Facebook Ads Could 'Out' Gay Users 196
itwbennett writes "Researchers at Microsoft Research India and the Max Planck Institute for Software Systems in Germany have written a paper showing that a users may be inadvertently revealing their sexual preference to advertisers. 'One example was an advertisement for a nursing program at a medical college in Florida, which was only shown to gay men. The researchers said that persons seeing the ad would not know that it had been exclusively aimed at them solely based on their sexuality, nor would they realize that clicking on the ad would reveal to the advertiser, by implication, their sexual preference in addition to other information they might expect to be sent, such as their IP (Internet Protocol) address.' For its part, Facebook 'downplayed the study, saying that the site does not pass any personally identifiable information back to an advertiser.'"
Re:IP (Score:4, Interesting)
The MAFIAA is furiously trying to make "IP" mean "Intellectual Property" in the public mindshare. The ugly thing is when you smash both acronyms into the same sentence you get Halloween Horror.
"I recorded that this IP is stealing my IP and demand he be sued into bankruptcy".
Re:soooo..... (Score:5, Interesting)
No, you don't understand. Facebook has a policy saying they won't disclose personal info, like what age you are.
Now, suppose an advertiser says "target this ad at people born in October of 1978" ... Facebook says "OK". So all of these people's birth months are revealed to the advertiser, in violation of the policy. Thru essentially costless micro-targeting, advertisers (or any attacker with $) can dig out whatever info they want. There's a simple and obvious way for an attacker to get a list of people based on a piece of information Facebook has said they're keeping private.
There is a big difference between someone clicking on an ad for, say, a gay-dating site -- when you click on an ad, you know you are implicitly signaling some level of interest in its content to the advertiser -- and clicking on an ad (*any* ad, it could be for a car or for dog food ... the content of the ad could have *nothing* to do with the audience targeting) that happens to be targeted based on a specific database query.
If a piece of information is promised to be kept private, private should not equal "disclosed to third parties who pay us."
Re:Which part of this is "inadvertent"? (Score:4, Interesting)
It's not even an issue with privacy settings though. I just read this part of the summary and went, "uhh, well yeah, duh!"
The researchers said that persons seeing the ad would not know that it had been exclusively aimed at them solely based on their sexuality, nor would they realize that clicking on the ad would reveal to the advertiser, by implication, their sexual preference in addition to other information they might expect to be sent, such as their IP (Internet Protocol) address.
So essentially, if you had been on any site, and you clicked on the advertisement from any website, your IP address would get sent so that you can be redirected from the adserver to the website. (This is how they know the Ads are working, if it was a direct link to the website, the adserver wouldn't be the proper referer). So now the adserver has your IP and will use BY IMPLICATION your sexual preferences. Seriously, this doesn't even DEAL with Facebook.
So the question is whether the ad is being shown to them based on their information - whether Facebook is giving up the information in the first place. Now thats a big doozy. It hasn't been proven, but its highly suspected. I would normally think that Adservers are catering to me based on my IP, but I've had other people use my computer and its shocking how the ads immediately cater to them after starting a facebook session.
Then there's this juicy nugget.
For its part, Facebook 'downplayed the study, saying that the site does not pass any personally identifiable information back to an advertiser
Emphasis mine. Well - no, it's not sending it BACK to the adserver, the adserver hasn't made a request yet. Facebook says to itself "I need to load a page. There's going to be an advertisement here. Hey advertising server, here's who is lookin'" and the Adserver serves up the correct ads.
Devil's in the details, right?
Does not pass any personally identifiable info... (Score:5, Interesting)
Facebook DOES pass personally identifiable information, albeit inadvertently.
As a Facebook Ads user, I have tracked down people who have clicked my ads EASILY.
How?
Your unique Facebook user ID is passed through the refer string each and every time you click on an ad.
Simply copy down this ID and paste it in the USERID variable below.
http://www.facebook.com/profile.php?id=USERID [facebook.com]
Tada.
Re:Which part of this is "inadvertent"? (Score:2, Interesting)
I have had gay targeted ads show up on my facebook before. It has been awhile though. My sexual preference is left blank, but I must have an unusually high percentage of gay male friends. I'm out to most people so it didn't out me or anything, but it was kind of scary that it could correctly guess my sexual preference.
So I screwed up my profile and initially... (Score:2, Interesting)
Said I was interested in men rather than that I was a man. So I got some really really gay targeted ads. Gay dating services, special razors to shave with, all very fun. Try it and see.
The real issue is that the current terms of service allows yhem to share your groups and interests, which likely can identify you as being close to the GLBC.
Lesson learned from a previous incident (Score:5, Interesting)
I sometimes hang out on a web forum, and they have a special forum where you could post anonymously - it's not really anonymous, as you still need to login and post, but the postings do not show your user id or IP addresses, so it appears totally anonymous, except to the web admins. So people post a lot of random crazy stuff there which would embarrass themselves if it had not been anonymous.
Then one day the forum upgraded their software, and due to a bug, all posts inside that anonymous forum suddenly showed all user IDs - including the old ones. That quickly turned into a sh*tstorm as people ran around screaming in panic with their underwear.
The lesson: do not post anything if you don't want others to find out it's you.
Re:Which part of this is "inadvertent"? (Score:4, Interesting)
Wait, what? (Score:4, Interesting)
Are male nurses required to be gay?
Re:Rule number 1 (Score:1, Interesting)
Drug tests determine whether you are a criminal or not. A business has the right to disallow criminals from working for them. If you have problems with drug laws, try to debate them, but just because you failed a drug test doesn't make your former employers dishonorable; it just means you failed to respect the society you live in, and it therefore failed to respect you back. Period.
The question is whether the conditions you describe must be met by your employer and cannot be satisfied by the relationship between a citizen and the state. Because drug testing and the related administration costs are nothing but expenses for a business. Why should they take on those costs and either charge more to their customers and/or deliver less profit to their shareholders just to enforce a law of the state? If they should be doing that, why stop at drugs? Why not have employers test employees for willingness to use violence, traffic violations, tax evasion, and fraud? Surely a con man who hasn't been caught yet is no less of a danger than a drug user who hasn't been caught yet.
According to what you've said, the ultimate respect a corporation can show for its society is to act as a private enforcement agent for all of society's laws, not merely victimless-crime offenses. Why then do they fall so short of your standard?
Re:Rule number 1 (Score:1, Interesting)
That doesn't explain it -- why this one crime? Why a victimless crime, of all the vices you could test people for? Why do employers hire agents to collect and chemically test someone's urine but do not hire agents to visit their homes and check for domestic abuse? They are equally intrusive, show an equal amount of distrust and scrutiny, only domestic abuse actually involves a victim. If anything that should be done before drug testing, though of course neither should be the concern of an employer until and unless they measurably affect work performance.
Sure. The difference is that a court of law found that the person has actually committed a crime and convicted him or her. The court did this based on a much higher standard of evidence. The court also did this as its proper role in an official capacity. It did not act as an unofficial private enforcement agent.
Unlike employer drug testing, in court you actually do have a legal right to appeal a false conviction. Oh yeah, and before the court could do anything, there first had to be probable cause and a reasonable premise for searching the suspect. Unlike employers, cops can't just search people for the hell of it and that's for some damn good reasons. Employers having this power isn't more desirable than cops having this power. Neither should have it and both for the same reasons.
The whole fucking thing is a rejection of "innocent until proven guilty".