When Ads Become Profiles: Uncovering the Invisible Risk of Web Advertising at Scale with LLMs
Baiyu Chen, Benjamin Tag, Hao Xue, Daniel Angus, Flora Salim
TL;DR
This study demonstrates that passive exposure to online advertisements encodes high-fidelity private attribute signals, which off-the-shelf multimodal LLMs can reverse-engineer into accurate user profiles. By building a three-stage pipeline—multimodal ad understanding, session-level inference, and longitudinal user profiling—using a large Australian dataset, the authors show that zero-shot LLMs can outperform census priors and approach human-level inference, even from short observation windows. The work highlights a critical privacy risk in the era of generative AI and calls for governance measures to address off-platform profiling via benign browser extensions. It also provides a scalable, cost-efficient framework for assessing privacy threats in dynamic, multimodal web data.
Abstract
Regulatory limits on explicit targeting have not eliminated algorithmic profiling on the Web, as optimisation systems still adapt ad delivery to users' private attributes. The widespread availability of powerful zero-shot multimodal Large Language Models (LLMs) has dramatically lowered the barrier for exploiting these latent signals for adversarial inference. We investigate this emerging societal risk, specifically how adversaries can now exploit these signals to reverse-engineer private attributes from ad exposure alone. We introduce a novel pipeline that leverages LLMs as adversarial inference engines to perform natural language profiling. Applying this method to a longitudinal dataset comprising over 435,000 ad impressions collected from 891 users, we conducted a large-scale study to assess the feasibility and precision of inferring private attributes from passive online ad observations. Our results demonstrate that off-the-shelf LLMs can accurately reconstruct complex user private attributes, including party preference, employment status, and education level, consistently outperforming strong census-based priors and matching or exceeding human social perception, while operating at only a fraction of the cost (223$\times$ lower) and time (52$\times$ faster) required by humans. Critically, actionable profiling is feasible even within short observation windows, indicating that prolonged tracking is not a prerequisite for a successful attack. These findings provide the first empirical evidence that ad streams serve as a high-fidelity digital footprint, enabling off-platform profiling that inherently bypasses current platform safeguards, highlighting a systemic vulnerability in the ad ecosystem and the urgent need for responsible web AI governance in the generative AI era. The code is available at https://github.com/Breezelled/when-ads-become-profiles.