‘Your Facebook data belongs to you and you have complete control over it’: that was the line that Mark Zuckerberg kept pushing over and over, both times he testified before US legislators this week. But not everyone was buying it. Congressman Ben Luján, a Democrat from New Mexico, pressed Zuckerberg on what information Facebook collects beyond what people knowingly hand over.

To learn more about what information Facebook collects beyond what users knowingly hand over, Luján asked Zuckerberg about something called shadow profiles – a term for non-user data collection that Zuckerberg was apparently unfamiliar with.

Here’s an excerpt from the exchange:

Luján asks: “It’s been admitted that you do collect data points on non-Facebook users. So my question is, can someone who does not have a Facebook account opt out of Facebook’s involuntary data collection?”

Zuckerberg responds: “Congressman, anyone can opt out of any data collection for ads, whether they use our services or not. But in order to prevent people from scraping public information, we need to know when someone is trying to repeatedly access our services.”

Luján continued: “You’ve said everyone controls their data, but you’re collecting data on people who are not even Facebook users, who never signed a consent or privacy agreement and you’re collecting their data. And you’re directing people who don’t have a Facebook page to sign up for Facebook in order to get their data. It may surprise you that, on Facebook’s page, when you go to ‘I don’t have a Facebook account and would like to request all my personal data stored by Facebook,’ it takes you to a form that says go to your Facebook page, and then, on your account settings, you can download your data.”

Facebook controls the data, not users

The above exchange highlights the main flaw in Zuckerberg’s line of argument that all data that Facebook collects is consent driven. The reality is that, even if you’ve never signed up for Facebook, the company still has a general sense of who you are, gathered through uploaded contact lists, photos, or other sources. Zuckerberg feigning ignorance on this issue won’t make it go away, and neither will his argument that this is being done to deal with bad actors or for security purposes.

Facebook’s collection of non-user data raises questions about what data is covered by Zuckerberg’s idea of user control and ownership of data. Zuckerberg had said that Facebook deletes all your profile data if you delete your account, but didn’t know how long it takes for that data to be deleted, which means it’s not done immediately. The question then is, are elements of your data used to build a shadow profile even after you have left Facebook? What if Facebook already had a shadow profile on you before you signed up? Do you have control over that data when you choose to join?

How Facebook uses shadow profiles

Writing for Gizmodo, Kashmir Hill offers the most detailed example of how Facebook shadow profiles work in its ‘People You May Know’ feature. Even if you have never signed up for Facebook, you are in the phone contact list of someone who probably has. All this information is collected by Facebook, and they don’t discard your contact even if they know you aren’t on board. When users sync their email account or phone messages with Facebook, data on non-users is picked up. Instead of discarding their information, Facebook keeps non-user data attached to something Hill calls a shadow profile, a reliable bank of information held in reserve so that, if you ever do sign up for Facebook, the company will know exactly who to recommend as friends.

All this might seem harmless, as it’s just being used to recommend friends who are on the service to you. But this data is being gathered without your consent and is almost certainly being put to other uses; the use case above was only one of many, one that was discovered by a journalist’s investigation. When Zuckerberg says that you can delete your account or any piece of data you have shared with Facebook, that rings hollow when Facebook collects and stores data that you haven’t shared with it.