessity of explicit user consent, unless adequate safeguards are in place. However, based on the research, these safeguards, if they exist, appear insufficient,” he explained.

When questioned about a potential GDPR violation, Olejnik responded emphatically: “Data Protection Authorities (DPAs) should investigate without delay. Constructing a case should require no more than two days.”

The research was brought to the attention of Facebook’s primary European DPA, the Irish DPC. A request for investigation into potential GDPR breaches was submitted, but a response was not received at the time of publication.

The Debate Surrounding a Potential Ban on Microtargeting

Regarding the possibility of strengthening the argument for prohibiting microtargeting, Olejnik posits that restricting this practice represents a viable path forward. However, he emphasizes that the central challenge now lies in determining how to effectively implement such restrictions.

He expressed skepticism about the current readiness of both the industry and the political landscape for a complete prohibition. At a minimum, he advocates for the implementation of robust technical safeguards, noting that previous assurances regarding their existence appear to have been inaccurate, particularly in the context of nanotargeting on Facebook.

Potential Changes and Google’s Privacy Sandbox

Olejnik also indicated that forthcoming changes might be influenced by concepts embedded within Google’s Privacy Sandbox proposal. It is important to note, however, that this proposal has encountered delays due to competition concerns raised by adtech companies.

Balancing Privacy and Economic Considerations

Cuevas shared his perspective, stating the need to carefully weigh the trade-offs between privacy risks and economic factors – including job creation and innovation. Their research clearly demonstrates that the adtech sector must recognize that focusing solely on Personally Identifiable Information (PII) like emails and addresses is insufficient. More stringent measures are required concerning how audiences are defined.

Despite this, Cuevas does not believe a complete ban on microtargeting – defined as the ability to target audiences of at least tens of thousands of users – is warranted. He highlights the significant market and employment opportunities generated by microtargeting, as well as its innovative nature. Therefore, his position favors limiting the scope of microtargeting to ensure user privacy.

The Importance of Informed Consent

Cuevas further emphasized that a crucial unresolved issue within the realm of privacy is obtaining valid consent. He believes that collaboration between the research community and the adtech industry is essential to develop an effective solution for securing informed consent from users.

Upcoming EU Legislation and AI Regulation

Looking at the broader legal landscape, new regulations concerning AI-driven tools are on the horizon in Europe. Proposed EU legislation for high-risk AI applications suggests a potential ban on AI systems employing “subliminal techniques” that manipulate behavior and cause psychological or physical harm.

This raises the question of whether Facebook’s platform could face restrictions under the forthcoming EU AI Regulation, unless the company implements adequate safeguards to prevent its ad tools from being used for blackmail or psychological manipulation.

Currently, however, Facebook continues to profit from its highly targeted advertising practices.

Future Research Directions

Cuevas outlined plans for future research, focusing on combining interests with demographic data to assess whether nanotargeting can be made “even easier”. He suggests that advertisers could readily combine age, gender, location, and a few interests to pinpoint individual users.

The research team aims to determine the minimum number of parameters needed for this combination, noting that inferring gender, age, location, and a few interests may be simpler than identifying a larger number of interests.

Cuevas confirmed that the nanotargeting paper has been accepted for presentation at the ACM Internet Measurement Conference next month.

Note: This report has been updated to correct a previous misstatement regarding the Facebook tool used for nanotargeting. The correct tool is Facebook Ads Manager, not Facebook’s Custom Audience tool.