Facebook's Ad Platform Is Easily Gamed And Your Privacy Is Cheaply Bought

This article is more than 6 years old.

The extent to which Facebook profits every single time you log in to the website should not be underestimated.

Every like, every share, every post, every time you attend - or even express an interest in attending - an event is recorded. It’s not just your ‘behaviour’ (as the social network calls it) on Facebook, but other websites too. Ever logged in to another service with your Facebook account? Yeah, that too.

You, or rather the composite grouping of behaviours that make up your online profile, is a serious cash cow for Facebook in two ways. Firstly, the access it sells to what’s called its ‘firehose’, which is a largely unfiltered stream of status updates that brand monitoring agencies pay thousands for access to. Secondly, your personality-profile and demographics are anonymised and sold to the highest bidder via Facebook’s ad platform ‘Insights’.

It’s that second way that is a cause for concern and the focus of this story, which is detailed in the video below.  

It all starts with Facebook’s advertising platform, Insights. If you see an advert on Facebook, it’s been bought via Insights. Chances are you’ve heard about ‘dark ads’ in the run up to the recent UK and US elections - all those adverts were most likely bought through Insights.

The platform essentially distils - and anonymises - the activity of billions of Facebook users by grouping them into categories (hobbies, education level etc) that advertisers can choose to target.

This is open to virtually anyone with a company page. The anonymous behavioural data is powerfully granular. Practically any category of people you want to target, Facebook Insights will provide.

Except it isn’t so anonymous and it’s open to abuse.

Working off of a tip, we decided to put Insights to the test and see if your data is truly safe with Facebook. The investigation is largely based on the research of Stanford University's Dr Michal Kosinski, who discovered that it’s possible to determine key characteristics of people based on a combination of their Facebook likes. For example, liking ‘roadtrips’ and ‘bonfires’ might give away someone’s ethnicity.

The first step was to create a fake company Facebook page. We then mocked up a logo and bought 5000 fake Facebook likes to make the company page look legitimate, at a cost of less than $100.

Facebook also lets you backdate posts, so we posted some articles and pictures and backdated them to 2016 to make it look like the page had been active for months when it had in fact only been alive for a few weeks. It’s worth noting that this feature was only available during the course of our investigation earlier this year; by the time of publishing, Facebook had removed it.

We had created a genuine-looking, legitimate, popular and long-standing company page in less than two days.

We then took Kosinski’s research - which says that you can predict people's key demographics based on the pages they like - and tailored our adverts accordingly. We opted to focus on two important demographics: race and sexuality. We chose these two because they’re easier to verify than someone’s IQ or their parents’ relationship status.

Next we created and boosted several different posts, each one targeted at a specific demographic. There was nothing extraordinary about these posts and it wasn’t the content that was targeted but the audience, thanks to the tools Facebook Insights has to offer. (We’ve decided not to reveal all targeting terms or the original ads for fear of compromising the privacy of the users that interacted with the post.)

Jay McGregor

We then set a $15 advertising budget for each post and submitted them for review - a process which is supposed to approve adverts that meet unknown criteria.

In any case, despite our fake page gaining 5000 likes in a matter of a few hours, being a few days old but featuring posts that are months old, and clearly targeting specific minority groups, Facebook still approved the advert.

In total, 1200 people liked and commented on our advert. We then set about going through those interactions to further verify that they were part of the target demographic groups by poring over their Facebook pages, LinkedIn and general internet sleuthing. This might seem like a small number, but the response rate was fairly average for our budget size. If we were a large company - or political campaign - with a specific agenda and a billionaire backer at our disposal, just spending $1.5m may get responses in the hundreds of thousands.

Our adverts and methodology proved to be successful, too. For the race demographic, the response rate to our race advert was 76% accurate and for the sexuality advert the response rate was 79% accurate. So we managed to accurately target and identify (by simply using their name and some information on their profile to find more details on the web) people based on their race and sexuality with a small budget thanks to Facebook’s powerful advertising algorithm and a fake company. This is a simple and straightforward way to de-anonymise Facebook's anonymous ad platform.

No real privacy on Facebook

I sat down with Dr Kosinski and quizzed him on Facebook Insights and its privacy issues.

“One of the promises of behavioural marketing is that the company that does the marketing will never share with the marketers detailed information of the people who are being targeted. But there is one problem with that which is that it’s in fact impossible not to share this information.”

He continued. “Any person that basically reacts to an advert that is specifically targeted at a given group, must be a member of this group, which basically means that, in the context of behavioural marketing, there is no way of actually protecting the privacy of people who are being targeted.”

This is dangerous for obvious reasons. In a time when hate crime is on the rise, finding and identifying people based on demographics they perhaps don’t want made public should be a concern to Facebook users and the social network itself. Someone with more resources and will could potentially use this method as a starting point for finding out even more personal information about their targets.

Facebook didn’t respond to a request for comment by the time of publishing.

You can watch Kosinski's full interview below

A platform that’s easily manipulated and open to abuse

The ease with which it’s possible to set up a legitimate-looking company account and bypass advert verification lends itself well to scams, too. Two recent cases of costly scams include fake Starbucks voucher adverts circulating on Facebook that are designed to steal information, and fake money saving advice from popular website Money Saving Expert.

The latter example apparently cost one person £19k and forced an angry response from the owner of moneysavingexpert.com, Martin Lewis. For the uninitiated, Lewis is well-known in the UK as a trusted source of financial advice. The appeal to a scammer of using Lewis’ name and brand on a fake advert that ultimately cleaned the victim’s account out is obvious. When I spoke with Lewis, he was indignant about Facebook’s apparent lacklustre approach to tackling scam adverts.

“Facebook is a technology company – where is its image search, where is its tech search, where are its systems? It is a wild west out there; it’s totally unregulated. The FCA doesn’t regulate it and the ASA does not regulate Facebook, it only regulates advertisers, which, when they’re scammers, is completely irrelevant.”

It’s understandable why the barrier to entry is low when it comes to advertising on Facebook. Advertising makes up the overwhelming majority of its profits. $27.64bn in 2016 to be exact, 97% of which was from ad revenue.

But with high-profile scams and a system that’s easily gamed - does Facebook have more of a responsibility to its users to make sure their identities are properly protected?
