Regulatory limits on explicit targeting have not eliminated algorithmic profiling on the Web, as optimisation systems still adapt ad delivery to users' private attributes. The widespread availability of powerful zero-shot multimodal Large Language Models (LLMs) has dramatically lowered the barrier for exploiting these latent signals for adversarial inference. We investigate this emerging societal risk, specifically how adversaries can now exploit these signals to reverse-engineer private attributes from ad exposure alone. We introduce a novel pipeline that leverages LLMs as adversarial inference engines to perform natural language profiling. Applying this method to a longitudinal dataset comprising over 435,000 Facebook ad impressions collected from 891 users, we conducted a large-scale study to assess the feasibility and precision of inferring private attributes from passive online ad observations. Our results demonstrate that off-the-shelf LLMs can accurately reconstruct complex user private attributes, including party preference, employment status, and education level, consistently outperforming strong census-based priors and matching or exceeding human social perception at only a fraction of the cost (223x lower) and time (52x faster) required by humans. Critically, actionable profiling is feasible even within short observation windows, indicating that prolonged tracking is not a prerequisite for a successful attack. These findings provide the first empirical evidence that ad streams serve as a high-fidelity digital footprint, enabling off-platform profiling that inherently bypasses current platform safeguards, highlighting a systemic vulnerability in the ad ecosystem and the urgent need for responsible web AI governance in the generative AI era. The code is available at https://github.com/Breezelled/when-ads-become-profiles.

翻译：尽管监管对显式定向的限制并未消除网络中的算法画像行为，优化系统仍会根据用户的私有属性调整广告投放。功能强大的零样本多模态大语言模型（LLMs）的广泛普及，极大地降低了利用这些潜在信号进行对抗性推断的门槛。本研究探讨这一新兴社会风险，具体分析攻击者如何利用这些信号仅通过广告曝光即可逆向推导私有属性。我们提出了一种创新流程，将LLMs作为对抗性推断引擎进行自然语言画像分析。该方法应用于包含891名用户收集的超过435,000条Facebook广告曝光记录的纵向数据集，通过大规模研究评估了仅通过被动在线广告观察推断私有属性的可行性与精确度。实验结果表明，现成的LLMs能够准确重构复杂的用户私有属性（包括政党倾向、就业状况和教育水平），其表现持续优于基于人口统计数据的强先验基准，在仅需人类1/223成本（成本降低223倍）和1/52时间（速度提升52倍）的情况下，达到甚至超越人类社会感知能力。关键发现表明，即使在短观察窗口内也可实现具有行动价值的画像，说明长期追踪并非成功攻击的必要前提。这些发现首次提供实证证据：广告流可作为高保真数字足迹，实现绕开现有平台保护机制的非平台画像，揭示了广告生态系统的系统性漏洞，并凸显了生成式AI时代负责任网络AI治理的迫切需求。代码已开源：https://github.com/Breezelled/when-ads-become-profiles。