Attribute Inference from Interactive Targeted Ads

arXiv cs.AI Papers

Summary

This paper models how interactive targeted ads can leak user attribute information through observable interactions, and evaluates Bayesian, supervised, and other attack methods on synthetic data. It also discusses disclosure controls as a defense.

arXiv:2606.15209v1 Announce Type: new Abstract: Targeted advertising systems can pair audiences selected by advertisers with ad units that expose visible user actions. When an interaction remains linked to the campaign that elicited it, the advertiser may receive an observation tied to a user rather than only an aggregate report. We model that channel as a noisy oracle for attribute inference. The model separates targeting predicates, exposure, interaction, and disclosure. These boundaries capture the gap between eligibility and delivery, and the gap between interaction and advertiser visibility. We build a reproducible benchmark using synthetic populations calibrated with public data, each with known sensitive labels. A generated campaign semantics layer provides topic variants and response priors. The simulator generates the ground truth, event traces, disclosed observations, and metrics. The evaluation compares Bayesian, supervised, positive and unlabeled, and adaptive attacks under common campaign and disclosure definitions. The final evaluation uses four topic variants, seven simulator seeds, and two interaction settings. Repeated campaigns with identity exposure produce measurable but bounded inference signal. At $160$ campaigns, Bayesian and supervised attacks reach about $0.64$ AUC in the main setting and about $0.65$ AUC in the higher interaction setting. Disclosure policy is the strongest control. Aggregate reporting removes the evaluated oracle input tied to users. Type filtering and randomized disclosure reduce the released signal. The result is a model, artifact, and defense evaluation method for privacy in interactive targeted advertising. The code is available at https://github.com/P-HOW/Interactive-Ad-Oracle.
Original Article
View Cached Full Text

Cached at: 06/16/26, 11:44 AM

# Attribute Inference from Interactive Targeted Ads
Source: [https://arxiv.org/html/2606.15209](https://arxiv.org/html/2606.15209)
###### Abstract

Targeted advertising systems can pair audiences selected by advertisers with ad units that expose visible user actions\. When an interaction remains linked to the campaign that elicited it, the advertiser may receive an observation tied to a user rather than only an aggregate report\. We model that channel as a noisy oracle for attribute inference\. The model separates targeting predicates, exposure, interaction, and disclosure\. These boundaries capture the gap between eligibility and delivery, and the gap between interaction and advertiser visibility\.

We build a reproducible benchmark using synthetic populations calibrated with public data, each with known sensitive labels\. A generated campaign semantics layer provides topic variants and response priors\. The simulator generates the ground truth, event traces, disclosed observations, and metrics\. The evaluation compares Bayesian, supervised, positive and unlabeled, and adaptive attacks under common campaign and disclosure definitions\.

The final evaluation uses four topic variants, seven simulator seeds, and two interaction settings\. Repeated campaigns with identity exposure produce measurable but bounded inference signal\. At160160campaigns, Bayesian and supervised attacks reach about0\.640\.64AUC in the main setting and about0\.650\.65AUC in the higher interaction setting\. Disclosure policy is the strongest control\. Aggregate reporting removes the evaluated oracle input tied to users\. Type filtering and randomized disclosure reduce the released signal\. The result is a model, artifact, and defense evaluation method for privacy in interactive targeted advertising\. The code is available athttps://github\.com/P\-HOW/Interactive\-Ad\-Oracle\.

## IIntroduction

Social platforms now combine targeted advertising with ad units that invite visible user action\. An advertiser defines an audience and campaign criteria through platform tools\. The advertiser then observes delivery reports\. In some platform designs, the advertiser can also inspect user\-facing traces created by the ad\. Prior work has shown that targeting and reporting interfaces can leak information through audience construction and reach estimates\[[1](https://arxiv.org/html/2606.15209#bib.bib1),[2](https://arxiv.org/html/2606.15209#bib.bib2)\]\. Studies of ad explanations show that transparency interfaces can reveal partial views of the targeting process\[[3](https://arxiv.org/html/2606.15209#bib.bib3)\]\. Interactive ads add a signal tied to users\. A platform may expose a reaction or comment as an identifiable engagement record to the advertiser\[[4](https://arxiv.org/html/2606.15209#bib.bib4)\]\. When this signal is tied to a targeted campaign, the advertising system can produce observations tied to users rather than aggregate campaign statistics alone\. The privacy question is whether interactions that expose identity on targeted ads can act as noisy oracles for sensitive attribute inference\.

The attack follows from the interface\. An advertiser can treat a campaign as a query against the platform’s targeting system\. The targeting predicate defines a subset of eligible users or user profiles\. One predicate may match a custom audience\. Another may match an interest group inferred by the platform or a demographic range\. If an identifiable user interacts with the ad, the advertiser learns an observation about that user under a predicate chosen before the campaign ran\. The observation is noisy because targeting eligibility is distinct from ad delivery, while delivery does not imply attention or interaction\. The noise changes the inference problem rather than removing it\. Repeated campaigns create an observation history in which each visible interaction supplies evidence about a user’s relationship to a known predicate\. Across enough predicates, that history can support probabilistic inference about attributes that were never directly disclosed to the advertiser\. This composition of predicates chosen by the advertiser, interactions that expose identity, and repeated campaigns is the systems privacy problem studied here\[[1](https://arxiv.org/html/2606.15209#bib.bib1),[4](https://arxiv.org/html/2606.15209#bib.bib4)\]\.

The work builds on prior research in advertising privacy, transparency, delivery, tracking, and inference\. Studies of microtargeting and advertiser interfaces have shown that ad systems can leak information through platform feedback and audience tools\[[1](https://arxiv.org/html/2606.15209#bib.bib1),[2](https://arxiv.org/html/2606.15209#bib.bib2)\]\. Work on ad transparency has examined how users and auditors observe targeting explanations\[[3](https://arxiv.org/html/2606.15209#bib.bib3)\]\. Work on ad delivery has shown that platform optimization can produce discriminatory outcomes even when the stated targeting choices appear neutral\[[5](https://arxiv.org/html/2606.15209#bib.bib5)\]\. Measurement studies of web tracking have documented infrastructure that links browsing activity, identifiers, and behavioral profiling across sites\[[6](https://arxiv.org/html/2606.15209#bib.bib6)\]\. Privacy attacks in machine learning provide a related method base for inferring hidden properties from observed system outputs\. This base includes membership inference, model inversion, and attribute inference\[[7](https://arxiv.org/html/2606.15209#bib.bib7),[8](https://arxiv.org/html/2606.15209#bib.bib8),[9](https://arxiv.org/html/2606.15209#bib.bib9)\]\. The missing problem is the interaction between targeting predicates chosen by advertisers and ad interactions that expose identity\. Existing work has not provided a systematic account of this interaction as an oracle, or a benchmark for attack and defense evaluation in this setting\.

We organize the paper around four research questions\.RQ1asks whether interactions that expose identity enable sensitive attribute inference when the advertiser knows the predicates it selected and observes the users who interact with its ads\.RQ2asks how risk changes with campaign count, interaction rate, targeting granularity, minimum audience constraints, and disclosure policy\.RQ3asks whether adaptive campaign selection reduces the campaigns or cost needed to reach a target confidence level\.RQ4asks which platform side disclosure defenses reduce the inference channel tied to users while preserving ordinary campaign reporting\.

We answer these questions by introducing an oracle abstraction for interactive targeted ads\. The abstraction separates the campaign predicate chosen by the advertiser from the latent user attribute being inferred\. It also separates both quantities from the noisy interaction process that creates visible evidence\. We instantiate this abstraction in a campaign predicate model with audience constraints and disclosure rules\. The attack section instantiates the inference rule and the campaign selection policy\. The benchmark section instantiates the user population, campaign library, event process, disclosure policies, and calibration splits\. The evaluation then answers RQ1 through RQ4 under common event traces and shared metrics\.

The evaluation isolates the inference channel under controlled disclosure policies\. Synthetic users calibrated from public data provide known ground truth for sensitive attributes\. They support parameter sweeps and repeatable attack comparisons without collecting sensitive labels from real users without consent\. This benchmark design follows the role of controlled datasets in privacy inference evaluation\[[8](https://arxiv.org/html/2606.15209#bib.bib8)\]\. It also follows recent work on synthetic data for personal attribute inference\[[10](https://arxiv.org/html/2606.15209#bib.bib10)\]\. Controlled platform validation, where used, checks whether the assumed disclosure channels exist under consented account conditions\. The defense evaluation includes group size constraints and aggregate reporting\. It also studies noisy release mechanisms\. These choices draw on k\-anonymity and differential privacy as formal privacy tools for reducing individual disclosure from released data\[[11](https://arxiv.org/html/2606.15209#bib.bib11),[12](https://arxiv.org/html/2606.15209#bib.bib12)\]\.

The contributions are:

- •We formalize interactive targeted ads as noisy attribute inference oracles under disclosure policies with visible identity\. This answers RQ1 by defining the observation channel tied to users and the conditions under which campaign predicates become inference evidence\.
- •We instantiate the oracle with Bayesian, supervised, positive and unlabeled, and adaptive attacks\. This answers RQ3 by separating the inference rulefffrom the campaign selection policyπ\\piand by defining confidence and cost metrics for repeated campaigns\.
- •We build a reproducible benchmark with synthetic users and calibration from public data for evaluating RQ1 and RQ2\. The benchmark supports sweeps over campaign count, interaction rate, predicate granularity, minimum audience constraints, and disclosure rules\.
- •We evaluate disclosure defenses for RQ4\. The defense space covers type filtering, randomized identity disclosure, thresholding, and aggregate reporting as transformations of the disclosure mapDD\.

## IIBackground and Motivation

The oracle abstraction in the introduction depends on separating the stages of a targeted advertising system\. A campaign records the advertiser’s objective and budget, together with the ad creative\. The targeting predicate is the advertiser’s chosen condition over platform data\. It may refer to platform attributes, inferred interests, advertiser supplied lists, or audience planning categories\[[13](https://arxiv.org/html/2606.15209#bib.bib13)\]\. Audience construction applies that predicate before the delivery system selects impression opportunities\. Exposure records that an ad was shown to a user\. Engagement records a user action on the ad surface\. Reporting releases campaign statistics\. Disclosure policy determines whether the advertiser receives aggregate measurements or traces tied to users\. Figure[1](https://arxiv.org/html/2606.15209#S2.F1)summarizes the pipeline and the variables used throughout the paper\.

The advertiser controls the campaigncc, predicategcg\_\{c\}, and budgetbcb\_\{c\}\. The platform maps the predicate to an eligible audienceAcA\_\{c\}, selects delivery opportunities, and releases reports or engagement records that expose identity according to a disclosure policy\.

Figure 1:Pipeline view of an interactive targeted ad as a query surface\. The formal model in Section[IV](https://arxiv.org/html/2606.15209#S4)assigns probability models to delivery, interaction, and disclosure\.Prior audits show why these stages cannot be collapsed into a single report\. Microtargeting and PII based targeting can leak information when small predicates reveal whether a person satisfies an advertiser selected condition\[[1](https://arxiv.org/html/2606.15209#bib.bib1),[2](https://arxiv.org/html/2606.15209#bib.bib2)\]\. Delivery is also a separate source of risk\. Platform optimization can change which eligible users receive ads after the predicate is set, producing privacy and fairness concerns even under neutral stated criteria\[[5](https://arxiv.org/html/2606.15209#bib.bib5),[14](https://arxiv.org/html/2606.15209#bib.bib14)\]\. We treat the advertising interface as a query surface\. The advertiser chooses predicates first\. The advertiser later observes delivery outcomes and engagement events\. Campaign reports and disclosure rules determine how those observations are released\. This separation follows audit work that studies targeted advertising through interface controls and observed system behavior\[[15](https://arxiv.org/html/2606.15209#bib.bib15)\]\.

Transparency and disclosure interfaces expose different facts to different actors\. User facing ad explanations give a partial account of why a person saw an ad, often simplifying the path from targeting to delivery\[[3](https://arxiv.org/html/2606.15209#bib.bib3)\]\. Public ad libraries expose archived ads and selected metadata for outside observers\. Security analyses show that these archives can suffer from evasion and completeness failures\[[16](https://arxiv.org/html/2606.15209#bib.bib16)\]\. Advertiser analytics reports expose aggregate campaign performance, including impressions or reach\. Interaction disclosure interfaces differ because they can reveal an identifiable engagement trace to the advertiser who ran the campaign\[[4](https://arxiv.org/html/2606.15209#bib.bib4)\]\.

The privacy channel studied here is an interaction that exposes identity\. Social media studies treat comments and likes as distinct engagement modes\. Reactions and shares are also observable response types on many social surfaces\[[17](https://arxiv.org/html/2606.15209#bib.bib17)\]\. An aggregate engagement count tells the advertiser that some users responded\. A record that exposes identity tells the advertiser which user responded\. When that record is tied to a campaign predicate chosen before delivery, the interaction becomes evidence about the user’s relationship to that predicate\. The evidence remains noisy because eligibility does not imply delivery\. A delivered impression also does not imply exposure, attention, or a decision to interact\. The noise changes inference accuracy, but it does not remove the channel\.

A single visible engagement supplies evidence under one advertiser chosen predicate\. The systems risk arises when the advertiser repeats the process\. Each campaign supplies a chosen condition\. Each engagement that exposes identity supplies an observation under that condition\. Across campaigns, the advertiser obtains a historyHu\(T\)H\_\{u\}^\{\(T\)\}linking predicates to responses by user afterTTcampaigns\. Such histories can support attribute inference because targeting predicates partition users in ways that may correlate with latent traits\. Prior work on microtargeting and nanotargeting shows that advertising predicates can become highly identifying when they isolate small groups or combine several attributes\[[1](https://arxiv.org/html/2606.15209#bib.bib1),[18](https://arxiv.org/html/2606.15209#bib.bib18)\]\.

The inference problem is related to privacy attacks on observed system outputs, but the observable object is different\. Attribute inference studies whether partial knowledge and observed outputs can reveal missing sensitive values\. It also stresses comparison with imputation baselines, which is relevant for evaluating claims in this setting\[[8](https://arxiv.org/html/2606.15209#bib.bib8)\]\. In an interactive ad oracle, the output is not a classifier score\. It is an engagement record that exposes identity after the platform applies targeting, delivery, and disclosure rules\. The attacker still learns from chosen inputs and observed outputs, but the input is a campaign predicate and the output is a disclosed interaction trace\.

Delivery behavior remains part of the oracle model because the delivered audience can differ from the population implied by the predicate alone\[[5](https://arxiv.org/html/2606.15209#bib.bib5),[14](https://arxiv.org/html/2606.15209#bib.bib14)\]\. Tracking and profiling can also affect audience construction by changing correlations among predicates and users\[[6](https://arxiv.org/html/2606.15209#bib.bib6)\]\. The model keeps eligibility separate from delivery\. It also separates engagement, reporting, and disclosure\. This structure lets the attack evaluation vary each component without treating any one platform report as ground truth\.

A controlled benchmark for this setting needs known attributes, repeatable campaign predicates, and disclosure rules that can be varied across runs\. Synthetic or public calibrated users provide ground truth for sensitive attributes while avoiding live experiments that collect sensitive labels from real platform users\[[10](https://arxiv.org/html/2606.15209#bib.bib10),[8](https://arxiv.org/html/2606.15209#bib.bib8)\]\. The same population can support sweeps over campaign count, interaction rate, targeting granularity, and audience size constraints\. Public calibration gives the synthetic population realistic attribute distributions\. Synthetic records keep the evaluation repeatable while allowing the benchmark to vary disclosure policy\.

Defenses map to the same interface boundaries as the oracle\. Predicate constraints can remove sensitive targeting categories or impose minimum audience sizes before a campaign can run\[[1](https://arxiv.org/html/2606.15209#bib.bib1),[2](https://arxiv.org/html/2606.15209#bib.bib2)\]\. External evaluations of mitigation measures show that platform changes can be studied through observed delivery outcomes, which motivates defense evaluation at both the targeting and delivery layers\[[19](https://arxiv.org/html/2606.15209#bib.bib19)\]\. Disclosure limits can hide identities in engagement records\. Reporting defenses can replace traces tied to users with aggregate reporting\. Group thresholds and k\-anonymity formalize the rule that released records should not single out individuals\[[11](https://arxiv.org/html/2606.15209#bib.bib11)\]\. Randomized response motivates perturbing categorical reports before release\[[20](https://arxiv.org/html/2606.15209#bib.bib20)\]\. Differential privacy gives a formal basis for calibrated noisy release of aggregate statistics\[[21](https://arxiv.org/html/2606.15209#bib.bib21)\]\.

## IIIThreat Model

The threat model fixes the same pipeline at a lower level of abstraction\. LetUUdenote users,𝒞\\mathcal\{C\}denote campaigns,gcg\_\{c\}denote the targeting predicate selected for campaigncc,SuS\_\{u\}denote the sensitive benchmark attribute associated with useruu, andHu\(T\)H\_\{u\}^\{\(T\)\}denote the observation history for useruuafterTTcampaigns\. The attacker is an advertiser operating through the ordinary campaign interface\. Its inputs are campaigns and predicates\. Its outputs are the records released by reporting and disclosure rules\.

TABLE I:Threat model summary\.The attacker knows the predicates it selected and the timing of its own campaigns\. In the fixed setting, it chooses a campaign set before seeing any observations\. In the adaptive setting, it uses earlier reports or disclosed interactions to choose later campaigns\[[15](https://arxiv.org/html/2606.15209#bib.bib15)\]\. Adaptation changes the query strategy, while the action space remains the platform campaign interface\. The attacker treats each campaign as a chosen query\. Its result reflects targeting and delivery effects\. It also reflects user interaction behavior and disclosure policy\. This view follows audit methods that study advertising systems by varying interface inputs and observing released outputs\[[15](https://arxiv.org/html/2606.15209#bib.bib15)\]\.

The target is a user whose identity becomes visible to the advertiser through one or more campaign interactions\. In validation experiments, a target can also be a controlled or consented account whose attributes are known to the experimenter\. The sensitive attribute is a private label represented in the benchmark\. Examples include health interest and political interest\. Other benchmark labels can encode financial stress or parent status\. The attack objective is to estimateSuS\_\{u\}from the target’s observation historyHu\(T\)H\_\{u\}^\{\(T\)\}rather than from an explicit release of the sensitive label\[[8](https://arxiv.org/html/2606.15209#bib.bib8)\]\.

The model distinguishes direct sensitive predicates from proxy predicates\. A direct sensitive predicate is closely tied to the label, when the platform permits such a criterion under its rules\. A proxy predicate is a nonsensitive feature with statistical dependence on the label\. The attack can use either type when the predicate is permitted and the campaign satisfies the platform constraints\. Attribute inference work frames this task as estimating hidden values from observed records and auxiliary structure, rather than from an explicit release of the target attribute\[[7](https://arxiv.org/html/2606.15209#bib.bib7),[8](https://arxiv.org/html/2606.15209#bib.bib8)\]\.

The core observation is an interaction that exposes identity linked to a campaign\. The record binds a visible user identity to a campaign chosen by the advertiser and to the disclosure policy that made the engagement inspectable\. The exact interaction type depends on platform design\. The model covers visible comments and reactions when the interface exposes them to the advertiser\[[4](https://arxiv.org/html/2606.15209#bib.bib4)\]\. It also covers other visible engagement traces under the same disclosure rule\. The observation history for a target is the sequence of disclosed interactions, paired with the predicates and timing of the campaigns that produced them\[[4](https://arxiv.org/html/2606.15209#bib.bib4)\]\.

Aggregate reports are also observations\. Reach and impression measurements give campaign level delivery signals\[[2](https://arxiv.org/html/2606.15209#bib.bib2)\]\. Engagement totals give campaign level response signals\. These signals can help the attacker choose later campaigns, estimate base rates, or decide whether to continue a campaign sequence\. The available records consist of disclosed interactions, aggregate reports, and campaign metadata selected by the advertiser\. The hidden part includes eligible users who receive no delivered ad, exposed users who take no visible action, and users whose interactions are hidden by the disclosure policy\. This separation is needed because campaign reports and disclosures tied to users expose different parts of the advertising pipeline\[[15](https://arxiv.org/html/2606.15209#bib.bib15)\]\. Aggregate releases are relevant to privacy because repeated aggregate observations can support inference under realistic attacker knowledge\[[22](https://arxiv.org/html/2606.15209#bib.bib22)\]\.

Platform constraints are part of the threat model\. Campaigns must satisfy minimum audience sizes, predicate\-combination limits, sensitive\-category rules, and budget limits\. Delivery rules, approval checks, and disclosure rules further restrict the query surface\[[3](https://arxiv.org/html/2606.15209#bib.bib3)\]\. The adaptive attacker chooses legal campaigns within those constraints\[[1](https://arxiv.org/html/2606.15209#bib.bib1),[2](https://arxiv.org/html/2606.15209#bib.bib2)\]\. Delivery noise is included because eligible users and delivered impressions can differ after platform allocation\. Constraints affect attack cost and inference accuracy\. Prior studies of microtargeting and advertising interfaces motivate treating audience\-size thresholds and predicate restrictions as relevant to privacy controls\[[1](https://arxiv.org/html/2606.15209#bib.bib1),[2](https://arxiv.org/html/2606.15209#bib.bib2)\]\.

The base model consists of campaign creation, targeting predicate selection, budget selection, aggregate reporting, and interaction disclosure through advertising and reporting interfaces provided by the platform\[[15](https://arxiv.org/html/2606.15209#bib.bib15)\]\. It covers repeated campaigns and adaptive selection over the same interface\. The base model fixes the advertiser side oracle to records exposed by campaigns, reports, and disclosure policy\. Platform compromise, account takeover, malware, private API abuse, unauthorized collection of private user records, and unparameterized linkage through external data brokers belong to other attacker models\. Parameterized auxiliary information, browser privacy, and tracking strength controls can be added without changing the oracle interface because they change predicate precision and correlation structure rather than the disclosure map\.

The benchmark uses synthetic users or users calibrated from public data so that sensitive labels are known without collecting sensitive labels from real platform users outside the study\. Synthetic personal attribute benchmarks support repeatable inference evaluation with controlled ground truth\[[10](https://arxiv.org/html/2606.15209#bib.bib10)\]\. The evaluation treats attribute labels as benchmark variables, not as labels gathered from nonparticipants\. Public data calibration sets distributions and correlations\. Synthetic users supply the records needed for attack comparison\[[10](https://arxiv.org/html/2606.15209#bib.bib10),[8](https://arxiv.org/html/2606.15209#bib.bib8)\]\.

Controlled validation checks disclosure behavior with controlled or consented accounts\. The validation question is whether a platform interface exposes the interaction record described by the threat model\. Attribute inference is evaluated on benchmark users and controlled accounts\. Retained evidence records aggregate interface behavior or redacted observations, while sensitive labels and nonparticipant identities remain outside the benchmark records\. Group thresholds and calibrated noise provide the basis for later reporting defenses\[[11](https://arxiv.org/html/2606.15209#bib.bib11),[12](https://arxiv.org/html/2606.15209#bib.bib12)\]\. These capabilities, constraints, and observations define the formal oracle model used by the attacks and defenses\.

## IVSystem and Oracle Model

This section formalizes the oracle used by the attacks and the benchmark\. An interactive targeted ad is a noisy query whose output is determined by eligibility, exposure, interaction, and disclosure\.

TABLE II:Notation used in the oracle model\.### Users and campaigns\.

LetU=\{u1,…,uN\}U=\\\{u\_\{1\},\\ldots,u\_\{N\}\\\}be a finite population\. Each useru∈Uu\\in Uhas featuresXu∈𝒳X\_\{u\}\\in\\mathcal\{X\}and a binary benchmark attributeSu∈\{0,1\}S\_\{u\}\\in\\\{0,1\\\}\. The advertiser does not observeSuS\_\{u\}at test time\. A campaign is

c=\(gc,ac,bc\),c=\(g\_\{c\},a\_\{c\},b\_\{c\}\),\(1\)wheregc:𝒳→\{0,1\}g\_\{c\}:\\mathcal\{X\}\\rightarrow\\\{0,1\\\}is the targeting predicate,aca\_\{c\}is the creative or topic, andbc≥0b\_\{c\}\\geq 0is budget or normalized cost\. The eligible audience is

Ac=\{u∈U:gc​\(Xu\)=1\}\.A\_\{c\}=\\\{u\\in U:g\_\{c\}\(X\_\{u\}\)=1\\\}\.\(2\)The legal campaign space is

𝒞legal=\{c∈𝒞:\|Ac\|≥m,bc≤Bmax,gc∈𝒢allowed\}\.\\mathcal\{C\}\_\{\\mathrm\{legal\}\}=\\\{c\\in\\mathcal\{C\}:\|A\_\{c\}\|\\geq m,\\ b\_\{c\}\\leq B\_\{\\max\},\\ g\_\{c\}\\in\\mathcal\{G\}\_\{\\mathrm\{allowed\}\}\\\}\.\(3\)The thresholdmm, budget capBmaxB\_\{\\max\}, and allowed predicate set𝒢allowed\\mathcal\{G\}\_\{\\mathrm\{allowed\}\}encode the platform constraints used in RQ2 and RQ4\.

### Exposure and interaction\.

Eligibility changes the exposure distribution but does not determine exposure\. For each user and campaign,

Eu,c∼Bernoulli​\(pu,cE\),pu,cE=pE​\(u,c;gc,ac,bc,θE\)\.E\_\{u,c\}\\sim\\mathrm\{Bernoulli\}\(p^\{E\}\_\{u,c\}\),\\qquad p^\{E\}\_\{u,c\}=p\_\{E\}\(u,c;g\_\{c\},a\_\{c\},b\_\{c\},\\theta\_\{E\}\)\.\(4\)The model assumes targeting monotonicity:

pE​\(u,c∣gc​\(Xu\)=1\)≥pE​\(u,c∣gc​\(Xu\)=0\)\.p\_\{E\}\(u,c\\mid g\_\{c\}\(X\_\{u\}\)=1\)\\geq p\_\{E\}\(u,c\\mid g\_\{c\}\(X\_\{u\}\)=0\)\.\(5\)Interaction is conditional on exposure:

Pr⁡\(Ru,c=1∣Eu,c=0\)=0\.\\Pr\(R\_\{u,c\}=1\\mid E\_\{u,c\}=0\)=0\.\(6\)Pr⁡\(Ru,c=1∣Eu,c=1\)=pR​\(u,c;Xu,Su,ac,θR\)\.\\Pr\(R\_\{u,c\}=1\\mid E\_\{u,c\}=1\)=p\_\{R\}\(u,c;X\_\{u\},S\_\{u\},a\_\{c\},\\theta\_\{R\}\)\.\(7\)The interaction typeTu,c∈𝒯T\_\{u,c\}\\in\\mathcal\{T\}records the visible action category when an interaction occurs\. The benchmark instantiatespEp\_\{E\}andpRp\_\{R\}through the campaign and interaction parameters evaluated in RQ2\.

### Disclosure and histories\.

Let⊥\\botdenote no released record tied to a user\. A disclosure policy maps event traces to observations visible to advertisers\. Disclosure with visible identity releases a record tied to a user for interactions:

Yu,cid=\{\(u,c,Tu,c\),Ru,c=1,⊥,Ru,c=0\.Y\_\{u,c\}^\{\\mathrm\{id\}\}=\\begin\{cases\}\(u,c,T\_\{u,c\}\),&R\_\{u,c\}=1,\\\\ \\bot,&R\_\{u,c\}=0\.\\end\{cases\}\(8\)Type filtering releases the same record only for shown action types𝒯show⊆𝒯\\mathcal\{T\}\_\{\\mathrm\{show\}\}\\subseteq\\mathcal\{T\}:

Yu,ctype=\{\(u,c,Tu,c\),Ru,c=1​and​Tu,c∈𝒯show,⊥,otherwise\.Y\_\{u,c\}^\{\\mathrm\{type\}\}=\\begin\{cases\}\(u,c,T\_\{u,c\}\),&R\_\{u,c\}=1\\ \\text\{and\}\\ T\_\{u,c\}\\in\\mathcal\{T\}\_\{\\mathrm\{show\}\},\\\\ \\bot,&\\text\{otherwise\}\.\\end\{cases\}\(9\)Randomized identity disclosure samples otherwise visible records with probabilityρ\\rho\. Threshold disclosure releases records that expose identity only when∑v∈URv,c≥k\\sum\_\{v\\in U\}R\_\{v,c\}\\geq k\. Aggregate reporting releases

Ycagg=∑u∈URu,cY\_\{c\}^\{\\mathrm\{agg\}\}=\\sum\_\{u\\in U\}R\_\{u,c\}\(10\)and noYu,cY\_\{u,c\}indexed by user\.

For reporting tied to users, the target history afterTTcampaigns is

Hu\(T\)=\(\(ct,gct,act,bct,Yu,ct\)\)t=1T\.H\_\{u\}^\{\(T\)\}=\\left\(\(c\_\{t\},g\_\{c\_\{t\}\},a\_\{c\_\{t\}\},b\_\{c\_\{t\}\},Y\_\{u,c\_\{t\}\}\)\\right\)\_\{t=1\}^\{T\}\.\(11\)For aggregate reporting, the aggregate history is

G\(T\)=\(\(ct,gct,act,bct,Yct\)\)t=1T\.G^\{\(T\)\}=\\left\(\(c\_\{t\},g\_\{c\_\{t\}\},a\_\{c\_\{t\}\},b\_\{c\_\{t\}\},Y\_\{c\_\{t\}\}\)\\right\)\_\{t=1\}^\{T\}\.\(12\)This separation is the formal boundary for RQ1 and RQ4:Hu\(T\)H\_\{u\}^\{\(T\)\}supports the evaluated attack on histories indexed by users, whileG\(T\)G^\{\(T\)\}is a campaign level history\.

### Attack objective\.

Letℋ\\mathcal\{H\}denote the space of histories indexed by user\. An inference attack is a function

f:ℋ→\{0,1\},S^u=f​\(Hu\(T\)\)\.f:\\mathcal\{H\}\\rightarrow\\\{0,1\\\},\\qquad\\hat\{S\}\_\{u\}=f\(H\_\{u\}^\{\(T\)\}\)\.\(13\)For probabilistic attacks, define

sf​\(u\)=Prf⁡\(Su=1∣Hu\(T\)\)\.s\_\{f\}\(u\)=\\Pr\_\{f\}\(S\_\{u\}=1\\mid H\_\{u\}^\{\(T\)\}\)\.\(14\)An adaptive policy selects legal campaigns by

ct=π​\(H\(t−1\),𝒞legal,Bt\),∑t=1Tcost​\(ct\)≤B0\.c\_\{t\}=\\pi\(H^\{\(t\-1\)\},\\mathcal\{C\}\_\{\\mathrm\{legal\}\},B\_\{t\}\),\\qquad\\sum\_\{t=1\}^\{T\}\\mathrm\{cost\}\(c\_\{t\}\)\\leq B\_\{0\}\.\(15\)This notation connects the oracle to RQ3:ffdetermines inference, whileπ\\pidetermines the next legal query\.

### Bayesian baseline\.

For a campaigncc, sensitive values∈\{0,1\}s\\in\\\{0,1\\\}, and observation tied to a useryy, define

qc,s​\(y\)=Pr⁡\(Yu,c=y∣Su=s,c\)\.q\_\{c,s\}\(y\)=\\Pr\(Y\_\{u,c\}=y\\mid S\_\{u\}=s,c\)\.\(16\)Letπ0=Pr⁡\(Su=1\)\\pi\_\{0\}=\\Pr\(S\_\{u\}=1\)\. Under conditional independence of campaign observations givenSuS\_\{u\}, the posterior log odds are

log⁡Pr⁡\(Su=1∣Hu\(T\)\)Pr⁡\(Su=0∣Hu\(T\)\)=log⁡π01−π0\+∑t=1Tlog⁡qct,1​\(Yu,ct\)qct,0​\(Yu,ct\)\.\\log\\frac\{\\Pr\(S\_\{u\}=1\\mid H\_\{u\}^\{\(T\)\}\)\}\{\\Pr\(S\_\{u\}=0\\mid H\_\{u\}^\{\(T\)\}\)\}=\\log\\frac\{\\pi\_\{0\}\}\{1\-\\pi\_\{0\}\}\+\\sum\_\{t=1\}^\{T\}\\log\\frac\{q\_\{c\_\{t\},1\}\(Y\_\{u,c\_\{t\}\}\)\}\{q\_\{c\_\{t\},0\}\(Y\_\{u,c\_\{t\}\}\)\}\.\(17\)This expression defines the Bayesian attack used in the evaluation\. The supervised attacks in Section[V](https://arxiv.org/html/2606.15209#S5)use the same histories but relax this conditional independence assumption\.

### Disclosure postprocessing\.

Fix the campaigns and the exposure and interaction trace\. If disclosure policyD2D\_\{2\}is a randomized postprocessing of disclosure policyD1D\_\{1\}, then the observations tied to users released byD2D\_\{2\}contain no more information aboutSuS\_\{u\}than those released byD1D\_\{1\}in the evaluated channel tied to users\. LetO1O\_\{1\}andO2O\_\{2\}be the corresponding observations tied to users\. By the postprocessing condition,O2O\_\{2\}is sampled fromO1O\_\{1\}without readingSuS\_\{u\}or any additional event state\. ThusSu→O1→O2S\_\{u\}\\rightarrow O\_\{1\}\\rightarrow O\_\{2\}is a Markov chain, and the data processing inequality givesI​\(Su;O2\)≤I​\(Su;O1\)I\(S\_\{u\};O\_\{2\}\)\\leq I\(S\_\{u\};O\_\{1\}\)\. Aggregate reporting removes theHu\(T\)H\_\{u\}^\{\(T\)\}input required by the base attack on histories indexed by user; attacks over repeatedG\(T\)G^\{\(T\)\}are a separate aggregate attacker model\.

The next section instantiatesffandπ\\piwith Bayesian, supervised, positive and unlabeled, and adaptive attacks while keeping the same campaign space, disclosure policies, and cost variables\.

## VAttacks

The attacks vary along two axes: the inference ruleffand the campaign selection policyπ\\pi\. LetHT​\(u\)=Hu\(T\)H\_\{T\}\(u\)=H\_\{u\}^\{\(T\)\}denote the target history afterTTcampaigns, and letCL=𝒞legalC\_\{L\}=\\mathcal\{C\}\_\{\\mathrm\{legal\}\}denote the legal campaign space\. All attacks use campaign metadata and outputs released underDD; calibration data are available only in the benchmark or shadow population setting\.

### Attack surface\.

The attacker is the advertiser defined in the threat model\. For each selected campaignctc\_\{t\}, the attacker knows the predicategctg\_\{c\_\{t\}\}, where eligibility is evaluated throughgct​\(Xu\)g\_\{c\_\{t\}\}\(X\_\{u\}\)\. The attacker also knows the creative or topicacta\_\{c\_\{t\}\}, the cost variablebctb\_\{c\_\{t\}\}, the legal spaceCLC\_\{L\}, and the remaining budgetBtB\_\{t\}\. These records match advertiser side audit settings where campaign inputs and released outputs can reveal information about selected audiences\[[1](https://arxiv.org/html/2606.15209#bib.bib1),[2](https://arxiv.org/html/2606.15209#bib.bib2),[15](https://arxiv.org/html/2606.15209#bib.bib15)\]\.

The released observation depends onDD\. Under disclosure with visible identity, the attacker observesYu,ctY\_\{u,c\_\{t\}\}when useruuappears in a disclosed interaction record\. Under reporting only or mixed disclosure, the attacker may observe aggregate outputsYctY\_\{c\_\{t\}\}or historiesG\(T\)G^\{\(T\)\}\. Such outputs can guide later campaign choices, but inference about a target user depends on the target history available toff\. Engagement that exposes identity is the channel that binds a person to the campaign that induced the observation\[[4](https://arxiv.org/html/2606.15209#bib.bib4)\]\.

### Bayesian oracle attack\.

The Bayesian attack instantiatesffas a posterior threshold rule\. Its score is

sBayes​\(u\)=Pr⁡\(Su=1∣HT​\(u\)\)\.s\_\{\\mathrm\{Bayes\}\}\(u\)=\\Pr\(S\_\{u\}=1\\mid H\_\{T\}\(u\)\)\.\(18\)Given a confidence thresholdτ\\tau, the decision rule is

S^u=𝟙​\{sBayes​\(u\)≥τ\}\.\\hat\{S\}\_\{u\}=\\mathbb\{1\}\\\{s\_\{\\mathrm\{Bayes\}\}\(u\)\\geq\\tau\\\}\.\(19\)For campaigncc, sensitive values∈\{0,1\}s\\in\\\{0,1\\\}, and observationy∈𝒴y\\in\\mathcal\{Y\}, the attack estimates

qc,s​\(y\)=Pr⁡\(Yu,c=y∣Su=s,c\)\.q\_\{c,s\}\(y\)=\\Pr\(Y\_\{u,c\}=y\\mid S\_\{u\}=s,c\)\.\(20\)The valueqc,s​\(y\)q\_\{c,s\}\(y\)is estimated from calibration users or simulator parameters\. The posterior factorization is defined in Section[IV](https://arxiv.org/html/2606.15209#S4); this section uses it as a baseline rather than repeating the derivation\. The baseline is useful because each campaign contributes an explicit evidence term, which makes it possible to compare later learned attacks against a transparent probabilistic rule\. This framing follows prior membership and attribute inference work that estimates hidden properties from observable system behavior\[[7](https://arxiv.org/html/2606.15209#bib.bib7),[8](https://arxiv.org/html/2606.15209#bib.bib8)\]\.

### Supervised shadow attack\.

The supervised attack replaces the explicit likelihood model with a learned predictor\. Define the feature map

ϕ​\(HT​\(u\)\)∈ℝd\.\\phi\(H\_\{T\}\(u\)\)\\in\\mathbb\{R\}^\{d\}\.\(21\)The learned score is

ssup​\(u\)=hω​\(ϕ​\(HT​\(u\)\)\)\.s\_\{\\mathrm\{sup\}\}\(u\)=h\_\{\\omega\}\(\\phi\(H\_\{T\}\(u\)\)\)\.\(22\)The vectorϕ​\(HT​\(u\)\)\\phi\(H\_\{T\}\(u\)\)encodes disclosed interaction indicators\. It can also encode interaction types, aggregate outputs, predicate metadata, and cost features\. The classifierhωh\_\{\\omega\}is trained on synthetic or shadow users with knownSuS\_\{u\}and evaluated on held out target users\. The benchmark uses logistic regression, random forests, and gradient boosted trees as classifier families\.

This attack relaxes the conditional independence assumption used by the Bayesian baseline\. A learned model can represent correlations among predicates when those correlations appear in the shadow data\. It can also represent repeated observation patterns induced by delivery and disclosure\. The input boundary remains the same: histories are created from selected campaigns and outputs released underDD\. Learned privacy attacks motivate comparing such predictors with explicit posterior rules\[[9](https://arxiv.org/html/2606.15209#bib.bib9),[7](https://arxiv.org/html/2606.15209#bib.bib7)\]\.

### Positive and unlabeled attack\.

Disclosure with visible identity makes an observed interaction positive evidence, while absence from a disclosed list is censored\. Define

Zu,c=𝟙​\{Yu,c​exposes identity\}\.Z\_\{u,c\}=\\mathbb\{1\}\\\{Y\_\{u,c\}\\text\{ exposes identity\}\\\}\.\(23\)The closed world setting treats missing disclosed records as negative observations:

Zu,c=0is treated as negative\.Z\_\{u,c\}=0\\quad\\text\{is treated as negative\.\}\(24\)The open world setting treats the same value as unlabeled:

Zu,c=0is treated as unlabeled\.Z\_\{u,c\}=0\\quad\\text\{is treated as unlabeled\.\}\(25\)The closed world variant tests the effect of complete observation over target disclosures\. The open world variant tests the effect of censoring by delivery, attention, interaction, or disclosure\. Comparing the two settings measures sensitivity to observation completeness, which is central when an advertiser sees visible engagements but not a complete absent event log\[[4](https://arxiv.org/html/2606.15209#bib.bib4),[8](https://arxiv.org/html/2606.15209#bib.bib8)\]\.

### Adaptive campaign selection\.

The adaptive attack chooses later campaigns after observing earlier outputs\. Its policy is

ct=π​\(H\(t−1\),CL,Bt\)\.c\_\{t\}=\\pi\(H^\{\(t\-1\)\},C\_\{L\},B\_\{t\}\)\.\(26\)Forp∈\(0,1\)p\\in\(0,1\), define binary entropy as

Hb​\(p\)=−p​log⁡p−\(1−p\)​log⁡\(1−p\)\.H\_\{b\}\(p\)=\-p\\log p\-\(1\-p\)\\log\(1\-p\)\.\(27\)Letst−1​\(u\)s\_\{t\-1\}\(u\)be the current posterior score for targetuu\. The expected information gain of candidate campaignccis

EIG​\(c∣H\(t−1\)\)=Hb​\(st−1​\(u\)\)−𝔼Y​\[Hb​\(st​\(u;Y\)\)\],\\mathrm\{EIG\}\(c\\mid H^\{\(t\-1\)\}\)=H\_\{b\}\(s\_\{t\-1\}\(u\)\)\-\\mathbb\{E\}\_\{Y\}\\left\[H\_\{b\}\(s\_\{t\}\(u;Y\)\)\\right\],\(28\)where the expectation is overY∼P\(⋅∣c,H\(t−1\)\)Y\\sim P\(\\cdot\\mid c,H^\{\(t\-1\)\}\)\. The normalized by cost rule is

ct=arg⁡maxc∈CLcost​\(c\)≤Bt⁡EIG​\(c∣H\(t−1\)\)cost​\(c\)\+λ\.c\_\{t\}=\\arg\\max\_\{\\begin\{subarray\}\{c\}c\\in C\_\{L\}\\\\ \\mathrm\{cost\}\(c\)\\leq B\_\{t\}\\end\{subarray\}\}\\frac\{\\mathrm\{EIG\}\(c\\mid H^\{\(t\-1\)\}\)\}\{\\mathrm\{cost\}\(c\)\+\\lambda\}\.\(29\)Hereλ\>0\\lambda\>0is a stabilizer for small costs\. This rule selects legal campaigns by expected uncertainty reduction per unit cost\. Nonadaptive attacks fix the campaign sequence before observations, while adaptive attacks treat the advertising interface as an interactive query surface\. Audit work motivates this view because later queries can depend on earlier platform outputs\[[15](https://arxiv.org/html/2606.15209#bib.bib15)\]\.

Aggregate reports can enter the expectation throughYcY\_\{c\}orG\(T\)G^\{\(T\)\}when the disclosure policy releases campaign level outputs\. These reports can update base rate estimates or change the estimated value of future queries when no observation indexed by user is released\. The final decision for a target still uses the inference ruleffon the available target history\. This separation preserves the distinction between histories indexed by user and aggregate histories established by the oracle model\.

### Stopping rules and baselines\.

For a confidence thresholdτ\\tau, define the first threshold crossing time as

Tτ​\(u\)=min⁡\{t:max⁡\(st​\(u\),1−st​\(u\)\)≥τ\}\.T\_\{\\tau\}\(u\)=\\min\\\{t:\\max\(s\_\{t\}\(u\),1\-s\_\{t\}\(u\)\)\\geq\\tau\\\}\.\(30\)The campaign cost incurred by that time is

Cτ​\(u\)=∑t=1Tτ​\(u\)cost​\(ct\)\.C\_\{\\tau\}\(u\)=\\sum\_\{t=1\}^\{T\_\{\\tau\}\(u\)\}\\mathrm\{cost\}\(c\_\{t\}\)\.\(31\)A run without threshold crossing before budget exhaustion is recorded as a no threshold run\. This convention separates failed confidence attainment from late success and lets the evaluation compare accuracy, confidence, and cost under the same trace\.

The benchmark evaluates random legal campaign selection, nonadaptive informative campaigns, Bayesian posterior inference, and supervised shadow inference\. It also evaluates positive and unlabeled inference, greedy expected information gain selection, and normalized by cost adaptive selection\. These baselines instantiate both axes of the attack definition:ffdetermines howHT​\(u\)H\_\{T\}\(u\)is mapped toS^u\\hat\{S\}\_\{u\}, whileπ\\pidetermines which legal campaign is queried next\.

The next section constructs the benchmark users and campaign predicates\. It then defines event models, disclosure policies, and calibration splits needed to instantiate these attacks\.

## VIBenchmark and Evaluation Setup

### Benchmark goals\.

The benchmark instantiates the oracle model and attacks as a reproducible artifact\. It generates a user populationUU, observable featuresXuX\_\{u\}, hidden labelsSuS\_\{u\}, legal campaignsCLC\_\{L\}, exposure eventsEu,cE\_\{u,c\}, interaction eventsRu,cR\_\{u,c\}, disclosed observationsYu,cY\_\{u,c\}, user historiesHT​\(u\)H\_\{T\}\(u\), aggregate historiesG\(T\)G^\{\(T\)\}, and campaign costs\. The same interface supports the RQ2 sweeps over campaign count, interaction rate, predicate granularity, minimum audience size, and disclosure policy\. Run metadata record the population size, campaign count, topic library size, target label, prevalence, random seeds, and exported evidence needed to reproduce a run\.

### Synthetic users and campaign semantics\.

Each generated user has platform side featuresXuX\_\{u\}and a hidden benchmark labelSuS\_\{u\}\. The feature vector contains demographic buckets, household\-status proxies, interest proxies, activity level, comment propensity, and reaction propensity\. The label generator uses

Pr⁡\(Su=1∣Xu\)=σ​\(γ0\+γ⊤​ϕ​\(Xu\)\)\.\\Pr\(S\_\{u\}=1\\mid X\_\{u\}\)=\\sigma\(\\gamma\_\{0\}\+\\gamma^\{\\top\}\\phi\(X\_\{u\}\)\)\.\(32\)Hereσ\\sigmais the logistic link andϕ​\(Xu\)\\phi\(X\_\{u\}\)is the generator feature map\. The evaluator observesSuS\_\{u\}for scoring, while the attacker observes only campaign histories and permitted calibration data\. The artifact can use an LLM to improve campaign semantics under a fixed schema\. This layer proposes topic names, short ad texts, proxy feature mappings, sensitive risk tags, and relative response tendencies\. The simulator clips, normalizes, audits, and logs those values before using them as response priors\. It still generatesSuS\_\{u\},Eu,cE\_\{u,c\},Ru,cR\_\{u,c\},Yu,cY\_\{u,c\}, attack labels, and metrics\. A deterministic fallback topic library keeps the benchmark runnable without external API access\.

### Campaigns and events\.

Each campaign isc=\(gc,ac,bc\)c=\(g\_\{c\},a\_\{c\},b\_\{c\}\)\. The predicategcg\_\{c\}is a Boolean expression over generated features, the topicaca\_\{c\}is drawn from the topic library, andbcb\_\{c\}is a normalized campaign cost\. The induced audience

Ac=\{u∈U:gc​\(Xu\)=1\}A\_\{c\}=\\\{u\\in U:g\_\{c\}\(X\_\{u\}\)=1\\\}\(33\)must satisfy\|Ac\|≥m\|A\_\{c\}\|\\geq m\. Predicate length controls targeting granularity, subject to the same legality and audience\-size rules at every length\. Eligibility increases exposure probability but does not determine exposure\. The simulator first samplesEu,cE\_\{u,c\}and then samplesRu,cR\_\{u,c\}conditional on exposure:

Pr⁡\(Ru,c=1∣Eu,c=1\)=pR​\(u,c;Xu,Su,ac,θR\)\.\\Pr\(R\_\{u,c\}=1\\mid E\_\{u,c\}=1\)=p\_\{R\}\(u,c;X\_\{u\},S\_\{u\},a\_\{c\},\\theta\_\{R\}\)\.\(34\)The parameterθR\\theta\_\{R\}contains the base interaction rate, topic relevance weights, response noise, and feature correlation controls\. The simulator enforcesPr⁡\(Ru,c=1∣Eu,c=0\)=0\\Pr\(R\_\{u,c\}=1\\mid E\_\{u,c\}=0\)=0\. Tracking strength is a benchmark knob that changes predicate precision and correlation strength; it is not a live platform measurement\.

### Disclosure and splits\.

The benchmark implements disclosure with visible identity, type filtered disclosure, aggregate reporting,kk\-threshold disclosure, and randomized identity disclosure\. Identity exposure and type filtered policies produceHT​\(u\)H\_\{T\}\(u\)\. Thresholded and randomized policies may produce partial user histories\. Aggregate reporting producesG\(T\)G^\{\(T\)\}rather than indexed by user histories\. Defense experiments reuse the same event traces when possible and vary only the disclosure map\. Generated users are split into calibration, training, and held out sets\. Calibration estimates likelihood terms such asqc,s​\(y\)q\_\{c,s\}\(y\)\. Training supports supervised shadow attacks\. Held out users support attack evaluation under fixed campaign and disclosure definitions\.

TABLE III:Benchmark parameters recorded by the artifact\.
### Attack baselines and metrics\.

The evaluation maps directly to RQ1 through RQ4\. It measures whetherHT​\(u\)H\_\{T\}\(u\)contains signal aboutSuS\_\{u\}beyond the prior, how the signal changes across benchmark knobs, whether adaptive selection reduces campaigns or cost to confidence, and how disclosure policies change the oracle input under a common event trace\. All baselines use the same campaign library, split assignment, disclosure policy, and held out users\. The baseline set includes prior baseline scoring, random legal selection, nonadaptive informative selection, Bayesian posterior inference, supervised shadow inference, positive and unlabeled inference, greedy expected information gain selection, and normalized by cost adaptive selection\. Microtargeting and nanotargeting results motivate comparing legal predicate choice against prevalence and random legal selection\[[1](https://arxiv.org/html/2606.15209#bib.bib1),[18](https://arxiv.org/html/2606.15209#bib.bib18)\]\.

TABLE IV:Evaluation metrics for inference quality, posterior confidence, and attack cost\.
### Sweeps and validity checks\.

The campaign count sweep evaluates attacks after increasing prefixes of the campaign sequence\. The interaction rate sweep changes the base response probability\. The predicate granularity and minimum audience sweeps vary predicate length andmm\. The tracking strength sweep changes predicate precision and correlation strength in the generator\[[6](https://arxiv.org/html/2606.15209#bib.bib6)\]\. The disclosure sweep runs common exposure and interaction traces through different mapsDD, and the cost threshold sweep variesτ\\tauand budget settings\. Before interpreting results, the artifact checks split separation, common event traces for defense comparisons, topic library schema validity, the boundary between generated campaign semantics and generated by the simulator ground truth, likelihood sanity forqc,s​\(y\)q\_\{c,s\}\(y\), and negative controls from prior baseline and random selection baselines\.

## VIIEvaluation Results

### Final run\.

This section reports the final benchmark results for the oracle defined in Sections[IV](https://arxiv.org/html/2606.15209#S4)and[VI](https://arxiv.org/html/2606.15209#S6)\. The final run used four automatically generated topic variants, seven simulator seeds, and two interaction settings, for5656total runs\. Each run used80008000synthetic users and160160campaigns\. The target label washealth\_interest\. Generated topic libraries influenced only campaign semantics and response priors\. LabelsSuS\_\{u\}, exposure eventsEu,cE\_\{u,c\}, interaction eventsRu,cR\_\{u,c\}, disclosed observationsYu,cY\_\{u,c\}, attack labels, and metrics were generated by the simulator\.

The results answer RQ1 through RQ4\. Repeated campaigns with identity exposure increase the evidence available in user historiesHT​\(u\)H\_\{T\}\(u\), answering RQ1\. The two interaction settings and campaign count sweeps measure how the channel changes with interaction density and repeated queries, answering RQ2\. The confidence and cost curves evaluate the stopping behavior used by adaptive policies, answering RQ3\. The disclosure policy comparison evaluates platform side defenses, answering RQ4\.

### Attack performance\.

Table[V](https://arxiv.org/html/2606.15209#S7.T5)summarizes attack performance at the maximum campaign count\. At160160campaigns, the Bayesian and supervised attacks reach about0\.640\.64AUC in the main setting and about0\.650\.65AUC in the higher interaction setting\. Bayesian AUPRC follows the same pattern\. The benchmark records about1\.041\.04visible observations per evaluation user in the main setting and about1\.331\.33in the higher interaction setting\. These values show that repeated campaigns produce usable signal, but the signal remains noisy\. The result matches the model in Section[IV](https://arxiv.org/html/2606.15209#S4): campaign histories compose evidence, while delivery, interaction, and disclosure noise constrain recovery ofSuS\_\{u\}\.

TABLE V:Main inference results at160160campaigns\. Values are means across2828runs per setting, with standard deviations in parentheses\. The main setting is the conservative configuration\. The higher interaction setting increases event density while keeping the same population, campaign, and disclosure interface\.The bounded strength is important for interpretation\. The evaluated attacks are stronger than prior baseline scoring, but the oracle derives its signal from repeated observations under legal campaign predicates\. This supports comparing oracle based inference against prevalence and imputation baseline baselines, rather than treating any ranking gain as direct disclosure\[[8](https://arxiv.org/html/2606.15209#bib.bib8)\]\.

![Refer to caption](https://arxiv.org/html/2606.15209v1/x1.png)\(a\)Main: AUC increases with the number of queried campaigns\.
![Refer to caption](https://arxiv.org/html/2606.15209v1/x2.png)\(b\)Higher interaction: the same trend appears with a larger signal\.
![Refer to caption](https://arxiv.org/html/2606.15209v1/x3.png)\(c\)Main: high confidence decisions remain limited\.
![Refer to caption](https://arxiv.org/html/2606.15209v1/x4.png)\(d\)Higher interaction: more observations increase confidence crossings\.

Figure 2:Campaign count and confidence sweeps\.The top row shows the inference signal as campaigns accumulate\. Bayesian AUC rises from0\.5320\.532to0\.6360\.636in the main setting and from0\.5410\.541to0\.6540\.654in the higher interaction setting\. The bottom row reports the fraction of evaluated users whose posterior confidence crosses0\.700\.70\. The same monotone pattern appears, but high confidence decisions remain a minority of runs in the main setting\. Together, the four panels show that the oracle is compositional: repeated campaigns with identity exposure add evidence, while interaction noise keeps the attack bounded\.
### Disclosure policies\.

Table[VI](https://arxiv.org/html/2606.15209#S7.T6)shows that the disclosure mapDDis the strongest control in both settings\. Disclosure with visible identity gives the evaluated attacks a history indexed by user and yields Bayesian AUC0\.6360\.636in the main setting and0\.6540\.654in the higher interaction setting\. Aggregate reporting remains at prior ranking with AUC0\.5000\.500and releases no observations tied to users in the base oracle\. This matches the aggregate history definition and the disclosure postprocessing argument in Section[IV](https://arxiv.org/html/2606.15209#S4): the evaluated attack on histories indexed by user needs an input historyHT​\(u\)H\_\{T\}\(u\)\.

TABLE VI:Disclosure policy effects under the final run\. Values are mean Bayesian AUC across runs, with standard deviations in parentheses\. Aggregate reporting remains at chance level ranking in both settings\. Type filtering and randomized identity disclosure reduce the signal, while the evaluated threshold setting remains close to disclosure with visible identity\.Type filtering reduces Bayesian AUC to0\.5840\.584in the main setting and0\.6010\.601in the higher interaction setting\. Randomized identity disclosure weakens the oracle to0\.5920\.592and0\.6090\.609\. Thresholded disclosure remains close to disclosure with visible identity in both configurations, indicating that the evaluated threshold does not bind strongly under these event distributions\. These results support evaluating defenses as transformations ofDD, not only as written platform policies\. Thresholds, randomized release, and aggregate reporting are standard mechanisms for reducing individual disclosure from released records or statistics\[[11](https://arxiv.org/html/2606.15209#bib.bib11),[20](https://arxiv.org/html/2606.15209#bib.bib20),[12](https://arxiv.org/html/2606.15209#bib.bib12)\]\.

![Refer to caption](https://arxiv.org/html/2606.15209v1/x5.png)\(a\)Main: disclosure policy AUC\.
![Refer to caption](https://arxiv.org/html/2606.15209v1/x6.png)\(b\)Higher interaction: disclosure policy AUC\.
![Refer to caption](https://arxiv.org/html/2606.15209v1/x7.png)\(c\)Main: AUC reduction relative to disclosure with visible identity\.
![Refer to caption](https://arxiv.org/html/2606.15209v1/x8.png)\(d\)Higher interaction: AUC reduction relative to disclosure with visible identity\.

Figure 3:Disclosure policy is the dominant platform control\.The top row shows Bayesian AUC under identity exposure, type filtering, randomized identity release, thresholding, and aggregate disclosure\. The bottom row shows the corresponding AUC reduction relative to disclosure with visible identity\. Aggregate reporting returns the evaluated oracle input tied to users to chance level ranking in both settings\. Type filtering and randomized identity disclosure reduce, but do not remove, the signal\. The evaluated threshold setting stays near the identity exposure baseline because the release threshold does not bind strongly for the simulated event rates\.
### Topic library robustness and interaction setting sensitivity\.

Figure[4](https://arxiv.org/html/2606.15209#S7.F4)shows that the main result is stable across generated topic libraries and across interaction settings\. The four variants use different topic library seeds and temperatures\. Bayesian AUC stays in a narrow band around the setting mean\. The higher interaction setting increases AUC from0\.6360\.636to0\.6540\.654and increases visible observations per user from1\.041\.04to1\.331\.33\. This direction matches the oracle model: more visible evidence strengthens inference, while aggregate disclosure still removes the evaluated input tied to users\.

![Refer to caption](https://arxiv.org/html/2606.15209v1/x9.png)\(a\)Interaction setting sensitivity: higher interaction increases AUC\.
![Refer to caption](https://arxiv.org/html/2606.15209v1/x10.png)\(b\)Main: topic library robustness\.
![Refer to caption](https://arxiv.org/html/2606.15209v1/x11.png)\(c\)Higher interaction: topic library robustness\.
![Refer to caption](https://arxiv.org/html/2606.15209v1/x12.png)\(d\)Main: predicate granularity sweep\.
![Refer to caption](https://arxiv.org/html/2606.15209v1/x13.png)\(e\)Higher interaction: predicate granularity sweep\.
![Refer to caption](https://arxiv.org/html/2606.15209v1/x14.png)\(f\)Main: visibility rate heatmap by topic risk and predicate length\.

Figure 4:Robustness and diagnostic checks\.The top row summarizes interaction setting sensitivity and topic library robustness\. The higher interaction setting increases the measured signal, but the same qualitative pattern remains: histories with identity exposure support bounded inference and aggregate disclosure removes the evaluated oracle input tied to users\. The bottom row reports predicate granularity diagnostics\. Predicate length11retains measurable signal, while predicate length33is close to prior ranking because narrower predicates reduce exposure and interaction opportunities under the minimum audience constraint\. The heatmap gives the corresponding visibility pattern in the main setting\.The robustness result addresses a concern specific to the benchmark\. Generated topics are used to improve campaign semantics and response priors, while labels and event outcomes come from the simulator\. Stable behavior across topic variants indicates that the result is a property of the oracle channel grounded in the simulator: campaign predicates, sampled exposure, sampled interaction, and the disclosure map\.

### Cost and predicate granularity\.

Table[VII](https://arxiv.org/html/2606.15209#S7.T7)summarizes two secondary checks\. At confidence thresholdτ=0\.70\\tau=0\.70, the threshold crossing rate is0\.1720\.172in the main setting and0\.2980\.298in the higher interaction setting\. This means that high confidence inference is reached for a minority of target runs under the campaign limit in the main setting, even though ranking performance is above chance\. The cost to confidence result therefore constrains the attack interpretation: the ranking signal is measurable, but high posterior confidence is not routine for every target\.

TABLE VII:Cost and predicate granularity summary\. Values are means across2828runs per setting, with standard deviations in parentheses\. Predicate length11retains measurable signal, while predicate length33is near prior ranking in both settings\.The predicate granularity check shows that narrower predicates do not automatically improve inference\. Predicate length11gives Bayesian AUC0\.6280\.628in the main setting and0\.6440\.644in the higher interaction setting, while predicate length33stays near0\.5010\.501\. Longer predicates narrow the eligible audience, but they also reduce opportunities for exposure and interaction under minimum audience constraints\. This result keeps the threat model tied to the actual query surface: highly specific legal predicates remain relevant to privacy, but their value depends on whether the disclosure channel supplies enough observations indexed by user\.

### Summary\.

The final run connects the four RQs to the measured oracle behavior\. For RQ1, repeated campaigns with identity exposure create a measurable and stable but bounded inference signal\. For RQ2, the signal grows with campaign count and interaction density\. For RQ3, confidence crossing remains limited in the main setting and increases in the higher interaction setting\. For RQ4, disclosure policy controls the channel tied to users: type filtering and randomized disclosure reduce the signal, and aggregate reporting remains at prior ranking in both settings\. The measured oracle is stable across topic variants, and aggregate reporting removes the evaluated inputHT​\(u\)H\_\{T\}\(u\)\.

## VIIIDiscussion

### What the benchmark establishes\.

The benchmark gives a formal and empirical account of interactive targeted ads with identity exposure as noisy attribute inference oracles\. The model fixes the roles of campaign predicates, delivery, interaction, and disclosure\. The artifact then instantiates those roles with known labels, legal campaigns, event traces, and release policies\. The final results answer RQ1 and RQ2 by showing that repeated campaigns with identity exposure create measurable signal inHT​\(u\)H\_\{T\}\(u\)across two interaction settings\. They answer RQ4 by showing that the disclosure mapDDcontrols whether the evaluated attacks receive a history indexed by user\.

### Interpreting bounded attack strength\.

AUC around0\.640\.64in the main setting and0\.650\.65in the higher interaction setting indicates stable inference signal under noisy delivery and interaction\. This distinction matters for platform design\. The oracle becomes meaningful through repeated observations, and the confidence curves quantify how often repeated campaigns reach high posterior confidence\. The result supports the central model: interactive targeted ads form a noisy oracle whose risk depends on campaign repetition and disclosure design\. The bounded signal also makes the defense analysis sharper\. A release policy can reduce or remove the history indexed by user used by the evaluated attacks, even when the underlying event process still produces engagements\.

### Calibration and interface validation\.

The evaluation uses synthetic users calibrated from public data because the oracle channel requires known sensitive labels for scoring\. This design isolates the channel and supports controlled sweeps over campaign count, predicate granularity, interaction rate, tracking strength, and disclosure policy\. Real platform validation fits this structure as an interface check\. Controlled or consented accounts can confirm whether a platform exposes the interaction records represented byYu,cY\_\{u,c\}\. Redacted or aggregate evidence can document disclosure behavior while retaining the benchmark as the place where attribute inference is measured\.

### Automatic topic generation\.

The automatic topic layer improves semantic realism by producing campaign topics, proxy feature mappings, sensitive risk tags, and response prior suggestions\. Generated topic libraries influence only campaign semantics and response priors\. LabelsSuS\_\{u\}, exposure eventsEu,cE\_\{u,c\}, interaction eventsRu,cR\_\{u,c\}, disclosed observationsYu,cY\_\{u,c\}, attack labels, and metrics are generated by the simulator\. The final run uses four topic variants, seven simulator seeds, and two interaction settings, for5656total runs\. Bayesian and supervised AUC reach0\.6360\.636in the main setting and0\.6540\.654or0\.6530\.653in the higher interaction setting, and aggregate reporting stays at prior ranking in the evaluated base oracle\. This supports the conclusion that the disclosure effect is stable across topic libraries and interaction rates\.

### Defense implications\.

The strongest implication concerns disclosure\. Aggregate reporting removes the histories indexed by user used by the evaluated attacks\. Type filtering reduces the signal\. Randomized identity disclosure weakens the oracle\. Thresholding depends on whether the threshold binds under the event distribution\. These findings support evaluating defenses as transformations ofDD\. Written targeting policies matter, but the released observation determines whether an advertiser can constructHT​\(u\)H\_\{T\}\(u\)for the base attack on histories indexed by user\. This disclosure side view also frames interactive advertising as a platform governance problem rather than only a targeting policy problem\. Advertising platforms, like broader AI marketplaces, must balance data utility, participant incentives, trust, auditability, and privacy preserving access to signals derived from users\[[23](https://arxiv.org/html/2606.15209#bib.bib23)\]\.

### Extensions\.

The artifact supports extensions that preserve the same oracle interface\. Public data calibration can replace synthetic marginals with demographic and survey marginals\. Larger seed sweeps can tighten uncertainty intervals\. Controlled validation can measure disclosure behavior on consented accounts\. Browser and tracking strength experiments can be represented as parameterized changes to predicate precision and feature correlation\. Inference from aggregate reports can be evaluated as a separate attacker model overG\(T\)G^\{\(T\)\}\. These extensions keep the contribution centered on the same object: a model, benchmark, and defense analysis for leakage through records tied to users created by interactive targeted advertising disclosure\.

## IXConclusion

Interactive targeted ads combine predicates chosen by advertisers with interactions that expose identity\. This combination creates an observation channel tied to users\. We model that channel as a noisy attribute inference oracle with separate stages for campaign predicates, exposure, interaction, and disclosure\.

The benchmark gives this oracle an executable form\. It uses synthetic users calibrated from public data, known benchmark labels, legal campaign predicates, sampled exposure and interaction events, and controlled disclosure maps\. Automatic campaign semantics make the campaign library more realistic, while the simulator remains the source of labels, events, disclosed observations, and metrics\.

Across four topic variants, seven simulator seeds, and two interaction settings, repeated campaigns with identity exposure produce measurable but bounded inference signal\. At160160campaigns, Bayesian and supervised attacks reach about0\.640\.64AUC in the main setting and about0\.650\.65AUC in the higher interaction setting\. Disclosure policy is the dominant control\. Aggregate reporting removes the evaluated oracle input tied to users\. Type filtering and randomized disclosure reduce the released signal\.

Disclosure design at the platform therefore matters\. Defenses should be evaluated at the disclosure mapDDand reporting interface, not only at targeting policy text\. The result is a model, benchmark, and defense evaluation method for reasoning about privacy leakage from interactive targeted advertising systems\.

## References

- \[1\]A\. Korolova, “Privacy violations using microtargeted ads: A case study,”*Journal of Privacy and Confidentiality*, 2011\. \[Online\]\. Available:https://journalprivacyconfidentiality\.org/index\.php/jpc/article/view/594
- \[2\]G\. Venkatadri*et al\.*, “Privacy risks with facebook’s pii\-based targeting: Auditing a data broker’s advertising interface,” in*IEEE Symposium on Security and Privacy*, 2018\. \[Online\]\. Available:https://conferences\.computer\.org/sp/pdfs/sp/2018/PrivacyRiskswithFacebooksPIIBasedTargeti\.pdf
- \[3\]A\. Andreou, G\. Venkatadri, O\. Goga, K\. P\. Gummadi, P\. Loiseau, and A\. Mislove, “Investigating ad transparency mechanisms in social media: A case study of facebook’s explanations,” in*Network and Distributed System Security Symposium*, 2018\. \[Online\]\. Available:https://www\.ndss\-symposium\.org/wp\-content/uploads/2018/02/ndss2018\\\_10\-1\\\_Andreou\\\_paper\.pdf
- \[4\]J\. B\. Kieserman, A\. Andreou, L\. Edelson, S\. Siby, and D\. McCoy, “Reckless designs and broken promises: Privacy implications of targeted interactive advertisements on social media platforms,”*arXiv*, 2026\. \[Online\]\. Available:https://arxiv\.org/abs/2603\.03659
- \[5\]M\. Ali, P\. Sapiezynski, M\. Bogen, A\. Korolova, A\. Mislove, and A\. Rieke, “Discrimination through optimization: How facebook’s ad delivery can lead to biased outcomes,” in*Proceedings of the ACM on Human\-Computer Interaction*, 2019\. \[Online\]\. Available:https://par\.nsf\.gov/servlets/purl/10195583
- \[6\]S\. Englehardt and A\. Narayanan, “Online tracking: A 1\-million\-site measurement and analysis,” in*ACM Conference on Computer and Communications Security*, 2016\. \[Online\]\. Available:https://webtransparency\.cs\.princeton\.edu/webcensus/
- \[7\]R\. Shokri, M\. Stronati, C\. Song, and V\. Shmatikov, “Membership inference attacks against machine learning models,” in*IEEE Symposium on Security and Privacy*, 2017\. \[Online\]\. Available:https://arxiv\.org/abs/1610\.05820
- \[8\]B\. Jayaraman and D\. Evans, “Are attribute inference attacks just imputation?” in*Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security*, 2022\. \[Online\]\. Available:https://doi\.org/10\.1145/3548606\.3560663
- \[9\]M\. Rigaki and S\. García, “A survey of privacy attacks in machine learning,” in*ACM Computing Surveys*, 2023\. \[Online\]\. Available:https://doi\.org/10\.1145/3624010
- \[10\]H\. Yukhymenko, R\. Staab, M\. Vero, and M\. Vechev, “A synthetic dataset for personal attribute inference,”*arXiv*, 2024\. \[Online\]\. Available:https://arxiv\.org/abs/2406\.07217
- \[11\]L\. Sweeney, “k\-anonymity: A model for protecting privacy,”*International Journal of Uncertainty, Fuzziness and Knowledge\-Based Systems*, 2002\. \[Online\]\. Available:https://www\.hks\.harvard\.edu/publications/k\-anonymity\-model\-protecting\-privacy
- \[12\]C\. Dwork, F\. McSherry, K\. Nissim, and A\. Smith, “Calibrating noise to sensitivity in private data analysis,” in*Theory of Cryptography Conference*, 2006\. \[Online\]\. Available:https://link\.springer\.com/chapter/10\.1007/11681878\\\_14
- \[13\]T\. Beauvisage, J\.\-S\. Beuscart, S\. Coavoux, and K\. Mellet, “How online advertising targets consumers: The uses of categories and algorithmic tools by audience planners,”*New Media & Society*, 2023\. \[Online\]\. Available:https://doi\.org/10\.1177/14614448221146174
- \[14\]D\. Bär, F\. Pierri, G\. D\. F\. Morales, and S\. Feuerriegel, “Systematic discrepancies in the delivery of political ads on facebook and instagram,”*PNAS Nexus*, 2024\. \[Online\]\. Available:https://doi\.org/10\.1093/pnasnexus/pgae247
- \[15\]M\. S\. Lam, A\. Pandit, C\. H\. Kalicki, R\. Gupta, P\. Sahoo, and D\. Metaxa, “Sociotechnical audits: Broadening the algorithm auditing lens to investigate targeted advertising,” in*Proceedings of the ACM on Human\-Computer Interaction*, 2023\. \[Online\]\. Available:https://doi\.org/10\.1145/3610209
- \[16\]L\. Edelson, T\. Lauinger, and D\. McCoy, “A security analysis of the facebook ad library,” in*IEEE Symposium on Security and Privacy*, 2020\. \[Online\]\. Available:https://damonmccoy\.com/papers/ad\\\_library2020sp\.pdf
- \[17\]O\. Tenenboim, “Comments, shares, or likes: What makes news posts engaging in different ways,”*Social Media \+ Society*, 2022\. \[Online\]\. Available:https://doi\.org/10\.1177/20563051221130282
- \[18\]J\. González\-Cabañas, Ángel Cuevas, R\. Cuevas, J\. López\-Fernández, and D\. García, “Unique on facebook: Formulation and evidence of \(nano\)targeting individual users with non\-pii data,”*arXiv*, 2021\. \[Online\]\. Available:https://arxiv\.org/abs/2110\.06636
- \[19\]B\. Imana, Z\. Shen, J\. Heidemann, and A\. Korolova, “External evaluation of discrimination mitigation efforts in meta’s ad delivery,” in*Proceedings of the 2025 ACM Conference on Fairness, Accountability, and Transparency*, 2025\. \[Online\]\. Available:https://doi\.org/10\.1145/3715275\.3732170
- \[20\]S\. L\. Warner, “Randomized response: A survey technique for eliminating evasive answer bias,”*Journal of the American Statistical Association*, 1965\. \[Online\]\. Available:https://www\.tandfonline\.com/doi/abs/10\.1080/01621459\.1965\.10480775
- \[21\]C\. Dwork and A\. Roth, “The algorithmic foundations of differential privacy,”*Foundations and Trends in Theoretical Computer Science*, 2014\. \[Online\]\. Available:https://www\.cis\.upenn\.edu/\\textasciitilde\{\}aaroth/Papers/privacybook\.pdf
- \[22\]V\. Guan, F\. Guépin, A\.\-M\. Creţu, and Y\.\-A\. de Montjoye, “A zeroa auxiliary knowledge membership inference attack on aggregate location data,” in*Proceedings on Privacy Enhancing Technologies*, 2024\. \[Online\]\. Available:https://doi\.org/10\.56553/popets\-2024\-0108
- \[23\]P\. Li, “Web3 meets ai marketplace: Exploring opportunities, analyzing challenges, and suggesting solutions,”*arXiv preprint arXiv:2310\.19099*, 2023\.

Similar Articles

The Attribution Contract: Feature Attribution for Generative Language Models

arXiv cs.LG

This paper introduces the Attribution Contract, a specification for feature-attribution claims in generative language models, addressing ambiguities in what constitutes a feature and how attribution methods should be evaluated. It uses autoregressive and diffusion models as case studies to show when attribution is informative or misleading.