
Facebook Is Reinstating Reach Estimates In Custom Audiences After Fixing A Security Flaw


After more than a year on ice, Facebook is bringing back reach estimates in Custom Audiences.

Facebook suspended the metric, which advertisers would use to preview reach estimates for lists uploaded to Custom Audiences, in March 2018 when academic researchers from Northeastern University discovered a vulnerability.

The exploit could have allowed someone to infer attributes related to the individuals included in an advertiser’s list.

The researchers were rewarded through Facebook’s bug bounty program and the metric was shelved pending investigation.

Facebook re-introduced it Tuesday to buyers on a randomized basis, a process that will continue through the end of the year.

What was the problem?

Simply put (sort of), researchers could determine the rounding threshold, aka, the point at which Facebook’s system would round up to create an estimate.

Having identified the threshold, one could ascertain gender or country or any one of more than 1,000 targeting attributes, by adding an email to the list, selecting an attribute and checking if the reach estimate went up or stayed the same.

Anyone diligent enough could mine the metric to build fairly detailed customer profiles.

Over the past year, Facebook worked with the researchers who uncovered the bug to patch the problem. Facebook claims that it never saw anyone take advantage of the exploit.

The solution is threefold: making the rounding logic more complex for how estimates are displayed; improving the backend detection process for potential misuse in collaboration with Facebook’s business integrity team, which investigates security issues; and limiting the number of audiences and API calls that a single account can have.

Restricting the API calls and capping the number of audiences won’t have an impact on how advertisers use the metric, but should prevent anyone from manipulating it. Multiple API calls can be a sign of potential misuse.
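An added example, not Facebook's code, of what per-account caps and a misuse check of the kind described above could look like on the backend. The thresholds, event format and account names are assumptions constructed for illustration; the article gives no actual limits or detection rules.

```python
from collections import defaultdict
from itertools import combinations

# Hypothetical per-account limits; the article gives no actual numbers.
MAX_AUDIENCES = 5
MAX_ESTIMATE_CALLS = 20

# Constructed sample events: (account, event, audience_id, payload).
# For "upload" the payload is the set of hashed list entries;
# for "estimate" it is the targeting attribute requested.
EVENTS = [
    ("acct-A", "upload", "a1", {"h1", "h2", "h3", "h4"}),
    ("acct-A", "estimate", "a1", "country=US"),
    ("acct-B", "upload", "b1", {"h1", "h2", "h3"}),
    ("acct-B", "upload", "b2", {"h1", "h2", "h3", "h9"}),
] + [("acct-B", "estimate", aid, f"attr{i}")
     for i in range(15) for aid in ("b1", "b2")]


def review_accounts(events, max_audiences=MAX_AUDIENCES,
                    max_calls=MAX_ESTIMATE_CALLS):
    """Return {account: sorted list of reasons} for accounts worth a look."""
    audiences = defaultdict(dict)   # account -> {audience_id: members}
    calls = defaultdict(int)        # account -> number of estimate calls
    for account, event, audience_id, payload in events:
        if event == "upload":
            audiences[account][audience_id] = frozenset(payload)
        elif event == "estimate":
            calls[account] += 1

    findings = defaultdict(set)
    for account, lists in audiences.items():
        if len(lists) > max_audiences:
            findings[account].add("audience_cap_exceeded")
        # Two lists that differ by one entry let their estimates be compared
        # to isolate that entry, the pattern the article describes.
        for (_, a), (_, b) in combinations(sorted(lists.items()), 2):
            if len(a ^ b) == 1:
                findings[account].add("near_duplicate_audiences")
    for account, n in calls.items():
        if n > max_calls:
            findings[account].add("estimate_call_cap_exceeded")
    return {acct: sorted(reasons) for acct, reasons in findings.items()}


if __name__ == "__main__":
    for account, reasons in review_accounts(EVENTS).items():
        print(account, reasons)
```

An ordinary advertiser such as the constructed `acct-A` produces no finding, which matches the article's point that the caps should not affect normal use.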

This isn’t the first time Custom Audiences was found to be vulnerable to possible abuse. The same Northeastern researchers who found the Custom Audience reach estimate issue unearthed a similar bug within Custom Audiences in December 2017 that would allow someone to figure out a user’s cell phone number from their email address.

A Facebook spokesperson said that advertisers have been consistently requesting to get the metric back, even though they had alternative tools when reach estimates in Custom Audiences weren’t available.

But Facebook decided not to rush things this time. “We’re doing this a little more slowly than with other products to be cautious and make sure everything is going as intended,” the spokesperson said.

Phillip Huynh, VP of paid social at 360i, said he’ll be pleased to see reach estimates back in their rightful place in Ad Manager.

“This allows us to, once again, understand the audience we’re targeting and make appropriate decisions on investment,” Huynh said, as well as keep tabs on audience sizes as upcoming changes to the platform begin to roll out, including Clear History.
