[numair]

Just so people are clear --

Even if you are not using Facebook, even if none of your friends ever use Facebok or tag you in any content, Facebook is maintaining a shadow profile on you. They have your web browsing habits from the Like button, and in many countries (such as the United States) they have bought data from data brokers such as Datalogix to gain access to your grocery store purchases and other data. They can sell you as an audience on behalf of other sites/apps if they choose (they aren't doing this now, but they could), and they can continue to use third party mechanisms to keep close tabs on you. They might not know you by name, but they definitely know you by many other identifying traits.

I would be very interested to see the results of a European data request by a non-Facebook-user in a country where Facebook has been aggressive in cutting data brokerage deals. Maybe the UK or something. We can get a lot of feel good rhetoric from the company's PR and employees, but nobody really knows what is collected and stored. (Of course, the company could say "we don't have data for anyone with that name," which would be factually correct.)

There is another comment here that is completely wrong in asserting that Facebook only tracks you insomuch as is required to help your friends make use of the site. This fantasy notion might make people feel better about making use of the site -- sort of like how consumers of H&M will reason that "those Bangladeshi girls really needed the job" -- but it isn't the truth.

[the8472]

> Even if you are not using Facebook, even if none of your friends ever use Facebok or tag you in any content, Facebook is maintaining a shadow profile on you.

That's a more general flaw with the current web. Just look at how much 3rd party content is embedded into almost any site. A good chunk of them are user trackers. Facebook is just one among many.

I think we need stronger compartmentalization in the web. The iframe sandboxing + message-channel APIs is a good start to isolate things and minimize information leakage, sadly that doesn't help with libraries loaded from CDNs. Mozilla's contextual identities is another approach[1]

[1] https://wiki.mozilla.org/Security/Contextual_Identity_Projec...

[stickfigure]

You had me right up until the Bangladesh jab. Yes, it turns out that those Bangladeshi girls really do need the jobs:

http://www.npr.org/sections/money/2013/12/03/247360855/two-s...

The whole series on the making of tshirts is amazing: http://www.npr.org/shirt

[tombrossman]

Facebook explicitly deny creating 'shadow profiles' and I'm not aware of any proof that they do so, have I overlooked this somehow?

I was interested in this too, and I'm in Europe and submitted a formal request for data. I've never used Facebook but because I'm active in a number of community groups, my name comes up on the occasional Facebook page and I'm in photos taken at some events.

At the time I was using a catchall email address so I entered facebook@(my-domain-dot-tld) which is all they used to search for a match. Because that wasn't a real email address I wasn't surprised that in their response they claimed to hold none of my personal data, though that seems a bit weaselly.

Here is their email reply from 2013:

Hi,

We've received your request for information about the possible storage of your personal data.

There isn't a Facebook account associated with the email address from which you are writing. This might be because you don't have a Facebook account or because you already deleted your account. In either of these cases, we do not hold any of your personal data.

Please refer to our Privacy Policy (also called “Data Use Policy”) for more information:

https://www.facebook.com/about/privacy

It contains a description of: - The categories of data being processed by Facebook - The personal data that Facebook receives from Facebook members - The purpose or purposes of the processing of such data - The source or sources(s) of the data, if known - The recipients or categories of recipients to whom Facebook members’ personal data are or may be disclosed

If you're referring to an account associated with another email address, please use that email address to file a new request:

https://www.facebook.com/help/contact/?id=166828260073047

Once we receive your request, we'll take further steps to assist you.

Thanks, The Facebook Team

[DanBC]

I suspect that you need to ask a very specific question to get Facebook to reveal what they collect about you.

And I think there's a bunch of information that the EU does think is personal that Facebook thinks is not personal.

We probably need some researchers to send a bunch of requests in for different types of data.