José González Cabañas, Ángel Cuevas, and Rubén Cuevas, Department of Telematic Engineering, Universidad Carlos III de Madrid
The recent European General Data Protection Regulation (GDPR) restricts the processing and exploitation of some categories of personal data (health, political orientation, sexual preferences, religious beliefs, ethnic origin, etc.) due to the privacy risks that may result from malicious use of such information. The GDPR refers to these categories as sensitive personal data. This paper quantifies the portion of Facebook users in the European Union (EU) who were labeled with interests linked to potentially sensitive personal data in the period prior to when GDPR went into effect. The results of our study suggest that Facebook labels 73% EU users with potential sensitive interests. This corresponds to 40% of the overall EU population. We also estimate that a malicious third party could unveil the identity of Facebook users that have been assigned a potentially sensitive interest at a cost as low as €0.015 per user. Finally, we propose and implement a web browser extension to inform Facebook users of the potentially sensitive interests Facebook has assigned them.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Jos{\'e} Gonz{\'a}lez Caba{\~n}as and {\'A}ngel Cuevas and Rub{\'e}n Cuevas},
title = {Unveiling and Quantifying Facebook Exploitation of Sensitive Personal Data for Advertising Purposes},
booktitle = {27th USENIX Security Symposium (USENIX Security 18)},
year = {2018},
isbn = {978-1-939133-04-5},
address = {Baltimore, MD},
pages = {479--495},
url = {https://www.usenix.org/conference/usenixsecurity18/presentation/cabanas},
publisher = {USENIX Association},
month = aug
}