Skip to content
Naked Security Naked Security

Facebook shines a little light on ‘shadow profiles’

Shadow... what now?

Mark Zuckerberg, CEO of supposed surveillance titan Facebook, has apparently never heard of shadow profiles.
Of all the things learned during Zuckerberg’s questioning by a succession of politicians in Congress this week, for privacy campaigners this was one of the most unexpected.
We have Congressman Ben Luján to thank for a discovery that might come to hang around Zuckerberg as he battles to save his company’s image.
After asking Zuckerberg about the company’s practice of profiling people who had never signed up for the service, said Luján:

So, these are called shadow profiles – is that what they’ve been referred to by some?

Replied Zuckerberg:

Congressman, I’m not, I’m not familiar with that.

For anyone unsure of its meaning, shadow profiles are the data Facebook collects on people who don’t have Facebook accounts.
Zuckerberg’s ignorance was presumably limited to the term and its usage rather than the concept itself, since Facebook offers non-members the ability to request their personal data.
It seems that all web users are of interest to Facebook for security and advertising.
During the exchange Zuckerberg explained that Facebook needs to know when two or more visits come from the same non-user in order to prevent scraping:

…in general we collect data on people who have not signed up for Facebook for security purposes to prevent the kind of scraping you were just referring to … we need to know when someone is repeatedly trying to access our services

A little later he implied that non-users are also subject to data gathering for targeted advertising:

Anyone can turn off and opt out of any data collection for ads, whether they use our services or not

You can opt of targeted advertising by Facebook and a plethora of other advertisers using the Digital Advertising Alliance’s Consumer Choice Tool or by blocking tracking cookies with browser plugins.
While not in widespread public use, the term shadow profiles has been kicking around privacy circles for some time as a big deal.
In 2011, a Irish privacy group sent a complaint about shadow profiling – collecting data including but not limited to email addresses, names, telephone numbers, addresses and work information – from non-members.
More recently, in the latest instalment in a long-running privacy case, a Belgian court ordered Facebook to stop profiling non-members in the country or face a daily fine.
The problem of shadow profiles for Zuckerberg is that it blows a hole in some of the arguments he has used to defend the way Facebook collects data on web users, not least that it’s all about security.
But what about the large number of people who encounter Facebook somewhere and aren’t scraping anything?
This includes non-members who encounter it through the ubiquitous ‘like’ button, or by downloading Facebook-connected apps such as WhatsApp or Instagram.


On top of that are technologies such as Facebook Pixel, a web targeting system embedded on lots of third-party sites, that the company has in the past trumpeted as a clever way to serve people (including non-members) targeted ads.
As Luján pointed out, non-members won’t have signed a privacy consent form, nor would they know to delete data they weren’t even aware was being collected.
Ironically, one of the ways the world has learned of the way Facebook collects and analyses non-members was through data breaches such as the one that hit the company in 2013.
A journalist at the time summed it up rather well:

You might never join Facebook, but a zombie you – sewn together from scattered bits of your personal data – is still sitting there in sort-of-stasis on its servers waiting to be properly animated if you do sign up for the service.

So, not having a Facebook account is not an effective way to avoid its data harvesting. Facebook is always watching, analysing and learning, even when it is nowhere to be seen.
But are they the only one? With just about everyone’s online business models dependent on extensive data gathering and targeted advertising, perhaps Zuckerberg might console himself with the thought that he likely won’t be the last tech executive hauled up and asked questions about this topic.

7 Comments

I’d like to see congress ask these same questions of Equifax. I did not sign up for their service, they have collected my data, sold it to anyone, and lost it to criminals.
They may be much worse than FB, as I doubt anyone ever willingly gave them their pie.

+1 on Equifax issue. You can sign up for a 90-120 day credit watch which apparently can be manually renewed. I’m not sure if it can be repeatedly renewed for years or decades but my info is “out there” for life. Did Equifax ever receive a notable punishment or fine? Already got a letter from the IRS that someone already is using my info to impersonate me.

Unfortunately if you borrow any money via credit card or loan etc you are agreeing that the provider of the funds can give or inquire about your credentials in credit reports. It’s in the fine print in your agreement with a financial organization.

I can see that. Yet there should still be an opt out. Maybe the GDPR will bring that option about.

Facebook offers non-members the ability to request their personal data.
Tried this and got the response:
Your request couldn’t be processed
There was a problem with this request. We’re working on getting it fixed as soon as we can.
Saturated by requests or does the system just not work?
Will his people get back to me?

Also tried this, got an email response asking me to login to my FB account or fill in the form again and again and again.

I wrote to Farcebook. Got a letter back that literally says “Please note, Facebook does not create ‘Shadow’ Profiles of people who aren’t Facebook users”.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?