Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Facebook Collects Shadow Profiles of People Who Never Signed Up for Facebook

April 18, 2018

Naked Security reported on something we all should have known, but which was confirmed when Mark Zuckerberg testified before Congress. As it turns out, even if you NEVER signed up for Facebook, it was collecting information about you.

While Zuckerberg didn't seem to know the term "shadow profiles," he did seem to know the concept. For anyone unsure of its meaning, shadow profiles are the data Facebook collects on people who don't have Facebook accounts.

Zuckerberg explained that Facebook needs to know when two or more visits come from the same non-user in order to prevent scraping: "…in general we collect data on people who have not signed up for Facebook for security purposes to prevent the kind of scraping you were just referring to … we need to know when someone is repeatedly trying to access our services."

Later he implied that non-users are also subject to data gathering for targeted advertising, saying, "Anyone can turn off and opt out of any data collection for ads, whether they use our services or not." You can opt out of targeted advertising by Facebook and a plethora of other advertisers using the Digital Advertising Alliance's Consumer Choice Tool or by blocking tracking cookies with browser plugins. Needless to say, most people don't know how to do this – or even that these shadow profiles exist.

In 2011, an Irish privacy group sent a complaint about shadow profiling – collecting data including but not limited to e-mail addresses, names, telephone numbers, addresses and work information – from non-members. More recently, in the latest installment in a long-running privacy case, a Belgian court ordered Facebook to stop profiling non-members in the country or face a daily fine.

So . . . it's not all about security.

Non-members of Facebook nonetheless interface with it through the 'like' buttons, or by downloading Facebook-connected apps such as WhatsApp or Instagram. There are also technologies such as Facebook Pixel, a web targeting system embedded on lots of third-party sites that the company has in the past publicized as a clever way to serve people (including non-members) targeted ads.

Non-members won't have signed a privacy consent form, nor would they know to delete data they weren't even aware was being collected.

When Facebook was hit with a data breach in 2013, we learned of the way Facebook collects and analyzes data on non-members. A journalist at the time summed it up:

"You might never join Facebook, but a zombie you – sewn together from scattered bits of your personal data – is still sitting there in sort-of-stasis on its servers waiting to be properly animated if you do sign up for the service."

So look out John Simek – you may never have signed up for Facebook, but there's a zombie version of you that Facebook has carefully compiled.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson