Shadow profiles are the biggest flaw in Facebook’s privacy defense

JLab’s Rewind wireless headphones have retro style, but dated sound
April 11, 2018
Bellus3D brings its uncanny 3D selfies to the iPhone X
April 11, 2018

Called before Congress this week, Mark Zuckerberg tried to present Facebook's approach to user data as open and transparent. In question after question, he focused on the privacy options available to users and their ownership of all the data they share, and not everything was incorrect. Facebook has data because users share it (mainly). Users control that data and can review or delete it whenever they want (with some exceptions). And if you delete your account, (almost) all of that data will disappear from the Facebook servers within 90 days. None of that is false, but as the parentheses should tell you, it is incomplete, and by the second day of the hearings, members of Congress were beginning to understand.
The most powerful example came from Representative Ben Lujan (D-NM), who confronted Zuckerberg about the company's use of hidden profiles, a term for the collection of non-user data that Zuckerberg apparently was not familiar with.
"It has been admitted that data points are collected from users who are not from Facebook," Luján asked. "So my question is, can someone who does not have a Facebook account opt ​​for the involuntary collection of Facebook data?"
"Congressman, anyone can choose not to receive any type of data collection, whether they use our services or not," said Zuckerberg. "But to prevent people from restricting public information, we need to know when someone is trying to repeatedly access our services."
"My question is, does someone who does not have a Facebook account choose to collect data?"
"You have said that everyone controls your data, but you are collecting data on people who are not even Facebook users, who never signed a consent or privacy agreement and who are collecting your data," continued Luján. "And you're directing people who do not have a Facebook page to sign up on Facebook and get their data."
In the exchange, Luján took advantage of a serious error in Zuckerberg's Facebook vision, which could have regulatory consequences in the coming months. The fact is that, even if you have never registered on Facebook, the company still has a general idea of ​​who you are, gathered through lists of loaded contacts, photos or other sources.
The collection of Facebook data about non-Facebook users opens a world of questions about what data is and is not covered by Zuckerberg's vision of user consent and control. Zuckerberg said repeatedly that Facebook removes all data from your profile if you delete your account, but what about the hidden profile data that preceded your account? Zuckerberg also mentioned the possibility of downloading his Facebook data, but not only a user who does not belong to Facebook does not have access to that information, the download tool omits the data that Facebook collects and uses clearly, whether they are Pixel data analyzed from Facebook or location data extracted. from a phone
The most concrete example of an alternative profile comes from the People You May Know service on Facebook, studied in detail by Kashmir Hill in Gizmodo. Even if you have never registered on Facebook, you have appeared on the contact list of people who did. When users connect their email account or text message data with Facebook, countless users are not swept. Instead of discarding their information, Facebook maintains non-user related data assigned to something that Hill calls a hidden profile: a trusted information bank held in reserve so that, if it ever registers on Facebook, the company will know exactly whom Recommend as friends.
"Even after logging out of Facebook, they still have the ability to follow my interactions on the web"
If that were all, it would be easy enough to get away, but the hidden profiles have become a substitute for all the data that is not part of a person's official profile. Facebook says that when you delete your account, all your data disappears from the company's servers within 90 days, but it's hard to believe that it applies to the hidden profile data, which exists even without an official profile. Today, Zuckerberg assured Congress that Facebook's data download tool includes all the information of a given user, but it lacks much of the web-based tracking done by Facebook through the Insert button, showing only the categories of interest that are created as a result of that data. How can we be sure that similar data is not collected about non-users or that they do not remain associated with them after deleting their account?
Representative Kurt Schrader (D-OR) tried to get a response from Zuckerberg about the extent of Facebook tracking of users off the platform, but the response was ambiguous.
"As I understand it, based on the testimony here today, even after logging off on Facebook, they still have the ability to follow my interactions on the web," Schrader asked Zuckerberg.
"You have crawlers all over the web."
"You have control over what we do for the announcements and the collections of information based on that," Zuckerberg replied. "In terms of security, there may be specific aspects about how you use Facebook, even if you have not logged in, which we follow up to make sure you're not abusing the systems."
This area of ​​interrogation is particularly difficult for Facebook because, as Luján pointed out, all Facebook controls have a person who has a Facebook profile. You can not change your ad settings or download your information unless you are a Facebook user, even though we know that the company still contains information related to you. That catch-22 may soon cause problems in Europe, where the GDPR requires data portability for all citizens, not just Facebook users.
Meanwhile, Facebook's data protection tools mostly serve to distract users from the more aggressive data collection that occurs behind the scenes. That point was taken home by a heated speech by Representative Debbie Dingell (D-MI) towards the end of the hearing, leading Zuckerberg to the task for lack of information.
"As a CEO, I did not know some key facts," Dingell told Zuckerberg. "You did not know what a hidden profile was, you did not know how many applications you need to audit, you did not know how many other firms have been sold by Cambridge Analytica … You do not even know the different types of information that Facebook collects from its users."
"This is what I know," Dingell continued. "You have crawlers all over the web." Virtually all websites, we all see "Like" or "Like" buttons on Facebook, and with Facebook Pixel, people may not even see the Facebook logo. It matters if you have a Facebook account, through these tools, Facebook can collect information from all of us. "


Leave a Reply

Your email address will not be published. Required fields are marked *

I accept that my given data and my IP address is sent to a server in the USA only for the purpose of spam prevention through the Akismet program.More information on Akismet and GDPR.