Social media services collect data about their users, which is then used for targeted advertising or sold directly to third parties for various purposes. But what if a platform like Facebook collected information about non-users, too? It does, and it’s called a “shadow profile.”

Facebook’s Shadow Profile Practices

Early in 2018, Mark Zuckerberg admitted in a congressional hearing that Facebook collects information on people who are not Facebook users. To be clear, Facebook does not use the term “shadow profile,” but that’s become the common term for information collected on people who are not Facebook users. It can also refer to data collected about people who are users, where the information in question was not provided by them and instead comes from third-party sources. In other words, whether you’re a Facebook user or not, the company knows things about you that you did not explicitly tell it.

Why does Facebook collect such data? The official answers vary, but it seems to feed features such as “people you may know” and helps new users rapidly build connections when they sign up. Whatever Facebook’s reasons for collecting this data, you may be wondering where it gets it from in the first place. While we’ll never know the entire story, there are a few likely sources.

Piecing Together a Shadow Profile

If you have friends who use Facebook, chances are that they share content with Facebook that helps paint a picture of who you are. If your friends post photos of you, Facebook’s facial recognition system is (in principle) capable of matching them to other photos of you on the internet. We don’t know if Facebook actually ever did this, but the technology was certainly in place. Facebook’s use of facial recognition technology has been so controversial that the company announced it would remove facial recognition features and delete all the data collected using the tech.

When Facebook users sign up, they can give the app access to their phone contacts, which can make it easier for them to connect with people they know. However, it also means Facebook gets to see all the names and contact details of non-users in that contacts list.

Once Facebook knows certain key facts about you, such as what you look like, who your friends are, and what your email address or phone number is, it can simply scour the surface web to aggregate more info about you. Again, we don’t actually know exactly how Facebook gathers data on non-users; we just know that it does and how it could (hypothetically) work.

It’s Going to Get Worse

Facebook is perhaps the most famous name linked to shadow profiling, but that doesn’t mean the company is the only entity doing it. The fact of the matter is that most of us have been pumping gigabytes of data about ourselves onto the internet for years. Much of it isn’t behind any sort of security and, taken individually, is pretty benign.

The problem is that smart algorithms and massive data centers with incredible computing power can take all those individually “harmless” breadcrumbs of information about you and gain shocking insights about who you are, how you’re likely to behave, and the best ways to influence you.

As we hook more of our personal data into the web and these systems get smarter and more powerful, large data broker organizations may end up knowing more about you than you do yourself. One famous incident reported by Forbes in 2012 details how Target could accurately predict which of its customers were most likely to be pregnant. In the 9 years since that story, the data mining and analytics methods at the disposal of companies like Facebook have advanced in leaps and bounds.

What Can You Do About Shadow Profiling?

The sad fact is that we can’t do anything about the technology itself and, unless you’re willing to become an off-grid hermit, there’s no practical way to keep your personal data off the internet. What we can do is influence the laws that govern how and when companies can gather information on us.

There are privacy laws in the real world that, for example, describe in which situations someone can take a photo of you without your consent. There are legal descriptions of what reasonable expectations of privacy are. While it may not feel like it, we are still in the early age of the internet. If social media platforms were people, none of them would be old enough to drink! In other words, we’re still figuring out the rules as we go and regular users can lobby their representative lawmakers to push for pro-privacy laws that protect average individuals.

You can also carefully read the privacy policies of the services you use, especially when it comes to how and when they share your information with third-party entities like Facebook. That includes when privacy policies are updated! If you find anything in the privacy policy that you’re not comfortable with, vote with your feet and walk away.

Sydney Butler
Sydney Butler has over 20 years of experience as a freelance PC technician and system builder. He's worked for more than a decade in user education and spends his time explaining technology to professional, educational, and mainstream audiences. His interests include VR, PC, Mac, gaming, 3D printing, consumer electronics, the web, and privacy. He holds a Master of Arts degree in Research Psychology with a focus on Cyberpsychology in particular.