What’s a Facebook shadow profile, and should you be worried about it?
If you use Facebook, your friends may have given the company your email address, phone number, and more—even if you didn’t.
Facebook shadow profiles. Surely you’ve seen the term bouncing across tech news the past few days, and you’ve got a sense it’s probably some nefarious privacy violation—or just the first fun feature Facebook has introduced in years.
But seriously, are shadow profiles real? Do I have one? Are they bad?
If you use Facebook, then “yes” to all three.
Let’s take a trip into Facebook’s shadowy recesses.
Why are shadow profiles in the news?
Last Friday, right when most journalists were ready to go home for the weekend, Facebook released some embarrassing news. A bug had exposed the private email addresses and phone numbers of 6 million of its users.
Though Facebook tried to downplay the significance of the bug, journalists rudely forced to work on a weekend quickly realized there was more to the story than just another data leak: Many of the email addresses and phone numbers exposed were not necessarily ever intentionally given to Facebook.
Instead, they were collected on the sly and stored in Facebook’s secret behind-the-scenes scaffolding, where it collects troves of data on you that you’ve never known about. That data on you that you didn’t know Facebook has? That’s a “shadow profile.”
Who has a shadow profile? Are they real?
Well, potentially everyone who has a Facebook account. They contain a certain amount of information you’re not surprised Facebook knows about you—your name, your interests, your relationship status, how many times you’ve liked your friends’ posts. But at the same time, Facebook’s been able to smartly collect other data about you. Even if you’ve never told Facebook your phone number, for instance, it might have it. As well as your second and third and fourth email addresses.
So where did Facebook get this data?
Your friends! Or maybe even friends of friends. You can thank anyone who allowed Facebook to scan their mobile phone contacts through the “find friends” feature.
When someone uses this feature, Facebook downloads all of a phone’s contact data to its own servers. This includes mostly emails and phone numbers. At the same time, Facebook is also collecting harder-to-track data on how you and all your friends and friends of friends are connected to each other. That’s how it finds people to recommend for its “people you may know” feature.
The company’s mobile app even tells you it will do this:
“Find Friends uploads contacts from your device and stores them on Facebook’s servers where they may be used to help others search for people or to generate friend suggestions for you and others.” (Emphasis added)
Does Facebook have shadow profiles on non-Facebook users?
It makes sense that, with all the contact lists uploaded to its servers every day, Facebook would be able to learn a whole lot of information about people who don’t even have Facebook accounts. But while it has stayed mum on shadow accounts as a whole, the company has asserted it does not collect information on people who don’t actually use Facebook.
Is that legal?
In the United States, probably. Facebook mentioned collecting phone contacts in the Terms of Service that all users must agree to before using the site, so unless the company is collecting additional information it didn’t disclose, users have already given their consent.
But Europe’s data protection laws are much stronger. Max Schrems, owner of Europe vs. Facebook and privacy rights advocate, launched a complaint against Facebook’s European offices, headquartered in Ireland, citing seven different instances where shadow profiles potentially violate the country’s Data Protection Act (read the PDF here). Schrems asserts that the profiles gathered “excessive amounts of information about data subjects without notice or consent by the data subject. In many cases these information might be embarrassing or intimidating for the data subject.”
How long has this been going on?
Facebook said that its user data has been leaking for over a year. Shadow profiles have been catalogued at least since August 2011, when Schrems filed his complaint against the company. Facebook has had an iPhone app since August 2007, and the “Find Friends” feature launched on iPhone and Android in April 2011.
Should I be concerned?
Probably! Especially in light of the recent revelations regarding the National Security Agency’s intrusive spying campaign, PRISM. Facebook was one of nine companies the NSA made deals with to turn over information about users. Since Facebook won’t even confirm it hosts “shadow profiles,” it’s unclear if information from shadow profiles could have also been passed along to the NSA. But it’s certainly possible.
In other words, you may have an email address that you’ve never listed anywhere for anyone else to see, but because one of your friends added it to their contact list, a snooping government agency might just discover it.
UPDATE: Following the publication of this article, a Facebook representative reached out to the Daily Dot. He denied any data from shadow profiles were handed over to the NSA as a part of the PRISM program.
Photo by Jason Reed
Kevin Morris is a veteran web reporter and editor who specializes in longform journalism. He led the Daily Dot’s esports vertical and, following its acquisition by GAMURS in late 2016, launched Dot Esports, where he serves as the site’s editor-in-chief.