A graduate seminar: current topics in computer security
 

Using web ads to exfiltrate personal data

By now, most users of web-based e-mail clients are used to the disturbingly accurate ads that appear next to their e-mail.  As is well known, the e-mail is scanned for various keywords, and ads are served based on the contents of the message.  In principle, this is not supposed to compromise the confidentiality of your e-mail, because the contents are never shared with the advertiser: they learn only that an ad has been served and whether it has been clicked on.

Threat Model

However, further consideration reveals that this approach creates a potential leak of personal information to the advertiser.  Consider, for example, an advertiser who wants to gather certain pieces of personal information about a specific individual.  They know certain publicly available details about the individual (such as an e-mail address) and are able to register an advertiser account with the e-mail / ad provider.  The advertiser cannot directly access the user's account, but can retrieve standard reporting information, such as display (impression) counts, for their ads.

Attack

If the attacker chooses combinations of keywords that are likely to appear only in e-mails to or from the individual in question, then they can construct ads that will be shown only when e-mails to or from this individual are displayed.  They can then add keywords containing the information they would like to exfiltrate, and observe how frequently the ad is displayed.  If it appears more than a nominal number of times, there is a good likelihood that those keywords are present in the individual's e-mail.

Example

Suppose, for example, that an attacker suspects a certain individual of working on a specific, secret project.  They could create an ad account and insert an ad with the individual's e-mail address and the name of the project as keywords.  If the ad is displayed frequently, it suggests that the project name appears frequently in e-mail to or from that address, and thus that the user is involved with the project.

Notes

An ad provider could try to mitigate this sort of attack by permitting only keywords that appear with a certain level of frequency across its corpus (which would exclude, for example, specific e-mail addresses).  However, because combinations of common words may be quite rare and distinguishing, such an approach would not be sufficient to block the attack.  Only if the provider required that the keyword combination as a whole appeared frequently could the attack be minimized.  Additionally, it is worth noting that the attack would be easy to hide from the user, because most advertising agencies / e-mail providers do not disclose the keywords used to select the ads shown.  The ad itself could be made sufficiently generic that there would be no reason to suspect foul play.
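The attack from the Attack and Example sections, and the two countermeasures discussed in these Notes, as an added simulation that is not part of the original post.  The mailboxes, user names and project names (Nimbus, Aurora, Zephyr) are constructed, and the provider's matching rule (an ad is shown beside every message containing all of its keywords) and its two filtering policies are assumptions made for the simulation, not the behaviour of any real ad network.

```python
import re
from collections import Counter

# Constructed sample corpus: three users' mailboxes at a hypothetical provider.
# Each message is one string with its From/To headers inlined; none of it is real mail.
CORPUS = {
    "alice": [
        "From: alice@example.edu To: dave@example.edu  Project Nimbus kickoff tomorrow",
        "From: dave@example.edu To: alice@example.edu  Re: Nimbus budget spreadsheet attached",
        "From: alice@example.edu To: dave@example.edu  Slides for Monday",
        "From: hr@example.edu To: alice@example.edu  Reminder: timesheets are due",
        "From: bob@example.edu To: alice@example.edu  Lunch on Friday?",
    ],
    "bob": [
        "From: bob@example.edu To: erin@example.edu  Aurora test results look good",
        "From: erin@example.edu To: bob@example.edu  Re: Aurora deployment window",
        "From: erin@example.edu To: bob@example.edu  Heard Nimbus got funded",
        "From: hr@example.edu To: bob@example.edu  Reminder: timesheets are due",
        "From: bob@example.edu To: alice@example.edu  Lunch on Friday?",
    ],
    "carol": [
        "From: carol@example.edu To: frank@example.edu  Zephyr status update",
        "From: frank@example.edu To: carol@example.edu  Re: Zephyr milestone slipped",
        "From: carol@example.edu To: frank@example.edu  Aurora demo on Thursday",
        "From: frank@example.edu To: carol@example.edu  Zephyr demo moved to Tuesday",
        "From: hr@example.edu To: carol@example.edu  Reminder: timesheets are due",
    ],
}

TOKEN = re.compile(r"[a-z0-9]+(?:[@.][a-z0-9]+)*")


def tokenize(text):
    """Lower-case keyword set of a message; an e-mail address stays one token."""
    return set(TOKEN.findall(text.lower()))


class AdProvider:
    """Toy e-mail/ad provider (assumed model, not a real network).

    An ad is displayed beside every message that contains all of its keywords,
    and the advertiser can see nothing but impression counts.
    policy: None (no filtering), "keyword" (each keyword must occur in at least
    min_messages messages corpus-wide), or "combination" (the whole keyword set
    must co-occur in at least min_messages messages corpus-wide).
    """

    def __init__(self, corpus, policy=None, min_messages=3):
        self.docs = {user: [tokenize(m) for m in msgs] for user, msgs in corpus.items()}
        self.all_docs = [d for docs in self.docs.values() for d in docs]
        self.policy, self.min_messages = policy, min_messages
        self.ads = {}
        self.impressions = Counter()

    def _support(self, keywords):
        """Number of messages, across all users, containing every keyword."""
        return sum(1 for d in self.all_docs if keywords <= d)

    def register_ad(self, ad_id, keywords):
        kws = frozenset(k.lower() for k in keywords)
        if self.policy == "keyword" and any(self._support({k}) < self.min_messages for k in kws):
            raise ValueError("rejected: rare keyword")
        if self.policy == "combination" and self._support(kws) < self.min_messages:
            raise ValueError("rejected: rare keyword combination")
        self.ads[ad_id] = kws

    def read_inbox(self, user):
        """The user opens each message; every matching ad records one impression."""
        for doc in self.docs[user]:
            for ad_id, kws in self.ads.items():
                if kws <= doc:
                    self.impressions[ad_id] += 1

    def report(self, ad_id):
        """The only feedback the advertiser receives: the display count."""
        return self.impressions[ad_id]


def probe(provider, target_keyword, candidates):
    """Attacker: one ad per candidate secret, each paired with the target's address.
    Returns impressions per candidate, or None where registration was refused."""
    accepted = []
    for cand in candidates:
        try:
            provider.register_ad(f"ad-{cand}", {target_keyword, cand})
            accepted.append(cand)
        except ValueError:
            pass
    for user in provider.docs:          # everyone reads their mail as usual
        provider.read_inbox(user)
    return {c: provider.report(f"ad-{c}") if c in accepted else None for c in candidates}


def run_scenarios(min_messages=3):
    """Run the same probe against all three policies; the attacker guesses the
    project whose ad is displayed while the others are not."""
    target, candidates = "alice@example.edu", ["nimbus", "aurora", "zephyr"]
    return {policy: probe(AdProvider(CORPUS, policy, min_messages), target, candidates)
            for policy in (None, "keyword", "combination")}


if __name__ == "__main__":
    for policy, result in run_scenarios().items():
        print(f"policy={policy!s:12} impressions per candidate: {result}")
```

With no filtering, the Nimbus ad is displayed beside the two messages in Alice's inbox that mention the project while the Aurora and Zephyr ads are never shown, so the attacker learns the project name from impression counts alone.  The per-keyword threshold changes nothing here, because "nimbus", "aurora" and "zephyr" each occur in three messages corpus-wide and pass it, while the pair (alice@example.edu, nimbus) occurs in only two.  Only the combination policy refuses all three ads, and it refuses them uniformly, which matters: if the threshold were set so that one combination is accepted and the others refused, the accept/reject decision itself would become the oracle.  The threshold therefore has to be computed over the whole corpus, not the target's mailbox, and set high enough that acceptance says little about any one individual.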

While I have not tried out any such attack, attempting to execute it would be a worthwhile experiment, and a way of understanding one aspect of electronic privacy and e-mail security.
