This article is one of a series covering the Federal Trade Commission’s 2018 PrivacyCon event. The conference featured research on privacy implications of Internet technologies and smart devices. For a full list of Consumers’ Research’s articles on this event, click here.
Alan Mislove presented a research paper he and his colleagues at Northeastern University published explaining the data risks that Facebook’s ad platform posed. Using their custom audience implementation page, Mislove and his team realized that it was possible to determine whether or not a specific individual was a part of a target audience using Facebook’s ad portal. Using a script that he and his team created Mislove developed a technique that would allow an attacker to mine Facebook’s data. In particular Mislove developed a technique for mining phone numbers for specific individuals from Facebook’s database even if their privacy settings were set to not allow this information to be public. The attack can be done in approximately 15 minutes and represents a serious data leak in Facebook’s ad platform.
Facebook patched the leak after Mislove and his team reached out to them but the fact that the exploit existed shows the dangers when massive amounts of data are aggregated in one place and when large data brokers such as Facebook and Google use such data.
Steven Englehardt of Princeton University presented his paper, “I never signed up for this! Privacy implications of email tracking.” This paper was written along with Jeffrey Han and Arvind Narayanan, also of Princeton University. The paper discusses email tracking that occurs in marketing and promotional emails. Rather than just exposing the target email address to the sender, these emails often share email address with a number of third-parties. Englehardt used the example of a promotional email from “experiences” marketing website LivingSocial. That particular email shared contact information with 24 companies – 20 who are able to track the user, and 10 that received “hashed,” or anonymized, versions of the user’s email address.
Englehardt’s research found that 85 percent of emails embedded third party access, with almost one-quarter sharing information with a single website: advertising and marketing site DoubleClick.net. 29 percent of emails sent (from 19 percent of the senders studied) leak the email addresses themselves to third parties. Englehardt told the audience that trackers can correlate email tracking with web browsing habits. He also noted blog posts published by web marketing companies LiveIntent and Criteo, that claim to anonymize email addresses to preserve privacy – but this “hashing” is not fool-proof.
LiveIntent’s posts go into detail as to why email addresses are more valuable for web tracking than cookies are: email addresses are specific to a user, while cookies may be linked to more than users who use a device (such as a family computer). Emails are also “cross-device,” meaning the same email address is accessed on a computer, smartphone, tablet, and sometimes other devices as well. An audience member asked Englehardt during the panel discussion for the panel whether there was anything consumers can do about tracking. Englehardt said that running tracking prevention tools like Adblock is a good step. The goal, Englehardt said, is to prevent web tracking before it happens.