Facebook Senior Staff Knew about Privacy Busting ‘Bug’ Five Years Ago

A senior marketing staffer at Facebook congratulated a prankster who used the platform to send a unique advertisement targeted only at his roommate in 2014, an email acquired by The Tyee reveals.

The email proves that Facebook has been aware for five years of a technique called “sniper-targeting” that bypasses its anonymity safeguards and enables customized ads to reach just a few or even a single person.

The technique can also enable spying on recipients, since the sender of the ad knows exactly who clicked on it and can then harvest other online data about that recipient.

In 2014, Brian Swichkow blogged about creeping out his roommate by sending a unique ad based on intimate details. The roommate was fooled into thinking the ad was seen by others, Swichkow recounted.

That article “made the rounds at work,” a Facebook manager told Swichkow in a 2014 email The Tyee has seen.

But the loophole, enabling a distilled version of the micro-targeting later used by ad firms such as Cambridge Analytica, was not closed by Facebook.

Swichkow grew disillusioned with marketing practices on the platform, he said, and his agency now focuses on projects that “elevate the human frequency.” He provided the communication to The Tyee.

Facebook said in March 2019 it had finally fixed the “bug” allowing sniper-targeting after The Tyee showed it still existed. But that proved to be false when The Tyee did another investigation to see if the loophole had been closed. After The Tyee published those findings, Facebook said it was again looking into the problem.

The ability to target a single person with Facebook ads violates the social media’s own pledges to the public and likely Canadian law, as The Tyee had reported.

The security flaw allows any advertiser to find a specific person on the platform and send that individual a wholly unique ad, which appears to the target as though it was sent to a group. The advertiser knows if the target saw the ad or not. If the target clicks, the advertiser can know the target’s location, details about their device and connect anything entered on the advertiser’s website (under assumed anonymity) to the target’s identity.

Cambridge Analytica had tools to target lone recipients of ads, contrary to Facebook’s claimed policies and assurances to lawmakers, researcher Chris Vickery told The Tyee. Vickery presented testimony to U.K. and Canadian parliaments on tools used by ad agency Cambridge Analytica to sway the U.S. election and Brexit.

The very U.K. committee members questioning Facebook were targeted by specific ads from unknown persons during the questioning “as either some sort of proof or reprisal,” said Vickery.

When The Tyee managed to get an audience of only one person approved on the platform, Facebook told The Tyee the technique would not deliver an ad. Next, when we successfully delivered an ad to the lone target, Facebook said it was not aware of anyone else using the technique. When we pointed out many articles documenting it, including one by Brian Swichkow, which received coverage in several prominent publications including the Observer and an estimated seven million impressions, Facebook said nobody had used the technique “maliciously.”

Now the email confirms senior management at Facebook was aware of the ability to circumvent its minimum audience size restrictions — intended to ensure anonymity — as early as 2014.

Liberal MP Nathaniel Erskine-Smith last year questioned Facebook representatives in his role on the parliamentary Committee on Access to Information, Privacy and Ethics. He told The Tyee the company was “adamant” individuals could not be isolated to receive lone ads on Facebook. Cambridge Analytica co-founder Christopher Wylie told the committee that name lists for ad audiences had to be a minimum of 1,000.

Facebook admitted to The Tyee that the target list minimums could be as small as 20.

In fact, The Tyee proved a first time and then again that the target lists could be filtered down to just one by exploiting the long existing “bug” which Facebook only has lately acknowledged.

The Tyee sent questions to Facebook which the company so far has not answered.

The Tyee asked how many people unwittingly have been targets of one-person campaigns, and whether they would be alerted their privacy might have been compromised.

The Tyee asked how the latest fix differs from the company’s previous claimed repair.

March 5 was the first time Facebook told The Tyee, wrongly, that it had closed the privacy-violating loophole. The next day the company released CEO Mark Zuckerberg’s “A Privacy-Focused Vision for Social Networking,” meant to assure users his firm is “committed to working openly and consulting with experts across society” to “address the biggest challenges facing Facebook.”

In their latest response to The Tyee, Facebook spokespeople confirmed that, despite their previous claims, the ability to send ads to one person only had still been possible up to May 3.

Now, assures Facebook for a second time, the flaw has been fixed. The Tyee has yet to test that claim.