Jean-Michel Dricot (left) and Charles Cuvelliez. (Credits: DR)
A number of companies may not be ready on 25 May, when the regulation for the protection of private data (RGPD, the GDPR in English) begins to apply. Facebook can be counted among them, as shown by an experiment conducted by researchers at the University of Madrid.
By Charles Cuvelliez and Jean-Michel Dricot, Polytechnic School of Brussels, Free University of Brussels.
Every day we hear about European companies that are not ready for the RGPD, the famous regulation for the protection of private data that strictly governs the use of personal data (with a hefty fine at stake). But what about the Internet giants, at whom the RGPD is (very, very much) aimed: are they ready?
Facebook appears to be nowhere near ready, according to the University of Madrid, which conducted an experiment that speaks volumes about the possibilities for manipulating the network. This social network reportedly profiles no fewer than 73% of European users without their knowledge (that is to say, without consent, the cornerstone of the RGPD), based on very sensitive criteria strictly prohibited by the RGPD (sexual, political or religious orientation, health). This profiling is made available to advertisers, who can then choose to whom they send their advertisements, without being able to identify the individual, it is true … except that the authors show the way to get there!
It was an unfortunate advertisement to join a gay community, sent to one of the authors of the study, that lit the fuse. Yet the researcher in question had never explicitly mentioned anything of the kind. The research group is developing a browser extension that informs Facebook users, in real time, of the preferences Facebook has assigned to them based on their online behavior. This extension also estimates the income they generate for Facebook, based on their profile and the number of ads displayed.
Ads Manager, a double-edged sword
What “trapped” Facebook is its Ads Manager tool, which allows advertisers to target the users to whom they send advertising. The criteria are broad: location, gender, age, language, behavior (they use Facebook on their mobile, on Windows, on Apple, they travel a lot …) but also their interests (cars, food, cosmetics …). This last criterion is impressive for the choice it offers: thousands of combinations are possible, arranged in a hierarchy. Everything is done to make things easier for advertisers: they can enter free text describing the target group, and Facebook then provides the parameters to select. That said, Facebook users can access their profiling and change it, but few know this.
With their browser extension, installed by several thousand volunteers, the researchers were able to determine on what basis the profiling is done. It is clear that it is built without the consent of the user: from what they have liked, the pages or ads they have viewed, an installed app, the web pages visited, their comments, posts and shares. It is doubtful that all Facebook users have given their explicit consent, unless it were requested at every click.
No emergency rule
Facebook is in breach of the RGPD, even though the regulation provides for exceptions. None applies here. No, the information that Facebook collects is not necessary for the vital interests of its users, who are, moreover, physically able to give their consent. No, the users' data on Facebook is not already public. This profiling pursues no public interest, another possible exception to consent. Finally, this profiling serves no scientific or statistical purpose.
4,577 users installed the browser extension on which the study is based. 3,166 are based in the EU. The researchers compiled a set of 126,192 preferences used for targeted advertising. All this allowed them to see what proportion of Facebook users located in Europe have keywords relating to sensitive criteria in their profile: the result is unequivocal, at 73% of this panel of 3,166 users. Using the tool for advertisers, they then established, for each EU country, the number of users who fall into the categories identified as sensitive. There are large differences between countries, the top 7 consisting of Malta, Cyprus, Sweden, Denmark, Ireland, Portugal and Britain. The least affected are Germany, Poland, Latvia, Slovakia and the Czech Republic. Young adults are the most represented in the “sensitive” group. As for the very sensitive criteria found in user profiles, religion accounts for 20.8%, health for 18.2%, and sexuality and ethnicity for 1.5% and 1.1% respectively. The researchers then used the tool for advertisers to quantify how many users in each European country. Some are left speechless.
Until now, people have taken comfort in the fact that advertisers do not have individual access to end users when using Ads Manager. Except that the ability to reach end users on the basis of very sensitive criteria identifies them without too much difficulty. Consider two scenarios. It would be easy for a neo-Nazi organization to send a targeted, offensive campaign to users with “gay” or “Jewish” in their preferences, its favorite targets! Indeed, why bother identifying individual Facebook users if the goal is achieved anyway? The researchers simulated this strategy, without going all the way, of course: for less than 35 euros, they could reach 26,000 users! This also helps explain how the Russians could so easily influence the US elections!
Another scenario, more subtle still, for identifying end users: launch a phishing attack, that is to say, send a targeted campaign asking users to provide information about themselves in order to win a prize, such as an iPhone or a voucher. There are always some who fall for it, and that is that many more users identified. It is no accident that so-called identification cyberattacks are gaining in popularity.
It is not for nothing that Facebook announced that no project has ever mobilized as large an in-house project team as the RGPD. It needs it!