Shadow profiles the biggest flaw in Facebook’s privacy defense

Called before Congress this week, Mark Zuckerberg tried to present Facebook’s approach to user data as open and transparent. In question after question, he focused on the privacy choices available to users, and their ownership over all the data they share and it wasn’t all wrong. Facebook has data because users share it (mostly). Users control that data and can review it or delete it whenever they want (with a few exceptions). And if you delete your account, (almost) all of that data will disappear from Facebook’s servers within 90 days. None of it’s false, but as the parentheses should tell you, it is incomplete and by the second day of hearings, members of Congress were starting to catch on.

The most powerful example came from Rep. Ben Luján (D-NM), who confronted Zuckerberg on the company’s use of shadow profiles, a term for non-user data collection that Zuckerberg was apparently unfamiliar with. “It’s been admitted that you do collect data points on non-Facebook users,” Luján asked. “So my question is, can someone who does not have a Facebook account opt out of Facebook’s involuntary data collection?” “Congressman, anyone can opt out of any data collection for ads, whether they use our services or not,” Zuckerberg said. “But in order to prevent people from scraping public information, we need to know when someone is trying to repeatedly access our services.”

“You’ve said everyone controls their data, but you’re collecting data on people who are not even Facebook users, who never signed a consent or privacy agreement and you’re collecting their data,” Luján continued. “And you’re directing people who don’t have a Facebook page to sign up for Facebook in order to get their data.” In the exchange, Luján seized on a serious flaw in Zuckerberg’s consent-driven vision of Facebook, one that could have regulatory consequences in the months to come. The fact is, even if you’ve never signed up for Facebook, the company still has a general sense of who you are, gathered through uploaded contact lists, photos, or other sources.

“As CEO, you didn’t know some key facts,” Dingell told Zuckerberg. “You didn’t know what a shadow profile was. You didn’t know how many apps you need to audit. You did not know how many other firms have been sold data by Cambridge Analytica. You don’t even know all the different kinds of information Facebook is collecting from its users.” “Here’s what I know,” Dingell continued. “You have trackers all over the web. On practically every website, we all see the Facebook like or share buttons, and with the Facebook Pixel, people may not even see that Facebook logo. It doesn’t matter whether you have a Facebook account. Through those tools, Facebook is able to collect information from all of us.”