A researcher who uncovered a privacy glitch that could disclose the sexual orientation of Facebook users has won an award from Ontario’s privacy commissioner.
Aleksandra Korolova, a computer studies PhD candidate at Stanford University in California, won the $3,000 award for Outstanding Research in Privacy Enhancing Technologies (PET) , sponsored by Microsoft Corp. and given out annually by Ontario privacy commissioner Ann Cavoukian.
In her academic paper “Privacy Violations Using Microtargeted Ads: A Case Study,” Korolova discovered that by using Facebook’s advertising system to target ads to users based on their age, gender, location and other factors, it would be possible to figure out the sexual orientation of one individual user among millions on the social media site — even if they put restricted privacy settings on the information about being gay, straight, lesbian or bisexual on their Facebook profile.
“I started researching this on Facebook because Facebook is, I think, the first company that’s offering really targeted ads in a very defined way,” Korolova says. “It’s the first example where you can really select your target (advertising) audience with very defined criteria.”
In her research, Korolova used the Facebook profile of a lesbian friend whose account was set to “friends only” access. She put publicly accessible information about her friend (such as age, location, interests and education) into Facebook’s advertising system to create an ad that would only target this friend, then set parameters in the system so the ad would only target women interested in women.
When the ad appeared on her friend’s Facebook page, it proved to Korolova that Facebook’s ad criteria system can be used to target only one individual based on sexual orientation, therefore determining if that specific person is gay or straight.
“Not everyone who advertised on Facebook could infer (sexual orientation) information. Only those who created the advertisements with the explicit goal of inferring information may have been able to do so,” Korolova says.
It’s also possible to guess someone’s age and relationship status – single, married, divorced, etc. – by placing ads with targeted criteria on Facebook, Korolova says.
What might be even more surprising than Korolova’s findings is the rapid response they drew from Facebook.
“I notified them even before I submitted my paper to the conference and they met with me almost immediately to kind of better understand the research,” says Korolova, who travelled to Waterloo, Ont. in late July to receive her PET award from Cavoukian in person.
Within a week of meeting with Korolova, Facebook widened its micro-targeting criteria so any ad that would end up on less than 20 users’ pages is not distributed on the site, preventing an individual user from being singled out based on ads appearing on their Facebook pages.
Despite those changes, there is ultimately no foolproof way to technically prevent such privacy breaches, since an advertiser could theoretically set up 20 fake Facebook accounts matching the characteristics of one user to make sure their ad gets through on the site, Korolova explains, “but in practice it’s hard to do.”
Facebook addressed that possibility in a released statement, saying its automated systems would immediately detect someone setting up 20 similar accounts.
“We intentionally introduce randomness in enforcing and reporting thresholds throughout our systems. We are confident that our techniques address the practical concerns of the privacy violations Aleksandra discusses,” Facebook’s statement says.
Still, the social media giant gets a thumbs up from both Korolova and Cavoukian for its speedy response when shown proof of its privacy vulnerabilities.
“(Facebook was) very receptive, as evidenced by how quickly they responded. I feel that they did change the system to kind of reflect the findings and make these kinds of attacks harder,” Korolova says.
“I applaud Facebook for being so responsive in such a short period of time,” says Cavoukian. “We’re not opposed to advertising or business, we just don’t want it to overshadow privacy. And here you have both privacy and business continuing in a very positive manner. I think Facebook really did the right thing.”
Facebook had drawn criticism from Cavoukianin the past for not doing enough to safeguard user privacy, although she did welcome its moves to help thwart cyberbullying earlier this year. The way Facebook collects and distributes user data is still the subject of an ongoing probe by Canada’s federal privacy commissioner Jennifer Stoddart, however.
The PET awards were created in 2003 to highlight technology that protects privacy rather than threatens it. Cavoukian hopes they also make a strong business case for privacy protection in the corporate world.
“No company wants to lose the trust of their users. They don’t want consumer confidence to go out the door. They want users to trust their brand and continue using their products and services without concern for privacy,” Cavoukian said.
Korolova actually tied for the top award with a team of Indiana researchers who looked at the protection of personal genetic information during Genome-based disease studies. The winners split the $3,000 prize.
It’s not the first time PET awards winners have influenced a tech company to change its business practices. On demand and mail order video company Netflix Inc. scrapped a $1 million contest in 2010 after PET honourees Arvind Narayanan and Vitaly Shmatikov proved that data Netflix released for the contest (which challenged IT researchers to improve the accuracy of the company’s internal movie recommendation software) could actually be used to identify anonymous Netflix users.