Ads Enable LLMs to Reconstruct User Profiles
Pentesting
A Large Language Model (LLM) is a machine learning system trained on large text and image collections that can predict and generate language and labels from input. Researchers apply a multimodal LLM pipeline to social media ad streams and demonstrate that sequences of ads can be used to infer sensitive user attributes, with clear implications for privacy and targeted exploitation.
Why this matters: the study shows opaque ad delivery is not just a commercial nuisance. Ad streams form a rich, machine‑readable footprint that can be reconstructed into demographics. That enables targeted manipulation, sharper phishing, and discrimination against vulnerable groups where delivery is already biased.
Scope and methods: the work audits hundreds of thousands of Facebook ad impressions collected from volunteer Australian users via a privacy‑preserving browser plugin. Ads were summarised into text features and processed by a multimodal LLM in a two‑stage pipeline: session level zero‑shot classification followed by longitudinal aggregation at the user level. The authors benchmark the model against census baselines and human evaluators and test sequence order by shuffling sessions.
Key findings: advertising categories show systematic skews, with gambling ads disproportionately reaching socioeconomically vulnerable groups and political ads concentrating on older and politically aligned users. The LLM achieves notably higher than baseline reconstruction: gender around 76% accuracy, age and income less exact but often near misses, and party preference and employment showing measurable gains. Temporal order improves user‑level inference.
Practical risk and mitigations
The immediate risk for practitioners is twofold: biased delivery can amplify harm to vulnerable cohorts, and ad streams themselves become an attack surface for profile building. Practical, minimal controls include logging restrictions and access controls on raw ad streams, introducing randomness to sequencing, and restricting sensitive‑category ad delivery. Better options include mandated algorithmic impact assessments and content‑level auditing; best practice adds differential privacy, red‑teaming, and stronger platform transparency.
Limitations: the dataset is a self‑selected Australian cohort and focuses on Facebook, so results may not generalise. The study cannot prove platform causality without internal ad delivery data.
Forward look: treat ad streams as personal data. Platforms and regulators should expand technical audits and governance now, because the combination of opaque targeting and capable LLMs makes profile reconstruction a practical risk, not a theoretical one.
Additional analysis of the original ArXiv paper
📋 Original Paper Title and Abstract
When Ads Become Profiles: Large-Scale Audit of Algorithmic Biases and LLM Profiling Risks
🔍 ShortSpan Analysis of the Paper
Problem
Automated ad targeting on social media is opaque, creating risks of exploitation and invisibility to external scrutiny. Users may be steered toward harmful content while independent auditing of these processes remains blocked. Large Language Models LLMs raise a new concern: the potential to reverse engineer sensitive user attributes from exposure alone. The study presents a multi stage auditing framework to investigate these risks. First, a large scale audit of over 435 000 ad impressions delivered to 891 Australian Facebook users reveals algorithmic biases, including disproportionate Gambling and Politics ads shown to socioeconomically vulnerable and politically aligned groups. Second, a multimodal LLM can reconstruct users demographic profiles from ad streams, outperforming census based baselines and matching or exceeding human performance. The results provide the first empirical evidence that ad streams constitute rich digital footprints for public AI inference, highlighting urgent privacy risks and the need for content level auditing and governance.
Approach
The research adopts a novel auditing framework combining statistical analysis and LLM based inference. It uses a large scale longitudinal dataset from Australian Facebook users donated via a privacy preserving browser plugin, comprising over 700 000 ad observations from more than 2 000 users observed between 2021 and 2023. Ads are segmented into sessions using a data driven threshold determined from inter ad time gaps. A multimodal understanding pipeline processes each ad (images and text) to extract four structured textual features Captions, Descriptive Categories, IAB categories, and KeyEntities. Gemini 2.0 Flash is used for the large scale extraction to balance multimodal understanding with cost and speed. The session level outputs feed a zero shot classification by the LLM for six demographic attributes; the session level results are then aggregated into a user level longitudinal narrative to perform holistic demographic inferences. The LLM performance is benchmarked against Census priors and human evaluators. A random control experiment shuffles ad sequences to measure the value of temporal order. The study uses Negative Binomial Regression to quantify ad delivery disparities across demographic groups, with Coverage and Average Intensity as measures, and reports Incidence Rate Ratios with robust standard errors clustered at the user level.
Key Findings
- Algorithmic biases in ad targeting: Descriptive analysis shows significant, systematic skews in sensitive categories. Gambling ads exhibit higher exposure for socioeconomically vulnerable groups, including lower educational attainment and unemployment, with men showing markedly higher exposure than women. Politics ads concentrate among older age groups, retired individuals, and those with declared party preferences. Education and Careers ads show no evidence of systematic opportunity exclusion in ad delivery.
- Description of method for measuring bias: Two stage analysis using Coverage and Average Intensity, followed by Negative Binomial Regression controlling for demographic factors; results reported as incidence rate ratios with 95 confidence intervals.
- Session level reconstruction: Gemini 2.0 Flash processes each ad to generate a structured feature set; zero shot classification on six demographics per session shows higher than chance accuracy for several attributes, with gender being the strongest signal at session level and age income harder to classify exactly due to many categories.
- User level reconstruction: Aggregating session level summaries into a longitudinal narrative allows a final user level demographic inference. Gemini 2.0 Flash and an Australian context augmented model Gemini augment robustly against census baselines. Gender reconstruction at user level achieves 76.38 per cent accuracy and 76.35 per cent F1 score, far exceeding baselines. Age accuracy improves to 41.18 per cent with a F1 of 34.57 per cent; lenient evaluation raises age accuracy to 80.55 per cent and F1 to 79.03 per cent. Education F1 reaches 34.37 per cent and Party accuracy 41.60 per cent. Employment shows strong gains (accuracy 62.46 per cent, F1 35.63 per cent) while Income remains more challenging.
- Temporal sequence signals improve reconstruction: A random control where ad order is shuffled reduces performance at session level but shows stronger effects at user level, indicating that long term temporal dynamics provide useful signals for profiling. Australian contextual prompts offer modest improvements in some attributes, particularly Party preference.
- Near misses reveal risk: For ordinal attributes like Age and Income, the model often yields near correct predictions, suggesting a robust underlying signal even when exact classification is difficult.
Limitations
The study relies on a self selected Australian volunteer cohort, which may not generalise to the broader Facebook population or other jurisdictions. Causal mechanisms behind observed biases remain unclear without access to platform side data. The analysis focuses on Facebook ad delivery; results may differ on other platforms with different ad formats and policies. The LLM based reconstruction uses a multi stage pipeline rather than an end to end system, bottlenecked by initial summary generation which may limit optimal inference. Additional sensitive attributes beyond those studied may be encoded in ad streams.
Why It Matters
The research highlights that opaque ad systems and LLMs can leak or infer sensitive user attributes from exposure data, creating security and privacy risks. The findings imply that ad streams constitute a rich digital footprint for public AI inference, with potential for targeted manipulation, discrimination and societal polarization. Practical implications include the need for content level auditing and governance, privacy preserving measures, and stronger transparency mechanisms beyond current ad explainability tools. Policy and governance considerations include adapting privacy frameworks to recognise ad streams as a form of personal data, introducing technical mitigations such as logging restrictions, randomness in sequencing, and restrictions on sensitive category ad delivery; and mandating algorithmic impact assessments that account for emergent demographic signals embedded in content streams.