167 comments

[ 4.7 ms ] story [ 187 ms ] thread
TLDR: Zuckerberg continues to lie to Congress
This comment breaks the site guidelines. Please post civilly and substantively, or not at all.

You may not owe better to Zuckerberg but you do owe better to the community here.

https://news.ycombinator.com/newsguidelines.html

I am sorry to summarize that a billionaire is an outright liar in a congressional hearing. There is no other way to put it. He might as well say "I am not a crook"
> Lujan: It may surprise you that we’ve not talked about this a lot today. You’ve said everyone controls their data, but you’re collecting data on people who are not even Facebook users who have never signed a consent, a privacy agreement.

> And it may surprise you that on Facebook’s page when you go to “I don’t have a Facebook account and would like to request all my personal data stored by Facebook” it takes you to a form that says “go to your Facebook page and then on your account settings you can download your data.”

This is typically something Facebook should be prepared for considering it's one of the use case of the GDPR.

It's highly likely they are prepared for that but won't show it before the storm.

(comment deleted)
WOW they are discussing the FB trackers now. This may actually get real
Yeah, Congresswoman Dingell is laying it down. She even specifically mentioned the Facebook "pixel" in a technically accurate way!
I'm not sure if she's technically savvy enough to have known that or researched it on her own but if not I'm really glad her interns or subordinates were focused on important talking points that will really help define the problems at hand.
Agreed. Its absolutely not her role to be a specialist. Her role is policy and lawmaking. A good Congressperson would be one who can wield the full force of their team's knowledge and research power.
> A good Congressperson would be one who can wield the full force of their team's knowledge and research power.

In practice I fear it's more that a 'good' (electable) congressperson is the one who can wield the full force of their lobbiest's knowledge and power.

I try hard not to be cynical but as a citizen of the UK the soft control the private sector has over our government is horribly worrying.

However, she focused on statistics, not intent behind those things - what type of data FB collects and why. She was almost there but sort of wasted the opportunity.
(comment deleted)
The carriers and providers, free to collect and sell your data now that the FCC changed regulations and replacement legislation hasn't been passed, don't like competition...
This will get really tricky, because shadow profiles can probably be fuzzy, and how could Facebook guarantee there aren't two or more shadow profiles for the same individual (ex: peggy platter and margaret hill and Hank's wife) and make sure they always get them all?

Especially tricky for people who change genders and/or first names.

They have to anonymize it somehow, because otherwise it wouldnt be legal in germany.

(If i understand everything correctly, which might not the case)

I don't see the problem. Individual tells facebook: "delete data you have about me, here's who I am." and that's it. It doesn't discriminate between different profiles or dataset. If the data can't linked to the individual then it's considered to be anonymized data.
That's more subtle, as individual anonymized data point can not identify an individual, but a linked set of those can, with a very high percentage of confidence. Facebook can always play the card that each data point are anonymous, hence not part of your data, and keep everything.
Exactly this. Assuming that shadow-profiles are derived on-demand, the only way to "delete" one would be to delete the datapoints it's built from.

We know that facebook can use contact info to identify clusters, right? Suppose that I don't have facebook, but a bunch of my friends do, and facebook has all their contacts' phone numbers. They can infer the circle of friends of "whoever owns phone number X" using just this info. This is probably not the extent of a shadow-profile, but I think it's a plausible stab at the underlying mechanics (repeat again with email, with browser fingerprint, etc).

In order to "delete" my phone-shadow-profile, facebook needs to remove my phone number from their internal copies of my friend's contact lists. They also need to keep a copy of my number in a "do not shadow" list, or else they'll just add me back in next time they scrape my friends' contacts. Armed with a such a do-not-shadow list, there's no need to actually do the deletion, rather than simply marking the deletion.

So, assuming my speculations of the nature of shadow-profiles are about right, the only way to really avoid facebook having one is to register your fingerprints with them, so they can tell which parts of their data are you, in order to know not to use that data to draw inferences about you.

That, or give up on drawing inferences between disparate data-sources at all.

> In order to "delete" my phone-shadow-profile, facebook needs to remove my phone number from their internal copies of my friend's contact lists.

This is (potentially) not viable. Your friend's contact list is not your data, it's their data (about you) and they store it on FB servers. Right now it's probably used only for ranking and friend suggestion, so what you suggest would work. But if FB would decide that say messenger should work also as contact sync app (it already allows you to send SMS to people in your contact list), this would cause that your contact could not be synced, and really break user experience, as you would be able to delete your phone number from your friend's phone books.

More philosophical question: if you should be able to do that [delete your phone number from your friend's phone book on FB], should you be able to do that also from google contact sync server? From gmail? From your friends phone? Or from your friends physical (manually written) phone book? Where to draw a line, or how to approach this?

Can I also request all data related to my browser fingerprint?
I tried out the download tool. It's basically things that the user posted directly. They did have FB messenger conversation logs in their too. It doesn't include any likes, comments, attention metrics, or clicks to external links. It doesn't seem like it includes everything they have.
After watching a few of these hearings, you start to realize that there are very careful interpretations of otherwise common language in use here to obfuscate and avoid.

In this case, Facebook 'lets a user download all of [their data]'. Where [their data] is any input a user provided - text, photos, messages, etc. It seems that Facebook considers fingerprints, links, and any other meta-data a user creates or uploads, not the user's data, but FB's data. And that [what they call FB's data] is not available to the user.

Congressman Costello from Pennsylvania asked if AI will be used to recognize the faces of "non-FB users".

Combined with the shadow profiles question by Congressman Lujan from New Mexico, some of these questions are getting closer to what people need to know and understand. Unfortunately, a lot of the rest of questioning seems like blind man's bluff / Marco Polo [0].

It'd be nice if Congress can be asked to host a debate between subject matter experts in the privacy domain (who are knowledgeable and can effectively communicate this knowledge and their concerns to lay people) and tech company C-level executives like Zuckerburg.

2:50 PM EDT: Congressman Duncan from North Carolina is going to give Zuckerburg a small copy of the US Constitution.

[0] https://en.wikipedia.org/wiki/Blind_man%27s_buff

2:59 PM EDT - Edited to add "to lay people".

3:02 PM EDT - Added "Marco Polo". Thanks to caabalis for the reminder.

> It'd be nice if Congress can be asked to host a debate between subject matter experts in the privacy domain (who are knowledgeable and can effectively communicate this knowledge and their concerns) and tech company C-level executives like Zuckerburg.

That'd be amazing. Effectively champion warfare[1] but for civil liberties.

[1]: https://en.wikipedia.org/wiki/Champion_warfare

I'm very glad to have read that wikipedia page, and feel smarter. But I think you'd have reached a broader audience and not required a link if you had just called it Marco Polo.
Oh yeah. I forgot that that was the same thing. Thanks! I'll add it.
> 2:50 PM EDT: Congressman Duncan from North Carolina is going to give Zuckerburg a small copy of the US Constitution.

Showboating... Not to defend Facebook and I admittedly have not watched any testimony or questioning, but I'm sure these politicians made no mention of FOSTA, SOPA, the PATRIOT Act, net neutrality, NSA domestic surveillance... Zuckerberg could have turned this all around on them.

there's more than a handful of things that actually did happen that Zuckerberg could have "turned around" on them. And he didn't. Don't you wonder why?
No, he is clearly in damage control mode, trying desperately to keep his monopoly without any major concessions.

Will be interesting to see how that works out for him, probably fairly well I would guess.

Really? By my read Congress is begging him to do their jobs for them, asking the fox to design the henhouse.
Indeed, They want, Facebook to "fix itself" to some meaningful degree. Except Facebook has little desire for actual change, so like I said, I imagine very little in practice will change, just a lot more "yay we <3 privacy" spam from their PR department.
(comment deleted)
He knows regulation is inevitable and upsetting politicians would put him in a worse lobbying position. I still wish he would have turned it around on them.
> Don't you wonder why?

No, his job at the hearing is to present an image of a corporate leader detached from the political fray, and specifically not to provide any fuel to any possible partisan political fire, which cannot possibly help him at this point.

Or Equifax.

FB is a giant company that has produced billions of dollars in value.. to complete the cliche, it was literally started in a college dorm room. Congress and the Senate want to look good, but they don't want to hurt the company. (Quite the opposite, the company's story is the stuff of American legends and there isn't a single elected rep or senator that wouldn't ask FB to consider their state if there was some sort of FB "HQ2" project.) More to the point, they have no idea how to "fix" the situation. Facebook does what it does and users freely give them tons and tons of valuable information. Equifax and company do what they do and it's all behind the scenes, it's not even possible to opt out and it would be devastating to your credit if you could. Facebook helped some electioneers target ads better and maybe moved the needle in an election, that shit has been happening since there have been elections. Equifax and company have cost countless people billions or even trillions of dollars in extra payments because their proprietary credit algorithm says they're a higher risk and we have no idea if it's a valid algorithm or not, but banks trust it.

Speaking of moving to their state:

There was actually a Congressman (Mr. Cramer, North Dakota) who mentioned Silicon Valley bias, and thought that the moderators themselves were there too. He asked Zuckerburg to consider opening a Facebook location in middle America (name dropping a city or two in his own state of North Dakota). Zuckerburg clarified that the moderators were located around the world. [0]

[0] https://youtu.be/h3vkyVC7Qj8?t=14044

you can opt out to a degree. you can freeze your credit making most queries impossible. i’ve paid deposits for utilities and cell service rather than unfreeze my credit.

the opt out aspect isn’t perfect of course since id thieves can still steal the data, but with frozen credit at least it’s harder for them to use for critical purposes.

Showboating is part of how politics works in a democracy but it can still produce real results.
A few did mention net neutrality and sex trafficking, but it was mostly (if not completely) patting themselves on the back for their part in stop government overreach for the former, and protecting the vulnerable / punishing bad actors in the latter. I'm just adding this to fill you in.

The part that I found odd in terms of topics were the questions about:

(1) apparent bias against conservatives from some Facebook-employed moderators because of incorrect or delayed actions taken.

(2) the idea that Obama campaign "did the same thing".

(3) Facebook allowing ads from allegedly illegal pharmacies in the wake of the opioid crisis.

I'd actually go as far as to say that around 20% of the questions that the Senate and the House asked were unrelated to the events surrounding Facebook and their relationship with Cambridge Analytica.

He'll never do it, because if he makes their lives difficult, they'll Standard Oil his ass posthaste.
> It'd be nice if Congress can be asked to host a debate between subject matter experts in the privacy domain (who are knowledgeable and can effectively communicate this knowledge and their concerns to lay people) and tech company C-level executives like Zuckerburg.

I'd love to see him try to field some questions from the EFF or ACLU.

> It'd be nice if Congress can be asked to host a debate between subject matter experts in the privacy domain (who are knowledgeable and can effectively communicate this knowledge and their concerns to lay people) and tech company C-level executives like Zuckerburg.

Funny, I suggested the same thing on IRC, My suggestion was that they should have had the EFF write the questions ;).

That would be pay per view.

He also denied knowing the political orientation of his content police(during yesterday's Cruz question), however, he's Facebook, so he knows everyone's political biases.
Are you seriously suggesting Facebook use it's employee's private account data as part of hiring & performance management?
Why would they not? Any other employer is allowed to, so why not Facebook?
Facebook has a different level of access. Seems to me like that would be all kinds of unethical.
And clearly, Facebook would not use personal information for unethical purposes.
Because the liability is not worth it.
> Any other employer is allowed to, so why not Facebook?

No. This is explicitly illegal in some states.

Edit: I just realized you were probably talking about it being explicitly illegal to discriminate based on political affiliation in some states which is true.
Nope. In some states it is illegal for your employer or a potential employer to make decisions based on your social media history.
Even if the employee sends their social media posts directly to the employer or a potential employer and stores them on their systems? I am interested to read the legislation do you know what states?
As of 2013, it was Illinois, California, New Jersey, Michigan, Maryland, and Delaware.

https://www.cnet.com/news/six-states-outlaw-employer-snoopin...

That only bans employers from asking for passwords. Facebook doesn't need to do this because they already have all your data, no passwords needed.

Also I read through the text of those laws and they all specifically say that they are not limiting the employers right to monitor their own systems in any way. So Facebook looking up how their employees use Facebook would be completely fine under those laws.

No, there is a difference between what should do, what they can do and what they are doing. I would interpret the OP as saying they can know, if they wanted to. But that doesn’t really have much to do with Zuckerberg denying knowledge.
That's because it was a stupid question? It was clear that Cruz was just trying to paint Zuckerberg as a liberal-leaning censor. "Do you know the political orientation of those 15,000 to 20,000 people engaging engaged in content review? Are you aware of any ad or page that has been taken down from Planned Parenthood?" How is he supposed to answer these?
I’m glad someone is asking about the collection of non-user data and data collection outside Facebook sites, but I can’t help wanting someone qualified to speak on such technical subjects that would be able to effectively question without a prepared list.
It's an important concern but anyone who has Google Analytics, or any other analytics tool, installed on their website is collecting non-user data. This happens pretty much across the board.

There's also the concern about derived data, like some kind of user embedding vector from clustering, that provides a lot of information about the user that is not available in the raw source data.

I think this is a bad analogy.

If site-usage data is being collected via use of your site, then by definition it’s on users.

That’s not the same thing as buying files on individuals who don’t use your site from data brokers.

That is why GA doesn't allow PII (personally identifiable information). They can't track a GA session back to a real person.
That really isn’t the same thing at all. Facebook collects data from people who never visit their site and offer no way to prevent this data collection. One of my biggest annoyances is so many companies and groups posting things only on Facebook, especially Facebook events.
Some thoughts about the possiblities:

1) he's lying ... which would be dangerous since it only takes one disgruntled employee to expose emails and work projects that merged in 3rd-party data (e.g. Acxiom).

2) he's not "lying" ... by doing his version of Clinton's "depends on what the meaning of 'is' is".[0] Let's say Facebook has an internal system that collects data on non-Facebook identities into a holding area. Maybe they internally call it "deferred profiles" or "pre-activated profiles" but not exactly "shadow profiles". Well, MZ can basically interpret "do you have shadow profiles?" as a hyper-literal question and answer with a hyper-literal answer: "no". Again, a Facebook insider would have to come forward and reveal what the shadow-but-we-dont-call-it-that profile actually is.

3) he's telling the truth by every meaning of the question. Facebook truly has zero data on non-Facebook users.

[0] https://www.youtube.com/results?search_query=depends+on+what...

3) is provably false by the product. Facebook can accurately suggest friends for you immediately after sign-up.
I believe they do this based on emails and phone numbers.
Isn't the social graph they've built of nonusers from address books shared with them part of the "shadow profile"?
Building a system where you input an e-mail address and it spits out likely friends of that e-mail address isn't exactly the same as having pre-built "shadow profiles" for a bunch of e-mail addresses. With such a system it would be trivial to build a social graph for a person quickly after they sign up for facebook (and then suggest friends). But, doing so doesn't necessarily mean facebook had previously built out a social graph for that e-mail address and had a profile waiting for it in the shadows.
They do. That is data that is stored and collected about me without my consent.
The way it works is technically very straightforward. I might have have your number in my contacts list, and I give my contacts list to FB to find my friends. They store that number and if you ever sign up they recommend you follow me as we know each other.

What's complicated about it is the ethics of what's happening. Should FB require permission from you to store data about you even though I gave it to them? Do I have permission to share your number with other people? Why isn't the contact information in my phone my data? This is an interesting problem.

We've had to think about this for GDPR. They are contact details that you're giving to a business to contact people. Your email provider needs them, your phone company needs it, your cloud contact manager does it, etc.

I think it's not worth debating to start arguing that we can't use addresses and phone numbers to contact people. That's their whole point.

It's when they're being gathered without informed consent it's a problem or if they get stored without explicit consent past the reasonable use you needed them for.

If I click a button saying "look for my friends", was there a reasonable expectation that FB or LinkedIn or WhatsApp or whoever would then keep that data forever.

FB will argue that obviously you wanted to keep on checking that list. But what about combining different people's list, processing the data in unexpected ways, actually clearly telling the user the list will be stored indefinitely, etc.

And further to that, what if FB doesn't store the information itself but does store a unique hash of it? They can still do all the data processing and yet claim to have no "personal data" at all.

This is a deep, deep rabbit hole.

Under GDPR simple hashing is not enough. You have to throw away the hashing salt (delink the hash from the profile) in order to be compliant. The whole point is exactly the result, you should not be able to map the profile to the data you have.
Exactly - they should have always discarded any data about non-members.
It's probably not possible that fb has zero data on non users, for example they no doubt have faces in pictures that don't match up to fb profiles. But it is possible that they don't attempt to collate that data in a way that identifies specific individuals who aren't on the platform, e.g. they don't do anything with those unmatched faces.
Or 4) Facebook has shadow profiles, but Zuckerberg's out of touch, doesn't read his critics closely, and is unfamiliar with the terminology ("shadow profiles") they use.
Zuckerberg's out of touch about what his own company is doing?
(comment deleted)
Pretty sure that falls under #2.
He's not under oath, so the consequences of lying are limited.
Why wouldn’t they put him under oath? That just seems weird: the cost of doing it is zero.
Yeah. I'd even go further and say that if you are giving testimony in Congress and answering questions, then you should automatically be under oath unless Congress explicitly waives that requirement before the session.
Perhaps this is more of a show than the real thing
He came without being subpoenaed, so not putting him under oath may have been a courtesy. Many of the congressmen thanked him for coming on his own accord.
The cost for them is 0, the cost for MZ is incredibly high. I don't think he would have agreed if he was under oath.
Possible that if they did every single answer would be "I don't know the exact details, my team will get back to you"
(comment deleted)
Lying to congress is a felony, whether you're under oath or not. It's the same statute that people plead guilty to for lying to the FBI, 18 USC 1001 [1]

[1] https://www.law.cornell.edu/uscode/text/18/1001

That’s not the same as perjury, and relatively few people have been convicted of this. If it were “illegal either way”, then there would be no point to swearing people in. A decision was made to not swear him in, and he knows this.
I’d be willing to bet that the donations to >80% of the panel interviewing him purchased the privilege to not having to ‘swear in’
> relatively few people have been convicted of this

I take it you don’t keep up with current events much. There have been a number of high profile convictions under 18 USC 1001 this past year.

Adding: the penalties for false statements and perjury are roughly the same, although false statements can also carry a heavier sentence in some cases. There are defenses against perjury that are not available under the false statements law. All in all, they are very similar.

You may find the Congressional research Service’s summary of these [1] to be helpful.

[1] https://fas.org/sgp/crs/misc/98-808.pdf

According to your summary document, 1001 has a number of requirements and limitations. It would not surprise me if those were meaningful. You are arguing that there is no additional benefit to being sworn in before Congress, but it is not treated as such when Senators demand that certain testimony be given under oath.
While it's unlikely you'll ever face a problem like this, do know that lying is a punishable offence, which your comment incorrectly demonstrates. You need to take a moment and review "18 U.S. Code § 1001 - Statements or entries generally" [1] sooner than later.

[1] https://www.law.cornell.edu/uscode/text/18/1001

> Maybe they internally call it "deferred profiles" or "pre-activated profiles" but not exactly "shadow profiles".

I can't find the article now, but a few weeks ago I saw an article stating that they call them "Future users" or something similar.

That’s somehow much creepier than “shadow profiles”.
4) He's regurgitating verbatim, everything his army of attorneys coached him to say.

At least he's not saying the magic 4 words - I DO NOT RECALL - that every other senator or congressman or CEO says in their hearings, also not smirking or mocking the committee like Pharma Bro did, so I'll give him that.

> At least he's not saying the magic 4 words - I DO NOT RECALL - that every other senator or congressman or CEO says in their hearings

Of five Zuckerberg responses in the linked excerpt, three are “I don't know...” or “I'm not familiar with...”.

Lujan: It’s been admitted by Facebook that you do collect data points on non-[Facebook users]. My question is, can someone who does not have a Facebook account opt out of Facebook’s involuntary data collection?

Zuckerberg: Anyone can turn off and opt out of any data collection for ads, whether they use our services or not

Is this not just an outright lie? You literally have to use their services to turn off/opt out anything.

This isn't a lie. You can opt out of interest based ads without having to be a Facebook user by visiting https://www.facebook.com/ads/settings which redirects you to http://www.aboutads.info/choices/.
Found the Facebook shill account. Created one hour ago with copy paste responses.
Its probably technically true, if you trust facebook. They might respect the DoNotTrack header. If not, most legit advertisers, including facebook, will [claim to] respect AdChoices optout flows: optout.aboutads.info. https://www.facebook.com/help/568137493302217 directs you to these sites.

Now, they obviously could lie and still record things. Also, this probably doesnt include things like person A has phone number Z and person B as phone number Z so theres some sort of link there, but presumably thats not used for ads.

I worked for an ad company that respected the optout/DNT as best we could.

When could you not?
assuming you mean respecting settings. historical data from before you blocked tracking wasnt explicitly deleted, but it was marked as ignored and rolled out of the system after a month or so(lots of caching). id guess with fb having orders of magnitude more data they do something similar.

DNT is easy, thats a header on every call so just drop it on the floor. Unfortunately firefox was always threatening to make it on by default, and IE actually did i believe...and basically all the big ad providers threatened to ignore it if it went on by default. Management basically said we'd do whatever the industry does, but is currently respected.

The problem with the opt out flow is how do you store that someone wants you not to store information about them without storing info about them. The standard way is drop a cookie that says dont track, but if you clear cookies youd have to opt out again... which is shitty UX and unexpected. also, since its cookies its opting out the browser, not the user or computer.

As a consumer, it sucks because you have no way of knowing if the ad/tracking companies are respecting any of this. And while I'm positive we tried to respect it, and im not aware of any, bugs can happen. That code was part of the most heavily tested stuff since it hit critical paths.

On most targeted ads(including but not limited to on facebook) theres a little adchoices(blue triangle) button. If you click on it you can see which company targeted you, some info on what type of targeting, and a link to optout.

Appreciate the lengthy response!

Are you still in the industry?

np - theres plenty to be upset about but the ads stuff is pretty standard for google and the like too.

I wish people were more vocal about the amount of info publishers leak by embedding fb like / g+ like / etc buttons in their sites. Dont even have to interact with it and fb gets to track that you loaded that page.

left a year or two ago.

The phrase "for ads" probably plays a critical role in his response. Just like the liberal application of "generally" during yesterday's questioning.
He slipped up yesterday and opened the door to the biggest issue of them all, coersion and brainwashing of users for profit, and the Senator who caught him in a lie didn't explore it further. No wonder they were testing if they can make you happy or sad by manipulating your feed when they sell the OUTCOME not just the impression.

https://youtu.be/6ValJMOpt7s?t=2h36m49s

Senator: If somebody advertises on facebook and somebody purchases something. Does facebook get a percentage or any kind of fee associated with any kind of successful purchase from the advertiser.

Zuckerberg: The way that the system works is advertisers bid how much it's worth it to them to show an ad or when an action happens. So, it's not that we would get a percentage of the sale but... let's just use an example. Lets say you're an app developer and your goal is you want to get more people to install your app. You could bid in the ad system and say that I will pay $3 anytime someone installs this app and then we basically calculate, on our side, which ads are going to be relevant for people and we have an incentive to show people ads that are going to be relevant because we only get paid when it delivers a business result and that's how the system works.

Link is dead. Can you post what lie it was?
He was maintaining that all Facebook does is sell innocent ads. Then was asked if Facebook gets a cut of 3rd party business or if they get paid based on outcomes. He said no, but his example revealed that in fact they do sell outcomes, which is what makes them so compelling to companies who bid. It's in Facebook's financial interest to gain as much power of its users as possible in order to achieve higher success rates for its customers.

This something the vast majority of users don't understand. The Facebook experience is engineered to make you do things in a much more sophisticated way than any other advertising business to date. They can recursively manipulate your emotions to drive up their outcome compensation.

Isn't anyone who has Google Analytics installed on a page collecting information and creating "shadow" profiles?

I watched the entire hearing, it was pretty interesting. I was surprised how ignorant many of the senators were of the subject matter on hand. Some of them clearly didn't understand the difference between Facebook and the Internet. Or they thought that Facebook, Google, Twitter, were all the same thing, this mysterious "Internet" and somehow Zuckerberg was in charge of it all.

Some of the questions were impossible to answer because they made no sense and they kept hammering him for not answering it.

Then there were senators basically trying to guilt trip him into endorsing their bill when he already said he supports the principle behind it but it would depend on the details.

> Isn't anyone who has Google Analytics installed on a page collecting information and creating "shadow" profiles?

No, but you could argue that Google are.

Both Google Analytics and Facebook's interest based ads/"shadow" profiles work similarly.

You can opt out of Google's interest based ads via https://adssettings.google.com and Facebook's interest based ads via https://www.facebook.com/ads/settings without having to have an account with either.

I don't believe either "shadow" profiles are every associated with an account or personal details even when you make an account on the associated service.

> I don't believe either "shadow" profiles are every associated with an account or personal details even when you make an account on the associated service.

Based on what? Did you talk to someone in the know? Are you just speculating?

> Isn't anyone who has Google Analytics installed on a page collecting information and creating "shadow" profiles?

No. They are asking for permissions (cookies law in the EU) because the GA code works that way. They bundle the consent in the legal text of the cookie notice. Users give consent, everything's fine. Then the site managers send this data over to Google with the GA code. Google applies it's labeling machine to the data, link it to a user with its super cookie tech and finally give an anonymised report to the site's manager.

If the site manager is asked by a user to remove data the standard answer should be something like "we don't have it and so we can't delete it, call Google". Then when a user asks to Google for removal of its data things'll get interesting because Google will be removing a droplet from its ocean of data and a tenth digit will be rounded somewhere.

That's how a site manager who uses only GA/pixel should manage the situation. Proving they didn't leak that private data and aren't using it.

That's not going to fly in about a month under GPDR:

1. A standard cookie notice is nowhere near granular enough about different possible uses to qualify as informed consent.

2. I'm pretty sure Google Analytics is just a "processor" rather than a "controller" under GDPR, so much of the onus for following the regulations is still on the person using GA rather than on GA itself. Processors would not be responsible for handling deletion requests from individual; they would just need to make it possible for controllers to handle them. Obviously processors that take as much of the responsibility as possible will be much more attractive service providers for controllers, but the controllers can't just pass the buck to processors.

Just one question, following Zuckeberg's congress show-and-dance: are the next CEOs to be called in front of the committee the ones from Equifax, Experian and TransUnion?

Because the way I see it, they're collecting millions of "shadow profiles", with no consent, no remedy, no removal procedures. Furthermore, they sell that data to 3rd parties at will.

I'd also look into a possible connection between one of these and Facebook. I imagine if someone crosses your social profile with actual credit records, real name, address, car, etc. then you have nothing private left to protect save the thoughts in your head.

This is not the time for whataboutism. The Equifax case is still being pursued. This happened a week ago: "Massachusetts can sue Equifax over data breach, judge rules" https://www.cnbc.com/amp/2018/04/05/massachusetts-can-sue-eq...
The term "whataboutism" is quickly becoming my least favorite word. We're allowed to talk about issues in a wider context. It's often helpful.

I'm very much interested in this issue as a whole and not just singling out Facebook as if they're the only bad actors. I'd appreciate letting that discussion take place rather than using some newly minted word to try and stifle it.

Agreed. It's not really being used correctly any time I see it being used (aside from describing actual propaganda, which is what this term comes from) -- "whataboutism" is a very specific tactic. The intent to distract from the issue at hand is a necessary component. Bringing in relative context in a productive manner != whataboutism.
Whataboutism isn't about "talk[ing] about issues in a wider context." It's about distracting from the issues at hand and derailing discussions.
Whataboutism is pointing to your opponent's flaws to change the subject from yours. I think OP is suggesting that both social media and consumer financial profilers need closer scrutiny, not that SM should be excused.
It's a good word when debating facts but, you're right, when debating subjective things like this, bringing up the credit reporting agencies sure seems like it is on topic.
I wasn't really trying to go down the "what about" route in my comment. I think these companies (and many more) are part of the same issue: collecting so-called "shadow profiles" on non-consenting "customers", and not providing (meaningful) ways to opt out.

As for the article you pointed to: it deals with the fallout of the leak. I want to deal with why were they allowed to collect that information to begin with.

Equifax isn’t being used as a vehicle to manipulate the political process. This isn’t just about data privacy.
(comment deleted)
I highly doubt it isn't being used for political purposes. Not that I think it matters tbh they shouldn't have so much data regardless.
Equifax may have your bank statements, and whatever sensitive numbers they can collect, but they do not literally have have your inner thoughts, in the same way that Facebook and Google have.

That is an important distinction.

Surveillance like this is harmful, either way. Not just the leaks, but the actual data gathering itself should be criticized. Why is it that during the Equifax leak nobody criticized the data gathering in the first place? It was all about the leak. In this case I am glad that the data gathering is being put into question.

But anyway, my main point is that they are collecting different sets of private data.

Are you sure about what data those companies have? Example: it seems like you can't sign in to Starbucks wifi any more (via Google) without giving a real email address that is verified through Experian's API. There is surely more going on than consumers know.
The cost of equifax losing my data is far greater than the cost of fbook losing my data.
You can opt out of interest based ads/shadow profiles without having to be a Facebook user by visiting https://www.facebook.com/ads/settings.

It's just not very well publicized.

Commenting to mention that you have to click to expand the "Manage Online Interest-Based Ads" section then click the "Digital Advertising Alliance" in order to opt out.

Most of these things FB has put up where you can get information without having an account seem to be obfuscated on purpose.

You'd hate to know what private investigators can [legally] do. Of course that's a bit different since mega-databases have millions of persons' data compared with manual effort that doesn't scale. I hate meatspace data brokers too but they have the defense that most of the data points were public to begin with (except for loan history).
Am I missing something or has the beacon functionality of the Like button not come up yet in the hearing? I think it's critical to note that the Like button can---and probably is---being used to build non-user profiles as well as user profiles. The critical technical thing is that the load of the Like button is the critical signal; whether the user actually liked something is secondary. It seems like Senator Gardner got close yesterday but had some technical misunderstandings about just how powerful the Like button is.
It came up yesterday. A question was asked wether or not Zuckerberg thought user understood that Facebook had the ability to track every website they visit when Facebook social media icons appear on those pages.
That's what I was referring to regarding the exchange with Gardner: it was talking about users and implied that Facebook had to be open at the same time.

>> Senator Gardner: if you're logged in to Facebook with a separate browser and you log in to another — log in to another article, open a new tab in the browser while you have the Facebook tab open, and that new tab has a Facebook button on it, you track the article that your reading.

So it wasn't emphasizing that this tracking is ubiquitous and could be used to construct quire information-rich shadow profiles. I still don't think the senators are aware of this.

[1] https://www.washingtonpost.com/news/the-switch/wp/2018/04/10...

Facebook OpenGraph v2 stopped the ability of api app developers from getting friend data without their consent.

For the most part 'shadow profiles' are dead as of 2013-ish when OpenGraph v2 came out. Lots of scammy Facebook companies died because of this, if you remember many game companies also suffered a bit like Zynga and threatened to leave, they were given special access to still do it for a while and I assume others like CA possibly.

With v2 they also shut off using global Facebook user ids and moved them to a per app basis so you can't correlate outside your app, you'd have to correlate with other identifiers like email or deeper data comparing.

Facebook also turned friend access into invitation lists where the other user had to agree and join the app themselves before you could pull their data.

Facebook knew about shadow profiles and they already addressed it.

> For the most part 'shadow profiles' are dead as of 2013-ish when OpenGraph v2 came out.

> Facebook knew about shadow profiles and they already addressed it.

No, I think you're confused. IIRC "shadow profiles" are the profiles Facebook builds of non-users based on data those people didn't share, like their friend's contact lists.

The shadow profile issue has nothing to do with Facebook's public API. It's all about what data they're collecting and what they chose to do with it, regardless if the results are accessible to 3rd parties or not.

There are multiple separate problems with Facebook, Cambridge Analytica is just one (and the one Zuck probably wants to focus on because it makes him look the best and is not structurally threatening to FB's business model).

> IIRC "shadow profiles" are the profiles Facebook builds of non-users based on data those people didn't share, like their friend's contact lists.

From a development standpoint I clearly defined the 'shadow profile' you just explained.

Facebook provides OpenGraph APIs that app developers can access personal data that is granted by a user. Previously to OpenGraph v2 you could access all friend data and pull down the whole social graph for any friend level shared data through one initial person, those were shadow profiles. For each individual permission you only needed one friend to agree to it if the other friend shared at the privacy defaults of friend access to everything.

That has been shut down at of OpenGraph v2, look back on that time where they added it, lots of scammy sites were mad they couldn't build shadow profiles anymore. I built games on Facebook at the time and this was obvious to many game companies that were just there to collect data on users to sell not about the game. Remember all the birthday apps and zombie infection games? All data syphons. Facebook shut it down back then, not really because of privacy but partly, mostly largely because they were scared other companies were getting access to the whole social graph like many did including Zynga, CA, others.

Were 'shadow users' a problem, yes, but go try to pull friend data or personal messages today, those are unique permissions you have to be granted by each user that you access and for each action, you also have to undergo a Facebook app review and justify use of them like you do with background geolocation on Apple.

Part of this attack on Facebook is to bring in the government filter and firewall [1] as an extension of FOSTA / SESTA and most of these issues are resolved at Facebook already.

If you don't want a government censorship filter [1] that the ISPs and large companies like Facebook will run, then understand that this is opening that can of worms.

[1] https://www.wired.com/2017/04/internet-censorship-is-advanci...

EDIT: for the people arguing details about 'shadow profiles'

> So what is a Facebook shadow profile, and where does yours lurk? [2]

> A Facebook shadow profile is a file that Facebook keeps on you containing data it pulls up from looking at the information that a user’s friends voluntarily provide. [2]

> You’re not supposed to see it, or even know it exists. This collection of information can include phone numbers, e-mail addresses, and other pertinent data about a user that they don’t necessarily put on their public profile. Even if you never gave Facebook your second email address or your home phone number, they may still have it on file, since anyone who uses the “Find My Friends” feature allows Facebook to scan their contacts. So if your friend has your contact info on her phone and uses that feature, Facebook can match your name to that information and add it to your file. [2]

[2] https://www.digitaltrends.com/social-media/what-exactly-is-a...

that's not what shadow profiles are
Explain how pulling friend data through one individual into a 'shadow profile' that they themselves didn't give you access to isn't a 'shadow profile'?

What is YOUR definition of a 'shadow profile'? If it is the same as the guy above we are talking about the same thing just from a more dev/api perspective.

Yes Facebook ALSO developed user profiles who had never joined Facebook but those are ALSO 'shadow profiles' and not the majority of the data groups like CA used. They used more 'shadow profiles' like I mentioned. They connected users across many apps via their global facebook id and harvested users friend data as well.

Why don't you go google "shadow profile" and clear this up? The term is not typically used to refer to what you seem to think it means.
I know what they are, why don't you describe it to include all types. I clearly highlighted both types in my other reply to you.

A 'shadow profile' in any system is profile information attained about a user through indirect means like through some friend permission or contact list pull. Are there different types of 'shadow profiles', yes. Is Facebook still doing it? Yes. Can app developers still build them via the API? No not as of OpenGraph v2.

The non public information they build on you like call logs to later match up to real people is bad but you can't just go grab all that data from Facebook like CA did in the past before. Facebook actively doesn't want other entities having that data as it runs their entire ad platform and is their gold mine.

Here is a source since you are arguing semantics about 'shadow' profiles/users:

> So what is a Facebook shadow profile, and where does yours lurk? [1]

> A Facebook shadow profile is a file that Facebook keeps on you containing data it pulls up from looking at the information that a user’s friends voluntarily provide. [1]

> You’re not supposed to see it, or even know it exists. This collection of information can include phone numbers, e-mail addresses, and other pertinent data about a user that they don’t necessarily put on their public profile. Even if you never gave Facebook your second email address or your home phone number, they may still have it on file, since anyone who uses the “Find My Friends” feature allows Facebook to scan their contacts. So if your friend has your contact info on her phone and uses that feature, Facebook can match your name to that information and add it to your file. [1]

[1] https://www.digitaltrends.com/social-media/what-exactly-is-a...

> Facebook provides OpenGraph APIs that app developers can access personal data that is granted by a user. Previously to OpenGraph v2 you could access all friend data and pull down the whole social graph for any friend level shared data through one initial person, those were shadow profiles.

So you're saying if someone uploaded their phone's contact list to Facebook, you used to be able to access that data (about their contacts) from Facebook's API?

Just to be clear, the person with a "shadow profile" doesn't necessarily even have Facebook account.

I still think you're mistaken and trying to map "shadow profiles" to the profile scraping that was done by Kogan and Cambridge Analytica.

'Shadow profiles' are anything that Facebook got without asking for direct permission to get.

It could come through a friend list on Facebook back when you could do that or through harvesting the contact lists on mobile. Both are shadow profiles and both weren't granted access but Facebook got to it (or app developers did) via a friend permission or from the native mobile apps contact list harvesting and tracking.

The most you could get about a user that wasn't part of Facebook was their email, name and anything in their contact list and they probably eventually tracked that user through various means, many companies still do this and other bigs did as well such as LinkedIn. Even on LinkedIn though, one initial user had to use their app or their import feature to get to the 'shadow profiles'. Most 'shadow profiles' came from initial granting by a 'friend' or associate.

They are both 'shadow profiles', anyone that got their data pulled without being directly asked is one. Facebook shut down the friend list and global user id tracking/correlation nearly 5 years ago. Most of the problems were back in 2007-2014 when app development on Facebook was bigger and games were huge there because of this.

Zuckerberg: Congressman, I’m not, I’m not familiar with that.

Zuckerberg: I do not know off the top of my head.

Zuckerberg: Congressman, I do not know off the top of my head but I can have our team get back to you afterward.

This guy must have a whole team of people coaching him on what he can overtly lie about, what he can obfuscate - and when he can't do either, how to change the subject.

It's obvious why he's doing this: it gives him time to come up with a response, in a non public setting, with the help of his legal team. There's no reason for him to answer difficult questions while testifying.
(comment deleted)
Zs response was more to the tune that 'shadow profile' is not a term that he or Facebook uses to describe the said concept, and not denying that it may collect some data pertaining to non members.
If so, that's a pretty legalistic interpretation of the question.
No, the question was a follow-up after he explicitly acknowledged gathering non-user data; the question about that non-user data was “So these are called shadow profiles, is that what they’ve been referred to by some?”

It was literally a question about whether that term was commonly applied to the data Zuckerberg had already acknowledged FB was gathering. Answering “I'm not familiar with that” because you aren't aware of the use of the isn't “pretty legalistic”, it's the only kind of answer that makes sense.

Can your face be tagged when you don't have a Facebook account? I would be very upset if this is true.
Yes. Ive never used facebook in my life, yet thanks to someone sharing a picture of me 10 years ago, and tagging it, it knows my name and will auto tag me in others.
And holding data about people who never consented to it should bite them hard.
No way to remove your data is even worse. I cannot opt-out without making an account. I don't want to have a Facebook account.
When I google my own first and last name, the 4th result is a Facebook “public figure” page of me. I deleted my account years ago though. Creepy.
I find it incredible how many congressmen seem interested in Facebook implementing a rich person mode where you pay them money to not share your data. They aren't worried so much about Facebook gathering data, but that there isn't an exception for the 1%.
"Listen, we've been working our asses off to create Rich/Poor tracks for the Legal system and law enforcement practices, how do we get you in on that action? Who do I have to bribe at facebook?"
What a liar, it's getting more ridiculous every day.
I sure wish Equifax were questioned about collecting information with equal outrage.
Can anyone find an interview or video where he (or his senior team) contradicts him?
(comment deleted)
The title is extreme clickbait; he acknowledged the existence of nonuser data collection (and discussed one use of it), but denied knowledge of the common use of the term “shadow profiles” to refer to the data thus collected.
“So you’re directing people that don’t even have a Facebook page to sign up for a Facebook page to access their data”

That sounds like a simple solution. Yeah right.