Facebook has been accused of building “shadow profiles” on individuals not registered with the social network, gathering information from synchronized phones, email providers, IM conversations and more. The claim, leveled by Europe Versus Facebook as one of several complaints regarding how the popular website collects and stores personal information, suggests that even those people who have chosen not to register with Facebook still have hidden profiles, constructed from all the data the social network can scrape together. Facebook Ireland is expected to be audited by the Irish Data Protection Commissioner next week.
Facebook, the complaint reads [pdf link], “is mainly collecting e-mail addresses but it also collects names, telephone numbers, addresses or work information about its users and non- users.” A public profile only reveals a subset of the information Facebook stores about each active user, it’s suggested, with the remainder being used by the site to power its friend suggestions and other tools. “This information might also constitute sensitive data such as political opinions, religious or philosophical beliefs, sexual orientation and so forth.”
“This is done by different functions that encourage users to hand personal data of other users and non-users to Facebook Ireland (e.g. “synchronizing” mobile phones, importing personal data from e-mail providers, importing personal information from instant messaging services, sending invitations to friends or saving search queries when users search for other people on facebook.com). Even commercial users that have a “page” on facebook.com have the option to import their costumers’ e-mail-addresses to promote their page” Europe Versus Facebook
Moreover, while Facebook Ireland is legally required to release details of the personal information it holds on users outside of the US and Canada, if they request it, the site has not been including the “shadow profile” data with it. Still, there’s plenty of reading: Europe Versus Facebook received a 1,000+ page PDF document burned to a CD after filing one individual request.
Facebook, meanwhile, has argued that the Irish Data Protection Acts do not cover the extra information being gathered, and that it is only releasing exactly what it is legally obliged to. That extra data, it’s said, includes details on what sites with Facebook “Like” buttons you visit, even if you don’t actually click the button [pdf link].