> There is no way to match advertising keywords in encrypted content
Complete tangent, since this has nothing to do with what Facebook are looking into here, but:
If you control both ends of the connection (like Facebook does in WhatsApp), you can match on advertising keywords securely. By doing it client-side, after the text is decrypted.
As I understand it, this is essentially what Apple's iAds framework does: all possible advertising content that could be run in an iAd view gets pre-cached on the client; the iAds framework—running inside the client's address space—then chooses what to show the user, selecting ads based on demographic/interest information it has available locally on the device, never leaked outside. The iAd framework then collects just the impression metrics — how many times each ad was shown to a given user — and then every-so-often batches those metrics out to Apple's servers. Apple then reports re-groups and anonymizes these metrics, and reports them to the advertiser / charges the advertiser for them.
Of course, this means that advertisers need to be able to trust Apple's impression reporting; and to do that, they need to trust that Apple has set up iOS devices so that iAd selection + reporting is basically inviolable, such that nobody on the client end is generating false impressions. (Or, at least, that devices generating such impressions can be detected as being jailbroken through some mechanism, and so their iAd impression reports culled from the corpus.)
I think Telegram does that. I had someone send me a message about our video call we had that day and in the same minute I suddenly received a message from Telegram about their video call features
> The iAd framework then collects just the impression metrics — how many times each ad was shown to a given user — and then every-so-often batches those metrics out to Apple's servers.
If Apple knows how many times you were shown each ad, and which keywords are associated with that ad, then they are able to reconstruct which keywords appeared in your encrypted chat, and how often.
I believe the iAd platform offers fine-grained "eyeball" targeting, but not fine-grained context targeting. The iAds framework knows a lot about the device and its owner; but it doesn't/can't directly read the content of the app the iAd gets embedded into (the "host" app) — only the host app's barest metadata, e.g. the App Store category the host app is published under (e.g. Games vs. Productivity vs. Travel, etc.)
In the case of some apps, e.g. Apple's own News app, the app may opt to feed the iAds framework a "context clue" about the content currently being viewed — telling it the category of content being displayed (e.g. is this a Business News story? An Entertainment story? etc.) But this is just a high-level, categorical identifier attached to the metadata of the item being displayed, with no ability for specific content within the viewport to trigger specific ads.
One interesting thing I figure I should highlight from that page, for the sake of people who don't bother to click:
> We create segments, which are groups of people who share similar characteristics, and use these groups for delivering targeted ads. Information about you may be used to determine which segments you’re assigned to, and thus, which ads you receive. To protect your privacy, targeted ads are delivered only if more than 5,000 people meet the targeting criteria.
This is, I believe, a move to combat "seemingly-innocent" targeting rules that nevertheless de-anonymize someone, just because that person is weird. For example, if you're the only Tagalog speaker in Cuba, just plain-old Region+Language targeting that every platform supports would be enough to target+track you specifically. So Apple just won't allow "Cuba+Tagalog" unless there are at least 5000 Tagalog speakers in Cuba with iOS devices.
"and then every-so-often batches those metrics out to Apple's servers" means they do know, even if we trust the implementation.
For example, if you publish an ad that only matches the word "fnord", and the metrics reveal that you were shown that ad at least once, Apple can work out that "fnord" appeared in your chat.
Complete tangent, since this has nothing to do with what Facebook are looking into here, but:
If you control both ends of the connection (like Facebook does in WhatsApp), you can match on advertising keywords securely. By doing it client-side, after the text is decrypted.
As I understand it, this is essentially what Apple's iAds framework does: all possible advertising content that could be run in an iAd view gets pre-cached on the client; the iAds framework—running inside the client's address space—then chooses what to show the user, selecting ads based on demographic/interest information it has available locally on the device, never leaked outside. The iAd framework then collects just the impression metrics — how many times each ad was shown to a given user — and then every-so-often batches those metrics out to Apple's servers. Apple then reports re-groups and anonymizes these metrics, and reports them to the advertiser / charges the advertiser for them.
Of course, this means that advertisers need to be able to trust Apple's impression reporting; and to do that, they need to trust that Apple has set up iOS devices so that iAd selection + reporting is basically inviolable, such that nobody on the client end is generating false impressions. (Or, at least, that devices generating such impressions can be detected as being jailbroken through some mechanism, and so their iAd impression reports culled from the corpus.)