
What’s a Facebook shadow profile, and why should you care?

After the recent security scare over Facebook leaking user information, a dust-up over Facebook shadow profiles has relaunched. A “shadow profile” sounds like something a CIA operative would have – but if you’re a Facebook user, you have a shadow profile, whether you’re a real-life James Bond or just an accountant from Des Moines.

So what is a Facebook shadow profile, and where does yours lurk?

A Facebook shadow profile is a file that Facebook keeps on you containing data it pulls up from looking at the information that a user’s friends voluntarily provide. You’re not supposed to see it, or even know it exists. This collection of information can include phone numbers, e-mail addresses, and other pertinent data about a user that they don’t necessarily put on their public profile. Even if you never gave Facebook your second email address or your home phone number, they may still have it on file, since anyone who uses the “Find My Friends” feature allows Facebook to scan their contacts. So if your friend has your contact info on her phone and uses that feature, Facebook can match your name to that information and add it to your file.

Facebook recently announced that it fixed a bug that inadvertently revealed this hidden contact information for six million users. Their mea culpa was not particularly well-received, since this security breach revealed that the social network had been collecting this data on all of its users and compiling it into shadow profiles for years. Some people who use Facebook’s Download Your Information (DYI) tool could see the dossiers Facebook had been collecting as well as information their friends put up themselves. So, if I downloaded my information and was affected by the bug, I’d see some of the email addresses and phone numbers of my friends who did not make that information public.

Although Facebook corrected the bug, it hasn’t stopped this program of accumulating extra information on people. And researchers looking at the numbers say the breach is actually more involved than Facebook initially claimed, with four pieces of data released for a user that Facebook said had one piece of data leaked.

This snafu won’t come as a surprise to researchers who brought up Facebook’s shadow profiles long before this most recent breach. In 2011, an Irish advocacy group filed a complaint against Facebook for collecting information like email addresses, phone numbers, work details, and other data to create shadow profiles for people who don’t use the service. Since it actually takes moral fortitude to resist the social pull of Facebook, this is a slap in the face for people who make a point to stay off the network: The group claimed that Facebook still has profiles for non-Facebookers anyway.

Though the decision to publicly own up to the bug was a step in the right direction, this leak is disturbing because it illustrates just how little control we have over our data when we use services like Facebook. And it illustrates that Facebook isn’t apologizing for collecting information – it’s just apologizing for the bug. The shadow profile will live another day. 

Most people understand that Facebook can see, archive, and data-mine the details you voluntarily put up on the site. The reason people are disturbed by shadow profiles is the information was collected in a roundabout way, and users had no control over what was collected (which is how even people who abstain from Facebook may have ended up with dossiers despite their reluctance to get involved with the site). Now we don’t just need to worry about what we choose to share; we also have to worry that the friends we trust with personal information will use programs that collect our data.

To Facebook’s credit, they do make this clear in the privacy policy; it’s just that no one bothers to read it:

“We receive information about you from your friends and others, such as when they upload your contact information, post a photo of you, tag you in a photo or status update, or at a location, or add you to a group. When people use Facebook, they may store and share information about you and others that they have, such as when they upload and manage their invites and contacts.”

Now, the Facebook shadow profiles contain information that many people make public anyways; plenty of people have made their phone numbers and addresses discoverable via a simple Google Search (not that they should, but that’s another story). But if you make a point to keep that kind of information private, this shadow profile business will sting. And even if you don’t mind the fact that Facebook creeped on your phone number via your friends, you should be concerned that next time these shadow profiles make it into the news, it will be over other data-mining that could be potentially harmful. Imagine if your credit card information or PIN number ended up going public.

The way Facebook worded its apology is interesting because it doesn’t say that they don’t collect that type of information.

“Additionally, no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool.”

The fact that they said “were included” instead of “were collected” leaves open the possibility that Facebook does have this kind of information on file – it just wasn’t part of this particular mix-up.

Facebook hasn’t reassured users by saying they don’t collect this kind of data, and that’s awfully suspicious; if their shadow data collection was really limited to phone numbers and email addresses, you would think they would’ve explicitly said so, to ameliorate critics. What Facebook isn’t saying here versus what they are saying speaks volumes. The site is sorry for the bug, but not sorry for surreptitiously collecting data on you. And they’re admitting the data that was released in the bug, but not explaining the exact scope of the shadow profile amalgamation.

Facebook’s shadow profiles aren’t uniquely or especially nefarious, but this incident makes it all the more obvious that the amount of data companies are collecting on you far surpasses what you might suspect. And unless there are legislative changes, this will continue unabated.

Kate Knibbs
Former Digital Trends Contributor
Kate Knibbs is a writer from Chicago. She is very happy that her borderline-unhealthy Internet habits are rewarded with a…