Exploring Nanotargeting Risks on LinkedIn

Authors: (1) Ángel Merino, Department of Telematic Engineering Universidad Carlos III de Madrid {angel.merino@uc3m.es}; (2) José González-Cabañas, UC3M-Santander Big Data Institute {jose.gonzalez.cabanas@uc3m.es} (3) Ángel Cuevas, Department of Telematic Engineering Universidad Carlos III de Madrid & UC3M-Santander Big Data Institute {acrumin@it.uc3m.es}; (4) Rubén Cuevas, Department of Telematic Engineering Universidad Carlos III de Madrid & UC3M-Santander Big Data Institute {rcuevas@it.uc3m.es}. Table of Links Abstract and Introduction LinkedIn Advertising Platform Background Dataset Methodology User’s Uniqueness on LinkedIn Nanotargeting proof of concept Discussion Related work Ethics and legal considerations Conclusions, Acknowledgments, and References Appendix 7 Discussion In this paper, we have shown that nanotargeting can be implemented systematically on LinkedIn. The only requirement is quite simple for many potential attackers: having an active LinkedIn account, learning how to run an ad campaign on LinkedIn, and activating the disabled button to launch the campaign. In this section, we discuss some issues derived from our work. 7.1 Theoretical Privacy Limits and Awareness Our work contributes to the existing body of literature that has demonstrated in a different context that our privacy is bounded by a handful of non-PII attributes. In the case of Linkedin, the location and 6 skills make a user unique with a probability of 75% in a database including ∼800M users, i.e., 1/10th of human beings. Our results reinforce the undeniable fact that our privacy is a very vulnerable asset. Unfortunately, our intuition is that users have an unconscious safety feeling when they share non-PII data. Talking to some computer science colleagues (not necessarily working in privacy) about our research, most of them found added value to reporting professional skills on their LinkedIn profile since that would allow other colleagues to know their expertise. However, none considered sharing that information may represent a risk. They were very surprised when we explained that they could be nanotargeted with ads based on the professional skills they publicly report. Although it is not a scientific experiment, we extract two important lessons from those informal discussions with our colleagues. First, if skilled users struggle to identify potential privacy risks of sharing non-PII data, that means there is a lot of work ahead for making regular Internet users aware of how vulnerable they are, even if they are careful not to share and protect their PII data. Second, non-PII data may expose users to a challenging dichotomy. On the one hand, users may find value in sharing non-PII data, such as in the case of professional skills. On the other hand, the more non-PII data they share, the more vulnerable they become in terms of privacy, as our results have demonstrated. 7.2 Nanotargeting on LinkedIn First, it is straightforward to configure a nanotargeting campaign on LinkedIn since all the required information is available in the targeted user’s profile. An attacker will likely use all the skills in the targeted user’s profile since gathering one or many skills is equally simple. This means the nanotarteging risk a user on LinkedIn is exposed to is directly proportional to the number of professional skills they report in their profile. Second, the cost of nanotargeting campaigns is very low. The cost of the successful nanotargeting campaigns in our experiment ranged between $0.10 and $0.69. This means that implementing a nanotargeting campaign is roughly free. This is an obvious (worrisome) incentive for potential attackers. Third, although we run the campaign for only three days, in all but one campaign, we obtained at least 2 impressions. On average, users were exposed to 2.67 ad impressions in successful nanotargeting campaigns. Roughly speaking, we impacted the targeted users once a day. More importantly, the experience of the three targeted authors was that when the nanotargeted ad was displayed, it usually was the first ad impression in the user’s newsfeed. Therefore, they did not have to scroll down to visualize the nanotargeted ad impression. All these elements suggest that it is feasible to frequently expose the targeted individual to a tailored message embedded in the nanotargeted ads in case they are active on LinkedIn. In a nutshell, our proof of concept experiment depicts a worrisome scenario that suggests it is feasible to continuously expose users to nanotargeted messages at an extremely low cost on LinkedIn, including very influential users. 7.3 Nanotargeting Influential People LinkedIn is especially interesting since it allows for easy access to profiles of relevant and influential people worldwide, such as politicians, CEOs, etc. Therefore, our research opens a worrying question regarding how easy it would be to send hyper-personalized messages to these users. We gathered the location and number of skills from 120 LinkedIn Top Voices 2020 [13] as a sample of LinkedIn influential users to check how many of them can be exposed to nanotargeting according to our results. All of them report a location except one (Richard Branson). The number of skills in their profiles is 28 on average, and 94 of them publish 13 skills or more. Based on our results, most of these users are susceptible to being reached with LinkedIn nanotargeting campaigns. 7.4 Risks Associated with Nanotargeting There are multiple risks users could be exposed to in case an attacker nanotarget them with tailored ads. Next, we briefly discuss a few of them. -Malvertising: Malvertising stands for malicious advertising and refers to the process of using online advertising to perform some attack [14][15] [16][17][18] [19]. Multiple vector attacks can be implemented through malvertising. One type of malvertising consists of using online ads to inject malware into ad networks, webpages, or the end-user device [20][21][22][23]. A second type of malvertising replicates the concept of phishing attacks, but instead of using emails to capture the user’s attention, it uses ads. This attack aims to persuade the user to click on the ad to land on a website managed by the attacker. At this point, the attacker, as in the case of phishing attacks, can use any potential technique willing to obtain sensitive information from the user (e.g., credentials) or to compromise the user’s device. Nanotargeting may be especially relevant in this second type of attack emulating phishing. Nanotargeting allows the creation of hyper-personalized ads targeting a single user. The literature on psychological persuasion has demonstrated that a well-designed, tailored ad substantially increases the probability that the user clicks on the ad [24][25]. Since nanotargeting allows reaching the maximum expression of personalization, a savvy attacker can exploit it to increase the chances to persuade the users of clicking on the tailored ad and land in the attacker’s domain. -User manipulation: Our results have demonstrated that we can run multiple campaigns over time to nanotarget an individual. In addition, our proof of concept experiment suggests that it is feasible to reach the users multiple times in a nanotargeting campaign in case they are active on LinkedIn. In other words, it is possible to expose the user to a tailored message frequently. Based on the psychological persuasion literature, it is easier to persuade an individual if the advertiser creates tailored messages to the psychological characteristics and motivations of that person [26][27][28][29][30][24]. We also show a clear example of potential user influence in the related work [31]. In that case, nanotargeting, based on PII data, was used to expose celebrities to a specific brand before approaching them to propose a collaboration. This same strategy could be used to influence celebrities, CEOs, politicians, etc., with an account on LinkedIn. 7.5 Legal discussion Modern data protection regulations such as the General Data Protection Regulation (GDPR) [1], enacted in all EU countries in May 2018, eliminate the PII concept to avoid the misconception that personal data refers only to PII items. Instead, Article 4 of the GDPR includes the following definition: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). Although we are not legal experts, it is clear from the definition that the combination of skills and location on LinkedIn falls under the definition of personal data. While the text of the GDPR is clear regarding what personal data is, in practice, it is tough to validate when a specific combination of non-PII items makes a user unique in an online application. For instance, in most cases, there is no way an honest advertiser on LinkedIn (or other applications) can assess whether a particular audience created through the combination of non-PII attributes is personal data. In our opinion, it is urgent to concretize the concept of personal data in the context of non-PII. To this end, the research community should work with data protection authorities to create guidelines informing companies when they should treat combinations of non-PII attributes as personal data. 7.6 LinkedIn’s reaction to responsible disclosure We consider that our research is unveiling an obvious privacy vulnerability within the LinkedIn Advertising Platform. Even more, there are security implications as nanotargerting could also compromise the users’ device (e.g., through malvertising attacks). Furthermore, our work also proves that LinkedIn fails to implement its own policy that limits the targeted audiences of ad campaigns to ≥300 users [11]. Therefore, we believe our research unveils a privacy and security vulnerability within the LinkedIn Ads platform. Based on the standard practice in the security community, we have followed a responsible disclosure based on the guidelines provided by LinkedIn. We contacted LinkedIn to make them aware of the unveiled vulnerability and give them the opportunity to fix it before our work becomes public. LinkedIn’s Security Page [32] refers to their bug bounty program on HackerOne as the channel to report system vulnerabilities. We found no other procedure to report privacy or security issues on the LinkedIn platform. We submitted a report describing our findings, but at the triage stage, managed by HackerOne, they considered that the issue we reported was out of the scope according to LinkedIn’s Policy Page within the platform [33]. Furthermore, they argued the bug we reported requires social engineering to implement it. Contrarily, we believe it is the other way around. The bug allows attackers to run social engineering attacks, for instance, to manipulate users through hyper-personalized messages. The bug exists independently of the potential nanotargeting attacks because running ad campaigns to target audiences involving less than 300 users is possible. Running such a campaign does not require any social engineering. It is extremely surprising to us that LinkedIn has ignored the vulnerability we have disclosed in this work since (i) it implies privacy and security risks for LinkedIn users, (ii) it may mean that LinkedIn is not correctly complying with current data protection regulations such as the GDPR. 7.7 Countermeasures to Prevent Nanotargeting The most efficient measure to preclude advertisers from running nanotargeting ad campaigns is implementing a policy, like the one LinkedIn advertises [11], that establishes a minimum audience size to allow running a campaign. Most social media platforms indicate such a limit: Facebook 1000, TikTok 1000, LinkedIn 300, etc. Unfortunately, we show that, at least in the case of LinkedIn, the limit was not effectively imposed. The very first step LinkedIn should adopt is fixing the bug that allows attackers to easily activate the "Launch Campaign" button for audiences whose size is <300 users. 7.8 Dataset limitations We are aware that our dataset does not represent a random sample of the whole LinkedIn network. Also, the 1699 users in our dataset are a small sample compared to the 800M registered on the platform. However, our goal is to demonstrate that it is feasible to systematically nanotarget users with ads on LinkedIn using a combination of non-PII data items, and the collected dataset is a valid sample for this purpose. In summary, while we acknowledge that using a larger dataset had been better, the results suggest that, for the purpose of our paper, the collected dataset is good enough. This paper is available on arxiv under CC BY-NC-ND 4.0 DEED license. Authors: (1) Ángel Merino, Department of Telematic Engineering Universidad Carlos III de Madrid {angel.merino@uc3m.es}; (2) José González-Cabañas, UC3M-Santander Big Data Institute {jose.gonzalez.cabanas@uc3m.es} (3) Ángel Cuevas, Department of Telematic Engineering Universidad Carlos III de Madrid & UC3M-Santander Big Data Institute {acrumin@it.uc3m.es}; (4) Rubén Cuevas, Department of Telematic Engineering Universidad Carlos III de Madrid & UC3M-Santander Big Data Institute {rcuevas@it.uc3m.es}. Authors: Authors: (1) Ángel Merino, Department of Telematic Engineering Universidad Carlos III de Madrid {angel.merino@uc3m.es}; (2) José González-Cabañas, UC3M-Santander Big Data Institute {jose.gonzalez.cabanas@uc3m.es} (3) Ángel Cuevas, Department of Telematic Engineering Universidad Carlos III de Madrid & UC3M-Santander Big Data Institute {acrumin@it.uc3m.es}; (4) Rubén Cuevas, Department of Telematic Engineering Universidad Carlos III de Madrid & UC3M-Santander Big Data Institute {rcuevas@it.uc3m.es}. Table of Links Abstract and Introduction Abstract and Introduction LinkedIn Advertising Platform Background LinkedIn Advertising Platform Background Dataset Dataset Methodology Methodology User’s Uniqueness on LinkedIn User’s Uniqueness on LinkedIn Nanotargeting proof of concept Nanotargeting proof of concept Discussion Discussion Related work Related work Ethics and legal considerations Ethics and legal considerations Conclusions, Acknowledgments, and References Conclusions, Acknowledgments, and References Appendix Appendix 7 Discussion In this paper, we have shown that nanotargeting can be implemented systematically on LinkedIn. The only requirement is quite simple for many potential attackers: having an active LinkedIn account, learning how to run an ad campaign on LinkedIn, and activating the disabled button to launch the campaign. In this section, we discuss some issues derived from our work. 7.1 Theoretical Privacy Limits and Awareness Our work contributes to the existing body of literature that has demonstrated in a different context that our privacy is bounded by a handful of non-PII attributes. In the case of Linkedin, the location and 6 skills make a user unique with a probability of 75% in a database including ∼800M users, i.e., 1/10th of human beings. Our results reinforce the undeniable fact that our privacy is a very vulnerable asset. Unfortunately, our intuition is that users have an unconscious safety feeling when they share non-PII data. Talking to some computer science colleagues (not necessarily working in privacy) about our research, most of them found added value to reporting professional skills on their LinkedIn profile since that would allow other colleagues to know their expertise. However, none considered sharing that information may represent a risk. They were very surprised when we explained that they could be nanotargeted with ads based on the professional skills they publicly report. Although it is not a scientific experiment, we extract two important lessons from those informal discussions with our colleagues. First, if skilled users struggle to identify potential privacy risks of sharing non-PII data, that means there is a lot of work ahead for making regular Internet users aware of how vulnerable they are, even if they are careful not to share and protect their PII data. Second, non-PII data may expose users to a challenging dichotomy. On the one hand, users may find value in sharing non-PII data, such as in the case of professional skills. On the other hand, the more non-PII data they share, the more vulnerable they become in terms of privacy, as our results have demonstrated. 7.2 Nanotargeting on LinkedIn First, it is straightforward to configure a nanotargeting campaign on LinkedIn since all the required information is available in the targeted user’s profile. An attacker will likely use all the skills in the targeted user’s profile since gathering one or many skills is equally simple. This means the nanotarteging risk a user on LinkedIn is exposed to is directly proportional to the number of professional skills they report in their profile. Second, the cost of nanotargeting campaigns is very low. The cost of the successful nanotargeting campaigns in our experiment ranged between $0.10 and $0.69. This means that implementing a nanotargeting campaign is roughly free. This is an obvious (worrisome) incentive for potential attackers. Third, although we run the campaign for only three days, in all but one campaign, we obtained at least 2 impressions. On average, users were exposed to 2.67 ad impressions in successful nanotargeting campaigns. Roughly speaking, we impacted the targeted users once a day. More importantly, the experience of the three targeted authors was that when the nanotargeted ad was displayed, it usually was the first ad impression in the user’s newsfeed. Therefore, they did not have to scroll down to visualize the nanotargeted ad impression. All these elements suggest that it is feasible to frequently expose the targeted individual to a tailored message embedded in the nanotargeted ads in case they are active on LinkedIn. In a nutshell, our proof of concept experiment depicts a worrisome scenario that suggests it is feasible to continuously expose users to nanotargeted messages at an extremely low cost on LinkedIn, including very influential users. 7.3 Nanotargeting Influential People LinkedIn is especially interesting since it allows for easy access to profiles of relevant and influential people worldwide, such as politicians, CEOs, etc. Therefore, our research opens a worrying question regarding how easy it would be to send hyper-personalized messages to these users. We gathered the location and number of skills from 120 LinkedIn Top Voices 2020 [13] as a sample of LinkedIn influential users to check how many of them can be exposed to nanotargeting according to our results. All of them report a location except one (Richard Branson). The number of skills in their profiles is 28 on average, and 94 of them publish 13 skills or more. Based on our results, most of these users are susceptible to being reached with LinkedIn nanotargeting campaigns. 7.4 Risks Associated with Nanotargeting There are multiple risks users could be exposed to in case an attacker nanotarget them with tailored ads. Next, we briefly discuss a few of them. - Malvertising : Malvertising stands for malicious advertising and refers to the process of using online advertising to perform some attack [14][15] [16][17][18] [19]. Multiple vector attacks can be implemented through malvertising. One type of malvertising consists of using online ads to inject malware into ad networks, webpages, or the end-user device [20][21][22][23]. A second type of malvertising replicates the concept of phishing attacks, but instead of using emails to capture the user’s attention, it uses ads. This attack aims to persuade the user to click on the ad to land on a website managed by the attacker. At this point, the attacker, as in the case of phishing attacks, can use any potential technique willing to obtain sensitive information from the user (e.g., credentials) or to compromise the user’s device. Nanotargeting may be especially relevant in this second type of attack emulating phishing. Nanotargeting allows the creation of hyper-personalized ads targeting a single user. The literature on psychological persuasion has demonstrated that a well-designed, tailored ad substantially increases the probability that the user clicks on the ad [24][25]. Since nanotargeting allows reaching the maximum expression of personalization, a savvy attacker can exploit it to increase the chances to persuade the users of clicking on the tailored ad and land in the attacker’s domain. Malvertising - User manipulation : Our results have demonstrated that we can run multiple campaigns over time to nanotarget an individual. In addition, our proof of concept experiment suggests that it is feasible to reach the users multiple times in a nanotargeting campaign in case they are active on LinkedIn. In other words, it is possible to expose the user to a tailored message frequently. Based on the psychological persuasion literature, it is easier to persuade an individual if the advertiser creates tailored messages to the psychological characteristics and motivations of that person [26][27][28][29][30][24]. We also show a clear example of potential user influence in the related work [31]. In that case, nanotargeting, based on PII data, was used to expose celebrities to a specific brand before approaching them to propose a collaboration. This same strategy could be used to influence celebrities, CEOs, politicians, etc., with an account on LinkedIn. User manipulation 7.5 Legal discussion Modern data protection regulations such as the General Data Protection Regulation (GDPR) [1], enacted in all EU countries in May 2018, eliminate the PII concept to avoid the misconception that personal data refers only to PII items. Instead, Article 4 of the GDPR includes the following definition: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). Although we are not legal experts, it is clear from the definition that the combination of skills and location on LinkedIn falls under the definition of personal data. While the text of the GDPR is clear regarding what personal data is, in practice, it is tough to validate when a specific combination of non-PII items makes a user unique in an online application. For instance, in most cases, there is no way an honest advertiser on LinkedIn (or other applications) can assess whether a particular audience created through the combination of non-PII attributes is personal data. In our opinion, it is urgent to concretize the concept of personal data in the context of non-PII. To this end, the research community should work with data protection authorities to create guidelines informing companies when they should treat combinations of non-PII attributes as personal data. 7.6 LinkedIn’s reaction to responsible disclosure We consider that our research is unveiling an obvious privacy vulnerability within the LinkedIn Advertising Platform. Even more, there are security implications as nanotargerting could also compromise the users’ device (e.g., through malvertising attacks). Furthermore, our work also proves that LinkedIn fails to implement its own policy that limits the targeted audiences of ad campaigns to ≥300 users [11]. Therefore, we believe our research unveils a privacy and security vulnerability within the LinkedIn Ads platform. Based on the standard practice in the security community, we have followed a responsible disclosure based on the guidelines provided by LinkedIn. We contacted LinkedIn to make them aware of the unveiled vulnerability and give them the opportunity to fix it before our work becomes public. LinkedIn’s Security Page [32] refers to their bug bounty program on HackerOne as the channel to report system vulnerabilities. We found no other procedure to report privacy or security issues on the LinkedIn platform. We submitted a report describing our findings, but at the triage stage, managed by HackerOne, they considered that the issue we reported was out of the scope according to LinkedIn’s Policy Page within the platform [33]. Furthermore, they argued the bug we reported requires social engineering to implement it. Contrarily, we believe it is the other way around. The bug allows attackers to run social engineering attacks, for instance, to manipulate users through hyper-personalized messages. The bug exists independently of the potential nanotargeting attacks because running ad campaigns to target audiences involving less than 300 users is possible. Running such a campaign does not require any social engineering. It is extremely surprising to us that LinkedIn has ignored the vulnerability we have disclosed in this work since (i) it implies privacy and security risks for LinkedIn users, (ii) it may mean that LinkedIn is not correctly complying with current data protection regulations such as the GDPR. 7.7 Countermeasures to Prevent Nanotargeting The most efficient measure to preclude advertisers from running nanotargeting ad campaigns is implementing a policy, like the one LinkedIn advertises [11], that establishes a minimum audience size to allow running a campaign. Most social media platforms indicate such a limit: Facebook 1000, TikTok 1000, LinkedIn 300, etc. Unfortunately, we show that, at least in the case of LinkedIn, the limit was not effectively imposed. The very first step LinkedIn should adopt is fixing the bug that allows attackers to easily activate the "Launch Campaign" button for audiences whose size is <300 users. 7.8 Dataset limitations We are aware that our dataset does not represent a random sample of the whole LinkedIn network. Also, the 1699 users in our dataset are a small sample compared to the 800M registered on the platform. However, our goal is to demonstrate that it is feasible to systematically nanotarget users with ads on LinkedIn using a combination of non-PII data items, and the collected dataset is a valid sample for this purpose. In summary, while we acknowledge that using a larger dataset had been better, the results suggest that, for the purpose of our paper, the collected dataset is good enough. This paper is available on arxiv under CC BY-NC-ND 4.0 DEED license. This paper is available on arxiv under CC BY-NC-ND 4.0 DEED license. available on arxiv