Facebook’s “Shadow Profile” Problem

Sometimes it takes a big screwup to reveal a bigger problem. The news that Facebook maintains so-called “shadow profiles” of both users and, some allege, non-users is not new. Privacy groups started raising red flags about the policy at least two years ago, but the details remained obscure.

A “shadow profile” is, basically, extra data on you which you never provided to Facebook. Typically, this is harvested as part of the “Finding Friends” feature, which combs through a user’s contact list looking for people they know who might also be on Facebook. It also draws data from friends, conversations you have, things you like, and topics you post about.

What people may not realize is that the emails and phone numbers found during this process are apparently attached to your profile even if you never provided that data to Facebook.

And, at least at some point, it saved that data even if you didn’t have a Facebook account.

Some time in the last year, an exploit appeared that merged the public data and the private data for people who downloaded and saved their profile information. This exploit affected as many as 6 million people.

This means that if someone has your email and phone number in their contact list and they allow Facebook to access that data, that data is saved and attached to your Facebook profile even if you never provided it yourself.

Here’s how Facebook explained it in their sorta-apology:

When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. For example, we don’t want to recommend that people invite contacts to join Facebook if those contacts are already on Facebook; instead, we want to recommend that they invite those contacts to be their friends on Facebook.

Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.

After review and confirmation of the bug by our security team, we immediately disabled the DYI tool to fix the problem and were able to turn the tool back on the next day once we were satisfied that the problem had been fixed.
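To make the mechanism in Facebook’s statement concrete, here is a small model of contact-list matching and a Download Your Information (DYI) export, written as an added illustration for this post. It is not Facebook’s code, and every account, address book, phone number and table layout in it is a constructed assumption. The same matcher is run in two modes: a “leaky” one that writes the identifiers from a matched upload back against the matched account, and a fixed one that keeps only the match result.

```python
"""Toy model of contact-upload matching and of the DYI export bug.
Added illustration, not Facebook's code: accounts, address books and
the storage layout below are all constructed for the example."""


class ContactDirectory:
    def __init__(self):
        self.accounts = {}        # user_id -> identifiers the user gave us
        self.by_identifier = {}   # email or phone -> user_id
        self.uploads = {}         # uploader -> list of address-book entries
        # Bug-era side table: identifiers learned about a user from OTHER
        # people's uploads. The fixed design never populates it.
        self.learned = {}         # user_id -> set of identifiers

    def register(self, user_id, email, phone=None):
        self.accounts[user_id] = {"email": email, "phone": phone}
        for ident in (email, phone):
            if ident:
                self.by_identifier[ident] = user_id

    def upload_address_book(self, uploader, entries, leaky):
        """Match entries against registered identifiers and return friend
        recommendations (user ids). With leaky=True, every identifier in a
        matched entry is also stored against the matched account: the bug."""
        self.uploads.setdefault(uploader, []).extend(entries)
        recommendations = []
        for entry in entries:
            idents = {v for k, v in entry.items() if k in ("email", "phone") and v}
            matched = {self.by_identifier[i] for i in idents if i in self.by_identifier}
            for uid in matched:
                if uid != uploader:
                    recommendations.append(uid)
                if leaky:
                    self.learned.setdefault(uid, set()).update(idents)
        return recommendations

    def export_dyi(self, user_id, leaky):
        """What the DYI archive hands back for this user's contacts. The fixed
        export contains only what the user uploaded; the leaky one merges in
        identifiers other people supplied about the same person."""
        archive = []
        for entry in self.uploads.get(user_id, []):
            record = dict(entry)
            if leaky:
                own = {entry.get("email"), entry.get("phone")} - {None}
                for ident in own:
                    uid = self.by_identifier.get(ident)
                    extra = self.learned.get(uid, set()) - own
                    if extra:
                        record["extra_identifiers"] = sorted(extra)
            archive.append(record)
        return archive


def run_scenario(leaky):
    """Constructed scenario: Bob gave Facebook only his email. Carol's phone
    book also has Bob's number; Alice's has only his email. What does
    Alice's DYI export show about Bob?"""
    d = ContactDirectory()
    d.register("alice", "alice@example.com")
    d.register("bob", "bob@example.com")          # Bob never supplied a phone
    d.register("carol", "carol@example.com")
    d.upload_address_book("carol", [{"name": "Bob", "email": "bob@example.com",
                                     "phone": "+1-555-0100"}], leaky)
    d.upload_address_book("alice", [{"name": "Bob", "email": "bob@example.com"}], leaky)
    return d.export_dyi("alice", leaky)


if __name__ == "__main__":
    print("leaky export:", run_scenario(leaky=True))
    print("fixed export:", run_scenario(leaky=False))
```

The design point is that the recommendation only ever needs the match result (a user id). The moment the raw identifiers from someone else’s upload are persisted against the matched account, a shadow record exists that Bob never created, and any later feature that reads account data, here the export tool, can surface it to a third party. Keeping upload data scoped to the uploader, or discarding it once matching is done, removes the record rather than the one path that happened to expose it.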

We always assumed Facebook was compiling plenty of data that was never provided to them, and that this was stored out of our sight. The extent of their data-gathering, however, still remains a bit fuzzy, and the idea that they were mining contact data had been assumed but remained unproven.

If PRISM taught us anything, it should be that the age of privacy is over. It really is, and as a former privacy nut I’m deeply disturbed at its passing.

However, it is becoming almost impossible to take advantage of the conveniences, power, and connectivity of the digital age while also retaining a firm grip on privacy. Watching Netflix, streaming Google Play, buying from Amazon, chatting on Facebook or Skype: these are all things I enjoy, and I’m glad they exist.

Unfortunately, they also mean that my entertainment choices, opinions, buying habits, and even my conversations and movements are exposed, collected, stored, and commodified.

In my own minor way, I’m a “Public Person.” My photo has been under my name in a column in at least one magazine, and often as many as three, every month for over two decades. I got my first “death threat” in 1994, when the internet was young and “I’m going to kill you for saying something bad about a game I like” was still a novel amusement. I’ve blogged since 2010.

So … privacy? It’s a little late for that. It’s kind of pointless for me to complain that Hulu and their partners know I watched “Voodoo Man” last night when I’m writing that I watched “Voodoo Man” last night at this very moment, and posting it to be read by about 5,000 to 10,000 people.

However … most people are not opinion writers and magazine editors, or politicians, stars, executives, YouTube sensations, or other public or semi-public figures. They’d rather keep their choices personal, and their information private.

And so they will need to make hard choices: give up some of the niceties and conveniences, and even, for some, the necessities, of the digital age for a privacy which they will never get back.

I came to Facebook slowly and reluctantly. It seemed like little more than a playground for narcissists. I’ve since found it useful for sharing photos with family, links to my posts, and other items of interest. I’ve gotten to know people there and formed real friendships, particularly within the tight-knit Catholic community. I can stay in touch with people I just don’t get to see and far-flung family can keep up with news and photos of my kids in the most convenient way possible.

I keep all of that “locked down,” knowing that nothing is really ever “locked down” on Facebook. Most people can’t see the things I set for “Friends Not Acquaintances,” but it remains possible that a determined person could access them with some effort. I have a “public page” that you can follow, but usually I don’t add people I don’t know to my private page. (If you’ve tried to add me and gotten no response, it’s because I usually keep the private page for colleagues, friends, and family. The public page is here. Some of my personal page is public. Most of it isn’t.)

As for all that “metadata” such as emails, phone numbers, entertainment preferences, and friends? That box was opened long ago, and we’re never going to slam it shut again. See also: Pandora.

Today I changed my profile just to screw around: changing my birthday to 1913, my college to Miskatonic University, my high school to Miss Havisham’s School For Wayward Girls, things like that. It’s a small gesture of contempt toward Mark Zuckerberg and his prying minions, and although ultimately meaningless, it provided a few minutes of amusement.

I will continue to use Facebook as I have, with eyes wide open to its inherent flaws. I know that it’s not free: I’m paying for it with my private data. That is the coin of the realm in the internet age.

There’s an old saying in the tech field: If a service is free, you are not the customer: you are the product being sold.