August 8, 2022

New Study Analyzing Political Advertising on Facebook, Google, and TikTok

By Orestis Papakyriakopoulos, Christelle Tessono, Arvind Narayanan, Mihir Kshirsagar

With the 2022 midterm elections in the United States fast approaching, political campaigns are poised to spend heavily to influence prospective voters through digital advertising. Online platforms such as Facebook, Google, and TikTok will play an important role in distributing that content. But our new study, "How Algorithms Shape the Distribution of Political Advertising: Case Studies of Facebook, Google, and TikTok," which will appear at the Artificial Intelligence, Ethics, and Society conference in August, shows that the platforms' tools for voluntary disclosures about political ads do not provide the transparency the public needs. More details can also be found on our website: campaigndisclosures.princeton.edu.

Our paper conducts the first large-scale analysis of public data from the 2020 presidential election cycle to critically evaluate how online platforms affect the distribution of political advertisements. We analyzed a dataset of over 800,000 ads about the 2020 U.S. presidential election that ran in the two months before the election, which we obtained from the ad libraries that Facebook and Google created to offer more transparency about political ads. We also collected and analyzed 2.5 million TikTok videos from the same period. The platforms created these ad libraries in part to stave off potential regulation such as the Honest Ads Act, which sought to impose greater transparency requirements on platforms carrying political ads. But our study shows that these ad libraries fall woefully short of their own objectives of revealing who pays for the ads and who sees them, as well as the broader objective of bringing transparency to the role online platforms play in shaping the distribution of political advertising.

We developed a three-part evaluative framework to assess the platform disclosures: 

1. Do the disclosures meet the platforms’ self-described objective of making political advertisers accountable?

2. How do the platforms’ disclosures compare against what the law requires for radio and television broadcasters?

3. Do the platforms disclose all that they know about the ad targeting criteria, the audience for the ads, and how their algorithms distribute or moderate content?

Our analysis shows that the ad libraries meet none of these objectives. First, the ad libraries provide only partial disclosures of the audience characteristics and targeting parameters of political ads, and these disclosures do not allow us to understand how political advertisers reached prospective voters. For example, we compared ads in the ad libraries that were shown to different audiences with dummy ads that we created on the platforms (Figure 1). In many cases, we measured a significant difference in the calculated cost per impression between the two types of ads, which we could not explain with the available data.

  • Figure 1. We plot the cost per impression of ads in the ad libraries that were (1) targeted to all genders and ages on Google, (2) targeted to females aged 25-34 on YouTube, (3) seen by all genders and ages in the U.S. on Facebook, and (4) seen only by females of all ages located in California on Facebook. For Facebook, lower and upper bounds are provided for impressions. For Google, lower and upper bounds are provided for cost and impressions, given the extensive "bucketing" of the parameters that the ad libraries perform when reporting them; the bounds are denoted in the figures with boxes, and points represent the median value of each box. We compare the cost per impression of these ads with the cost per impression of a set of dummy ads we placed on the platforms with the exact same targeting parameters and audience characteristics. Black lines represent the upper and lower bounds of an ad's cost per impression as we extracted them from the dummy ads. We label an ad placement as "plausible targeting" when its cost per impression overlaps with the range we calculated, indicating that the ad library plausibly provides all relevant targeting parameters and audience characteristics for the ad. A placement labeled "unexplainable targeting" is an ad whose cost per impression falls outside the upper and lower bounds we calculated, meaning that the platform potentially does not disclose full information about the distribution of the ad.
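To make the comparison in Figure 1 concrete, here is a minimal sketch in Python of the overlap check described above. The spend and impression numbers and the dummy-ad bounds are hypothetical placeholders, not actual ad-library data; the real analysis works with the bucketed spend and impression ranges reported by each platform.

def cpi_bounds(spend_lower, spend_upper, impressions_lower, impressions_upper):
    """Lower and upper bounds on cost per impression from bucketed spend and impressions."""
    return spend_lower / impressions_upper, spend_upper / impressions_lower

def classify_placement(ad_cpi_bounds, dummy_cpi_bounds):
    """Label a placement 'plausible targeting' if the ad's cost-per-impression range
    overlaps the range we measured with our dummy ads, else 'unexplainable targeting'."""
    ad_low, ad_high = ad_cpi_bounds
    dummy_low, dummy_high = dummy_cpi_bounds
    overlaps = ad_low <= dummy_high and dummy_low <= ad_high
    return "plausible targeting" if overlaps else "unexplainable targeting"

# Hypothetical example: an ad reported with $100-$199 spend and 10,000-15,000 impressions,
# compared against dummy ads that cost $0.004-$0.009 per impression.
ad = cpi_bounds(100, 199, 10_000, 15_000)
print(classify_placement(ad, (0.004, 0.009)))  # -> "plausible targeting"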

Second, broadcasters are required to offer advertising space to political advertisers at the same price as they offer it to commercial advertisers. But we find that the platforms charged campaigns different prices for distributing ads. For example, on Facebook the Trump campaign paid more per impression on average (roughly 18 impressions per dollar, or about $0.056 per impression) than the Biden campaign (roughly 27 impressions per dollar, or about $0.037 per impression). On Google, the Biden campaign paid more per impression than the Trump campaign. Unfortunately, while we attempted to control for factors that might account for different prices for different audiences, the data does not allow us to probe the precise reason for the differential pricing.

Third, the platforms do not publicly disclose the detailed audience characteristics that they make available to advertisers, nor do they explain how their algorithms distribute or moderate the ads. For example, we see that campaigns placed ads on Facebook that were ostensibly not targeted by age, yet the ads were not distributed uniformly across age groups. We also find that platforms applied their ad moderation policies inconsistently, with some instances of a moderated ad being removed and others not, and without any explanation for the decision to remove an ad (Figure 2).

  • Figure 2. Comparison of different instances of moderated ads across platforms. The light blue bars show how many instances of a single ad were moderated, and the maroon bars show how many instances of the same ad were not. The results suggest inconsistent moderation of content across platforms, with some instances of the same ad being removed and others not.

Finally, we observed new forms of political advertising that are not captured in the ad libraries. Specifically, campaigns appear to have used influencers to promote their messages without adequate disclosure. For example, on TikTok, we document how political influencers, who were often linked with PACs, generated billions of impressions from their political content. This new type of campaigning remains unregulated, and little is known about the practices and relationships between influencers and political campaigns.

In short, the platforms' self-regulatory disclosures are inadequate, and we need more comprehensive disclosures from platforms to understand their role in the political process. Our key recommendations include:

– Requiring that each political entity registered with the FEC use a single, universal identifier for campaign spending across platforms to allow the public to track their activity.

– Developing a cross-platform data repository, hosted and maintained by a government or independent entity, that collects political ads, their targeting criteria, and the characteristics of the audiences that received them.

– Requiring platforms to disclose information that will allow the public to understand how the algorithms distribute content and how platforms price the distribution of political ads. 

– Developing a comprehensive definition of political advertising that includes influencers and other forms of paid promotional activity.

Toward Trustworthy Machine Learning: An Example in Defending against Adversarial Patch Attacks

By Chong Xiang and Prateek Mittal

Thanks to the stunning advancement of Machine Learning (ML) technologies, ML models are increasingly being used in critical societal contexts, such as in the courtroom, where judges look to ML models to determine whether a defendant is a flight risk, and in autonomous driving, where driverless vehicles operate in downtown city streets. Despite these advantages, ML models are also vulnerable to adversarial attacks, which can be harmful to society. For example, an adversary can augment an image with an adversarial pixel patch to induce misclassification by an image classifier. Such attacks raise questions about the reliability of critical ML systems and have motivated the design of trustworthy ML models.

In this 2-part post on trustworthy machine learning design, we will focus on ML models for image classification and discuss how to protect them against adversarial patch attacks. We will first introduce the concept of adversarial patches and then present two of our defense algorithms: PatchGuard in Part 1 and PatchCleanser in Part 2.

Adversarial Patch Attacks: A Threat in the Physical World

The adversarial patch attack, first proposed by Brown et al., targets image recognition models (e.g., image classifiers). The attacker overlays an image with a carefully generated adversarial pixel patch to induce incorrect model predictions (e.g., misclassification). Below is a visual example of an adversarial patch attack against a traffic sign recognition model: after an adversarial patch is attached, the model's prediction incorrectly changes from "stop sign" to "speed limit 80 sign."

A visual example of an adversarial patch attack, taken from Yakura et al.

Notably, this attack can be realized in the physical world. An attacker can print and attach an adversarial patch to a physical object or scene. Any image taken from this scene then becomes an adversarial image. Just imagine that a malicious sticker attached to a stop sign confuses the perception system of an autonomous vehicle and eventually leads to a serious accident! This threat to the physical world motivates us to study mitigation techniques against adversarial patch attacks.

Unfortunately, security is never easy. An attacker only needs to find one strategy to break the entire system while a defender has to defeat as many attack strategies as possible. 

In the remainder of this post, we discuss how to make an image classification model as secure as possible: able to make correct and robust predictions against attackers who know everything about the defense and who might attempt to use an adversarial patch at any image location and with any malicious content.

This as-robust-as-possible notion is referred to as provable, or certifiable, robustness in the literature. We refer interested readers to the PatchGuard and PatchCleanser papers for formal definitions and security guarantees.

PatchGuard: A Defense Framework Using Small Receptive Field + Secure Aggregation

PatchGuard is a defense framework for certifiably robust image classification against adversarial patch attacks. Its design is motivated by the following question:

How can we ensure that the model prediction is not hijacked by a small localized patch? 

We propose a two-step defense strategy: (1) small receptive fields and (2) secure aggregation. The use of small receptive fields limits the number of corrupted features, and secure aggregation on a partially corrupted feature map allows us to make robust final predictions.  

Step 1: Small Receptive Fields. The receptive field of an image classifier (e.g., CNN) is the region of the input image that a particular feature looks at (or is influenced by). The model prediction is based on the aggregation of features extracted from different regions of an image. By using a small receptive field, we can ensure that only a limited number of features “see” the adversarial patch. 

The example below illustrates that the adversarial patch can corrupt only one feature (the red vector on the right) when we use a model with small receptive fields; the receptive fields are marked with red and green boxes over the images.


We provide another example below for large receptive fields. The adversarial pixels appear in the receptive fields – the area inside the red boxes – of all four features and lead to a completely corrupted feature map, making it nearly impossible to recover the correct prediction. 

Step 2: Secure Aggregation. The use of small receptive fields limits the number of corrupted features and translates the defense into a secure aggregation problem: how can we make a robust prediction based on a partially corrupted feature map? Here, we can use any off-the-shelf robust statistics techniques (e.g., clipping and median) for feature aggregation. 
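As a concrete illustration of this secure aggregation step, here is a minimal sketch in Python, assuming the model produces a feature map of per-location class evidence (one row per receptive-field location). The shapes, the clipping threshold, and the toy numbers are illustrative assumptions, not the exact configuration used in PatchGuard.

import numpy as np

def aggregate_with_robust_statistics(local_evidence, clip_value=1.0):
    """Robustly aggregate per-location class evidence into a prediction.

    local_evidence: array of shape (num_locations, num_classes), one class-evidence
    vector per receptive-field location. With small receptive fields, a patch can
    corrupt only a few rows, and clipping plus the median limit its influence.
    """
    clipped = np.clip(local_evidence, 0.0, clip_value)  # bound each location's influence
    robust_scores = np.median(clipped, axis=0)          # per-class median across locations
    return int(np.argmax(robust_scores))                # predicted class index

# Toy example: 49 locations (a 7x7 feature map), 10 classes.
rng = np.random.default_rng(0)
features = rng.random((49, 10)) * 0.2
features[:, 3] += 0.5     # the true class (3) receives consistent evidence everywhere
features[0, 7] = 100.0    # one location is corrupted by an adversarial patch
print(aggregate_with_robust_statistics(features))  # -> 3, despite the corrupted location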

In our paper, we further propose a more powerful secure aggregation technique named robust masking. Its design intuition is to identify and remove abnormally large features. This mechanism presents the attacker with a dilemma: to launch a successful attack, the attacker must either introduce large malicious feature values, which will be removed by our defense, or use small feature values that can evade the masking operation but are not malicious enough to cause misclassification.
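The following sketch conveys the intuition behind robust masking in a simplified one-dimensional form. It is not the exact PatchGuard algorithm, which operates on two-dimensional feature maps and comes with a formal certification procedure; the window size and array shapes are illustrative assumptions.

import numpy as np

def robust_masking_1d(class_evidence, window_size):
    """Simplified robust masking over a 1-D feature map.

    class_evidence: array of shape (num_locations, num_classes) with non-negative
    per-location class evidence. For each class, we remove (mask) the contiguous
    window with the largest total evidence, since a localized patch can inject
    large evidence only into a small window, and then sum what remains.
    """
    num_locations, num_classes = class_evidence.shape
    masked_scores = np.empty(num_classes)
    for c in range(num_classes):
        evidence = class_evidence[:, c]
        window_sums = [evidence[i:i + window_size].sum()
                       for i in range(num_locations - window_size + 1)]
        masked_scores[c] = evidence.sum() - max(window_sums)  # drop the most suspicious window
    return int(np.argmax(masked_scores))

An attacker who concentrates large evidence for a wrong class inside the patch window sees exactly that window removed, while an attacker who keeps the injected evidence small enough to survive masking usually cannot overturn the benign class's total evidence; this is the dilemma described above.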

This dilemma further allows us to analyze the defense robustness. For example, if we consider a square patch that occupies 1% of image pixels, we can calculate the largest number of corrupted features and quantitatively reason about the worst-case feature corruption (details in the paper). Our evaluation shows that, for 89.0% of images in the test set of the ImageNette dataset (a 10-class subset of the ImageNet dataset), our defense can always make correct predictions, even when the attacker has full access to our defense setup and can place a 1%-pixel square patch at any image location and with any malicious content. We note that the result of 89.0% is rigorously proved and certified in our paper, giving the defense theoretical and formal security guarantees. 
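For intuition about where such a bound comes from, here is a back-of-the-envelope sketch. It assumes a convolutional backbone whose features have receptive fields of r x r pixels with stride s, in which case a patch of width p pixels can overlap at most ceil((p + r - 1) / s) receptive fields along each image dimension. The concrete numbers below are illustrative assumptions, not the exact architecture or certification procedure used in our evaluation.

import math

def max_corrupted_features(patch_size, receptive_field, stride):
    """Upper bound on the number of feature locations whose receptive field
    can overlap a square patch of the given width (in pixels)."""
    per_dim = math.ceil((patch_size + receptive_field - 1) / stride)
    return per_dim, per_dim * per_dim  # per dimension, and over the 2-D feature map

# Illustrative numbers: a 23x23-pixel patch (about 1% of a 224x224 image),
# and a backbone with 17x17-pixel receptive fields and stride 8.
per_dim, total = max_corrupted_features(23, 17, 8)
print(per_dim, total)  # -> 5 features per dimension, at most 25 corrupted feature locations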

Furthermore, PatchGuard scales to more challenging datasets like ImageNet: we achieve certified robustness for 32.2% of ImageNet test images against a 1%-pixel square patch. Note that the ImageNet dataset contains images from 1,000 different categories, which means that an image classifier making random predictions would correctly classify only roughly 1/1000 = 0.1% of images.

Takeaways

The high-level contribution of PatchGuard is a two-step defense framework: small receptive fields and secure aggregation. This simple approach turns out to be a very powerful strategy: the PatchGuard framework subsumes most concurrent works (Clipped BagNet, De-randomized Smoothing) and follow-up works (BagCert, Randomized Cropping, PatchGuard++, ScaleCert, Smoothed ViT, ECViT). We refer interested readers to our robustness leaderboard to learn more about state-of-the-art defense performance.

Conclusion

In this post, we discussed the threat of adversarial patch attacks and presented our PatchGuard defense algorithm (small receptive field and secure aggregation). This defense example demonstrates one of our efforts toward building trustworthy ML models for critical societal applications such as autonomous driving.

In the second part of this two-part post, we will present PatchCleanser, our second example of designing robust ML algorithms.

Switzerland’s E-voting: The Threat Model

Part 5 of a 5-part series starting here

Switzerland commissioned independent expert reviews of the E-voting system built by Swiss Post.   One of those experts concluded, “as imperfect as the current system might be when judged against a nonexistent ideal, the current system generally appears to achieve its stated goals, under the corresponding assumptions and the specific threat model around which it was designed.”

I have explained the ingenious idea behind client-side security in the Swiss Post system: because the voter's computer may be quite insecure, and the client-side voting app may be under the control of a hacker, certain secrets are kept on paper that the computer can't see. Professor Ford, the systems-security expert, points out that part of the threat model is this: if the printing contractor that prints the paper and mails it is corrupt, then the system is insecure.

The new threat model in 2022. I'll now add something to the threat model that I would not have thought about last year: step one of the voter's workflow is to type a 20-character password from the paper into the voting app.

Start voting key:
ti6v-kvtc-yiju-hh5h-pjsk

In the old days (2020 and before) the voter would do this using a physical or on-screen keyboard.  In the modern era (2022) you might do this using Apple’s “live text”, in which you aim your phone camera at anything with text in it, and then you can copy-paste from the picture.  And, of course, if you do that, then the phone sees all the secrets on the paper.

So the security of the Swiss Post E-voting system relies entirely on a trick (that the voter's computer can't know the secret numbers on a piece of paper) that has been made obsolete by advances in consumer technology.

Voter behavior as a component of the threat model.  Experts in voting protocols have come to realize, over the past two decades, the importance of dispute resolution in a voting protocol. That is, suppose a voter realizes, while participating in an e-voting system (or at a physical polling place), that the election system is not properly tallying their vote. Can the voter prove this to the election officials in a way that ensures appropriate action will be taken and their vote will be tallied correctly? If not, then we say the dispute resolution system has failed.

Also, experts have come to understand that voters are only human: they overlook things and they don’t check their work.  So the voting system must have a human-centered design that works for real people.

In my previous post I described the Swiss Post E-voting protocol:

  1. The voter receives a printed sheet in the mail;
  2. The voter copies the start-voting-key into the browser (or voting app);
  3. The voter selects candidates in the app;
  4. The app encodes the ballot using the serial number and transmits it to the servers;
  5. The servers send back “return codes” to the app, which then displays them to the voter;
  6. The voter looks up the return codes on the printed sheet to make sure they match the candidate selections.
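As a rough illustration of steps 4 through 6, here is a minimal sketch in Python of the voter-side return-code check. The data structures and function are hypothetical simplifications for exposition (the codes are the ones from the sample sheet shown later in this post); the real protocol involves cryptographic encoding, return-code computation by multiple servers, and a verifiable tally.

# Hypothetical simplification of the return-code check (step 6 above).
# The printed sheet maps each possible choice to a short "choice return code".
printed_sheet = {
    ("Question 1", "YES"): "1225",
    ("Question 1", "NO"): "7092",
    ("Question 1", "EMPTY"): "2812",
    ("Question 2", "YES"): "9817",
    ("Question 2", "NO"): "2111",
    ("Question 2", "EMPTY"): "6745",
}

def voter_checks_return_codes(selections, codes_displayed_by_app):
    """Compare the codes the app displays with the codes printed on paper.

    selections: dict mapping question -> the voter's chosen answer
    codes_displayed_by_app: dict mapping question -> return code shown by the app
    Returns True only if every displayed code matches the printed code for the
    voter's actual selection; any mismatch means the vote may have been altered.
    """
    return all(
        codes_displayed_by_app.get(question) == printed_sheet[(question, answer)]
        for question, answer in selections.items()
    )

# The voter chose YES on both questions and the app shows matching codes:
selections = {"Question 1": "YES", "Question 2": "YES"}
print(voter_checks_return_codes(selections, {"Question 1": "1225", "Question 2": "9817"}))  # True
# A hacked app that encoded NO on Question 1 instead would trigger the code "7092",
# which a diligent voter catches here:
print(voter_checks_return_codes(selections, {"Question 1": "7092", "Question 2": "9817"}))  # False

This check is the entire basis for detecting a cheating app, which is why the rest of this post focuses on what happens when voters skip it.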

But what if most voters omit step 6, checking the return codes?  Then the voting app could get away with cheating: encode the wrong candidates, the server will send return codes for those wrong candidates, and the voter won’t notice.

To address that problem, Swiss Post added more steps to the protocol:

  7. The voter enters the "ballot casting key" into the app to confirm that they've checked the return codes; the app transmits it to the servers;
  8. The servers transmit another return code, the "vote cast return code," to confirm;
  9. The voter checks that the "vote cast return code" displayed by the app matches the one on the printed sheet.
Ballot casting key: 8147-1584-8
Vote cast return code: 0742-5185

This protocol is becoming ridiculously complex, and not exactly human-centered. Even so, here's how the app could cheat: fail to transmit the "ballot casting key" to the servers, and make up a fake "vote cast return code." If the voter omits step 9, then the app has gotten away with cheating: it didn't manage to cast a vote for the wrong candidate, but it did manage to cancel the voter's ballot.

And what’s the voter supposed to do if the return codes don’t match?  Recall what’s printed in red on the paper:

Choice Return Code:
Question 1: 
YES: 1225
NO: 7092
EMPTY: 2812

Question 2:
YES: 9817
NO: 2111
EMPTY: 6745

Please check that your device displays the correct choice return codes.  If you cannot see the correct codes or in case of doubt, please contact the election authorities (0XX/ XXX XX XX).

And what should the authorities do if voters call that phone number and claim that the return codes don’t match?  This video (found on this page) suggests the answer: the voter is told, “we didn’t count your e-vote, you should vote on paper by physical mail instead.”

A big danger is that voters skip step 6 (diligently checking every return code against the paper printout) and proceed directly to step 7 (entering the "ballot casting key" to submit their ballot). Would voters really do that? Of course they would: research has shown over and over that voters don't carefully reconfirm on paper the choices they made on-screen.

You might think, “I’ll check my own result, so it’s OK.”  But if thousands of your fellow voters are careless with step 6, that allows the voting app (if hacked) to change thousands of their votes, which can change the outcome of your election.  For a full analysis, see Ballot-Marking Devices (BMDs) Cannot Assure the Will of the Voters (here’s the non-paywall version).
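To see why a low verification rate matters at scale, here is a rough back-of-the-envelope sketch in Python. The numbers, including how many votes the attacker alters and what fraction of voters diligently compare their return codes, are assumptions chosen purely for illustration, not measurements of actual voter behavior.

def altered_votes_outcome(votes_altered, check_rate):
    """Rough expected split of altered votes into detected vs. undetected.

    votes_altered: number of ballots a hacked app tries to change
    check_rate: fraction of voters who diligently compare return codes (steps 6 and 9)
    A detected alteration produces, at best, a call to the hotline; an undetected
    alteration silently changes or cancels a vote.
    """
    detected = votes_altered * check_rate          # expected hotline complaints
    undetected = votes_altered * (1 - check_rate)  # expected silently altered votes
    return detected, undetected

# Illustrative assumption: the app alters 5,000 votes and 10% of voters check carefully.
print(altered_votes_outcome(5_000, 0.10))  # -> (500.0, 4500.0)

Even under these made-up numbers, a few hundred hotline calls would coexist with thousands of silently altered votes, which is exactly the dilemma for election authorities discussed in the bullet points below.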

In conclusion, the protocol has many, many steps for the voter to follow, and even then it’s not robust against typical voter behavior.   These issues were left out of the threat model that the experts examined.


Other threats:    For brevity, I didn’t even describe some other threats that the experts should probably consider in their next-round evaluation.  For example:

  • When the (hacked) app transmits a fake vote and displays a fake return-code, it could also display a (fake) “return code doesn’t match, try again” button.  If the user clicks there, then the app transmits the real vote (the one the voter selected) and gets back the real return code.  In that case, the app hasn’t succeeded in stealing this voter’s vote, but the voter is reassured and doesn’t alert the hotline.
  • That last point is an indication of a more general threat:  the hacked app can change the protocol, at least the part of the protocol that involves interaction with the voter, by giving the voter fraudulent instructions.  There could be a whole class of threats there; I invite the reader to invent some.
  • Back to step 9:  Suppose an attacker hacks thousands of voter computers/phones, so thousands of voters get bad return codes (because their votes have been stolen), and some percentage of them notice (in step 9) and call the phone number to report. That is, a couple hundred calls come in to the hotline. Hundreds of calls to the hotline are evidence either that thousands of votes are being stolen or that hundreds of voters are falsely reporting. Should the election be re-run? The point is, the election protocol is not complete without a written protocol for what the authorities should do in this case. And unfortunately, there's nothing good they can do, which is already a serious flaw in the whole system.
  • I discussed, “the (hacked) computer might be able to see what’s on the paper.”  But consider this:  within a few years after deployment of such a system, it’s easy to imagine that voters will pressure election administrators, “can’t you just e-mail my voter-sheet to me (as a PDF) instead of sending paper in physical mail?”  Then it’s trivial for a (hacked) computer or phone to see all the return codes on the voter sheet.  It will be natural for an election administrator to forget that the security of this whole system relies on the fact that the computer can’t see the paper; sending the “paper” as a PDF defeats that crucial security mechanism.
  • The same is true if the voter-sheet is faxed to the voter; these days, fax traffic travels over the internet anyway.