journalism that swims
against the current.
Rights + Justice
Science + Tech

Facebook Senior Staff Knew about Privacy Busting ‘Bug’ Five Years Ago

Tyee has 2014 email on ‘sniper-targeting’ that runs counter to company’s denials.

Bryan Carney 7 May

Bryan Carney is director of web production at The Tyee and reports on technology and privacy issues. You can follow his very occasional tweets at @bpcarney.

A senior marketing staffer at Facebook congratulated a prankster who used the platform to send a unique advertisement targeted only at his roommate in 2014, an email acquired by The Tyee reveals.

The email proves that Facebook has been aware for five years of a technique called “sniper-targeting” that bypasses its anonymity safeguards and enables customized ads to reach just a few or even a single person.

The technique can also enable spying on recipients, since the sender of the ad knows exactly who clicked on it and can then harvest other online data about that recipient.

In 2014, Brian Swichkow blogged about creeping out his roommate by sending a unique ad based on intimate details. The roommate was fooled into thinking the ad was seen by others, Swichkow recounted.

That article “made the rounds at work,” a Facebook manager told Swichkow in a 2014 email The Tyee has seen.

But the loophole, enabling a distilled version of the micro-targeting later used by ad firms such as Cambridge Analytica, was not closed by Facebook.

Swichkow grew disillusioned with marketing practices on the platform, he said, and his agency now focuses on projects that “elevate the human frequency.” He provided the communication to The Tyee.

Facebook said in March 2019 it had finally fixed the “bug” allowing sniper-targeting after The Tyee showed it still existed. But that proved to be false when The Tyee did another investigation to see if the loophole had been closed. After The Tyee published those findings, Facebook said it was again looking into the problem.

The ability to target a single person with Facebook ads violates the social media’s own pledges to the public and likely Canadian law, as The Tyee had reported.

The security flaw allows any advertiser to find a specific person on the platform and send that individual a wholly unique ad, which appears to the target as though it was sent to a group. The advertiser knows if the target saw the ad or not. If the target clicks, the advertiser can know the target’s location, details about their device and connect anything entered on the advertiser’s website (under assumed anonymity) to the target’s identity.

Cambridge Analytica had tools to target lone recipients of ads, contrary to Facebook’s claimed policies and assurances to lawmakers, researcher Chris Vickery told The Tyee. Vickery presented testimony to U.K. and Canadian parliaments on tools used by ad agency Cambridge Analytica to sway the U.S. election and Brexit.

The very U.K. committee members questioning Facebook were targeted by specific ads from unknown persons during the questioning “as either some sort of proof or reprisal,” said Vickery.

When The Tyee managed to get an audience of only one person approved on the platform, Facebook told The Tyee the technique would not deliver an ad. Next, when we successfully delivered an ad to the lone target, Facebook said it was not aware of anyone else using the technique. When we pointed out many articles documenting it, including one by Brian Swichkow, which received coverage in several prominent publications including the Observer and an estimated seven million impressions, Facebook said nobody had used the technique “maliciously.”

Now the email confirms senior management at Facebook was aware of the ability to circumvent its minimum audience size restrictions — intended to ensure anonymity — as early as 2014.

Liberal MP Nathaniel Erskine-Smith last year questioned Facebook representatives in his role on the parliamentary Committee on Access to Information, Privacy and Ethics. He told The Tyee the company was “adamant” individuals could not be isolated to receive lone ads on Facebook. Cambridge Analytica co-founder Christopher Wylie told the committee that name lists for ad audiences had to be a minimum of 1,000.

Facebook admitted to The Tyee that the target list minimums could be as small as 20.

In fact, The Tyee proved a first time and then again that the target lists could be filtered down to just one by exploiting the long existing “bug” which Facebook only has lately acknowledged.

The Tyee sent questions to Facebook which the company so far has not answered.

The Tyee asked how many people unwittingly have been targets of one-person campaigns, and whether they would be alerted their privacy might have been compromised.

The Tyee asked how the latest fix differs from the company’s previous claimed repair.

March 5 was the first time Facebook told The Tyee, wrongly, that it had closed the privacy-violating loophole. The next day the company released CEO Mark Zuckerberg’s “A Privacy-Focused Vision for Social Networking,” meant to assure users his firm is “committed to working openly and consulting with experts across society” to “address the biggest challenges facing Facebook.”

In their latest response to The Tyee, Facebook spokespeople confirmed that, despite their previous claims, the ability to send ads to one person only had still been possible up to May 3.

Now, assures Facebook for a second time, the flaw has been fixed. The Tyee has yet to test that claim.  [Tyee]

  • Share:

Facts matter. Get The Tyee's in-depth journalism delivered to your inbox for free

Tyee Commenting Guidelines

Comments that violate guidelines risk being deleted, and violations may result in a temporary or permanent user ban. Maintain the spirit of good conversation to stay in the discussion.
*Please note The Tyee is not a forum for spreading misinformation about COVID-19, denying its existence or minimizing its risk to public health.


  • Be thoughtful about how your words may affect the communities you are addressing. Language matters
  • Challenge arguments, not commenters
  • Flag trolls and guideline violations
  • Treat all with respect and curiosity, learn from differences of opinion
  • Verify facts, debunk rumours, point out logical fallacies
  • Add context and background
  • Note typos and reporting blind spots
  • Stay on topic

Do not:

  • Use sexist, classist, racist, homophobic or transphobic language
  • Ridicule, misgender, bully, threaten, name call, troll or wish harm on others
  • Personally attack authors or contributors
  • Spread misinformation or perpetuate conspiracies
  • Libel, defame or publish falsehoods
  • Attempt to guess other commenters’ real-life identities
  • Post links without providing context


The Barometer

What Environmental Impacts Are Most Concerning to You This Summer?

Take this week's poll