Random Thoughts – Randocity!

Shadow Profiling: Should I be concerned?

Posted in botch, business, california by commorancy on April 25, 2018

Recently with Facebook’s fall from grace, another issue has surfaced at Facebook: Shadow Profiling. Yes, you should be concerned. Let’s explore.

Facebook and Cambridge Analytica

With Cambridge Analytica, Facebook got caught with its pants down. Facebook allowed Cambridge Analytica, a known data broker, to mine data from Facebook’s network at a time when Facebook was vulnerable to such attacks. Facebook has been, for years, skirting every privacy initiative. In fact, Facebook didn’t want to implement any privacy controls, truth be told. They wanted to keep everything as open and accessible as possible. On the one hand, I can understand this… because it makes it easier for people to find other people. On the other hand, people’s data is their own. These are two parallel lines that will never meet.

I won’t go into every single little problem that Facebook has run into along the way, but suffice it to say that Facebook has taken baby steps to implement privacy. In 2014 when Cambridge Analytica did its mining, Facebook hadn’t implemented many controls to prevent such data mining attacks via their APIs. In fact, one might even call Facebook egregiously wilful in not implementing such data protections. Sure, they had implemented some in their web UI for user-to-user control, but not on the backend where businesses operate.

After Cambridge Analytica performed its mining operation, Facebook claims to have plugged that hole the same year to prevent any further Cambridge Analyticas from doing the same thing. Likely, they saw what CA had done, realized they had been gamed and closed the hole. Of course, too little, too late. And, they didn’t disclose this fact to the public. It wouldn’t be until 2018 (4 years later) when Facebook got caught.

I won’t get into just how close Cambridge Analytica was to Facebook between then and now (hint: they occupied the same office space in 2016), but suffice it to say that Facebook was well aware of Cambridge Analytica and what business line they are in. To feign ignorance about another business using your network is so disingenuous as to be a lie.

This is all the pretext that opened the door to further scrutiny for Facebook.

Government Hearings

As a result of Facebook’s conduct back in 2014, many governments have interviewed (and will continue to interview) Mark Zuckerberg over Facebook’s conduct at that time. In that process, many side things have been uncovered. One of those things coming to light is shadow profiling. What exactly is shadow profiling?

A shadow profile is data collected about you without your knowledge. It might be data from public records, it might be personally identifying information such as email address, phone number, birth date, home address, social security number, or public information you share on Facebook or Twitter or Amazon. In Facebook’s case, they are collecting data about you via photos of you (facial recognition), through text messaging via WhatsApp and via other messaging means. Even simply visiting a site where you do have a login and where Facebook hosts comments is enough to gather data about you. The list goes on and on.

Facebook and Profiling

Let’s understand that many companies have shadow profiles on you, not just Facebook. Facebook is obviously one in a long list of companies that perform shadow profiling, but don’t kid yourself, Facebook is not alone in this practice. Companies such as LexisNexis, insurance companies and credit bureaus collect this information. In fact, credit bureaus hold a mountain of personal data so important that even the tiniest leak could cause immediate irreparable damage to those affected. Damage such as identity theft. Theft that, in fact, could be so bad you’d need to have a new social security number issued (along with all of your credit card numbers, phone numbers and the list goes on). Equifax found this out the hard way… and, I don’t think we’re done with these credit bureau hacks yet. It’s only going to get worse.

I digress. There are many companies that collect data about you without your knowledge. Facebook just got caught at it after this information was unceremoniously disclosed. But, don’t kid yourself that Facebook is alone in this. Google does this also. In fact, Google probably has more data on you than even Facebook has… even if you’ve never ever had a Google account. Why? Because you’ve inevitably sent email to someone@gmail.com or to a domain hosted by Google.

Google has already said they scour emails for content that helps target advertising to the Google user. If they’re scouring emails, they’ve inevitably found your email address, your phone number, address, first and last name and on and on. Google doesn’t have to do anything with this data, but it is almost certain that they store it for use later. Why? Because if you ever do create an account, they’ll already have data on you and things you like. It will make targeting ads to you much easier.

Don’t kid yourself, Facebook isn’t the only company keeping shadow profile data on people who do and don’t use their networks.

Reviewing Shadow Data

Unfortunately, to review or delete any data that Facebook has collected on you, you must first create an account. As soon as you do that, they’ve roped you in. Once you create an account, you can then download the data and see what they’ve collected. Then, you can go through the process of requesting that Facebook delete that data and your newly created account.

However, that means you are firmly in their system. Even when you ask to have your data deleted, Facebook is under absolutely no obligation to delete any data from their systems. The only thing they need do is make it not visible through their APIs and Web UI, but that’s like hiding your iPad under your bed. You can’t see it, but it’s definitely still there.

Request Shadow Data Removal

So, you’ve decided to create an account so you can request deletion. Even if Facebook does delete some data, there’s no guarantee they’ll delete every copy of it. Companies today utilize many technologies to manage, mine, extrapolate and handle user data. These systems include short term storage (hard drives), long term storage systems, multiple copy offsite backup systems, local hard drives, AWS Glacier, billing systems, text based log files, marketing and advertising systems and even analytics systems such as Splunk or Kibana.

In fact, companies today have so many systems storing bits and pieces of your personal data, it’s nearly impossible for a company to actually delete ALL of your data. There will be some amount of your data that will continue to exist in at least one system somewhere on their property. That’s a guarantee. Chances are, it will exist in a whole lot more places than one.

Continued Shadow Profiling

Even if you do request your data to be removed by Facebook, it’s an entirely fleeting effort. Why? Because as soon as you’ve logged in and requested deletion and they do so, Facebook will continue their data collection efforts right after. Your request for deletion is a single point-in-time request. That request isn’t perpetual going forward. It’s a one-shot deal. Facebook will continue collecting data on you going forward from that point. It is then entirely pointless to request deletion because within 1 year, they will have collected it all again.

In fact, there is no way to permanently request Facebook to not shadow profile your data. It is left up to you to recreate your account and request deletion every year. You may not even be able to do this more than once. Once you’ve deleted a Facebook account, that placeholder may be held in a locked state preventing you or anyone else from opening it again. At this point, any data they may have collected after you’ve requested deletion is entirely locked out from you.

For this reason, I’d suggest not requesting data deletion at all. At least, not until some laws come into effect that require Facebook and similar companies to stop shadow profiling and permanently delete data from any shadow profiling efforts.

Note that if you have even one friend who continues to use Facebook and you interact with that friend on any Facebook property (text messages, email, etc.), Facebook can continue to pull that data on you and create / add to your shadow profile. Don’t think you’re safe by logging in and requesting deletion. If you’re dissatisfied with this outcome, reach out to your state representatives and request them to introduce legislation to regulate this practice.
