> 4.3.5 PII obtained without user’s knowledge ... Facebook could learn users’ PII from their friends would be by scanning friends’ contact databases, linking contacts to existing Facebook accounts, and then augmenting the Facebook accounts with any additional PII found in the contacts database ... We found that the previously-unused phone number became targetable in 36 days, showing that it had indeed been linked to the corresponding author’s account without their knowledge. Making this situation worse, the matched phone number was not listed on the account’s profile, nor in the “Download Your Information” archive obtained from Facebook; thus the target user in this scenario was provided no information about or control over how this phone number was used to target them with ads.

Huh, that sounds like a GDPR violation?
One can argue that FB doesn't need to use probabilistic data structures for estimating the size of a small set of externally provided PII, but they probably need to keep them at hand in case they need to intersect with geo-demo sets, e.g. one uploads a large list of emails, and wants to intersect that audience with the set of males in San Francisco.
You have to read the details later, where they uploaded 2 different pieces of PII for a customer - one already associated with a FB user, and therefore targetable. The other was brand new PII. Only the latter was not found to be targetable.
So yay - Facebook doesn’t use rainbow table lookups to extract plaintext PII from hashes that advertisers upload. Gold star for them.
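The matching behaviour discussed in the comment above, as an added example that is not part of the thread or any platform's real code: an uploaded hash only resolves to an account when the platform already holds the same PII, and the same upload starts matching once that PII is linked later. Unsalted SHA-256 over normalised values, the `Platform` class, the account id and all sample PII are assumptions constructed for illustration.

```python
import hashlib


def normalize(kind, value):
    """Canonicalise PII so advertiser and platform hash identical bytes."""
    value = value.strip().lower()
    if kind == "phone":
        # Keep digits only: "+1 (555) 010-0199" -> "15550100199"
        value = "".join(ch for ch in value if ch.isdigit())
    return value


def pii_hash(kind, value):
    """Hash as assumed for the upload format: SHA-256, no salt."""
    return hashlib.sha256(normalize(kind, value).encode("utf-8")).hexdigest()


class Platform:
    """Hypothetical platform side: an index of hashes of PII it already holds."""

    def __init__(self):
        self.index = {}  # pii hash -> account id

    def link(self, account, kind, value):
        # Called whenever the platform attaches PII to an account,
        # whatever the source (profile field, imported contacts, ...).
        self.index[pii_hash(kind, value)] = account

    def match(self, uploaded_hashes):
        # Pure equality join: no attempt to recover plaintext from a hash.
        matched = {h: self.index[h] for h in uploaded_hashes if h in self.index}
        unmatched = [h for h in uploaded_hashes if h not in self.index]
        return matched, unmatched


def run_demo():
    platform = Platform()
    platform.link("acct-1", "email", "alice@example.com")  # constructed data

    # Advertiser upload: one known email, one phone number new to the platform.
    upload = [
        pii_hash("email", " Alice@Example.com "),
        pii_hash("phone", "+1 (555) 010-0199"),
    ]
    before = platform.match(upload)

    # Later the platform links the phone number to the account from another
    # source; the unchanged upload now matches without the owner doing anything.
    platform.link("acct-1", "phone", "15550100199")
    after = platform.match(upload)
    return upload, before, after
```
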
Another way to view the same thing is "Facebook makes a big database of adverts available to me to view, and I (automatically) choose to view the ones most closely matching my personal information".