SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy-to-follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Shadow Profiles on Social Media

Posted on April 13, 2017
  • What is a shadow profile?
  • Where does the data for a shadow profile come from?
  • Why do shadow profiles exist in the first place?
  • Are shadow profiles a bad thing?
  • What can you do to protect your privacy?

Shadow profiles… the very name sounds spooky, mysterious, and maybe even a little bit bad, doesn’t it? Most people already have shadow profiles on social media platforms, even if they’re not aware of them. If you’ve spent any amount of time on the internet, there’s a good chance you have one too. So… what is a “shadow profile,” exactly? What’s it used for? Is it a bad thing?

On today’s episode of The Checklist, we’ll cover the answers to those questions and more!

One thing to note: We’ll be focusing on shadow profiles specifically in the context of Facebook in today’s episode, but they exist in one form or another on almost every major social media network. Also, keep in mind that Facebook most likely has a shadow profile for you even if you don’t have a Facebook account!

What is a shadow profile?

The first thing to understand is that shadow profiles aren’t the same thing as public profiles. If you have an account on a social media platform, you’re already familiar with your public profile – it’s all of the information that you’ve provided (your bio, status updates, shared posts, and so on) collected into a single page. Most users of social media platforms supply a vast amount of personal data when setting up their public profile, from the basics like their birthday and hometown, to where they went to school, where they work, relationship status, and more. More privacy-conscious users might choose to provide extremely minimal (or even fake) information in order to limit what Facebook or other social media platform providers know about them. But just because you were careful with the information you provided when setting up your public profile doesn’t guarantee that Facebook didn’t already know about your alternate e-mail address or phone number.

That’s where shadow profiles come in. Along with your public profile, Facebook maintains a secret shadow profile for you as well. The shadow profile contains all sorts of information and data that you didn’t provide in your public profile. This could include everything from your private cellphone number, to your alternate e-mail address, to your physical home address, and so on. Facebook doesn’t make this information public, but rather uses the data behind the scenes in a variety of ways.

If you’ve signed up for a new social media account in the past few years, there’s a good chance you’ve encountered your shadow profile first-hand, even if you weren’t aware of it at the time! Long gone are the days when an e-mail address was all you needed to sign up for a social media account – these days, most social media platforms require a phone number during signup. Ostensibly, your phone number is used for account authentication and recovery, as well as a way to indicate that you’re a “real” person signing up for an account, in order to limit the number of fake or “troll” profiles on the site. It’s also used to figure out where you fit into the giant web of social media profiles that already exist on the platform.

Did you ever wonder how Facebook knew which people to suggest as friends? The accuracy of Facebook’s friend suggestions might seem a bit spooky, especially when you barely gave them any information to work with in the first place. That accuracy isn’t a random fluke – it’s all based on data they know about you, either from your public profile, or from your shadow profile.

Where does the data for a shadow profile come from?

Ok, so if you’re not handing out private contact information to Facebook, how are they getting ahold of it? Well, you’re not the only one providing them with data – your friends are in on it too! Facebook’s smartphone app has a “find friends” feature, which not only helps someone locate people they might know on Facebook, but also supplies Facebook with data which it uses to create and maintain shadow profiles.

The feature works by uploading a user’s address book to Facebook’s servers. From there, Facebook extracts contact information from the address book entries, and compares it against data it already has stored in public and shadow profiles. It then provides friend suggestions based on things like e-mail addresses and phone numbers.

This can be really helpful in some situations, such as reconnecting people who may have fallen out of touch. If an old friend from high school only had your old phone number in their address book, and someone else you know has your old phone number and current e-mail address on file, Facebook can help make the connection between you and your old high school buddy even though their contact information for you was out-of-date. Multiply that by the millions of shadow profiles that Facebook maintains, and it can use the data to find connections between people based on the tiniest shred of information to go on.

On the other hand, it can result in Facebook getting ahold of information that you’d rather they not have. Say you have a friend who has your private number or alternate e-mail address stored in their address book alongside your public contact information. When they use the “find friends” feature on Facebook’s mobile app, they’ve just handed over your private contact information to Facebook. Facebook then adds that information to your shadow profile, and uses it to provide more accurate friend suggestions, among other things.

Even if you don’t have a Facebook profile yourself, Facebook has been collecting this type of data any time someone who has your contact data in their address book uses the “find friends” feature. If, at some later point, you sign up for a Facebook account, Facebook is able to suggest those people as friends based on the data they already had in your shadow profile.
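As an added illustration (not from the podcast, and not Facebook’s actual code), the matching described above can be modelled as merging every identifier that shares a contact card into one profile. The function names, the normalization rule and the sample address books are assumptions constructed for this example.

```python
import re
from collections import defaultdict

def normalize(ident):
    """Lower-case e-mail addresses; reduce phone numbers to digits only."""
    ident = ident.strip().lower()
    return ident if "@" in ident else re.sub(r"\D", "", ident)

def build_shadow_profiles(uploads):
    """uploads maps an uploader to their address book: a list of contact cards,
    each card being the set of phone numbers / e-mails stored for one person."""
    parent = {}                      # union-find forest over identifiers
    holders = defaultdict(set)       # identifier -> uploaders who supplied it

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    for uploader, book in uploads.items():
        for card in book:
            ids = sorted(normalize(i) for i in card)
            for ident in ids:
                # Identifiers on the same card belong to the same person.
                parent[find(ident)] = find(ids[0])
                holders[ident].add(uploader)

    profiles = defaultdict(lambda: {"identifiers": set(), "seen_in": set()})
    for ident in list(parent):
        profile = profiles[find(ident)]
        profile["identifiers"].add(ident)
        profile["seen_in"] |= holders[ident]
    return list(profiles.values())

def profile_for(profiles, identifier):
    """Return the profile containing this identifier, or None."""
    wanted = normalize(identifier)
    return next((p for p in profiles if wanted in p["identifiers"]), None)

# Constructed sample data: three people upload address books; the person
# they all know has never uploaded anything or created an account.
UPLOADS = {
    "high_school_friend": [{"555-0100"}],                      # old number only
    "coworker": [{"(555) 0100", "current@example.com"},        # old number + current e-mail
                 {"555-0142"}],                                # an unrelated contact
    "close_friend": [{"current@example.com", "555-0199"}],     # public e-mail + private number
}
```

Looking up the private number with `profile_for(build_shadow_profiles(UPLOADS), "555-0199")` returns a single profile that also holds the old number and the current e-mail address, even though only one uploader ever supplied the private number.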

Why do shadow profiles exist in the first place?

Shadow profiles exist for two main reasons: connections and ad revenue. We’ve already covered how Facebook uses your phone number to offer friend suggestions, but how does that tie in with ad revenue?

Keep in mind that you got your Facebook account for free. You don’t pay for your social media accounts, and the social media platforms need to make money so they can stay in business – they have to pay their bills somehow! With such a vast amount of data to work with, including interests and personal preferences for each and every user, their main clientele are advertisers. Facebook makes money by showing ads in the form of “recommended” posts to hundreds of millions of users every day.

One major impact on ad revenue is the number of users that are seeing ads on the social media site itself. If people are using the site and interacting with their friends, they’re going to be seeing ads. Giving users a reason to visit the site as much as possible results in more ads being shown, so Facebook encourages people to interact with friends as much as possible. By using shadow profile data to help connect people who might know each other, Facebook encourages users to interact with more friends on the site more often, perpetuating the cycle.

However, ad revenue isn’t limited to just the number of users seeing a specific ad – it’s more heavily based on the number of users who actually *click* the ad, which is where targeted advertising comes into play. The more a social media platform knows about you, the more accurate they can be when targeting you with ads – and better accuracy results in better ad performance, which means a bigger payout for Facebook. Facebook is able to target ads specifically tailored to you based not only on the information in your public profile, but also based on data from your shadow profile.

Are shadow profiles a bad thing?

Ok, so aside from the creepiness factor that Facebook is secretly harvesting address books and contact information every time someone uses the “find friends” feature in their mobile app, are shadow profiles really all that bad? Facebook keeps that data secret, so no harm, no foul, right? Well… not quite.

Back in 2013, a Facebook bug resulted in the exposure of shadow profile data for over six million users. Facebook had been inadvertently combining data from shadow profiles and public profiles, and then including that data when people used Facebook’s Download Your Information tool, which is normally used for people to make personal backups of their public profile data. The worst part? It wasn’t users getting their own shadow profile data. Instead, it was being given to other users who had some connection to the affected accounts. And the bug had been live for an entire year. The end result was that people were seeing non-public phone numbers and e-mail addresses that didn’t even belong to them.

Last summer, Facebook shadow profiles likely played a role in a troubling privacy breach at a psychiatrist’s office. Different patients who visited the same psychiatrist started appearing as friend recommendations for each other, despite the fact that they didn’t actually know each other – the only thing tying them together was that they went to the same psychiatrist. While there was some speculation that location data (which is gathered automatically by the Facebook mobile app) played a role, Facebook claimed that they only used location data for friend suggestions for a short time period as a test, and not at such a specific level, location-wise. The more likely case was that all of the patients had their psychiatrist’s phone number in their address books, and Facebook’s algorithms used that information alongside shadow profiles to make the friend recommendations.

There’s no denying that the friend recommendation feature is convenient when it comes to reconnecting with people, but these types of incidents show that shadow profile data is a privacy nightmare just waiting to happen.

What can you do to protect your privacy?

Ok, so you know what shadow profiles are, you know what they’re used for, and you know they have some pretty bad privacy implications. At this point, you’re probably wondering what you can do to protect your privacy when it comes to shadow profiles. Unfortunately, the answer is not much. If it was just a matter of limiting the amount of data that *you’re* providing, it would be one thing, but in this case it’s data that your *friends* are providing – and you don’t have much control over that. Even if your friends understand your privacy concerns, all it takes is one person with your contact info to slip up and use the “find friends” feature in Facebook’s mobile app.

There’s only one way to avoid Facebook shadow profiles, and it’s got some pretty specific requirements: First, you need to have never created a Facebook account (and no, deleting your existing account won’t work). Second, you need to have never shared your contact information with anyone who uses Facebook. And that’s assuming that Facebook is limiting their shadow profile data collection to the “find friends” feature in their app. If they’re collecting the data from other sources, there’s absolutely no guaranteed way to avoid a shadow profile being generated for you.

Ok, so what if you’re not trying to completely avoid having a shadow profile, but you’re just trying to keep a specific phone number or e-mail address out of Facebook’s massive database of information? That might be more realistic, but you’ve still got to follow a pretty strict set of rules:

– Don’t use the private contact information when signing up for any app or service that connects with Facebook in any way.

– Only give the phone number or e-mail address to people you know you can trust to keep it private (and be sure to explain the situation to them!). That includes things like not using the phone number or e-mail address to contact someone you don’t trust.

– Make sure that people who have the private contact information don’t enter it into their address book app or share it publicly (and this rule applies doubly if they have the Facebook app installed on their phone!).

– Keep in mind that all it takes is one mistake on the part of you or the people you trust and it’s game over as far as keeping that information secret from Facebook goes.

That sounds much more like steps a spy would take to stay undercover than anything else, doesn’t it? Yeah, the unfortunate truth is that it is incredibly hard to keep things like private contact information secret in this day and age of information data mining. Things have gotten a lot more complicated since the days of unlisted phone numbers in the white pages.

While we normally like to end our episodes on an optimistic note, that can’t always be the case. Facebook and the other social media titans are going to collect whatever data they can, either from you, your friends, or other sources, and there’s not much you can do to protect against it as far as current data privacy laws go.

The best thing you can do is to educate your friends about the privacy concerns posed by shadow profiles. Additionally, stay on top of legal news when it comes to online privacy, and contact your legislators to let them know that data privacy is important to you. Consider supporting organizations that fight for your privacy rights, such as the Electronic Frontier Foundation.

If you’d like more information on this topic, or if there’s a specific one you’d like to see us cover on a future episode, send us an e-mail at checklist@securemac.com!
