The privacy of an individual is bounded by the ability of a third party to reveal their identity. Certain data items such as a passport ID or a mobile phone number may be used to uniquely identify a person. These are referred to as Personal Identifiable Information (PII) items. Previous literature has also reported that, in datasets including millions of users, a combination of several non-PII items (which alone are not enough to identify an individual) can uniquely identify an individual within the dataset. In this paper, we define a data-driven model to quantify the number of interests from a user that make them unique on Facebook. To the best of our knowledge, this represents the first study of individuals' uniqueness at the world population scale. Besides, users' interests are actionable non-PII items that can be used to define ad campaigns and deliver tailored ads to Facebook users. We run an experiment through 21 Facebook ad campaigns that target three of the authors of this paper to prove that, if an advertiser knows enough interests from a user, the Facebook Advertising Platform can be systematically exploited to deliver ads exclusively to a specific user. We refer to this practice as nanotargeting. Finally, we discuss the harmful risks associated with nanotargeting such as psychological persuasion, user manipulation, or blackmailing, and provide easily implementable countermeasures to preclude attacks based on nanotargeting campaigns on Facebook.