In the second Congressional hearing on Facebook’s data practices, several House representatives brought up the issue of Facebook tracking users even when they log out or when they don’t even have accounts. The company has long been accused of creating these "shadow profiles."
Facebook’s Long History With Shadow Profiles
Facebook introduced the "Like" button for web pages in 2010. Months later, a Dutch security researcher discovered that the button was sending data about the pages you were visiting to Facebook, even if you never clicked on it. Facebook said that what the researcher found was a bug and promised to fix it.
When the Wall Street Journal found that Facebook’s Like button was still collecting data in May, 2011, Facebook reiterated that the Like button is not used nor intended to be used for tracking. Later that year, Facebook began auto-sharing what people were reading with their friends. At first, people thought that simply logging out of Facebook would stop this sort of tracking, but others soon discovered that it actually didn’t work. Facebook promised to fix the issue so that users are no longer tracked when they log out of their accounts. The company also added that it doesn’t track users or target ads at them via the Like button, and that it deletes or anonymized the data after 90 days of using it.
In 2014, Facebook announced that it will use the Like button and other widgets to track users and to create more targeted ads against that data.
In 2015, Facebook was threatened with a 250,000 euro per day fine unless it stopped this sort of tracking against internet users who didn’t even have Facebook accounts. The company claimed it was using Like button tracking for security reasons, in order to stop fake accounts and botnets. The company had initially won the lawsuit based on a jurisdiction issue.
However, as the jurisdiction issue clarified in the following years, a Belgium district court eventually ruled that Facebook must end its shadow tracking, delete all the shadow profiles it had illegally created over the years, and comply with EU privacy laws. Otherwise, the company would have to pay a fine of 250,000 euro a day until it made those changes.
Congress Confronts Zuckerberg Over Shadow Profiles
Today, in the second hearing Congress has done on Facebook’s data policies and the recent Cambridge Analytica scandal, Congressman Ben Luján from New Mexico asked Zuckerberg about shadow profiles. However, he claimed he was not aware of that term. After explaining it, Luján confronted Zuckerberg about his statement that all users control their data when internet users whose data has been collected by Facebook through shadow tracking in fact have few ways to do so.
Zuckerberg said that non-Facebook users can only opt out of ad tracking. However, considering he also said that the company tracks all users who visit pages with Facebook widgets on them for security purposes, that means not all tracking will stop. Luján then pressed him on how many data points the company collects on both users and non-users, but Zuckerberg said he doesn't know.
In an earlier discussion with another Congressman, Zuckerberg also said that users can download or delete all the data they’ve ever posted or that has been created through their own interactions with the Facebook. However, he also implied that the data Facebook may have collected about individuals through other means may not be deleted.
Although Facebook may be forced to stop using tracking non-users in the European Union, that may not be the case in the U.S. and elsewhere, even if the company has promised to bring GDPR privacy controls to everyone.
The only way the company may stop its shadow tracking in the U.S. is either if the FTC’s new investigation concludes that this behavior is illegal, or if new regulation requiring consent for all use of consumer data would ban the company from doing it without explicit user permission.