Facebook Knows Who You Are. Even if You Don’t Have a Profile. Really.

In April of this year Mark Zuckerberg, CEO of Facebook, had some special airtime with the United States Congress. This two-day questioning period revealed a lot about both sides of the table. 1) Some members of Congress don’t have a great understanding of social networks, and 2) There is a lot more that Facebook knows about people than most of its 1 B + users realize.

The reason Zuckerberg ended up before Congress was so governing bodies could learn more about Facebook’s access to both user and non-user data, how they use it and how much control users have over it. Facebook wants to be able to say that their users have control over their data, and it’s true. Users do have a lot of control over their data. They mostly control their data. There are just a whole lot of loopholes that are pretty easy for Facebook to skirt around. Vague wording of details people barely, if at all, read make exploitation of personal data even easier.

Users can control most of their data

What was clarified during the hearing is that users do have control over their data. Some of their data. Maybe even most of their data. But when it comes to personal information no one should take any chances. The European Union recognizes the value of personal information, which is why they just instated the new General Data Protection Regulation (GDPR). Facebook allows users to download their data and also delete their accounts. The data users can download, though, isn’t quite the entire picture, which could give some people a false sense of security, and really weird out the other people. Essentially, Facebook lets people download the information that belongs to that user. That means information that they specifically added about themselves, any pictures that they uploaded, and any posts that they created. Facebook has web-based tracking data that it gets from tools like Pixel, Like buttons that are embedded in sites, and from location data from mobile phones, that users do not have access to, though.

What about non-Facebook users?

In addition to there being some questionable practices around user data, there is also the subject of non-user data. Packet Storm Security first discovered that Facebook had a collection of non-user data back in 2013 when they discovered and reported a security vulnerability. The bug, that has since been fixed, had been sharing information from what we now know as “shadow profiles” along with real profile information when people downloaded their Facebook profile content. This came as a surprise, and undoubtedly made same people very angry.

If Facebook knows things about non-users, what are they? Facebook has a general sense of who lots of non-users are. They get this information when users upload contact lists from their email provider or phone, in addition to people identification in pictures, and possibly from other sources.

People with Facebook accounts have some control over their data, but non-Facebook users don’t have this control because to delete their information they would need an account. To download their data they would also need an account. Non-Facebook users can’t change the settings of how their information is being used in regards to targeted ads, either. Facebook account holders sign a consent and privacy agreement when they join the platform, but non-users have obviously not signed this. So many problems here.

Enter “shadow profiles”

All the data that Facebook gets about people from contact lists, tags in photos, etc., gets stored in a special, independent profile Facebook has on you, whether you like it or not. This is what we know as a “shadow profile”. Even non-users of Facebook have a shadow profile. The shadow profile of a given individual will keep a list of people’s contact lists in which the person appears. That way Facebook can suggest all those connections when the person does choose to sign up to the platform. Facebook has a much better idea of who you may have met or interfaced with before than you do! The information in your shadow profile is about you, it is not necessarily data that you create, which is your own intellectual property. Any information regarding your browsing history, tracking pixels, cookies, and social graph data could be in your shadow profile, and this data could date back to a time before you even had an account. One of the problems, though, is that if a user chooses to delete their account, that does not delete their shadow profile.

Shadow profiles at work

A Facebook feature demonstrating the breadth of information the platform has about both its users and non-users is People You May Know. While this feature can be seen as valuable in the ideal situation, and does serve Facebook’s goal of connecting people, it can go awry, as well. Facebook gives a vague disclosure when a user signs up that giving Facebook access to a new user’s friends list helps Facebook make connections for you. Even Facebook recognizes that users need to use good judgement when sending invites and that not everyone in your contact list may want to hear from you. Facebook doesn’t seem to follow their own words of wisdom, though. So what happens is when people give Facebook access to their contact lists Facebook starts drawing connections between people. It doesn’t take a rocket scientist to see how this could get messy pretty quickly, and maybe even ruin lives! Think of exes, court cases, patients, etc. Facebook knows the people you even kind of met just once! We all give out our phone numbers and email addresses pretty liberally, both socially and for business. Facebook has brought the traditional degrees of separation down to a shocking 3.5.

Facebook likes to believe, and communicate, that their users have control over what and how personal information is used in regards to ads. When questioned about tracking users who have deleted their accounts or users who are not currently logged in, they give the justification that it is necessary for security purposes and to avoid inappropriate use of the system.

By Facebook having this massive web of data, it is pretty important that security and regulations around this be established. Both governments and criminals would love to get their hands on this data. Unfortunately, Facebook is not yet there, nor is U.S. law. In the U.S. there are no protections that guarantee opt-outs and there are no laws saying users should be able to identify and remove information. The GDPR in the EU does require data portability for its citizens, so Facebook will need to address this soon. Facebook can and should take a step up about how they educate users. Fortunately there are some alternatives on the blockchain to keep your personal data safer.