We are what we consume
How our online attention reveals who we are
A new study, presented at the ACM Web Conference 2026 last month, showed something that made me pause.
Researchers from UNSW Sydney and QUT, working with the Australian Ad Observatory, collected more than 435,000 Facebook ads seen by 891 Australian users. They then handed these ads - just the ad copy and images, nothing else - to an off-the-shelf Large Language Model and prompted it to infer things (attributes, demographics, beliefs…) about the people who’d been shown them.
The LLM had nothing else to work with: no browsing history, no clicks. No personal data of any kind - at least as we would traditionally describe it.
Then, using just some ad agency creative, and the simple knowledge of who had been shown the ad, the model worked out political preferences, education level, employment status, age, gender… and more.
Not only that, it matched or exceeded trained human annotators for accuracy, and did this all from short browsing sessions - the number of ad impressions required to start classifying people was incredibly small.
Finally, and perhaps unsurprisingly, running the LLM cost roughly two hundred times less than human analysis and delivered results fifty times faster.
The ads we’re shown, it turns out, are a high-fidelity portrait of who we are.
And this finding sits awkwardly against a story most of us thought was resolved.
In 2022, under increasing regulatory pressure, Meta removed advertisers’ ability to target users by sensitive categories; things like political beliefs, health causes, sexual orientation, religious practice, etc.
At the time, it was framed as a privacy win. Advocacy groups treated it as progress. The “dials” allowing morally questionable advertisers to ruthlessly target had been removed.
But, of course, the dials themselves weren’t where the signal originated - that was us. Or, more specifically, our attention.
Because, as any casual web or app browser quickly works out, ad delivery systems don’t show you ads at random. They actually measure your attention through detecting behaviours such as lingering time (did the user watch more than half of the video?), your actions (clicks, taps…), and what you do next (“conversions”).
They then simply optimise for this engagement, maximising the “positive outcomes” for the ads shown to you through experimenting and simple associations with other users (people who like ‘X’, tend to also like ’Y’).
But these measures of engagement also work in reverse; naturally beginning to cluster people who behave alike. This clustering begins to produce a sort of demographic map. Slowly building up a system that implicitly contains detailed and precise demographic data, whether or not the categories are named in a database table.
That’s why removing the targeting controls didn’t remove the leak - because the leak isn’t in the targeting. The leak is in the user’s engagement itself.
The leak is us.
The very thing that makes the ads valuable to advertisers is the same thing that makes them readable as a profile.
The study’s authors put it precisely:
“Ad streams act as high-fidelity digital footprints, and the profiling they enable inherently bypasses current platform safeguards.”
It happens outside the platform. It doesn’t require platform cooperation. It doesn’t even require breaking anything.
A browser extension is enough.
In fact, the researchers flag this vector specifically. Ad blockers, coupon finders, page translators… These all need permission to read page content in order to function. An extension that quietly harvests the ads being delivered to a user is, from the platform’s point of view, indistinguishable from one doing its advertised job. The user installs it for one purpose. It fulfils that purpose, while also doing something else entirely, and nobody is watching.
And this is where the legal architecture starts showing its cracks. Not because privacy law is badly drafted, but because it was built to imagine an entirely different kind of attack.
The prevailing comprehensive privacy regulations like GDPR were designed around the idea that sensitive personal information is an actual thing; a discrete, clearly labelled and deliberately stored data point someone holds about you that can be collected, accessed, transferred and deleted.
Article 9 explicitly lists the special categories: political opinions, religious beliefs, health, sexual orientation and others. The framework assumes those data points exist somewhere in a file or database, and regulates their handling.
What it doesn’t regulate is the deployment of cognitive effort at scale - human or machine - over data that was never considered in any way sensitive in the first place.
That’s because the ad for a mobility scooter isn’t a health record. No more than the ad for an off-grid solar kit is, in itself, a political opinion. A regulator looking at any single ad impression like this would find nothing to regulate.
But four hundred and thirty-five thousand of them, fed through a model that has read most of the internet, is becoming something else. It’s becoming someone.
And that “becoming” is exactly the point; because this is the entire mechanism by which the regulators’ carefully drafted protections fail. The system doesn’t need access to a database, or specific data categories the law cares about.
It only needs enough innocuous signal to reconstruct the categories from the outside. The protection was built around the stored data point; while the inference is happening outside of the database entirely, using ingredients that were never on the regulated list.
There is a particular kind of vertigo in realising that the safeguards we trusted were guarding the wrong door.
Now, I’m not implying anyone was negligent. Meta’s 2022 change was made in good faith, by people responding to real concerns. The regulators who wrote GDPR were trying to imagine what a determined adversary would do with the data and compute capabilities of the time. It was comprehensive, and it worked - back then.
It’s just that the compute world has moved dramatically with the rise of probabilistic systems. If I guess your religion with 95% accuracy using an LLM, have I “collected” your sensitive data? Most current regulations don’t have a clear answer for when a guess becomes a data point. The ones that are attempting to (Colorado’s regulations are one) have run into conceptual problems
So what we’re left with now is a system that can - perfectly legally - read us through what we are passively shown. Not what we share, not what we click, not what we sign up for; but what is delivered to us, by infrastructure we don’t control. And this can be assembled into a portrait we never consented to and that no individual fragment of it could have produced on its own.
What makes this really uncomfortable is the lack of a clear antagonist. The ad-funded web is the open web for most people most of the time - and access to the services it offers is today a fundamental necessity for most of us.
The platforms themselves aren’t doing anything they weren’t designed to do and nothing’s been hidden by their owners. The LLM wasn’t built for this purpose but offers genuinely powerful generalised inference. The individual data points are innocuous.
The portrait they can stitch together is not.
So it seems we really are, in the end, what we consume. And the systems built to hold our attention have become deeply reliant on this to keep the web open.
Should we be alarmed? Maybe. But more important is to be aware of the forward march of these capabilities and how their evolution might shape crucial modern questions of online safety, security and privacy.
And as we look to the future; if we, ourselves, are the leak, will we end up having to make a choice between forgoing privacy or the slow death of the open web?
Source: Chen, B., Salim, F., Angus, D., Tag, B., Xue, H. "When Ads Become Profiles: Uncovering the Invisible Risk of Web Advertising at Scale with LLMs." Proceedings of the ACM Web Conference 2026 (WWW '26), April 2026. Press summary: UNSW Newsroom, 4 May 2026.
