
Why Keeping Your Sexuality ‘Private’ On Facebook Is a Farce (Or, How To Find Out If Anybody Is Gay)

We already know Facebook is leaking your sexuality to advertisers through its data-rich demographic targeting system. There’s the possibility Facebook’s check-in platform Places could let your friends reveal you’re a big homo without your consent. There was that time Facebook let any of your friends spy on your personal IM chats, possibly reading in real time about your steamy gay affair. And there was that computer script some college students built that could pretty accurately guess whether you’re gay simply from the company you keep in your social network. Let’s add one more potential means of Facebook outing to the list.

Stanford researcher Aleksandra Korolova appears to have merged the first and last of those potential privacy breaches into a new tactic: she builds an ad targeted at information that is already public about someone (location, gender, age, interests) and then has Facebook narrow it further to a particular sexual orientation (or religious affiliation, or any other “private” data set). Because the public attributes already single out one person, Facebook’s own ad reporting becomes the leak: if the ad is displayed even once, Korolova knows she had a hit, and the person she targeted is a homo. The Times explains:

In her paper, Ms. Korolova said she used public sources to collect information like the location, gender, age and interests of a Facebook user. Then she placed an ad on Facebook that was aimed at those characteristics and also to people who are interested in people of the same sex. If Facebook’s system indicated that the ad had been displayed to someone, she would know that the person was gay, because nobody else on Facebook was a match for those other attributes. (For ethical reasons, she used the profile of a friend in her experiment.)

In an interview, Ms. Korolova said she alerted Facebook to the issue in July. Facebook responded by changing its system so that if an advertiser’s targeting criteria are so precise that fewer than 20 people would see the ad, it is not allowed. But Ms. Korolova said she could, in theory, circumvent that measure by creating 20 profiles to match the known characteristics of the person whose information she is trying to uncover, and then staying out of those accounts once the ad was placed. Facebook disputed that, saying that its terms of service prohibit fake accounts and that it works hard to eliminate them. It said that if someone quickly created 20 similar accounts, its automated systems would detect them. “We are confident that our techniques address the practical concerns of the privacy violations Aleksandra discusses,” the company said in a statement.

Mr. Soghoian said it was unlikely the attack described by Ms. Korolova could be used widely, but said it exposed yet another vulnerability in online networks.
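The mechanism the Times describes above, as an added simulation that is not from the original post, from Korolova’s paper or from Facebook: a toy ad platform whose audience count and impression report act as the oracle, the 20-person minimum audience as the mitigation, and the dormant-sybil bypass Korolova proposed. The attribute names, the constructed population, the threshold being enforced when the ad is placed, and the rule that every active matching profile is shown the ad exactly once are all assumptions made for the example.

```python
"""Simulation of the audience-size oracle behind the targeting attack.

Constructed example: a toy ad platform over a handful of fake profiles.
Nothing here is Facebook's real ad API; attribute names, the population,
threshold behaviour and impression logic are assumptions.
"""
from dataclasses import dataclass

MIN_AUDIENCE = 20  # the minimum audience the article says Facebook introduced


@dataclass(frozen=True)
class Profile:
    uid: str
    city: str
    gender: str
    age: int
    interests: frozenset
    interested_in: str   # the "private" attribute the attacker wants
    active: bool = True  # dormant accounts never log in, so never see ads


class AdPlatform:
    """Toy ad system: audience estimate plus impression report."""

    def __init__(self, profiles, min_audience=0):
        self.profiles = list(profiles)
        self.min_audience = min_audience

    @staticmethod
    def _matches(p, criteria):
        for key, want in criteria.items():
            have = getattr(p, key)
            if key == "interests":
                if not set(want) <= have:
                    return False
            elif have != want:
                return False
        return True

    def audience(self, criteria):
        return [p for p in self.profiles if self._matches(p, criteria)]

    def place_ad(self, criteria):
        """Return the impression count, or refuse if the audience is too small.
        Assumption: every active matching profile is shown the ad once."""
        aud = self.audience(criteria)
        if len(aud) < self.min_audience:
            raise ValueError(f"audience {len(aud)} below minimum {self.min_audience}")
        return sum(1 for p in aud if p.active)


def public_attrs_unique(platform, public):
    """Precondition of the attack: the public attributes match exactly one profile."""
    return len(platform.audience(public)) == 1


def infer_private_attr(platform, public, candidates, attr="interested_in"):
    """One ad per candidate value of the private attribute; the value whose ad
    draws impressions is the target's. None if every ad is refused or unseen."""
    for value in candidates:
        criteria = dict(public, **{attr: value})
        try:
            if platform.place_ad(criteria) > 0:
                return value
        except ValueError:  # refused by the minimum-audience rule
            continue
    return None


def add_dormant_sybils(platform, public, candidates, n, attr="interested_in"):
    """The bypass Korolova described: n fake profiles per candidate value that
    match the public attributes and are never logged into, so they pad the
    audience count without ever generating an impression."""
    for value in candidates:
        for i in range(n):
            platform.profiles.append(Profile(
                f"sybil-{value}-{i}", public["city"], public["gender"],
                public["age"], frozenset(public["interests"]), value, active=False))


# Constructed population: only "alice" matches PUBLIC on every attribute.
POPULATION = [
    Profile("alice", "Palo Alto", "F", 27, frozenset({"hiking", "jazz"}), "women"),
    Profile("bob", "Palo Alto", "M", 27, frozenset({"hiking", "jazz"}), "women"),
    Profile("carol", "Palo Alto", "F", 31, frozenset({"hiking"}), "men"),
    Profile("dan", "San Jose", "M", 27, frozenset({"jazz"}), "men"),
    Profile("erin", "Palo Alto", "F", 28, frozenset({"hiking", "jazz", "cooking"}), "men"),
]
PUBLIC = {"city": "Palo Alto", "gender": "F", "age": 27, "interests": {"hiking", "jazz"}}
CANDIDATES = ("men", "women")


def run_naive():
    """No minimum audience: the impression report leaks the attribute directly."""
    return infer_private_attr(AdPlatform(POPULATION), PUBLIC, CANDIDATES)


def run_with_threshold():
    """Minimum audience of 20: both single-person ads are refused."""
    return infer_private_attr(AdPlatform(POPULATION, MIN_AUDIENCE), PUBLIC, CANDIDATES)


def run_sybil_bypass():
    """Threshold in place, but 20 dormant sybils per value pad the audience count."""
    platform = AdPlatform(POPULATION, MIN_AUDIENCE)
    add_dormant_sybils(platform, PUBLIC, CANDIDATES, MIN_AUDIENCE)
    return infer_private_attr(platform, PUBLIC, CANDIDATES)


if __name__ == "__main__":
    print("naive:", run_naive(), "| threshold:", run_with_threshold(),
          "| sybil bypass:", run_sybil_bypass())
```

The point the simulation makes is that the minimum-audience rule only counts matching profiles; it does not check that those profiles will ever be served the ad. Padding the audience with dormant accounts restores the oracle, with the single real user as the only possible source of impressions, which is why the dispute in the article comes down to whether fake-account detection works rather than to the threshold itself.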

Alright, so Facebook might unwittingly out you to anyone with a credit card and some free time, but at least they’ll delete mean comments posted about you after you die.