Mark Zuckerberg Denies Knowledge of Non-Consensual Shadow Profiles Facebook Has Been Building of Non-Users For Years

It has been widely reported that Facebook builds profile of people even if they have never signed up for its services. However, in a hearing with the House Energy & Commerce Committee on Wednesday, when New Mexico Representative Ben Lujan asked Facebook CEO Mark Zuckerberg if he was aware of the so-called practice of building "shadow profiles", Zuckerberg denied knowledge of it. Here's the exchange: Lujan: Facebook has detailed profiles on people who have never signed up for Facebook, yes or no?
Zuckerberg: Congressman, in general we collect data on people who have not signed up for Facebook for security purposes to prevent the kind of scraping you were just referring to [reverse searches based on public info like phone numbers].
Lujan: So these are called shadow profiles, is that what they've been referred to by some?
Zuckerberg: Congressman, I'm not, I'm not familiar with that.
Lujan: I'll refer to them as shadow profiles for today's hearing. On average, how many data points does Facebook have on each Facebook user?
Zuckerberg: I do not know off the top of my head.
Lujan: Do you know how many points of data Facebook has on the average non-Facebook user?
Zuckerberg: Congressman, I do not know off the top of my head but I can have our team get back to you afterward.
Lujan: It's been admitted by Facebook that you do collect data points on non-[Facebook users]. My question is, can someone who does not have a Facebook account opt out of Facebook's involuntary data collection?
Zuckerberg: Anyone can turn off and opt out of any data collection for ads, whether they use our services or not but in order to prevent people from scraping public information ... we need to know when someone is repeatedly trying to access our services.

tl;dr: fu mr congressman

zuck is such an asshat

Misleading title - he admits data is collected

He doesn't deny knowledge of it, he says they do! And he just doesn't have the data on hand. Sheesh, what a misleading title.

Everyone knows Shadow Profiles are real, that is how they know all the info they do when you sign up.

Re:Mental gymnastics

[Rick+Schumann]

If they have the MAC of any ethernet device that I own, then there is something seriously wrong with the public Internet that needs to be fixed immediately -- either that or everyone has out-and-out spyware on their computers and devices. Beyond your local network no one should have your MAC.

Re:Mental gymnastics

[ls671]

The apps running on your devices can access the MAC address and transmit the info over IP. Wireless access point know your MAC too, etc...

Badly configured IPv6

[DrYak]

It might happen with badly configured IPv6.

Among other, IPv6 addresses can be created by adding a suffix derived from you MAC address to the prefix advertised by your router.

Of course, there are privacy extensions, which generate addresses by adding random nonsensical suffices to the prefix, and a well configured IPv6 stack should generate several of those and prefer them over the MAC-derived one.
(i.e.: your laptop will respond when called by it's MAC-based IPv6 - useful for services, e.g.: SSH - but when contacting the web, it will present itself with a random addresses so your mac address should never be revealed in some webserver's logs).

Facebook supports IPv6.

A badly configured IPv6 combined with some clever javascripting (e.g.: the "like" button that you see on virtually any website when you don't have FSF's "Privacy Badger" activated) makes it possible for Facebook to track you by your mac address no matter which network you're connecting from.

(I'm saying facebook, but it works just as well with any other IPv6 support social website that has its buttons plastered all over the web: Twitter, etc.)

So, if you use IPv6, remember to enable the bloody privacy option on.

Re:Mental gymnastics

[gnick]

Until you sign up, you are an unwitting, unwilling user.

Re:Non-consensual Facebooking

[bluefoxlucid]

I don't consent to political campaigns calling me up during election season. But there are public records and they've been doing this for decades

Actually, we can't use them.

To call or e-mail you, I have to purchase a list of contact data from an appending service. These in turn get them from data warehouses, who get them by purchasing from organizations who directly connect with those persons.

You know that thing where your contract says your information "may be shared with partners" or some such?

You sign up for a service or donate to a charity. Hell, a politician knocks on your door and you sign up for their Web page.

They build a giant database of contact information and voter/donor/volunteer/user/etc research.

That information gets shared or sold to other organizations--two wildlife charities might mutually exchange their lists under NDA so they both benefit from greater access to donors.

The information not under such sharing generally gets sold.

We pay 3 cents per successful record append to turn your voter history (purchased from the State for use only in conjunction with a political campaign) and information into contact info. Name and address go in, phone numbers and e-mails come out. Donor information, social networking profiles, and the like might come along with that, too.

Yes, you consented to this. Unfortunately, we let people consent to far too much without requiring them to understand the ramifications, or putting a timer on that data so it has to go away after a few years. We should have a small number of certified data warehouses who can buy, aggregate, and provide information, with limits on where it can come from, how long it can be stored, and how aggregate information can be disseminated. instead, everyone is a data warehouse, and they sell and distribute the information however they want.

It's really a question of what we can give up. There's likely a sweet spot where you've only lost a little functionality, and can work around that easily, while gaining plenty of privacy; and then there's that last bit of privacy to gain, but cutting deeper starts rapidly shoving us back into the 90s where all this convenience wasn't around while not protecting us very much more at all. The first step is to identify that range and abut up to it; the second is to determine what protections we need and what we have to sacrifice to get them.

The most extreme example would be eliminating so much data sharing that OAUTH2 isn't a thing: you can't sign up to services with Google or use things like Disqus because of strict data privacy laws preventing the kind of sharing that this requires. Obviously, we're not going that far: those kinds of conveniences require very little data sharing, and it's obvious what's shared of the necessary things (i.e. your e-mail address, or some unique identifier; if it fills in your name, you can actually see that).

I'm most-concerned with background collection and retention. You got on Slashdot. Slashdot has a Facebook log-in thing. Facebook is able to track your activity here because there's a Facebook pixel--even if you're anonymous. That's stuff around which we need strict controls and won't lose much for it, so that's going right at the top of my list.

How does Zukerberg track non-Facebook users

[najajomo]

By contracting with companies to plant invisible trackers known as WEBBUGs on their web sites, such as these that are pinged every time you click on a techcrunch.com page:

cdn.tinypass.com/
d1z2jf7jlzjs58.cloudfront.net/
dashboard.tinypass.com/
dpm.demdex.net/
geo.yahoo.com/
o.aolcdn.com/
p.typekit.net/
plugin.mediavoice.com/
s.sa.aol.com/
s.yimg.com/
sb.scorecardresearch.com/
stats.wp.com/
use.typekit.net/
www.google-analytics.com/
www.npttech.com/

And these ones that are pinged when you click on a slashdot article:

a.fsdn.com/
ads.pro-market.net/
analytics.slashdotmedia.com/
cdn-social.janrain.com/
cdn.taboola.com/
consent.trustarc.com/
d1o5u7ifbz3swt.cloudfront.net/
ml314.com/
rpxnow.com/
snap.licdn.com/
ssl.google-analytics.com/
tag.crsspxl.com/
www.stack-sonar.com/

Re:Mental gymnastics

Also you WAP is on your private network. Nothing outside of your private, logical subnet needs to know you MAC.

Not necessarily true. Many automated configuration algorithms use MAC addresses to ensure some level of uniqueness or as a tie breaker.

The most prominent use is automated IPv6 addressing. IEEE EUI-64 embeds your MAC within your IPV6 address if not statically or DHCP assigned. All someone needs to do is query the IPv6 address in a browser script to get the MAC address of most everyone who does not have a IPv6 DHCP complaint ISP.

Re:Mental gymnastics

[swillden]

They're not supposed to do that!

There's no network technology-based need for them to do that, but if the operating system makes the data available to them they can and some do use the MAC address as a unique device identifier. The major mobile device OSes have stopped providing it.