Facebook Shadow Profiles
Recently I came across a set of articles talking about Facebook “Shadow Profiles”. If you haven’t read the articles, in a nutshell, Facebook links tremendous amounts of data about your account that you haven’t entered – but that your friends have. For example, if you had one email address you used for friends and another just for your family that you didn’t tell Facebook about, you would think that second address wouldn’t be in your profile. However, if you gave that email address to your mom, and she let the Facebook app scan her contacts, it would pull in that email address and silently link it to your account.
Part of the discussion in the article was whether Facebook does this for non-Facebook users. The consensus was that they may or may not, but it would be hard to tell. Well, until something that happened this evening.
We are working on an application which requires integration with Facebook. Being a non-Facebook user, I didn’t have an account, so I created a fake one under a fake name, with no information tying back to me in any way, shape or form (completely different email, different name, etc). Facebook flagged it as a potential “fake” account, so they made me take an extra step of texting me a code. Since I can’t fake a phone number, I put in my real cell number, got the code, and entered it in.
Facebook happily accepted it, and then took me right in to see if I wanted to “Add Friends”. And it made some suggestions.
And they were all people I really know. In real life. Many who have my cell number.
Which means that my cell number was stored to a shadow profile that was not linked to any Facebook account. And as soon as I created one, Facebook established that link, enabling all of the suggestions. Which I might have dismissed if I had used my name, but since the only thing that would link me to the huge list of people it suggested was my phone number – well, it certainly confirms my suspicions. Although I would love to hear another way they could have figured it out.
(For the record, I used Chrome Incognito to log in, and Chrome is not my normal daily browser, so I wasn’t logged in to anything in Chrome that Facebook could have grabbed to link me.)