Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Facebook Privacy Social Networks

Mark Zuckerberg Denies Knowledge of Non-Consensual Shadow Profiles Facebook Has Been Building of Non-Users For Years 235

It has been widely reported that Facebook builds profile of people even if they have never signed up for its services. However, in a hearing with the House Energy & Commerce Committee on Wednesday, when New Mexico Representative Ben Lujan asked Facebook CEO Mark Zuckerberg if he was aware of the so-called practice of building "shadow profiles", Zuckerberg denied knowledge of it. Here's the exchange: Lujan: Facebook has detailed profiles on people who have never signed up for Facebook, yes or no?
Zuckerberg: Congressman, in general we collect data on people who have not signed up for Facebook for security purposes to prevent the kind of scraping you were just referring to [reverse searches based on public info like phone numbers].
Lujan: So these are called shadow profiles, is that what they've been referred to by some?
Zuckerberg: Congressman, I'm not, I'm not familiar with that.
Lujan: I'll refer to them as shadow profiles for today's hearing. On average, how many data points does Facebook have on each Facebook user?
Zuckerberg: I do not know off the top of my head.
Lujan: Do you know how many points of data Facebook has on the average non-Facebook user?
Zuckerberg: Congressman, I do not know off the top of my head but I can have our team get back to you afterward.
Lujan: It's been admitted by Facebook that you do collect data points on non-[Facebook users]. My question is, can someone who does not have a Facebook account opt out of Facebook's involuntary data collection?
Zuckerberg: Anyone can turn off and opt out of any data collection for ads, whether they use our services or not but in order to prevent people from scraping public information ... we need to know when someone is repeatedly trying to access our services.
This discussion has been archived. No new comments can be posted.

Mark Zuckerberg Denies Knowledge of Non-Consensual Shadow Profiles Facebook Has Been Building of Non-Users For Years

Comments Filter:
  • by Anonymous Coward on Wednesday April 11, 2018 @01:06PM (#56418975)

    He doesn't deny knowledge of it, he says they do! And he just doesn't have the data on hand. Sheesh, what a misleading title.

    Everyone knows Shadow Profiles are real, that is how they know all the info they do when you sign up.

    • by Anonymous Coward on Wednesday April 11, 2018 @02:07PM (#56419363)

      I myself have never ever signed up for Facebook. I have never wanted it. But, I have several friends that have an account. One photo taken at a Christmas party was tagged with my name even though I have no account. When viewing Facebook from another friend, they get my name on photos from friends we have in common. I know it happens.

      • All that means is simply that your "friend" told Facebook the name that goes with the face. Having a name associated with a photo isn't quite the same as a shadow profile (at least the way people usually mean it, though I guess you could make an argument that it's a rudimentary version of one).

        But that doesn't mean the name in the photo is associated with the cookie that you're sent every time you load a page with a "like" button. It could happen, but I don't know if anyone has presented evidence that it d

    • I think he denied the vocabulary word "Shadow Profile", which is reasonable to do since the term has no accepted definition in his context. A definition was asserted (which may or may not correlate to common parlance), and he admitted to doing what was asked.

      I'm not sure there's anything to see here, except maybe the congressman asked the wrong question or asserted the wrong definition. I'm thinking the latter.

      • by Sarten-X ( 1102295 ) on Wednesday April 11, 2018 @03:00PM (#56419735) Homepage

        It seems to me that the congressman had a particular narrative he wanted to fit.

        "Shadow profiles" sounds scary and mysterious. In a previous big-data job, I used the term "unassociated data" to describe when we had a connected set of records that didn't match any known individual. They still existed as records, and we didn't discard them... but they weren't anything personally identifiable until we stumbled across a record that tied them to known individuals (and when that happened, our term for that connecting record was the "decoder ring").

        • After having a quick look at this [theverge.com] I am wondering if this is not a good way to get Facebook to give more in campaign contributions, as it says they have spent $7 million over the last 12 years, which sounds like almost nothing.
          It could be seen as "We will make your life uncomfortable regularly unless we get more of that sweet, sweet cash".
          After all, the way Facebook runs its business is none of congress' business.
    • by mysidia ( 191772 ) on Wednesday April 11, 2018 @03:27PM (#56419887)

      Yes..... But in the Slashdot summary Zuck seemed to be conflating "Shadow profiles of Non-Users" with
      "History of pages viewed by IP addresses visiting Facebook.com without logging in"

      Implying that the "Shadow profile" was required for a security purpose is deliberately deceptive (IMO).... If you visit Facebook.com you're an "Anonymous Facebook user"

      Whereas a "Shadow Profile" is not IP addresses/"knowledge when someone is repeatedly trying to access our services."
      BUT Shadow profiles are Personal Information collected through 3rd party sources about real persons who have never created an account or personally provided the information directly on Facebook.com.

    • He doesn't deny knowledge of it, he says they do! And he just doesn't have the data on hand. Sheesh, what a misleading title.

      Everyone knows Shadow Profiles are real, that is how they know all the info they do when you sign up.

      He is denying that he has any knowledge of the shadow profiles.

      Lujan: So these are called shadow profiles, is that what they've been referred to by some?
      Zuckerberg: Congressman, I'm not, I'm not familiar with that.
      Lujan: I'll refer to them as shadow profiles for today's hearing. On average, how many data points does Facebook have on each Facebook user?
      Zuckerberg: I do not know off the top of my head.
      Lujan: Do you know how many points of data Facebook has on the average non-Facebook user?
      Zuckerberg: Congress

      • Nice to start your quote on the line after the statement from Zuckerberg acknowledging the existence of such profiles. He of course obfuscated as much as possible with the red herring of security.

        All he denied was being familiar with them being called "shadow profiles" (which does seem a rather unlikely name for them to be called internally) and knowing how many data points they have on average.

  • Wow (Score:5, Interesting)

    by Chris Mattern ( 191822 ) on Wednesday April 11, 2018 @01:09PM (#56418999)

    "Congressman, in general we collect data on people who have not signed up for Facebook for security purposes to prevent the kind of scraping you were just referring to [reverse searches based on public info like phone numbers]. "

    So, then, you're telling us that you're collecting the data to ensure nobody is collecting that data, is that correct?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Of course. The data is valuable. Facebook wants it, and Facebook doesn't want screen-scrapers to get it.

      It makes perfect sense.

      • Won't stop them. They can slow down the screen scrapers, cost them money, but that's all.

        Especially now that facebook is restricting it's API. So now phone apps will scrape directly and upload to their servers. Especially unauthorized by facebook phone apps.

  • by sinij ( 911942 ) on Wednesday April 11, 2018 @01:11PM (#56419015)
    I don't understand why they left him off the hook so easily on this point. They could never collect consent from someone that didn't sign up for FB, so how is data collection could be legal?
    • Re: (Score:3, Insightful)

      by OrangeTide ( 124937 )

      I don't consent to political campaigns calling me up during election season. But there are public records and they've been doing this for decades. That you have some right to not have your public information accessed is some new right that currently does not exist in US legal code. Perhaps congress will write a new law, but until then it's a bit premature to get upset over something that we've tolerated for so long. (or at least spread your outrage out among the many marketing and political firms that have

      • by sinij ( 911942 ) on Wednesday April 11, 2018 @01:24PM (#56419105)
        Ted Stevens, is that you posting from beyond the grave? Because comparing digital tracking FB does to a publicly-listed PSTN number is rather flawed comparison.

        A better comparison would be a third party wiretapping your phone, creating a list of everyone you calling to, then selling such list for profit.
        • A better comparison would be a third party wiretapping your phone, creating a list of everyone you calling to, then selling such list for profit.

          I think that's not a good example, if they were doing that then hopefully people go to jail.

          I think a better comparison is wiretapping all of your friends and associates who all consented to it, and recording their side of the conversation, and interpolating things about you and your actions from the references. Then associating that with publicly available infor

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Political campaigns don't get to look at the phone and email contacts of people on their lists. Facebook does precisely that. I must have missed the part about how that is public information.

      • by bluefoxlucid ( 723572 ) on Wednesday April 11, 2018 @02:13PM (#56419391) Homepage Journal

        I don't consent to political campaigns calling me up during election season. But there are public records and they've been doing this for decades

        Actually, we can't use them.

        To call or e-mail you, I have to purchase a list of contact data from an appending service. These in turn get them from data warehouses, who get them by purchasing from organizations who directly connect with those persons.

        You know that thing where your contract says your information "may be shared with partners" or some such?

        You sign up for a service or donate to a charity. Hell, a politician knocks on your door and you sign up for their Web page.

        They build a giant database of contact information and voter/donor/volunteer/user/etc research.

        That information gets shared or sold to other organizations--two wildlife charities might mutually exchange their lists under NDA so they both benefit from greater access to donors.

        The information not under such sharing generally gets sold.

        We pay 3 cents per successful record append to turn your voter history (purchased from the State for use only in conjunction with a political campaign) and information into contact info. Name and address go in, phone numbers and e-mails come out. Donor information, social networking profiles, and the like might come along with that, too.

        Yes, you consented to this. Unfortunately, we let people consent to far too much without requiring them to understand the ramifications, or putting a timer on that data so it has to go away after a few years. We should have a small number of certified data warehouses who can buy, aggregate, and provide information, with limits on where it can come from, how long it can be stored, and how aggregate information can be disseminated. instead, everyone is a data warehouse, and they sell and distribute the information however they want.

        It's really a question of what we can give up. There's likely a sweet spot where you've only lost a little functionality, and can work around that easily, while gaining plenty of privacy; and then there's that last bit of privacy to gain, but cutting deeper starts rapidly shoving us back into the 90s where all this convenience wasn't around while not protecting us very much more at all. The first step is to identify that range and abut up to it; the second is to determine what protections we need and what we have to sacrifice to get them.

        The most extreme example would be eliminating so much data sharing that OAUTH2 isn't a thing: you can't sign up to services with Google or use things like Disqus because of strict data privacy laws preventing the kind of sharing that this requires. Obviously, we're not going that far: those kinds of conveniences require very little data sharing, and it's obvious what's shared of the necessary things (i.e. your e-mail address, or some unique identifier; if it fills in your name, you can actually see that).

        I'm most-concerned with background collection and retention. You got on Slashdot. Slashdot has a Facebook log-in thing. Facebook is able to track your activity here because there's a Facebook pixel--even if you're anonymous. That's stuff around which we need strict controls and won't lose much for it, so that's going right at the top of my list.

        • You know that thing where your contract says your information "may be shared with partners" or some such?

          Yes. I've always declined. And I'm on the do-not-call list. But these campaign guys still find me, and somehow are exempt from most of the rules that private business must adhere to.

          We pay 3 cents per successful record append to turn your voter history (purchased from the State for use only in conjunction with a political campaign) and information into contact info. Name and address go in, phone numbers and e-mails come out. Donor information, social networking profiles, and the like might come along with that, too.

          Kind of my point. conceptually no difference, even if you use different mechanisms for the processing and scraping of information.

          • Kind of, but not really. Public information (e.g. FEC donor data) can't be used for leads; we legally have to get a lead, then use public information to correlate. That's why there's this whole Rube Goldberg machine of subscriber list sharing and sale.

            The Federal DNC registry doesn't apply to politicians, although I filter my lists anyway (I'll put those folks last, and I'll leave off the non-voting donors if I'm well-funded; voters are frequently happy to talk to someone about their needs anyway). Robo [robokiller.com]

            • You're encouraging me to mail my political donations anonymously. I'm not sure if a campaign is even allowed to accept an envelope with a $10 bill in it and no return address.

              Democracy is fine, I'll participate up to the point it interferes with me being a recluse.

              • Legally, we have to go and make a best-effort attempt to get the name, address, and employer of the donor. If the contribution is small enough, it's kept; if not or it's suspected illegal, it's disbursed by either returning, not cashing (check), or donating to charity or the US Treasury for deposit in the General Fund.

                My point was more that a large volume of calls is a public nuisance, whereas a small volume of calls is likely not worth your effort to try and get rid of, and you may as well just wave th

    • They aren't really smart enough to do anything but grandstand. They may as well be grilling a physicist about quantum theory. They know they don't know anything. The least they could do is try to look important during this historic occasion.
    • From the exchange:
      I think this point is a bit pathetic. If you visit the facebook site, they collect your ip/mac address so they can tell if you are accessing an unreasonably large number of pages, or trying to brute force someone's password. Big deal. Don't visit the facebook site if you don't want that data collected.

      On the other hand if it is more than that, like building up a profile of you from third party sites or intentionally building a profile from what other people post about you then that is bad.

    • I don't understand why they left him off the hook so easily on this point. They could never collect consent from someone that didn't sign up for FB, so how is data collection could be legal?

      Oh yeah, the bribes.

    • by SeaFox ( 739806 ) on Wednesday April 11, 2018 @03:56PM (#56420049)

      They could never collect consent from someone that didn't sign up for FB, so how is data collection could be legal?

      "Anyone can turn off and opt out of any data collection for ads, whether they use our services or not"

      I'd like to know how one would go about opting out of data collection on Facebook if they don't use the service.
      If it's a [shadow] profile they have no personal access to, how do you change preferences on it?

    • Whenever I'm asked for my name for some trivial reason (maybe the barber wants it for their database) I give the same fake details. I'd love to know if the fake me has a shadow profile. It's hard to believe his details haven't been sold by now.
    • from Facebook. What's not to understand?
  • Nose Growing (Score:4, Insightful)

    by FerociousFerret ( 533780 ) on Wednesday April 11, 2018 @01:14PM (#56419039)
    Zuckerberg's nose is growing. Just sayin'
    • Not so sure.

      we need to know when someone is repeatedly trying to access our services.

      It is trivial to define "trying to access our services" as "visiting any page with a facebook link/like button on it". So you know, like /.. Or just about any other major website out there.

  • by FudRucker ( 866063 ) on Wednesday April 11, 2018 @01:14PM (#56419041)
    because his lips are moving, he is the biggest liar in washington right now
    • by Shark ( 78448 )

      He doesn't care. I don't even think he's under oath. There are no real consequences to him for lying.

    • Lips?

      more like:

      "labial attachments designed to obfuscate mastication devices, which can be retracted to mirror a range of human-like emotions such as levity or agitation."

  • by grasshoppa ( 657393 ) on Wednesday April 11, 2018 @01:14PM (#56419043) Homepage

    How is collecting data on non-users helpful in preventing reverse searches? It would seem to me that by not having that data non-users are best protected from searches?

    • by JesseMcDonald ( 536341 ) on Wednesday April 11, 2018 @01:20PM (#56419081) Homepage

      Zuckerberg was speaking of data which would be relevant for information security—things like IP addresses and access logs—which of course has absolutely nothing to do with these hypothetical "shadow profiles" Lojan was asking about. A simple case of miscommunication, or a well-executed bit of deflection? You decide.

    • How is collecting data on non-users helpful in preventing reverse searches? It would seem to me that by not having that data non-users are best protected from searches?

      I think he was saying that somehow collecting data on non FB users prevents the non users themselves from scraping data.

      Or something. I'm not sure it was actually English.

  • by FudRucker ( 866063 ) on Wednesday April 11, 2018 @01:18PM (#56419075)
    then how can they opt out from getting their data collected?

    i think facebook should be shut down, all their computer hardware confiscated and run through a shredder and the employees personal computers and other gadgets searched for other people's personal info and if any is found they should be investigated for identity theft
    • [if someone does not have a facebook account] then how can they opt out from getting their data collected?

      By not visiting Facebook. He's talking about website analytics and nothing more.

      • By not visiting Facebook.

        Or any of billions of sites with a FB widget? Please try to understand the issue.

  • by Impy the Impiuos Imp ( 442658 ) on Wednesday April 11, 2018 @01:19PM (#56419079) Journal

    Lujan: I don't have a Facebook account. What does your shadow profile of me say?
    Zuckerberg: Just a sec...it says you enjoy viewing Natalie Portman on Wikibellybutton.
    Lujan: Wtf, I just jer...did that for the first time last night!

  • by argStyopa ( 232550 ) on Wednesday April 11, 2018 @01:21PM (#56419093) Journal

    "Zuckerberg: Anyone can turn off and opt out of any data collection for ads, whether they use our services or not... " ...how, precisely do I turn off and opt out of FB data collection without signing up for FB?
    I'm rather curious.

    • by fahrbot-bot ( 874524 ) on Wednesday April 11, 2018 @01:38PM (#56419189)

      "Zuckerberg: Anyone can turn off and opt out of any data collection for ads, whether they use our services or not... " ...how, precisely do I turn off and opt out of FB data collection without signing up for FB? I'm rather curious.

      It's a simple On/Off setting in your Shadow Profile, but you have to log into FB to change it.
      You can find it on the Catch-22 [wikipedia.org] settings page.

  • by mi ( 197448 ) <slashdot-2017q4@virtual-estates.net> on Wednesday April 11, 2018 @01:53PM (#56419291) Homepage Journal

    With all the hate suddenly piled up on the company, someone has to point out, that they've done nothing illegal. Not even unethical — certainly, not grossly so.

    The information they keep about people was given to them voluntarily — either by users themselves, or by their friends and acquaintances. And what they now know, they are free to share — sell, give away, publicize, it is up to them.

    Contrary to frequent assertions by the weaker-minded, there is no "right to be forgotten".

    This whole "grilling" and questioning is quite extraordinary and barely constitutional, for it has most of the markings of a criminal prosecution without any crime.

    That said, Zuckerberg does seem like a dork and an "accidental" billionaire, without the faculties, abilities, and guts normally necessary to achieve the power he wields.

    • by NichardRixon ( 869899 ) on Wednesday April 11, 2018 @03:45PM (#56419973)

      "The information they keep about people was given to them voluntarily — either by users themselves, or by their friends and acquaintances. And what they now know, they are free to share — sell, give away, publicize, it is up to them."

      I disagree. Most of the people who provided the data to Facebook had no idea that it could be used in the way it is. Most Facebook users still don't know what's being done with their data, and that's exactly the way Facebook wants it. To say that these people willingly handed it over is like saying people scammed during the savings and loan scandals should have known better. When is the last time you read three or four pages of fine print legalese before signing up to use a website, or when applying for a mortgage? Even if you're determined to read it, you won't fully understand it unless you're a lawyer.

      And when they scrape copies of every text message you sent with your cell phone, back when they could do it without asking; when they collected the names and phone numbers of all of your contacts; when they kept logs of who and when you call; when they keep logs of where you've been day after day out using location data from your phone--when they store all of this information, combined it with data from your Facebook profile, then put AI engines to work on it--I would say that those actions were all illegal invasions of privacy. Zuckerberg and friends should be tried for illegal eavesdropping.

      And when that's done, they should start on Google and Microsoft . . .

      Some people worry about what will happen when computers get smarter than people. They don't realize that it's already happened. AI can process huge volumes of data that humans could never hope to handle. The insights/information that can be derived from the kind of data that Facebook and Google keep boggles the mind. But don't believe me. Google it for yourself and you'll see. Maybe start with 'psycho-analytics'.

      • by mi ( 197448 )

        Most of the people who provided the data to Facebook had no idea that it could be used in the way it is

        These people's ignorance is not a reason to blame Facebook for anything.

        To say that these people willingly handed it over is like saying people scammed during the savings and loan scandals should have known better

        Except, no one has been scammed by Facebook. "Information can not be stolen" — remember [slashdot.org]?

        And when they scrape copies of every text message you sent with your cell phone ...

        They could only do

  • "Lujan: I'll refer to them as shadow profiles for today's hearing. On average, how many data points does Facebook have on each Facebook user?
    Zuckerberg: I do not know off the top of my head."

    This is actually an interesting question, and the answer is probably very complicated. The answer is probably a multi-dimensional vector that the congressman wouldn't understand if Zuckerberg tried to explain it.

  • by NichardRixon ( 869899 ) on Wednesday April 11, 2018 @02:12PM (#56419387)

    Zuckerberg took maximum advantage of the fact that the questions came from people mostly lacking the technical knowledge to judge his responses. For example, when asked if Facebook could track users across devices, he acted as though he didn't know. Is there anyone here who believes that? I wish we could ask him a few questions on Slashdot!

    Zuckerberg also said that Facebook doesn't share user data, just uses it to predict which advertisements users are likely to respond to. In that case I'd really like to see what gets sent when someone uses Facebook to sign into a third party website.

    • by Zmobie ( 2478450 ) on Wednesday April 11, 2018 @03:23PM (#56419865)

      Your first point is basically what they were banking on. Most of Congress lacks the technical expertise to verbally spar with him on most of these issues. He is employing the tactic every software engineer ever has when talking to non-tech executives. Plead ignorance to simple but damning questions and give overly complex answers to others such that management won't understand and doesn't want to look stupid. I really wish they would have pulled in some of his engineering leads that HAVE to be familiar with the product implementation so he couldn't plead ignorance so easily.

      You second statement I think he was just abusing the double meaning. They aren't sharing data in the sense of a business deal where they get paid for the data, but they absolutely know they share a ton of information with developers and anyone plugging into the site to provide "enhancements" to their service.

  • by chispito ( 1870390 ) on Wednesday April 11, 2018 @02:14PM (#56419403)
    I don't know what a shadow profile is, but collecting data on anonymous visitors to your website is not a privacy violation, it's practicing security.

    I'm surprised that the comprehension around here seems to be about on par with the congresscritters.
    • Yup. "Turn on logging for everything that has it (And add it if it doesn't.), and dump it all into Splunk/Kibana/etc." is pretty much the first and automatic instinct for anyone after the first time they have to debug something where the previous guy failed to do so. And while you may off-load data to frozen buckets or glacier or wherever, you certainly don't throw data away, unless you're scrapping the entire system. (And even then...).

      It's kind of a no brainer if you've ever actually done honest and pro

  • Anyone can turn off and opt out of any data collection for ads, whether they use our services or not.

    It's far from obvious to me how he thinks I can do that.

    Does he mean I sign up for an account, click some boxes, and then never use the service again?

    Anyone who identifies themselves to Facebook can turn off and opt out of any data collection for ads we are currently displaying, whether they ever use our services again or not.

    Or does he image that the HTTP specification has an explicit provision for a header

  • by najajomo ( 4890785 ) on Wednesday April 11, 2018 @02:46PM (#56419637)
    By contracting with companies to plant invisible trackers known as WEBBUGs on their web sites, such as these that are pinged every time you click on a techcrunch.com page:

    cdn.tinypass.com/
    d1z2jf7jlzjs58.cloudfront.net/
    dashboard.tinypass.com/
    dpm.demdex.net/
    geo.yahoo.com/
    o.aolcdn.com/
    p.typekit.net/
    plugin.mediavoice.com/
    s.sa.aol.com/
    s.yimg.com/
    sb.scorecardresearch.com/
    stats.wp.com/
    use.typekit.net/
    www.google-analytics.com/
    www.npttech.com/

    And these ones that are pinged when you click on a slashdot article:

    a.fsdn.com/
    ads.pro-market.net/
    analytics.slashdotmedia.com/
    cdn-social.janrain.com/
    cdn.taboola.com/
    consent.trustarc.com/
    d1o5u7ifbz3swt.cloudfront.net/
    ml314.com/
    rpxnow.com/
    snap.licdn.com/
    ssl.google-analytics.com/
    tag.crsspxl.com/
    www.stack-sonar.com/
  • by schwit1 ( 797399 ) on Wednesday April 11, 2018 @02:53PM (#56419687)

    Zuckerberg says he is not familiar [grabien.com] with Section 230 (the law that protects ISPs from liability for third-party content.) That would be like the CEO of SmithKline saying he doesnt know anything about pharmaceutical testing rules.

    If his lawyers after all this time never briefed him on Section 230, he is either lying, willfully ignorant, or being poorly served by his legal team.

  • but the congessman who asked if Zuck would mind sharing what hotel he was staying made me laugh. Zuck said he would prefer not to. Hilarious. Maybe the congressman should have known and mentioned it in a followup question. Just to see how Zuck reacted to his personal info being shared.

  • by sacrilicious ( 316896 ) <qbgfynfu.opt@recursor.net> on Wednesday April 11, 2018 @03:58PM (#56420057) Homepage

    Lujan: It's been admitted by Facebook that you do collect data points on non-[Facebook users]. My question is, can someone who does not have a Facebook account opt out of Facebook's involuntary data collection?

    Zuckerberg: Anyone can turn off and opt out of any data collection

    HOW? How can someone, who isn't a facebook user, opt out of this data collection? If by "turn off" he means "not use the internet", that's not an answer. Zucktard.

If all else fails, lower your standards.

Working...