- Researchers modeled interactive targeted ads as a noisy oracle that can reveal user attributes.
The team built a synthetic benchmark calibrated with public data, assigning known sensitive labels to a virtual population. They simulated ad campaigns that expose users, record interactions, and optionally disclose linked observations to advertisers. Across four topic variants, seven random seeds, and two interaction settings, Bayesian and supervised attacks peaked at roughly 0.64 AUC in the standard scenario and 0.65 AUC when interactions were higher, after 160 repeated campaigns.
These numbers matter because they quantify how much personal detail an advertiser can infer from a realistic chain of ad delivery and user response. The ceiling is set not by the attack method but by the platform’s disclosure policy; aggregate reporting, type filtering, and randomized disclosure all suppress the signal. In practice, the findings suggest that without strict policy controls, targeted ad ecosystems could leak more attribute information than regulators might expect.
In short, the study shows that even with many campaigns, attribute inference stalls near 0.65 AUC, and that disclosure rules are the most effective lever to limit privacy erosion. Regulators should therefore focus on mandating aggregate reporting and stochastic disclosure rather than relying on opaque algorithmic safeguards.