Attribute Inference from Interactive Targeted Ads, arXiv benchmark
Bayesian and supervised attacks reach about 0.64 AUC after 160 campaigns; disclosure policy most reduces the released inference signal.
TL;DR
- Bayesian and supervised attacks reach about 0.64 AUC after 160 campaigns; disclosure policy most reduces the released inference signal.
- The work treats the channel created by user interactions with targeted ads as a noisy oracle for attribute inference and evaluates multiple attack strategies and disclosure controls.
- The paper separates four components of an interactive ad pipeline: targeting predicates, exposure, interaction, and disclosure.
Peihao Li submitted a paper titled "Attribute Inference from Interactive Targeted Ads" to arXiv on 13 Jun 2026, presenting a formal model and a reproducible benchmark that measures how much sensitive information advertisers can infer from interactive ad campaigns. The work treats the channel created by user interactions with targeted ads as a noisy oracle for attribute inference and evaluates multiple attack strategies and disclosure controls.
What the paper does
The paper separates four components of an interactive ad pipeline: targeting predicates, exposure, interaction, and disclosure. That decomposition isolates the gap between eligibility and actual delivery, and between an interaction and whether an advertiser sees it. Li builds a simulator that produces ground truth labels, event traces, disclosed observations, and evaluation metrics. The synthetic populations used for the benchmark are calibrated with public data and each carries known sensitive labels. A generated campaign semantics layer supplies topic variants and response priors which drive user reactions in the simulator.
The evaluation compares Bayesian, supervised, positive and unlabeled, and adaptive attacks under common campaign and disclosure definitions. The final evaluation uses four topic variants, seven simulator seeds, and two interaction settings to measure how repeated campaigns and disclosure choices affect inference signal.
Key findings from the benchmark
Repeated campaigns with identity exposure produce measurable but bounded inference signal in the simulated setting. At 160 campaigns, Bayesian and supervised attacks reach about 0.64 AUC in the main setting and about 0.65 AUC in the higher interaction setting. Disclosure policy is identified as the strongest control: aggregate reporting removes the evaluated oracle input tied to users, while type filtering and randomized disclosure reduce the released signal.
The paper has three deliverables: a formal model that distinguishes eligibility, exposure, interaction, and disclosure; a simulator and dataset generation pipeline calibrated to public data; and an evaluation of attack algorithms and disclosure defenses. The code for the benchmark is available at the paper's https URL.
Why it matters
The model shows that interactive ad campaigns can create a channel through which advertisers receive observations tied to individuals rather than only aggregates. That channel can be exploited by several inference strategies; the benchmark quantifies the strength of that signal under controlled, repeatable conditions. The results make clear that disclosure choices materially change the attacker’s input: moving from per-user disclosures to aggregate reporting removes the oracle signal evaluated in this study, and simpler mitigations such as type filtering and randomized disclosure reduce but do not necessarily eliminate signal.
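A toy version of the channel described above, added here as an illustration; it is not the paper's simulator or benchmark code. It scores each user with Bayesian posterior log-odds under per-user, randomized, and aggregate disclosure and returns the AUC for each policy. All rates, the population size, the seed, and the `keep` probability used for randomized disclosure are constructed assumptions, and type filtering is not modeled.

```python
import math, random

# All parameters are constructed for illustration, not taken from the paper.
PRIOR, EXPOSE, Q_POS, Q_NEG = 0.3, 0.5, 0.10, 0.05

def simulate(n_users, n_campaigns, rng):
    """Ground truth labels and per-user interaction counts (the event trace)."""
    labels = [rng.random() < PRIOR for _ in range(n_users)]
    counts = []
    for s in labels:
        p = EXPOSE * (Q_POS if s else Q_NEG)   # eligible -> exposed -> interacts
        counts.append(sum(rng.random() < p for _ in range(n_campaigns)))
    return labels, counts

def disclose(counts, policy, rng, keep=0.25):
    """What the advertiser observes per user, plus the per-event release rate."""
    if policy == "per_user":                   # every interaction tied to its user
        return counts, 1.0
    if policy == "randomized":                 # each event released with prob. keep
        return [sum(rng.random() < keep for _ in range(k)) for k in counts], keep
    if policy == "aggregate":                  # only a population total is released
        return [None] * len(counts), 0.0
    raise ValueError(policy)

def bayes_scores(observed, keep, n_campaigns):
    """Posterior log-odds of the sensitive attribute for each user."""
    prior = math.log(PRIOR / (1 - PRIOR))
    a1, a0 = EXPOSE * Q_POS * keep, EXPOSE * Q_NEG * keep
    out = []
    for k in observed:
        if k is None:                          # no per-user input: posterior = prior
            out.append(prior)
        else:
            out.append(prior + k * math.log(a1 / a0)
                       + (n_campaigns - k) * math.log((1 - a1) / (1 - a0)))
    return out

def auc(labels, scores):
    """Pairwise AUC with ties counted as one half."""
    pos = [x for x, s in zip(scores, labels) if s]
    neg = [x for x, s in zip(scores, labels) if not s]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))

def run(policy, n_users=1000, n_campaigns=160, seed=7):
    rng = random.Random(seed)                  # same seed -> same trace per policy
    labels, counts = simulate(n_users, n_campaigns, rng)
    observed, keep = disclose(counts, policy, rng)
    return auc(labels, bayes_scores(observed, keep, n_campaigns))
```

The AUC values this produces reflect the constructed rates only and are not comparable to the paper's reported numbers; the point is the ordering across disclosure policies.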
What to watch
Look for other researchers to reuse the provided benchmark and simulator (the paper includes code at its https URL) to reproduce or extend the experiments, and for follow-up work that measures how real ad platform disclosure policies map to the paper’s disclosure definitions. Also watch whether future evaluations vary campaign counts, interaction models, or disclosure mechanisms beyond the four topic variants and two interaction settings reported here.
| Item | Main setting (AUC × 100, approx.) | Higher interaction setting (AUC × 100, approx.) |
|---|---|---|
| Bayesian attacks at 160 campaigns | 64 | 65 |
| Supervised attacks at 160 campaigns | 64 | 65 |
Written by The Brieftide · Source: arXiv