Nanotargeting Risks: The Urgent Need for Better Privacy Protections

Table of Links

Abstract and Introduction

LinkedIn Advertising Platform Background

Dataset

Methodology

User’s Uniqueness on LinkedIn

Nanotargeting proof of concept

Discussion

Related work

Ethics and legal considerations

Conclusions, Acknowledgments, and References

Appendix

10 Conclusions

This work contributes to the body of literature demonstrating that a few non-PII data items are enough to uniquely identify a user among a user base of tens or hundreds of millions of users. Our work shows that online privacy is very vulnerable, and anonymizing unique identifiers is not enough to hide users’ identities and protect them from being targeted.

The main contribution of our work is that we have shown for the first time that publicly available data can be exploited by third parties to potentially target hundreds of millions of users with hyper-personalized messages individually. Such an attack just requires retrieving information publicly available in the profile of the targeted individual and using it to define the target audience of an ad campaign.

Nanotargeting may expose users to privacy risks derived from malicious activities such as malvertising, manipulation, or blackmail. In our opinion, our work unveils a huge privacy gap that has to be urgently covered. Unfortunately, LinkedIn considers the outcome of our research cannot be considered a vulnerability based on the answer we received to the responsible disclosure process we initiated following the channel suggested by LinkedIn. We propose two immediate actions to mitigate the undesirable effects unveiled by our research.

First, social media platforms must immediately react to impose effective countermeasures that preclude advertisers from running nanotargeting campaigns based on combinations of non-PII attributes. The solution is extremely simple. LinkedIn and other social media platforms exploiting online advertising have to effectively impose their policy where they inform advertisers that they do not allow running campaigns targeting less than 300 users. We struggle to understand why LinkedIn is failing to implement that policy since, in our opinion, they do not have any clear incentive for not doing it. Unfortunately, the reaction of LinkedIn to our responsible disclosure procedure is quite disappointing since they do not consider the bug unveiled in our work as a vulnerability.

Second, our work discusses the practical limitations of the current definition of personal data in the GDPR to assess whether a combination of non-PII elements should be considered personal data. This generates uncertainties in the efficient application of the GDPR since demonstrating whether a combination of certain non-PII items allows uniquely identifying a user may be a very complex task, even for companies and regulators. Data protection authorities should work with the research community to elaborate a guide of good practices in managing non-PII data. This guide should define a clear ground for companies regarding when they should consider combinations of non-PII as personal data. At the same time, that guide may also help citizens to better identify potentially risky situations for their privacy.

Acknowledgments

This work has been partially funded by the following projects: the project TESTABLE (Grant 101019206) funded by European Union’s Horizon 2020 programme; the project AUDINT (Grant TED2021-132076B-I00) funded by the MCIN/AEI/ 10.13039/501100011033 and the EU FEDER funds; the project UE-MEASURE-CM-UC3M funded by the Madrid Government (Comunidad de Madrid-Spain) under the Multi-annual Agreement with UC3M (“Fostering Young Doctors Research”); the A2 PRIVCOMP funded by the Ministerio de Asuntos Económicos y Transformación Digital and the European Union-NextGenerationEU.

References

[1] EU. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). European Union, April 2016. accessed on 21 September, 2021.

[2] Yves-Alexandre de Montjoye, César A Hidalgo, Michel Verleysen, and Vincent D Blondel. Unique in the Crowd: The privacy bounds of human mobility. Scientific reports, 3(1):1376, 2013.

[3] Yves-Alexandre De Montjoye, Laura Radaelli, Vivek Kumar Singh, et al. Unique in the shopping mall: On the reidentifiability of credit card metadata. Science, 347(6221):536–539, 2015.

[4] Arvind Narayanan and Vitaly Shmatikov. Robust De-Anonymization of Large Sparse Datasets. In Proceedings of the 2008 IEEE Symposium on Security and Privacy, SP ’08, page 111–125, USA, 2008. IEEE Computer Society.

[5] Latanya Sweeney. Simple demographics often identify people uniquely. Health (San Francisco), 671(2000):1–34, 2000.

[6] Philippe Golle. Revisiting the Uniqueness of Simple Demographics in the US Population. In Proceedings of the 5th ACM Workshop on Privacy in Electronic Society, WPES ’06, pages 77–80, New York, NY, USA, 2006. ACM.

[7] Luc Rocher, Julien M. Hendrickx, and Yves-Alexandre de Montjoye. Estimating the success of re-identifications in incomplete datasets using generative models. Nature Communications, 10(1):3069, 2019.

[8] José González-Cabañas, Ángel Cuevas, Rubén Cuevas, Juan López-Fernández, and David García. Unique on facebook: Formulation and evidence of (nano)targeting individual users with non-pii data. In Proceedings of the 21st ACM Internet Measurement Conference, IMC ’21, page 464–479, New York, NY, USA, 2021. Association for Computing Machinery.

[9] Daniel Shapero. Linkedin hits $10b in revenue by helping companies connect with talent and customers. https://www.linkedin.com/pulse/ linkedin-hits-10b-revenue-helping-companies-connect-talent-shapero, 2021.

[10] LinkedIn. Linkedin marketing solutions. https://business.linkedin.com/es-es/ marketing-solutions, 2023.

[11] LinkedIn. Target audience size – best practices. https://www.linkedin.com/help/lms/answer/a423690.

[12] Alan Bundy and Lincoln Wallen. Breadth-First Search, pages 13–13. Springer Berlin Heidelberg, Berlin, Heidelberg, 1984.

[13] Daniel Roth. Linkedin top voices 2020: Meet the professionals driving today’s business conversation. https://www.linkedin.com/pulse/ linkedin-top-voices-2020-meet-professionals-driving-todays-roth, 2020.

[14] Chin-Tser Huang, Muhammad Sakib, Charles Kamhoua, Kevin Kwiat, and Laurent Njilla. A bayesian game theoretic approach for inspecting web-based malvertising. IEEE Transactions on Dependable and Secure Computing, PP:1–1, 08 2018.

[15] Prabaharan Poornachandran, N. Balagopal, Soumajit Pal, Aravind Ashok, Prem Sankar, and Manu R. Krishnan. Demalvertising: A kernel approach for detecting malwares in advertising networks. In Jyotsna Kumar Mandal, Suresh Chandra Satapathy, Manas Kumar Sanyal, and Vikrant Bhateja, editors, Proceedings of the First International Conference on Intelligent Computing and Communication, pages 215–224, Singapore, 2017. Springer Singapore.

[16] Geumhwan Cho, Junsung Cho, Youngbae Song, Donghyun Choi, and Hyoungshick Kim. Combating online fraud attacks in mobile-based advertising. EURASIP Journal on Information Security, 2016(1):2, Jan 2016.

[17] Vaibhav Rastogi, Rui Shao, Yan Chen, Xiang Pan, Shihong Zou, and Ryan Riley. Are these ads safe: Detecting hidden attacks through the mobile app-web interfaces. In NDSS, 01 2016.

[18] Gong Chen, Wei Meng, and John Copeland. Revisiting mobile advertising threats with madlife. In The World Wide Web Conference, WWW ’19, pages 207–217, New York, NY, USA, 2019. ACM.

[19] Aritz Arrate, José González-Cabañas, Ángel Cuevas, and Rubén Cuevas. Malvertising in facebook: Analysis, quantification and solution. Electronics, 9(8), 2020.

[20] Sean Ford, Marco Cova, Christopher Kruegel, and Giovanni Vigna. Analyzing and detecting malicious flash advertisements. In 2009 Annual Computer Security Applications Conference, pages 363–372, 2009.

[21] Apostolis Zarras, Alexandros Kapravelos, Gianluca Stringhini, Thorsten Holz, Christopher Kruegel, and Giovanni Vigna. The dark alleys of madison avenue: Understanding malicious advertisements. In Proceedings of the 2014 Conference on Internet Measurement Conference, IMC ’14, page 373–380, New York, NY, USA, 2014. Association for Computing Machinery.

[22] Muhammad N. Sakib and Chin-Tser Huang. Automated collection and analysis of malware disseminated via online advertising. In 2015 IEEE Trustcom/BigDataSE/ISPA, volume 1, pages 1411–1416, 2015.

[23] Steve Mansfield-Devine. The dark side of advertising. Computer Fraud & Security, 2014(11):5–8, 2014.

[24] S. C. Matz, M. Kosinski, G. Nave, and D. J. Stillwell. Psychological targeting as an effective approach to digital mass persuasion. Proceedings of the National Academy of Sciences, 114(48):12714–12719, 2017.

[25] J. Mullock, S. Groom, , and P. Lee. International online behavioural advertising survey 2010. Osborne Clarke, May 2010.

[26] Joseph Cesario, E. Tory Higgins, and Abigail A. Scholer. Regulatory Fit and Persuasion: Basic Principles and Remaining Questions. Social and Personality Psychology Compass, 2(1):444–463, 2008.

[27] S. Wheeler, Richard Petty, and George Bizer. Self-Schema Matching and Attitude Change: Situational and Dispositional Determinants of Message Elaboration. Journal of Consumer Research, 31:787–797, March 2005.

[28] Youngme Moon. Personalization and Personality: Some Effects of Customizing Message Style Based on Consumer Personality. Journal of Consumer Psychology, 12(4):313–325, 2002.

[29] Jacob B. Hirsh, Sonia K. Kang, and Galen V. Bodenhausen. Personalized Persuasion: Tailoring Persuasive Appeals to Recipients’ Personality Traits. Psychological Science, 23(6):578–581, 2012. PMID: 22547658.

[30] David Dubois, Derek D. Rucker, and Adam D. Galinsky. Dynamics of Communicator and Audience Power: The Persuasiveness of Competence versus Warmth. Journal of Consumer Research, 43(1):68–85, February 2016.

[31] David Moreno, Alex Moreno, Alex Benlloch, and Bruno Casanovas. De 0 a 100 millones, hawkers. https: //www.youtube.com/watch?v=yTLBykTc1SE#t=26m49s.

[32] LinkedIn. Linkedin security. https://security.linkedin.com/, 2023. [33] HackerOne. Linkedin’s bug bounty program. https://hackerone.com/linkedin, 2023.

[34] S. Rüdian, N. Pinkwart, and Z. Liu. I know who you are: Deanonymization using facebook likes. In Lecture Notes in Informatics (LNI), Proceedings - Series of the Gesellschaft fur Informatik (GI), volume 285, pages 109–118, 2018.

[35] Jessica Su, Ansh Shukla, Sharad Goel, and Arvind Narayanan. De-anonymizing web browsing data with social networks. In Proceedings of the 26th International Conference on World Wide Web, WWW ’17, page 1261–1269, Republic and Canton of Geneva, CHE, 2017. International World Wide Web Conferences Steering Committee.

[36] Arvind Narayanan and Vitaly Shmatikov. Robust de-anonymization of large sparse datasets. In 2008 IEEE Symposium on Security and Privacy (sp 2008), pages 111–125, 2008.

[37] Husam Al Jawaheri, Mashael Al Sabah, Yazan Boshmaf, and Aiman Erbad. Deanonymizing tor hidden service users through bitcoin transactions analysis. Computers & Security, 89:101684, 2020.

[38] J. Bennett and S. Lanning. The netflix prize. In Proceedings of the KDD Cup Workshop 2007, pages 3–6, New York, August 2007. ACM.

[39] Thepiratebay. thepiratebay.org.

[40] Monica J. Barratt. Silk road: Ebay for drugs. Addiction, 107(3):683–683, 2012.

[41] Pier Paolo Tricomi, Lisa Facciolo, Giovanni Apruzzese, and Mauro Conti. Attribute inference attacks in online multiplayer video games: A case study on dota2. In Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy, CODASPY ’23, page 27–38, New York, NY, USA, 2023. Association for Computing Machinery.

[42] Twitter. Intro to custom audiences. https://business.twitter.com/en/help/campaign-setup/ campaign-targeting/custom-audiences.html.

[43] Brian Swichkow. The Ultimate Retaliation: Pranking My Roommate With Targeted Facebook Ads. Ghost Influence, September 2014. accessed on 29 January, 2023.

[44] Michael Harf. Sniper Targeting on Facebook: How to Target ONE specific person with super targeted ads. Medium, December 2017. accessed on 29 January, 2023.

[45] Political Editor Tim Shipman. Labour HQ used Facebook ads to deceive Jeremy Corbyn. The Sunday Times, July 2018. accessed on 29 January, 2023.

[46] Jonathan Hawkins. Facebook Ads Sniper Method: How to Put Your Ad in front of ONE Specific Person. Jonathan Hawkins, February 2019. accessed on 29 January, 2023.

[47] Marc Faddoul, Rohan Kapuria, and Lily Lin. Sniper ad targeting. Berkeley School of Information, May 2019.

[48] Caroline Haskins. Facebook ad micro-targeting can manipulate individual politicians. The Outline, July 2018. accessed on 29 January, 2023.

[49] Dave Kerpen. Likeable Social Media: How to Delight Your Customers, Create an Irresistible Brand, and Be Generally Amazing on Facebook (& Other Social Networks). McGraw Hill-Ascent Audio, 2011.

[50] Aleksandra Korolova. Privacy violations using microtargeted ads: A case study. In 2010 IEEE International Conference on Data Mining Workshops, pages 474–482, 2010.