• by Ray Schultz , Columnist, November 14, 2022

Marketers may be getting tarred with another alleged privacy violation: retargeted ads based on specific products that a person has viewed online. 

This form of tracking links “third-party ephemeral tracking cookies to a user’s durable identity (e.g., email address),” according to Cart-ology: Intercepting Targeted Advertising via Ad Network Identity Entanglement, a study by researchers from the Georgia Institute of Technology, University of Illinois Chicago (UIC), and New York University (NYU). 

Here's the problem: These retargeted ads are sometimes mistakenly shown to the devices of family members and friends that often share network connections,” the authors write. “Such 'leaked' retargeted advertisements can cause a range of harms from ruining a surprise gift to revealing sensitive personal information such as sexual orientation, religious affiliation, or pregnancy status,” they add. 

In addition, a test showed retargeted advertisements can contain sensitive location information, putting the person at risk.

“An ad network potentially leaking travel plans to anyone with a target’s email address is a significant privacy threat and potentially dangerous to people being stalked,” states Damon McCoy, associate professor at NYU. 

It is not clear if these risks will continue when third-party cookies disappear in 2024, or if any consumers have been victimized. But, for now, the authors conclude that there is “data leakage occurring which could allow an attacker to determine merchant websites and products viewed by a victim, as well as control what ads are shown to the victim.”

“Third party ad networks have no direct relationship with users,” states Paul Pearce, assistant professor in the School of Cybersecurity and Privacy at Georgia Tech. “Thus, if they want to track user activity across devices, they must rely on identity information, such as email addresses, given to them from other various websites.”

Pearce adds that if “an attacker knows a victim’s email address, they can lie to the ad network pretending to be a user, leading to very real privacy problems.” 

"When I use the Internet on my own private device, like a phone or a laptop, I don't expect that anyone who knows my personal email could manipulate what I see,” says Chris Kanich, associate professor at UIC. 

The findings were presented last week at the ACM Conference on Computer and Communications Security.