From the whitepaper:
"Cookies/MAID. Every DSP allows targeting users based on cookies
or mobile advertising ID (MAID). Either of these could be obtained
by an ADINT attacker if the user ever clicks on their ad.
They can also be obtained from sniffing network traffic. Finally,
active ad content (see below) can be used to potentially acquire
Also Facebook allows targeting by email with minimum of 20 addresses.
"(...) these minimums can be
circumvented; we conducted a preliminary experiment and found
uploading 19 entirely spurious email addresses (not even connected
to fake Facebook accounts) allowed us to target ads at a test user"