Facebook shadow profiles: you probably have one and don’t even know it

Last week, Facebook confirmed that it had leaked the private information of six million of its users. You may have thought to yourself, “ha! That’s not me! I don’t give any of my personal information to Facebook!”

Unfortunately, thanks to your friends, it may turn out that your phone number and email address could have ended up in that leak, after all.

Your personal information may be included in something called a ‘Facebook Shadow Profile,’ a term that came up a lot over the last week while people were reporting how a bug had exposed the personal information of millions of users. The security research company who identified the bug, Packet Storm Security, said that Facebook has been compiling information on many of its users, and even on people who don’t have Facebook accounts, ZDNET reports.

That’s where shadow profiles come in: Facebook’s shadow profiles include information culled from Facebook user’s phones when they use the ‘Find Friends’ feature. When a user first installs Facebook on their smartphone, they gets a prompt asking if they would like Facebook to scan the phone using the ‘Find Friends’ tool, which will look through all the phone numbers and emails in their phone, and match them to the profiles of existing Facebook users. It’s a handy way to find people who you know on Facebook, but it’s also a way for Facebook to gain access to personally identifying information.

Facebook then takes the information it collects and puts it into a shadow profile. If you opt not to provide the information yourself on the social network, that’s okay: your information is just kept in Facebook’s data centre. This information is used to help other friends make contact matches, and also to help power the ‘People You May Know’ feature on Facebook, which also uses information on how you know people you’re Friends with on your Facebook page.

[ More Right Click: Find out how much your email is worth to a hacker ]

The bug at the heart of this controversy has been accidentally combining users shadow profiles with their real profiles, so when someone used Facebook’s ‘Download Your Information’ tool, it would include information that some Facebook users had not provided to the social network.

According to Mashable, collecting this information is most likely a legal practice in the United States, as phone number collection of contacts is outlined in the Terms and Conditions a user signs when he signs up for the service. In places like Europe, where the privacy laws are stricter, Facebook’s shadow profiles have been found to violate the Data Protection Act of Ireland, where Facebook’s European headquarters are, seven different cases.

As for who’s information is kept in shadow profiles, that remains somewhat unclear. Facebook has argued in the past that they do not keep the personal information of non-members, however users were still reporting that information of non-users were being included two days after the news of the leak was made public.

And the story’s not over yet: Huffington Post reported on Thursday that users were only told about some of the data that had been disclosed through the leak. When Facebook sent out notifications to users about the information breach, informing users of the bug, they may have listed one or three email addresses, when in actuality it may have been four or seven in some cases.

Need to know what’s hot in tech? Follow @yrightclick on Twitter!