Slashdot Mirror


Facebook Is Building Shadow Profiles of Non-Users

An anonymous reader writes "As noted previously, Max Schrems of Europe Versus Facebook has filed numerous complaints about Facebook's data collection practices. One complaint that has failed to draw much scrutiny regards Facebook's creation of Shadow Profiles. 'This is done by different functions that encourage users to hand personal data of other users and non-users to Facebook... (e.g. synchronizing mobile phones, importing personal data from e-mail providers, importing personal information from instant messaging services, sending invitations to friends or saving search queries when users search for other people on facebook.com). This means that even if you don't use it, you may already have a profile on Facebook.'"

17 of 338 comments

  1. Facebook wants to be Google by concealment · · Score: 5, Interesting

    Google's problem is that search engines can be easily fooled. Since the user indexes his or her own data by what is published to the web page, people tend to list all sorts of keywords which in turn create false results. Google's solution was PageRank, or picking the most popular sites. This doesn't work because all language is contextual, and as a result, a search term can mean many things.

    What both Google and Facebook have realized is that unless they figure out who the user is, and what types of things they are looking for, there is no way to impose a type or context to the search. Without typed searching, search results become more irrelevant with the number of pages published to the web.

    Both of them have hit on the same solution. Users aren't going to log in to a search engine, but they will log in to Gmail or Facebook, and that allows these companies to keep track of who you are (Google Plus is more an extension of Gmail than a separate app). Why else do you think both of them are manic about trying to get you to "validate" your account with a phone number?

  2. Re:whose data by QuasiSteve · · Score: 5, Insightful

    What the article is in part talking about is what a lot of people have been saying for years now.

    People say if you don't want facebook to know anything about you, then you shouldn't post there.
    So others reply that it doesn't matter that you didn't give the data to facebook, one of your friends might.

    So now the statement is that if you don't want facebook to know anything about you, then you shouldn't tell your friends, colleagues, etc. anything - after all, they may enter it on facebook.

    But this still makes the presumption that you actually gave that information, knowingly and willingly, to that person - and that it's reasonable to assume that facebook will then collect it as well.

    Let's say you went to Slashdot High. So did some other person. That other person tells facebook to look for MikeB0Lton who attended Slashdot High. Now facebook has a reasonable assumption that you went to Slashdot High.
    You didn't give facebook that data. And you didn't really give that data to that person - it's just information that accumulates simply by existing. You could go for a "well you could have chosen to be homeschooled" sort of retort, but setting aside that most people here went to high school long before facebook even existed, that's of course asking for ridiculous steps to take just to prevent anybody from collecting data about you.

    Now obviously Pandora's box on this was opened a very long time ago and there's really no way that it'll ever change. Even if facebook were to be forced to kill all collected data beyond that required for direct facebook operations, there are plenty of companies and shady organizations who are not targeted and who will gladly not even bother with waiting for users to provide the data and instead crawl sites and official records for it.

    But the suggestion that facebook only has data on you because you gave it to them - and now that it has it because you gave it to somebody else - seems to be putting some level of blame with people when really they needn't even do/say anything.

  3. Rare opportunity. by Arancaytar · · Score: 5, Interesting

    In Soviet Russia, Facebook has profile on YOU.

  4. Re:Sex Offenders by The Moof · · Score: 5, Informative

    I think that went out the window when they became a registered sex offender.

    You'd be surprised what could get you on the registered sex offender list. When I purchased my house, I checked the list. Apparently, a guy down the street had a physical relationship with a 17 year old when he was 20. He's now on the list for life because of a vindictive parent, bad breakup, etc.

  5. Re:Block by Anonymous Coward · · Score: 5, Informative

    Use Ghostery - it kills web bugs in web sites just like Adblock kills ads.

  6. Re:Facebook by o'reor · · Score: 5, Informative

    I'm so tired of reading ./ers bitching without reading the articles first.

    It's about non-users who HAVE NEVER USED THE DAMN THING and yet are being profiled and harassed by FB. (like "Hey, these guys are on FB, we know they're your friends, why don't you join? Oh, and we know where you live and what school your kids go to. Just saying.")

    --
    In Soviet Russia, our new overlords are belong to all your base.

  7. Others can list your hometown for you by Hadlock · · Score: 5, Interesting

    I had a weird notification this morning. Facebook wanted me to confirm that someone else said my hometown was X city. So now if you don't list this information, they're asking others to rat you out, despite your best efforts to keep that information off of the web. I'm not sure you can opt out of other people's disclosures in the same way you can opt out of listing your city/state/employer etc.

    --
    moox. for a new generation.

  8. Violation of the Data Protection Act by Wattos · · Score: 5, Informative

    How is this not a violation of the data protection act? I quote from Wikipedia (http://en.wikipedia.org/wiki/Data_Protection_Act_1998)

    1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless- [...]

    Personal data should only be processed fairly and lawfully. In order for data to be classed as 'fairly processed', at least one of these six conditions must be applicable to that data (Schedule 2).

            The data subject (the person whose data is stored) has consented ("given their permission") to the processing;
            Processing is necessary for the performance of, or commencing, a contract;
            Processing is required under a legal obligation (other than one stated in the contract);
            Processing is necessary to protect the vital interests of the data subject;
            Processing is necessary to carry out any public functions;
            Processing is necessary in order to pursue the legitimate interests of the "data controller" or "third parties" (unless it could unjustifiably prejudice the interests of the data subject).[8]

    Is any of the above true? I certainly did not consent for my data to be processed when I am not on Facebook. Also note, it is not important who has given the data to Facebook, the DPA talks about the data subject -> The person the data is about.

  9. Re:People have no clue what's watching them by FyberOptic · · Score: 4, Insightful

    You also have no idea if your ISP is collecting information on the sites you visit, either through DNS queries or by parsing the content of pages you visit, and creating a profile about you to sell. And once that profile exists, if even one website out there is connected to that company's profile database and can associate your visit and a particular account as being you, then suddenly they've attached a name to an otherwise anonymous profile. It can only grow from there.

    The point I was trying to make is that unless there are privacy laws and strict rules on what data networks and companies are allowed to take and sell about you, then it's simply never going to stop.

    The other point I was making is that Facebook is far from the only company doing this, and people shouldn't be wasting their time focusing on just one of them.

  10. Re:Oh, really?! by medv4380 · · Score: 5, Interesting

    I think you're right, but I've received creepy email invites from Facebook saying "You might know these people come join us" followed by 9 profile images some of close friends and some of acquaintances that happened to attend an event that I've gone to from time to time. It was creepy and is the main reason I want nothing to do with facebook.

  11. Propagate false data? by LoudMusic · · Score: 5, Interesting

    Surely someone better at programming than myself has either produced or is working on a simple set of software that will fill these databases with false information, rendering the whole thing unreliable. This actually seems like an appropriate task for an organization which refers to itself as anonymous.

    Even if human interaction is needed (or better at than software) to create the accounts (answer captchas), once the couple million accounts are up and running they could randomly friend and unfriend each other, get involved in various groups, produce believable profiles, and become pollutants in the databases of companies such as Google and Facebook. Before long there rises the question, "is this profile real or fake? can't answer that? can't consider it real". The fakes could even base their profile on real profiles, altering things like school graduation year, and selecting a subset of contacts from various 'friends' of the real profile. With just a few 'friends' on Facebook an account rapidly begins receiving suggestions from Facebook itself on who might also be a known friend. It would be self propagating.

    This may already be in action. I've had a few people/accounts that I did not know on Facebook send me a friend request, but were friends with several of my friends. Before accepting I asked our mutual friends if they knew who this person was. More often than not my friends said they didn't know them but since we went to high school together they didn't want to be rude. NO THANKS! Just as easily as this could be a data pollutant account it could also be a 3rd party mining Facebook for private information. Social engineering has always been a more powerful method than security hacking.

    Anyway, I just think that rather than fighting for privacy the better approach is to corrupt their data through their own system. It seems more wicked.

    --
    No sig for you. YOU GET NO SIG!

  12. Re:whose data by MikeB0Lton · · Score: 5, Funny

    I'm MikeB0Lton too. We should have beers and stuff.

  13. Re:Block by The Man · · Score: 4, Interesting

    Who uses adblock/noscript yet doesn't block those pointless facebook and twitter buttons?
    Even if you don't care about the privacy angle, it really cuts down on useless traffic.

    Here's a new one you may not have got around to adding yet: apis.google.com/js/plusone.js

    I don't really think adblockers are sufficient in light of how devious facebook and others are known to be. Using those techniques amounts to participating in an arms war between these companies and other software engineers. Instead, or in addition, one should redirect their entire domains to localhost and blackhole all known netblocks they use. You can't do enough to keep yourself safe from these thieves and predators; they are the modern-day slavers and you, once again, are their product. While there may be no measure strong enough to prevent the kind of theft this article highlights, that serves only to point out that no available measure should be overlooked in the effort to shut down the flow of data into their systems.

  14. Re:Monetize that.... by The Man · · Score: 5, Insightful

    What is unfortunate, Facebook might be willing to sell this data to 3rd parties without your consent... as your friends/coworkers/family have already consented to releasing the contact information for you. Even without Facebook selling it, it's only a data breach away from some unscrupulous hands.

    I don't know that there's anyone more unscrupulous than facebook. The mobsters and fraud rings out there really just want to use your identity to take money from banks. They're annoying but not really that dangerous to ordinary people (nor to the banks, who treat low-level activity as a cost of doing business). The law is also firmly entrenched against them, and they are occasionally caught and punished. Facebook and their ilk, however, sell humans as products to thousands of corporations around the world, and they do so with impunity. They are a direct and real threat to every individual person alive today and countless unborn yet to come. If you put a gun to my head and told me I had to give all my personal information to either Mark Zuckerberg or a Russian gangster, I'd give it to the gangster every time. Then I can go file a police report, close all my accounts, and start over with no loss but a few hours of my time. Eventually the gangsters will be caught and imprisoned or perhaps killed in a war with other gangsters. There's no such happy ending possible if facebook gets its hands on my data; even if I change my name, move to a different state, and start a new career, sooner or later facebook will get my new data too. There's apparently nothing I can do about it, and the law won't help me.

    Bottom line: a "facebook data breach" would mean nothing to us, since everything in their database was already for sale; it would only harm facebook, who will have given away what they were previously selling.

  15. Re:We should have a "Tell Lies to Facebook Day" by TheRaven64 · · Score: 5, Insightful

    Most of Microsoft's evil was directed at their competition. They were rarely evil to their customers, lock-in aside, just incompetent. With things like lawsuits over FAT patents and demanding $15 for every Android phone sold, they're still just as evil to their competitors, but they seem to be a lot less incompetent to their customers (I've not used it, but I've heard good things about Windows 7).

    In contrast, Facebook is evil to its users.

    --
    I am TheRaven on Soylent News

  16. Re:You don't own facts about yourself. Get over it by firewrought · · Score: 5, Insightful

    You do not "own" facts about yourself. You never did. It has never been, and will never be, illegal for someone to look at you in the bus queue and observe what clothes you're wearing, what your height is, what your hair colour is, or what number bus you're queuing for.

    Yes, but it's also true that if a creepy man staked out a bus stop for months on end recording data about people, the police could get him to "move along sir". And if that creepy man was following you around all day, day in and day out, you could get a restraining order against him. Somehow I think getting a restraining order against FaceBook, Google, etc. will be a little more difficult despite the fact that they are stalking the entire world. What's needed is for the legislature to come to the rescue.

    --
    -1, Too Many Layers Of Abstraction

  17. Re:whose data by MightyMartian · · Score: 5, Insightful

    I don't think Facebook should be merely fined, I think it should be fined so vastly that its very existence is put in doubt. I think CEOs, boards of directors and shareholders should be absolutely terrified to the point of pissing their pants if they create an aggregate database of people who have not given explicit permission to be in such a database. I want them to wake up in the middle of the night in cold sweats at the very thought that anyone in their data centers might even be doing it. I want them to spend a fair portion of every day worrying about it.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.