In the wake of the Cambridge Analytica scandal that's seen Facebook stock take a big hit and a strong user backlash against the platform, those who never signed up for the social network could be forgiven for being a little smug. But not so fast.
As it turns out, Facebook, which is in the business of gathering as much data from as many people as possible in order to run precisely targeted ads, gets its information about you from many sources, not just what's on the profiles of its users.
This gives the lie to Facebook's official line that the users are in control of the data that they share, and that the company is only using the data that people willingly offer up.
What are Facebook's 'shadow profiles?'
Even if you’ve never signed up for Facebook, the company might still have a file on you, gathered through uploaded contact lists, photos, or other sources.When someone you know joins Facebook, the social network can find traces of you in the email/phone contacts, for example. Should you then register on the network, you'll find it already has an uncanny ability to suggest friends from your social and professional circle before you've told them any details.
As well as details pulled from your social and professional circle that you may not have consented to share with the company, Facebook's file on you also contains information on your web browsing through use of embedded 'like' and 'share' buttons. These can be tracked even if you're logged out of your Facebook account.
Privacy advocates refer to these files on non-users as 'shadow profiles', and, given Facebook's huge userbase, there's a good chance the company has one on you even if you've been diligent in avoiding the social network.
Zuckerberg has, of course, never heard of such a thing
Mark Zuckerberg testified before a congressional hearing last week, Mark Zuckerberg was asked about shadow profiles by new Mexico Democrat Ben Luján. The Facebook founder and CEO claimed not to be familiar with them, and although it's not a term Facebook uses officially, it's also hard to believe Zuckerberg has never heard of the most widely used name for these occult files.
Congressman Ben Luján questions Zuckerberg on 'shadow profiles':
Nonetheless Zuckerberg confirmed the company collects information on nonusers. "In general, we collect data of people who have not signed up for Facebook for security purposes," he said.
Trouble is, non-users haven't given their consent to have his personal data collected, and what's worse, don't have any recourse to access this data without registering. Yes, you heard that right.
I don't have a Facebook account, and want to access my personal data
We've explained how to download all the information Facebook has on you, a sensible precaution to take if you're planning to #DeleteFacebook. Fine, if you're already a Facebook user. But if you don't have a Facebook account? Facebook's help page for this situation directs you to a process that requires you to sign up for the social network.
So to add insult to injury, not only has the non-Facebook user had their data gathered without their consent, but they have to sign up to a service they don't want and 'consent' to give up more information to the company in the process of requesting this data.
It's clear from this that Facebook's problems with privacy don't just concern its active users, but will remain a problem for those who have quit the social network or never signed up for it in the first place. This is likely going to cause some tension when Europe's GDPR kicks in, as the regulation requires data-portability for all citizens, not just Facebook users.
Zuckerberg has stated his willingness to comply with GDPR for its European users but has stopped short of guaranteeing similar protections for users in the US and elsewhere. Nonetheless, if Facebook wants people to take seriously the idea that they can control their data, it needs to bring the information in these shadow profiles into the light—where users and non-users alike can see their personal data and claim it.
What do you think of Facebook's data collection practices? What kind of changes would you like to see?