
You Might Have an Invisible Facebook Account Even if You Never Signed Up - pessimizer
http://www.groovypost.com/news/facebook-shadow-accounts-non-users/
======
novum
Is this it? This is our brave new world of pervasive data gathering, social
network analysis, and the dying gasp of any shred of privacy? This is the
future we've built for ourselves?

I haven't had a facebook account for 3 years. I'm certain FB has a shadow
profile for me today and there's nothing I can do about it. My friends don't
understand (or don't care about) the implications of everything they do online
being tracked, in minute detail, and stored indefinitely.

Real-time indefinite mass surveillance is a fact and yet failed to galvanize
the public into action. What can I do other than allow the cynicism to take
hold and become a recluse?

I earn my livelihood from technology. I want to believe technology has great
potential for medicine, exploration, and improving the human condition. The
cognitive dissonance has to give somewhere.

~~~
hyperplane
You think _your_ cognitive dissonance is bad? You're heaps ahead of where the
people that "don't care" are. I try to evangelize privacy to friends and
family all the time, and 60-80% of the time I am written off or ignored.

Most people don't seem to want to accept the fact that something terrible may
ever happen to them, and will gladly drown out the pain of dealing with a
potential future threat to prolong happiness in the short-term. How's that for
dealing with cognitive dissonance? After all, the easiest way to remove the
dissonance is to render the counterargument false without resorting to reason
that might shake your emotional foundations.

As for your own cognitive dissonance: I don't believe that you are death,
destroyer of worlds, by default just because you have the ability to build
technology, no more so than a man with the capacity to develop firearms is by
default a murderer. Improve the human condition, engineer systems toward that
goal, and just pay more attention to the question of "what would somebody evil
possibly use this product for?" and try to mitigate against the evil bits.

If you are terrified of ever having unintentionally built a weapon, then it is
best not to be an engineer at all, as nearly every tool can be weaponized in
the right environment with some degree of effectiveness by someone that means
harm.

~~~
Jupe
I have the same issue with the 60-80% - trying to convince others of the deep
evil that can (and when there's a bad quarter probably will) be done.

I generally let people know how absolutely permanent this stuff really is...
More permanent than a tattoo. The information people put on facebook will,
like it or not, outlive your grand kids.

------
jacobquick
I actually got a peek at Facebook's behavior maybe 5 years ago when I signed
up to beta-test a video game. They had used the Facebook login API for their
beta forums without marking it on their site, so signing up for the game
signed me up for Facebook.

Suddenly all the Facebook ads everywhere knew my name. Three weeks and about
40 emails to "update my Facebook profile" that I reported to Gmail as phishing
later, I received the dubious honor of being banned from Facebook without ever
using it.

I threw all their domains into loopback in my hostfile at home and haven't
seen their site or ads on that machine since, but if I log into LinkedIn in my
work browser it starts all over again, so I've figured for a while there's
probably also an account for everyone who has LinkedIn.

~~~
kamjam
I have the same feeling about LinkedIn! I only recently signed up for
LinkedIn, about a year ago, using my GMail address I use for job-hunting
purposes. I've had this account since circa-2008 but I ONLY use it for work
purposes (since it's a bit more professional sounding). I also have another
GMail account which I have had for much longer and shared amongst friend and
some old colleagues.

When I signed up for LinkedIn, I put in my name and "work" email address and
straight away, without me having provided any other piece of information it
was suggesting people I may know. It was not possible that it could have
shadow guessed this from my email since those colleagues don't have that one,
but both my GMail accounts are linked so I wonder if that was the weak point.
Definitely something strange going on and it scared me somewhat...

I should also note that at no point did I use the "find my friends" type
feature and give it access to my GMail to mine my contacts either.

~~~
reinhardt
LinkedIn's "people you may know" is notorious for its creepy accuracy. Not
only colleagues, current and past, but friends, acquaintances, ex girlfriends,
university professors, landlords, hairdressers and more.. The least paranoid
explanation is that, unlike me and you, many others click "find my friends"
and let LinkedIn slurp their thousand-entries address books.

~~~
kamjam
I imagined so too, but what were they basing this match on? The people they
were suggesting did not, or at least should not, have had this particular
email address since it was created after I had worked with them. They only
ever emailed (for group meetups/drinks) on my "personal" email address.

Now I can recommendations for other people in the same company, previous
colleagues who were at the same company at the same time, "friends of friends"
and all that makes sense. But creepy as you say. Maybe the guys who wrote the
algorithm now work for the NSA...

~~~
narag
The connection point might be your name.

------
argumentum
The main invasion of privacy here is your friend(s) agreeing to give Facebook
(a 3rd party) your information without asking or informing you. This is
analogous to Facebook giving the government (a 3rd party) your information
without asking or informing you.

~~~
dmead
i brought this up when my family using the "family tree" app a few years ago.
they kept marking their familial relations online for all to see, for free and
in great detail.

needless to say, i was met with blank stares when i brought this up.

~~~
fsckin
You're worried about family tree data? Births, marriages, deaths, etc are all
_public_ information.

This data should be free and open instead of behind pay walls or locked away
in a records office or library.

Google combinations of your full name, father/mother and birthdate in various
formats and you might be pleasantly surprised how much is out there.

~~~
pessimizer
>You're worried about family tree data? Births, marriages, deaths, etc are all
public information.

Not databased and internetted they're not. The lion's share of that data on
living people (not to mention dead people) is probably only on paper, and to
get pieces of it often required a written request.

Not to Godwin too hard here, but that's exactly the information that the Nazis
and IBM used to detect Europeans who were descended from Jews but who didn't
self-identify as Jewish.

~~~
mpyne
Re: Godwin, which solution is more "brittle"?

Keeping the next fascist government from gaining control of the state, or
somehow managing to keep _all_ people and companies from retaining any extra
data about you?

This isn't to say that we should allow companies to maintain extra data, but
if that is your defense against the next Nazis you're screwed before you
start, for the same reason that we say writing secure code in C and most C++
is a Bad Idea. It's impossible to do even for well-trained, very smart people
who are trying to do the right thing.

On that note, doesn't the state _already_ have the majority of PII on you just
for tax purposes alone?

~~~
pessimizer
I'm not defending against the Nazis, just noting why somebody might be alarmed
that their connection to every member of their family is being published on
the internet.

------
xpose2000
Let's think of a typical use case where a "shadow profile" is useful.

Let's say my friend Jane is on facebook. She has my phone number on her phone
with my first name. Facebook notices that this phone number is not linked to
any other accounts, therefore I must not be registered.

Fast forward two months, and I decide to sign up for facebook. I put my phone
number in (as a form of password recovery I believe) and it automatically asks
me if I'd like to add Jane.

"Shadow profile" sounds scary, but in actuality it's just the modern web at
work.

~~~
jerrya
No, that's how modern privacy invasion works.

After Facebook scanned Jane's phonebook, and made the invites Jane asked,
Facebook should have deleted your phone number.

~~~
mason240
You are going to be in for a real shock if you ever see a phone book. Pages
upon pages of names matched with phone numbers!

~~~
GauntletWizard
It's a relatively new idea, the modern expectation of 'privacy', and one
that's completely out of touch with reality. It's only within the past hundred
years that most people did not know everyone in their town - Even in cities,
you probably shopped at a small set of stores and were known by name by the
clerks. Technology has caught up, and now it's possible for shopkeeps to know
your name again.

~~~
pessimizer
I'm still known by the clerks of the stores in my neighborhood. That's
completely orthogonal to this.

The reason this type of discussion of privacy wasn't being had 30 years ago is
because 99.9% of the things we did 30 years ago were private, outside of
getting arrested as an adult and, eventually, drivers' license info. If I
didn't want to be recognized while buying birth control or hemorrhoid
medication, I would just have to go to a store that I didn't usually go to.

Also, of course, 1890:
[https://en.wikipedia.org/wiki/The_Right_to_Privacy_%28articl...](https://en.wikipedia.org/wiki/The_Right_to_Privacy_%28article%29)

------
Raphmedia
Serious question here. Why should I care?

Convince me why I should close my facebook account. Why I shouldn't purposely
feed google with infos. Why I shouldn't answer to phone surveys.

Hell. I /like/ having accurate ads on the web. I like reading meaningful spam
that sells me the products I want for half the price.

Anybody can already look up my name on 411 and get all my infos. Why should I
care if the big corps also gather it to sell me meaningful stuff? It's not
like they could use magickal voodoo power based on those infos to brainwash
me...

~~~
diydsp
You meet $g at a caffeinated yogurt startup tasting party. You want to form an
intimate relationship with person $g. $g looks you up on SureEros.com and
finds a bogus profile for you claiming you actually don't like milk products
or stimulants. $g figures you lied to get into $g's pants and you look like a
lamer.

Race or religion $x takes over a large portion of the local government. You
belong to race or religion $y. All of your friends tell facebook you're a $y
and their clever algorithm confirms it based on your last name, which you
actually only acquired when your father remarried into your stepmother's
caffeinated yogurt family enterprise. Local, infiltrated gov't decides to
launch a pogrom against $x. They come and get you.

You apply for a job at $q. All of your friends have been telling linkedin
you're good at $r. You have no profile at linkedin. You show up at the
interview. They say, "Well you have lots of $r experience, but we consider
that wasted time, you probably picked up bad habits doing $r. We want someone
who's spend more time on $q than $r and who doesn't lie about fermented dairy
and alkaloids."

How do I come up with these scenarios? What is my formula? It's based on an
article I once read by a Canadian politician who described the right to
privacy as simply the right to not be known before someone actually meets you,
to have no false representations before you. (And then I added details about
yogurt and caffeine b/c that's what I'm consuming this morning and afternoon.)

~~~
VMG
You present a compelling case for having profiles on major social network
platforms, with you controlling the shared information.

I also don't know why I should desire to work at company $q which is has a
completely incompetent hiring department.

And governments are pretty good at progroms and determining ethnicities
without using social media platforms - they've done this literally since dawn
of time. If you add this scenario, you'll need to add the increased sharing of
information about the government that is happening through facebook and the
fact that governments are _banning_ access to social media whenever they are
up to something shady.

> the right to privacy as simply the right to not be known before someone
> actually meets you

Then you need to ban gossip as well.

~~~
greyfade
> I also don't know why I should desire to work at company $q which is has a
> completely incompetent hiring department.

Then you should not try getting a job at all, since many companies have
similarly incompetent HR departments, which gather background information on
you that you might not otherwise wish for them to use when weighing your
application.

~~~
VMG
I've never seen a company I've wished to work for that cared about my Facebook
profile.

Companies that care about their employee's choice of fermented milk will go
not be a good place to work at, regardless of Facebook. And they will have
serious competitive disadvantages.

------
coreyja
Ok so maybe I'm alone here, but this doesn't bother me at all. How is this an
invasion on anyone's privacy? They are just using the info a user already gave
them access to.

Why does it matter if Facebook has information about you you can't see? Is it
really surprising that they do? It's not like FB just shows us the DB tables
so that we know what info they are storing on us. As programmers we should all
understand that there is some data that you keep that doesn't need to be shown
to the user but helps make your program run. That's all I see this as.

~~~
TheCowboy
Why wouldn't you consider it a violation of privacy simply because another
person provided information about you? If you had friends and family who
intentionally shared any information you provided in private, you would have
no problem with that, and think it should be a generally acceptable societal
norm?

The idea that any information you share beyond your own mindspace is up for
grabs by any method seems bizarre to me.

It is simply too inconvenient to live in a way where you give up zero
information about yourself to everyone. It shouldn't be a black or white
decision when it comes to sharing any information, but it's to the advantage
of companies that make money on other people's information to want people to
believe such a severe stance on personal information is a reasonable choice
people have to face.

~~~
coreyja
A few days late in my reply, sorry.

The distinction I make is that it isn't Facebook that is violating your
privacy. Facebook. If anyone is violating your privacy it is your
friend/family that is giving the information to Facebook, and I think that in
providing this information to Facebook they are violating your privacy, but
you shouldn't blame Facebook.

My best analogy is the 'guns don't kill people, people kill people' argument.
It isn't the gun makers fault if you murder someone, just like it isn't
Facebook's fault if someone gives them info about you, you didn't want shared.

------
tjr
_When you install the Facebook app on your phone it requires permission to
read your contacts, call log, location, accounts, and application data._

Is this true?

~~~
BlackDeath3
Good thing deleting the pre-installed Facebook application (if it's ever been
used at all it was inadvertently) off of my Android phone is quick and easy,
and doesn't require root access!

EDIT: This is why we need sarcasm tags. No, I have not actually been able to
remove my Facebook application.

~~~
mcintyre1994
How? Sony Ericsson Xperia Arc S, ICS, locked to my carrier, unrootable. I've
been wanting to get rid of it ever since the phone started running out of
space all the time, app info gives no option to remove it. Is this a case of
my manufacturer/carrier are more annoying than yours, or am I really missing
something?

~~~
BlackDeath3
I was being sarcastic. I'll probably never rid myself of the damn thing.

~~~
mcintyre1994
Dammit, it's really easy on my rooted Touchpad, but this thing's horrible for
it. It'd be fine if it had storage space, but nope.

~~~
shocks
You can "disable" it through the Applications menu under Settings.

~~~
mcintyre1994
I had to uninstall updates (the option where disable normally is), and then I
could go and disable it, weird. Thanks though, disabled and uses about 1/6 of
the space of the updated one :)

~~~
shocks
Excellent. :) It's not the best solution, the best solution would be the
ability to uninstall it completely, but it's better than nothing.

------
drunkenmasta
The bigger picture is in terms of Social Network Analysis
[https://en.wikipedia.org/wiki/Social_network_analysis](https://en.wikipedia.org/wiki/Social_network_analysis)

and the fact that companies are able to figure out lots of stuff about you
even though you never consented to being a part of their service.

Hopefully the next "leak" will be about one of these big companies and what
they do with your information.

------
seiji
None of this is unexpected.

If you were making exactly the same service, you would come up with exactly
the same evil outcomes.

"Hey, we can upload every contact list in the world with no consent then
cluster and cross reference every entry behind the scenes!" Sounds fun to me,
especially if you have no sense of societal ethics or boundaries (quintuply so
if you firmly believe you're changing the world and everybody else only
advances at the pace of your unique genius).

Imagine the graph the NSA can construct about how people are connected
throughout the world. facebook probably has close to exactly the same
information based solely on voluntary information coughed up by Social
Internet Morons. People aren't trained to think about data and relations and
how everything can be sewn together, and that puts them at a gross
disadvantage when interacting with global megacorps these days.

------
logn
I think this might be a good example of how to communicate software
architecture to non-technical people. It was informative on that level. And by
the end, we saw a full-blown process diagram, with even a loop, of Facebook
waiting to create a shadow profile.

------
jagira
I wish Facebook fades into oblivion like Myspace.

~~~
greyfade
We'll need a replacement for all the pleebs to use.

~~~
qu4z-2
I fear any replacement will be just as bad.

------
alternize
last year, i - without having a facebook account - tried to get the data
facebook might have stored about me through the corresponding EU privacy
protection laws. all i got was the answer that they do not compile custom data
exports upon request anymore and that i would have login into my facebook
account [sic] to any data through some data downloading service...

now i wonder if i should have pestered a bit more, i.e. by demanding the
release of the possible stored data (which definitely exists seeing the
"please join"-spam from some years ago) in writing through snail mail. anyone
had any success with that?

~~~
gknoy
Would you get a lawyer to write the letter? That might be most fruitful.

------
dylangs1030
Title is sensationalist and the article is melodramatic.

In terms of threat-level to privacy, this isn't all that egregious. The term
"shadow profile" is not one that Facebook itself espouses, it's just added for
flair. Clearly, this is making a lot of noise about something that's actually
fairly harmless.

I would place more blame on the people sharing my data with Facebook than I
would blame Facebook for "mapping" interpersonal data. It's really not that
big a deal people.

------
JanezStupar
I joined Facebook last year and my profile was 80% done and waiting for me to
claim it.

It was beyond creepy.

~~~
skeletonjelly
That is creepy. To be fair that 80% metric is something that Facebook has
"measured" and told you, and is probably gear to coax people into finishing
things that are unfinished. Some smart social engineering.

~~~
JanezStupar
Oh no... 80% is my own estimate. I even had pictures of me in the gallery.

~~~
aestra
How did they do this? Facial recognition? Did you create a profile, upload one
picture, and they said "these might also be you?" How did it work?

~~~
JanezStupar
People tagged me on their photos. From there, facial recognition I guess.

I wouldn't really know how else it would happen.

------
shmerl
That's why this is still very relevant: [http://betabeat.com/2011/12/in-which-
eben-moglen-like-legit-...](http://betabeat.com/2011/12/in-which-eben-moglen-
like-legit-yells-at-me-for-being-on-facebook/)

By merely using Facebook, its users are harming others (i.e. their privacy).
And it extends even to those who don't use Facebook themselves.

------
fixermark
How does this differ from credit reporting agencies and other forms of legal
public spying and data collection?

------
junto
This kind of practice just makes me aggressive against the company that
practices it. It builds negative connotations towards Facebook.

I guess I am the kind of person that is becoming aggressive in general to
invasions of privacy, including personalised advertising. In the long run I'm
just going to become deliberately blind to it, even extra negative to
companies that use such techniques.

As an example, I recently used SkyScanner.net to search for flights. Shortly
after I kept being shown ads for the exact flights I searched for on third
party sites. Bam, I shall never use skyscanner.net again.

These companies will only learn when it affects their bottom line. Period.

------
unreal37
What's a shadow profile? Sounds so sinister.

It's probably just a line in a database with your email address and phone
number. It's not like Facebook is actively keeping tabs on people that don't
have accounts.

~~~
greenyoda
The profile also probably contains a list of all the Facebook users who had
you in their contact lists, and all the photos that you were tagged in. Since
such information would get updated every time a Facebook user uploaded your
contact information or tagged you, I'd say this qualifies as Facebook actively
keeping tabs on you.

~~~
kamjam
How do you tag someone if they don't have a Facebook account? AFAIK it's not
possible to tag someone with an email address or telephone number?

Certainly you can "tag" someone if they are not on Facebook and not in your
friends (of friends) list, but it is then just tagged as text, not associated
with an account... maybe I missed an option somewhere...

~~~
pessimizer
>it is then just tagged as text, not associated with an account...

Not associated with a non-shadow account.

~~~
webvictim
I would suggest that the noise from associating free-typed tags (subject to
spelling errors and without a user account attached) with photos would be way
higher than the signal you'd gain. I even have irritating friends that tag
people who aren't even present in photos just because they want them to
receive a notification about it. All of that is total garbage input to any
machine learning model or otherwise.

~~~
dougbarrett
It'd be easy when editing the tag for the server to say "Does this name match
this user in the imported contact list? Yes? Ok, it's most likely that person
then."

~~~
kamjam
I have a lot of noise in my contacts list though. Very rarely do I have a
surname, mostly it's suffixed with "home", "mbl" or "work" or even city name
as surname sometimes. I'm sure a "best guess" would be possible, I'm not sure
of anyone that religiously stores first/last name aside from pure business
contacts.

~~~
aestra
With smart phones with keyboards and cloud sync I think more people are
starting to. I do now, and have since 2008 when I started using a smart phone.
I've noticed more people switch over from short nicknames to full names with
easier input. It's easier than going to your contact and saying "who the heck
is James?" Now I just keep as much data as possible on each person. That way I
also have their address handy, in case I need to mail them something. I've
been meaning to start keeping birthdays in there too, so I can get a
notification on my phone.

------
ddalex
Oh my god, this is it.

I posted a story a while back saying that I receive messages from a FB account
created with my email. I suspected that somebody may have made an account with
my email by mistake, but FB keeps on sending messages with "you know this
guys?" etc, and it's about people I know.

So I had a FB shadow account created, it inferred my email (probably through
looking up some of my friends address books on their email), and now it keeps
trying to make me join FB with that account.

This is both creepy and scary. Yet, I'll leave it be because it adds to the
noise in the data they have.

~~~
junto
You need to make sure you mark every single email like this as spam.
Eventually, f we all do this, they will be permanently marked as spammers.

------
trebor
Great. So all my effort in an attempt to keep my info off Facebook has not
paid off; my friends with Facebook apps have "allowed" Facebook to create a
ghost profile for me. Thanks a lot, Facebook!

------
j_s
There was a related HN discussion of the fairly recent security vulnerability
where Facebook was giving away information about your friends (a shadow
profile with additional info on users who hadn't been the ones to give that
info to Facebook) when you requested your extended data download:

Facebook security bug exposed 6 million users' personal information

[https://news.ycombinator.com/item?id=5921092](https://news.ycombinator.com/item?id=5921092)

------
GoodIntentions
If there was a browser plugin that would surf some random innocuous crap in
the background for me, with an eye to messing up the data scrape, I'd install
it. ( Fly fishing? sure. Country Line dancing? OK. Fancy goldfish? sign me up.
) A three for one ratio of random to real would make the data set pretty much
crap for advertising purposes.

The only drawback, so far as I see, is wasting bandwidth of sites I don't
really visit.

------
wj
I'm surprised this wasn't widely known. For a couple of years I would get
invitations to join Facebook that showed the names and photos of some of my
friends (some of who didn't know each other).

My problem now is that somebody tried to create an account with one of my
email addresses and even though I didn't confirm the account (and contacted
Facebook asking them to delete it) I'm now getting emails from Facebook.

------
mathattack
Is this any shadier than a credit bureau aggregating data?

------
jfb
I find this very creepy, but I think that fundamentally, the idea that my
contact info isn't mine, once it's "public", is correct.

~~~
pessimizer
What if that info became "public" because it was conned out of one of your
friends, a friend hypothetically fully aware of your distaste for facebook and
also someone who would never put any of your info into it consciously, when
that friend allowed facebook to access their email/phone contact list to find
people on facebook that they knew?

~~~
jfb
Well, right, which to me points out that we have to learn to cope with the
difference between "private" and "public" being fuzzy.

------
morgante
I really don't see how this is an issue. Your friends have access to your
contact information. When the delegate that access to Facebook, of course
Facebook would log in. In fact, I've implemented systems similar to this in
any number of apps—it helps to improve the onboarding experience of future
users, and honestly isn't giving up any information which wasn't voluntarily
shared.

------
thehme
aha! there is the term I have been looking for all along, "shadow profile"!. I
just knew there was something going on in the back ends that seems to keep me
connected even when I was not even connected. Sadly, they (FB) are not the
only ones who keep this information around, building up your profile with
crumbs left by others. The problem is that we are interconnected and while we
can be friends with people who respect our privacy and do not opt in to allow
"contacts access" in all apps they install, they themselves may not have
friends who think the same. Therefore, you are talking about your friends'
friends allowing access to their contacts, which in turn probably exposes you
as well and this probability just keeps on increasing with the number of
friends/acquaintances you have. It almost seems useless to try to avoid it,
but we can hopefully at least push for way to have our shadow profiles cleared
completely when requested - by law.

------
singold
It happened to me before I created an account on facebook, that there was a
profile with my name but the photo was of another guy.

Later I googled "him" (or myself) but found nothing except that photo about
"him", it is really weird.

Some of my friends already had facebook accounts, so maybe it has something to
do with this, maybe it was my not-so-invisible profile...

~~~
greenyoda
Most probably it was just another guy who happens to have the same name that
you have. And if this person has never published anything to the web, he won't
show up on a Google search.

~~~
singold
I thoght that too, but is really strange that he has the same photo five or
seven years later.

------
jschuur
Could Facebook be storing the email addresses/phone numbers in hashed form?
They should not need to hold onto the cleartext one, and if it's hashed,
there's no temptation (or danger) of it being used to send unsolicited emails.

------
NicoJuicy
I'm wondering... If someone requests his data of facebook without him having a
facebook account.

Facebook has to give him all the information they have about him, right?

So, i have facebook :-S, who will request their data.

PS. I see a class action lawsuit coming up:)

------
jonknee
Pinterest and Twitter too. It has gained some mainstream attention recently, I
remembering seeing it in the New York Times within the past month.

------
samspenc
Doesn't LinkedIn do this too?

------
pit
Yeah, no shit.

