Marketers may be getting tarred with another alleged privacy violation: retargeted ads based on specific products that a person has viewed online.
This form of tracking links
“third-party ephemeral tracking cookies to a user’s durable identity (e.g., email address),” according to Cart-ology: Intercepting Targeted Advertising via Ad Network
Identity Entanglement, a study by researchers from the Georgia Institute of Technology, University of Illinois Chicago (UIC), and New York University
(NYU).
Here's the problem: These retargeted ads are sometimes mistakenly shown to the devices of family members and friends that often share
network connections,” the authors write. “Such 'leaked' retargeted advertisements can cause a range of harms from ruining a surprise gift to revealing sensitive personal information such
as sexual orientation, religious affiliation, or pregnancy status,” they add.
advertisement
advertisement
In addition, a test showed retargeted advertisements can contain
sensitive location information, putting the person at risk.
“An ad network potentially leaking travel plans to anyone with a target’s email address is a
significant privacy threat and potentially dangerous to people being stalked,” states Damon McCoy, associate professor at
NYU.
It is not clear if these risks will continue when third-party cookies disappear in 2024, or if any consumers have been victimized. But, for
now, the authors conclude that there is “data leakage occurring which could allow an attacker to determine merchant websites and products viewed by a victim, as well as control
what ads are shown to the victim.”
“Third party ad networks have no direct relationship with users,” states Paul
Pearce, assistant professor in the School of Cybersecurity and Privacy at Georgia Tech. “Thus, if they want to track user activity across devices, they must rely on identity information, such as email addresses,
given to them from other various websites.”
Pearce adds that if “an attacker knows a victim’s email address, they can lie to the ad network
pretending to be a user, leading to very real privacy problems.”
"When I use the Internet on my own private device, like a phone or a laptop, I
don't expect that anyone who knows my personal email could manipulate what I see,” says Chris Kanich, associate professor at
UIC.
The findings were presented last week at the ACM Conference on Computer and Communications Security.