Slashdot Mirror
Facebook Is Building Shadow Profiles of Non-Users
An anonymous reader writes "As noted previously, Max Schrems of Europe Versus Facebook has filed numerous complaints about Facebook's data collection practices. One complaint that has failed to draw much scrutiny regards Facebook's creation of Shadow Profiles. 'This is done by different functions that encourage users to hand personal data of other users and non-users to Facebook... (e.g. synchronizing mobile phones, importing personal data from
e-mail providers, importing personal information from instant messaging services, sending invitations
to friends or saving search queries when users search for other people on facebook.com). This means that even if you don't use it, you may already have a profile on Facebook.'"
Google's problem is that search engines can be easily fooled. Since the user indexes his or her own data by what is published to the web page, people tend to list all sorts of keywords which in turn create false results. Google's solution was PageRank, or picking the most popular sites. This doesn't work because all language is contextual, and as a result, a search term can mean many things.
What both Google and Facebook have realized is that unless they figure out who the user is, and what types of things they are looking for, there is no way to impose a type or context to the search. Without typed searching, search results become more irrelevant with the number of pages published to the web.
Both of them have hit on the same solution. Users aren't going to log in to a search engine, but they will log in to Gmail or Facebook, and that allows these companies to keep track of who you are (Google Plus is more an extension of Gmail than a separate app). Why else do you think both of them are manic about trying to get you to "validate" your account with a phone number?
Who uses adblock/noscript yet doesn't block those pointless facebook and twitter buttons?
Even if you don't care about the privacy angle, it really cuts down on useless traffic.
Here's a new one you may not have got around to adding yet: apis.google.com/js/plusone.js
What the article is in part talking about is what a lot of people have been saying for years now.
People say if you don't want facebook to know anything about you, then you shouldn't post there.
So others reply that it doesn't matter that you didn't give the data to facebook, one of your friends might.
So now the statement is that if you don't want facebook to know anything about you, then you shouldn't tell your friends, colleagues, etc. anything - after all, they may enter it on facebook.
But this still makes the presumption that you actually gave that information, knowingly and willingly, to that person - and that it it's reasonable to assume that facebook will then collect it as well.
Let's say you went to Slashdot High. So did some other person. That other person tells facebook to look for MikeB0Lton who attended Slashdot High. Now facebook has a reasonable assumption that you went to Slashdot High.
You didn't give facebook that data. And you didn't really give that data to that person - it's just information that accumulates simply by existing. You could fo for a "well you could have chosen to be homeschooled" sort of retort, but setting aside that most people here went to highschool long before facebook even existed, that's of course asking for ridiculous steps to take just to prevent anybody from collecting data about you.
Now obviously pandora's box on this was opened a very long time ago and there's really no way that it'll ever change. Even if facebook were to be forced to kill all collected data beyond that required for direct facebook operations, there's plenty of companies and shady organizations who are not targeted and who will gladly not even bother with waiting for users to provide the data and instead crawl sites and official records for it.
But the suggestion that facebook only has data on you because you gave it to them - and now that it has it because you gave it to somebody else - seems to be putting some level of blame with people when really they needn't even do/say anything.
In Soviet Russia, Facebook has profile on YOU.
I think that went out the window when they became a registered sex offender.
You'd be surprised what could get you on the registered sex offender list. When I purchased my house, I checked the list. Apparently, a guy down the street had a physical relationship with a 17 year old when he was 20. He's now on the list for life because of a vindictive parent, bad breakup, etc.
It's about non-users who HAVE NEVER USED THE DAMN THING and yet are being profiled and harrassed by FB. (like "Hey, these guys are on FB, we know they're your friends, why don't you join ? Oh, and we know where you live and what school your kids go to. Just saying.")
In Soviet Russia, our new overlords are belong to all your base.
IMHO, Facebook passed MS a long time ago. And that's saying something. At least MS is primarily evil because of their thirst for money and control -- Facebook sees that and raises them the desire to know absolutely everything about everyone on earth, then sell it to anyone who wants it. If Zuckerberg were CEO of MS, registering Windows would be mandatory, and would require everything down to your underwear size and medical history. And there'd be text ads on the start menu that would be chosen based on what websites you visited last night or what medications might appeal to you.
I had a weird notification this morning. Facebook wanted me to confirm that someone else said my hometown was X city. So now if you don't list this information, they're asking others to rat you out, despite your best efforts to keep that information off of the web. I'm not sure you can opt out of other people's disclosures in the same way you can opt out of listing your city/state/employer etc.
moox. for a new generation.
How is this not a violation of the data protection act? I quote from Wikipedia (http://en.wikipedia.org/wiki/Data_Protection_Act_1998)
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless- [...]
Personal data should only be processed fairly and lawfully. In order for data to be classed as 'fairly processed', at least one of these six conditions must be applicable to that data (Schedule 2).
The data subject (the person whose data is stored) has consented ("given their permission") to the processing;
Processing is necessary for the performance of, or commencing, a contract;
Processing is required under a legal obligation (other than one stated in the contract);
Processing is necessary to protect the vital interests of the data subject;
Processing is necessary to carry out any public functions;
Processing is necessary in order to pursue the legitimate interests of the "data controller" or "third parties" (unless it could unjustifiably prejudice the interests of the data subject).[8]
Is any of the above true? I certainly did not consent for my data to be processed when I am not on Facebook. Also note, it is not important who has given the data to Facebook, the DPA talks about the data subject -> The person the data is about.
You also have no idea if your ISP is collecting information on the sites you visit, either through DNS queries or by parsing the content of pages you visit, and creating a profile about you to sell. And once that profile exists, if even one website out there is connected to that company's profile database and can associate your visit and a particular account as being you, then suddenly they've attached a name to an otherwise anonymous profile. It can only grow from there.
The point I was trying to make is that unless there are privacy laws and strict rules on what data networks and companies are allowed to take and sell about you, then it's simply never going to stop.
The other point I was making is that Facebook is far from the only company doing this, and people shouldn't be wasting their time focusing on just one of them.
Even without Facebook selling it, it's already in some unscrupulous hands.
FTFY
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
I think you're right, but I've received creepy email invites from Facebook saying "You might know these people come join us" followed by 9 profile images some of close friends and some of acquaintances that happened to attend an event that I've gone to from time to time. It was creepy and is the main reason I want nothing to do with facebook.
So while everyone is taking issue at Facebook doing this, whats really needed is a Personal Information Control Act aimed at individuals rather than corporations?
Rather like (as i am in the UK) a Data Protection Law aimed at everyone, rather than just what businesses and organisations can do with data collected?
Or are we going to try and stick a band aid on it by limiting what companies can collect from people willing to offer?
For heaven's sake, get it into your head: You do not "own" facts about yourself. You never did. It has never been, and will never be, illegal for someone to look at you in the bus queue and observe what clothes you're wearing, what your height is, what your hair colour is, or what number bus you're queuing for. Nor is it illegal for someone to listen to you chatting to your friend and hear your name or where you live.
Even before the widespread use of computers, people were compiling databases about individuals. In the Victorian and Edwardian era there were still card indexes of potential customers' names and addresses.
What is different here is the *interconnectedness* . I don't mind people complaining about interconnectedness - I mean, it's pointless and they've missed the boat by at over 20 years, but it is at least a valid argument. The ability of this information to spread at lightning speed between billions of people using thousands of databases, yes, that is relatively new. But complaining about somebody else knowing facts about you, that's dumb.
In England we've had this for well over 950 years, since the Domesday Book in 1089AD which listed every landowner in the country. Most likely the Roman empire kept a similar directory over two thousand years ago.
If you visit a company's website and they record the facts of your visit, that is NOT illegal. It's not even immoral. It only becomes controversial when they pass this information on to an entity which was not otherwise involved with your visit.
Andrew Oakley - www.aoakley.com
See this is why I don't use facebook..... er...damn it!
To be fair, it sounds more like Facebook is using you.
They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
Surely someone better at programming than myself has either produced or is working on a simple set of software that will fill these databases with false information, rendering the whole thing unreliable. This actually seems like an appropriate task for an organization which refers to itself as anonymous .
Even if human interaction is needed (or better at than software) to create the accounts (answer captchas), once the couple million accounts are up and running they could randomly friend and unfriend each other, get involved in various groups, produce believable profiles, and become pollutants in the databases of companies such as Google and Facebook. Before long there rises the question, "is this profile real or fake? can't answer that? can't consider it real". The fakes could even base their profile on real profiles, altering things like school graduation year, and selecting a subset of contacts from various 'friends' of the real profile. With just a few 'friends' on Facebook an account rapidly begins receiving suggestions from Facebook itself on who might also be a known friend. It would be self propagating.
This may already be in action. I've had a few people/accounts that I did not know on Facebook send me a friend request, but were friends with several of my friends. Before accepting I asked our mutual friends if they knew who this person was. More often than not my friends said they didn't know them but since we went to high school together they didn't want to be rude. NO THANKS! Just as easily as this could be a data pollutant account it could also be a 3rd party mining Facebook for private information. Social engineering has always been a more powerful method than security hacking.
Anyway, I just think that rather than fighting for privacy the better approach is to corrupt their data through their own system. It seems more wicked.
No sig for you. YOU GET NO SIG!
I'm MikeB0Lton too. We should have beers and stuff.
Let's say you went to Slashdot High.
People visit Slashdot when they're high? That'd explain a lot of comments! ;-)
127.0.0.1 www.facebook.com
127.0.0.1 facebook.com
127.0.0.1 static.ak.fbcdn.net
127.0.0.1 www.static.ak.fbcdn.net
127.0.0.1 login.facebook.com
127.0.0.1 www.login.facebook.com
127.0.0.1 fbcdn.net
127.0.0.1 www.fbcdn.net
127.0.0.1 fbcdn.com
127.0.0.1 www.fbcdn.com
127.0.0.1 static.ak.connect.facebook.com
127.0.0.1 www.static.ak.connect.facebook.com
What is unfortunate, Facebook might be willing to sell this data to 3rd parties without your consent... as your friends/coworkers/family have already consented to releasing the contact information for you. Even without Facebook selling it, it's only a data breach away from some the unscrupulous hands.
I don't know that there's anyone more unscrupulous than facebook. The mobsters and fraud rings out there really just want to use your identity to take money from banks. They're annoying but not really that dangerous to ordinary people (nor to the banks, who treat low-level activity as a cost of doing business). The law is also firmly entrenched against them, and they are occasionally caught and punished. Facebook and their ilk, however, sell humans as products to thousands of corporations around the world, and they do so with impunity. They are a direct and real threat to every individual person alive today and countless unborn yet to come. If you put a gun to my head and told me I had to give all my personal information to either Mark Zuckerberg or a Russian gangster, I'd give it to the gangster every time. Then I can go file a police report, close all my accounts, and start over with no loss but a few hours of my time. Eventually the gangsters will be caught and imprisoned or perhaps killed in a war with other gangsters. There's no such happy ending possible if facebook gets its hands on my data; even if I change my name, move to a different state, and start a new career, sooner or later facebook will get my new data too. There's apparently nothing I can do about it, and the law won't help me.
Bottom line: a "facebook data breach" would mean nothing to us, since everything in their database was already for sale; it would only harm facebook, who will have given away what they were previously selling.
Most of Microsoft's evil was directed at their competition. They were rarely evil to their customers, lock-in aside, just incompetent. With things like lawsuits over FAT patents and demanding $15 for every Android phone sold, they're still just as evil to their competitors, but they seem to be a lot less incompetent to their customers (I've not used it, but I've heard good things about Windows 7).
In contrast, Facebook is evil to its users.
I am TheRaven on Soylent News
You do not "own" facts about yourself. You never did. It has never been, and will never be, illegal for someone to look at you in the bus queue and observe what clothes you're wearing, what your height is, what your hair colour is, or what number bus you're queuing for.
Yes, but it's also true that if a creepy man staked out a bus stop for months on end recording data about people, the police could get him to "move along sir". And if that creepy man was following you around all day, day in and day out, you could get a restraining order against him. Somehow I think getting a restraining order against FaceBook, Google, etc. will be a little more difficult despite the fact that they are stalking the entire world. What's needed is for the legislature to come to the rescue.
-1, Too Many Layers Of Abstraction
I don't think Facebook should be merely fined, I think it should be fined so vastly that it's very existence is put in doubt. I think CEOs, boards of directors and shareholders should be absolutely terrified to the point of pissing their pants if they create an aggregate database of people who have not given explicit permission to be in such a database. I want them to wake up in the middle of the night in cold sweats at the very thought that anyone in their data centers might even be doing it. I want them to spend a fair portion of every day worrying about it.
The world's burning. Moped Jesus spotted on I50. Details at 11.