The most interesting bit is the following text:
[W]e set up six Facebook profiles to check the impact of sexual-preference: a highly-sensitive personal attribute. Two profiles (male control) are for males interested in females, two (female control) for females interested in males, and one test profile of a male interested in males and one of a female interested in females. The age and location were set to 25 and Washington D.C. respectively.
. . .
Alarmingly, we found ads where the ad text was completely neutral to sexual preference (e.g. for a nursing degree in a medical college in Florida) that was targeted exclusively to gay men. The danger with such ads, unlike the gay bar ad where the target demographic is blatantly obvious, is that the user reading the ad text would have no idea that by clicking it he would reveal to the advertiser both his sexual-preference and a unique identifier (cookie, IP address, or email address if he signs up on the advertiser's site). Furthermore, such deceptive ads are not uncommon; indeed exactly half of the 66 ads shown exclusively to gay men (more than 50 times) during our experiment did not mention "gay" anywhere in the ad text.
This means that simply by clicking on a Facebook ad, a user could be revealing a bit of highly sensitive personal information to an advertiser, simply due to the fact that the advertiser has only targeted a particular group (gender, sexuality, religion) for that advertisement. Thus, the moment you arrive at the advertiser's website, they now know that the IP address and cookie value they have assigned to you is associated with someone that is gay, muslim, or a republican.
While it may be obvious that some advertisements are targeted based on these attributes, such as gay dating sites, this study makes it clear that there are some advertisements where such targeting is not intuitive.
Given the privacy firestorm earlier this week, I have a tough time imagining that Facebook will be able to sweep this under the carpet, or, that class action attorneys won't jump on this.
As I see it, the company has two options:
1. Do not allow advertisers to target advertisements based on sensitive categories, such as religion, sexuality, or political affiliation.
2. Disclose, directly below the ad, the fact that the ad was targeted based on a specific profile attribute, and state there which attribute that was. Users should also be told, after clicking on the ad, but before being directed to the site, that the advertiser may be able to learn this sensitive information about them, simply by visiting the site.
I suspect that neither option is going to be something that Facebook is going to want to embrace.
8 comments:
If it's intentionally put on the internet, in what way is it 'sensitive' data?
Also, this can and has been done for any filter besides sexual preference btw.
6 accounts? That was your test group?
Not even 100, or 10 but 6?? Your results mean nothing.
@#2 it's not the number of accounts, they just used all permutations of preference. it's the number of ads that counts, as you can see in the graphs, they generated a lot of ad impressions.
The test data size is the number of advertisements viewed, not the number of different profiles requesting advertisements.
If you object to ads targeting sexual preference, that is your prerogative. However, I kind of like ads targeted to my political preference or religious beliefs so I can join groups or visit websites that might be of interest to me. I would appreciate your not linking all three things together.
"Thus, the moment you arrive at the advertiser's website, they now know that the IP address and cookie value they have assigned to you is associated with someone that is gay, muslim, or a republican."
If the advertiser is any good, they have already inferred all this information from the websites that you have visited.
Facebook has ads? Who knew? I love my adblock :)
I know I'm rather late in joining this discussion, but the same issue is discussed in the marketing section of a 2008 World Privacy Forum report re: Personal Health Records. http://www.worldprivacyforum.org/pdf/WPF_PHR_02_20_2008fs.pdf (see page 8)
Post a Comment