Imagine an entire Facebook profile of you that appeared out of nowhere — even if you'd never signed up for the social-networking service.
The profile would be based on personal data that had been input by other users, such as friends who'd mentioned you or emailed you, posted your photo on their Facebook pages or listed you in their smartphones' address books.
Facebook says it doesn't create such "shadow profiles" of non-users, despite allegations to the contrary. Another social-networking company called Klout has admitted that it does, by using information gleaned from existing Facebook accounts. And there are rising concerns that such shadow profiles could become a rich source of information for both data-mining private companies and for governments.
Political heat
Facebook's record on privacy recently got a new look from Congress in the wake of complaints in Europe that it was using data on users in ways they didn't agree to or anticipate.
[ Top 6 Facebook Annoyances and How to Fix Them ]
On Dec. 8, four members of the U.S. House of Representatives Energy and Commerce Committee's Subcommittee on Oversight and Investigations sent a letter to Facebook CEO Mark Zuckerberg demanding answers.
"With more than 800 million active users and an untold number of non-users visiting Facebook or partnering websites every day, your company has the opportunity to collect vast amounts of data about an enormous number of people," read the letter, which was signed by subcommittee chairman Rep. Cliff Stearns (R-Fla.) and Ranking Member Diana DeGette (D-Colo.), as well as Joe Barton ( R-Texas) and Ed Markey (D-Mass.). "As we examine online privacy issues, we are interested in learning about the privacy principles by which your company abides."
The four House members demanded that Facebook clearly state what information it collects about users and non-users, whether it informs users it's doing so, how it does so and whether individuals can opt out.
The letter also asks why Facebook gives each user only five days (since expanded to seven) to edit personal information before it goes live in the new "Timeline" feature, and why Facebook's privacy policy has ballooned to more than 5,000 words.
"While Facebook has a privacy policy, it is extremely lengthy and difficult for the average consumer to decipher," Stearns told SecurityNewsDaily. "I would encourage Facebook to simplify this language so consumers can more easily understand how their information is being used."
Stearns' office confirmed to SecurityNewsDaily that a response to the letter had been received from Facebook, but said its contents were not being made public.
Running afoul of European privacy laws
The subcommittee's inquiries were sparked by 22 complaints filed with the Irish Data Protection Commissioner in August and September by Austrian law student Max Schrems. (Facebook's European offices are in Ireland.)
The letter from Congress references Schrems' complaint, along with a settlement with the Federal Trade Commission announced Nov. 29 and Facebook's practice of tracking users Internet activity via the "Like" button.
Schrems leads Europe-v-Facebook.org, a group he started to track and publicize Facebook's actions — or lack thereof — on privacy.
Among Schrems' complaints is that Facebook is gathering data on people who are not users. A person who has never joined Facebook, Schrems asserts, can be tracked via a " shadow profile " — a picture of that person's activity online and off that can be built from ancillary data Facebook has already gathered.
Every mention of that person on Facebook, every comment another user makes about him or her, every time that person comes up in Facebook users' iPhone or email contacts — it all can be used to construct such a profile. (By default, Facebook smartphone apps copy each phone's address book to the website upon installation.)
Schrems' concern is that the controls on using such data aren't enforced well. Using social networks generates a lot of data, and that data can be used to build a picture of you — even if you never sign on. That data is the crux of Schrems' complaint.
Groups are another problem. When a user creates a Facebook group, it asks which users you want to add. Those users will be notified they are now part of the group, but Schrems noted that doesn't equate to consent.
Groups connected with politically sensitive issues might cause problems for some people, and by the time one finds out, it may be too late to stop any reputational damage. Users can remove themselves from a group.
Facebook's not the real bad guy
The problem, Schrems says, isn't just whether some advertiser wants to buy data on you and sell something. He notes that governments can use that data too.
"The really juicy information, such as political affiliation, Facebook isn't really interested in," he said. "But governments are. They can say 'Hey, the data is there.'"
He noted that during the riots in Britain last summer, government authorities were monitoring Twitter accounts and Facebook activity.
In July, the government of Israel blocked pro-Palestinian activists from entering the country, citing plans and discussions the activists had made on social-networking sites. The Israeli government said it had used only publicly available statements, but there was nothing stopping the Israeli authorities from requesting the ancillary data Schrems is concerned about.
Facebook's privacy policy says it responds to legitimate requests from authorities, but it isn't clear what counts as legitimate. Facebook spokesman Andrew Noyes referred to Facebook's law enforcement guidelines, but they are geared towards authorities in the United States and assume a subpoena has been filed.
Users who live in European Union countries, where such disclosure is mandatory if asked for, can request the data that Facebook has on them. (That can be done here ). Schrems said he got 1,200 pages of personal data from Facebook. A number of other users have made similar requests, but Facebook has cut the number of categories of data it will release.
In the United States, there are laws that govern disclosure of data. The Children's Online Privacy Protection Act, which went into effect in 2000, says that websites have to be explicit about the type of information they gather about minors. But for the most part, European Union privacy laws are stricter than their U.S. equivalents, and Facebook says it complies with the EU standard.
Other sites go further
The problems go beyond Facebook. Another social-networking site, Klout, has already run into problems by generating profiles — in this case, profile pages for non-users that look as if the people profiled created them.
Klout aggregates and analyzes data from several social-networking sites, including Twitter, Linkedin and Facebook. It looks at the links people make with each other to calculate social-networking influence, or "klout," and translates that into an individual score ranging from 1 to 100. (Someone like teen idol Justin Bieber would get a score of 100.)
Tonia Ries, a business reporter who has written extensively about social networks and how businesses and consumers use them, wrote in a blog posting in October that her 21-year-old son had a generated profile on Klout, even though he'd never signed up for the service and his data on Facebook was set to "private."
It turned out that he'd commented on a photo his mother posted on Klout. Other users have noted that Klout was creating profiles for minors (including Justin Bieber).
Klout's CEO, Joe Fernandez, said the company was addressing the issue, and indeed Klout said in early November that it would no longer generate profiles.
Megan Berry, senior marketing manager at Klout, wrote in an email that Klout wasn't interested in the influence of minors. But that leaves open the question of how the minors' profiles were created in the first place.
Ries noted that Facebook asks users for their birthdays before they can set up an account, and insists that all users be at least age 13. It isn't clear whether Facebook shares such personal data with other companies that link to the Facebook application programming interface.
Facebook spokesman Andrew Noyes said Facebook was looking into whether Klout had violated Facebook's terms of service.
People-finders find too much
Klout is just one example of the larger problem. "People-finding" sites such as PeekYou or Pipl aggregate and display a lot of personal data on private citizens as well, and if someone looks up his or her own name on the sites, they'll see some of it.
Ries noted that PeekYou is relatively transparent about its use of data. Facebook is not, and that is the crux of the problem. If Klout can create a profile and measure influence (via connections) without someone ever signing up, there's nothing preventing another site from doing the same thing.
Ries said transparency is the key point. When Klout started linking to Facebook and permitting logins using Facebook usernames, Klout never told its users it was "turning on" that link.
"Where all these [sites] go wrong is treating users like idiots," she said. "If Facebook was completely up front with what they do and how — saying 'here are the pledges we make' — and they tell you exactly what they are doing with the data — then you are giving me a choice."
Without giving users the option to take back their own data, and without giving users better information on what's being done with that data, social-networking sites will continue to run into privacy problems.
"Give users a choice and don't play games," Reis said, "or you'll eventually violate the law or violate people's trust."