Facebook’s problems just keep accumulating, drip by drip—or more like splash by splash. It’s now been discovered that Facebook not only collects and uses the personal data of its members but also collects the data of those who never signed up for Facebook.

So if you’re one of those who blames Facebook users for allowing their personal data to be compromised, don’t be so smug. Facebook may be sharing your personal data as well.

Daniel Kahn Gillmor, senior staff technologist at the ACLU, discovered that, although he never joined Facebook or any other social network, Facebook has a detailed profile on him.

Facebook obtains information from those not on Facebook in two different ways: from other Facebook users and by tracking people who visit other other sites on the web.

When people sign up for Facebook, they’re encouraged to upload their contacts to make it easier for Facebook to connect them with their friends. That allows Facebook to access personal contact information for people who never signed up for the platform or gave their permission to share their information. Facebook knows that these contacts are friends of the new Facebook user, and can start compiling additional details on these non-members.

Gillmor explained, “I received an email from Facebook that lists the people who have all invited me to join Facebook: my aunt, an old co-worker, a friend from elementary school, etc. This email includes names and email addresses — including my own name — and at least one web bug designed to identify me to Facebook’s web servers when I open the email.” He added, “Facebook records this group of people as my contacts, even though I’ve never agreed to this kind of data collection.”

“Similarly, I’m sure that I’m in some photographs that someone has uploaded to Facebook — and I’m probably tagged in some of them. I’ve never agreed to this, but Facebook could still be keeping track.”

Facebook also tracks individuals when they visit other websites. Whenever they click a “like” button on the website, that information often gets fed back to Facebook, along with a list of the websites visited and any Facebook-specific cookies the browser might have collected. Facebook calls this a “third-party request.” As individuals do this over time, Facebook is able to accumulate a detailed profile, again, even though they never signed up for a Facebook account.

Now you might think, so what? Facebook could not possibly know who the person is. Gillmor notes that “the profiles Facebook builds on non-users don’t necessarily include so-called ‘personally identifiable information’ (PII) like names or email addresses, but they do include fairly unique patterns.”

He then conducted a test. “Using Chromium’s NetLog dumping, I performed a simple five-minute browsing test last week that included visits to various sites — but not Facebook,” he wrote. “In that test, the PII-free data that was sent to Facebook included information about which news articles I was reading, my dietary preferences, and my hobbies,” said Gillmor. “Given the precision of this kind of mapping and targeting, ‘PII’ isn’t necessary to reveal my identity. How many vegans examine specifications for computer hardware from the ACLU’s offices while reading about Cambridge Analytica?”

In another startling revelation about how Facebook is reaching out beyond its members, CNBC reported that Facebook has been in discussions with a number of hospitals, including the Stanford Medical School and American College of Cardiology, asking that they share data about their patients, such as illnesses and prescription info, as part of a research project.

Facebook’s intent was to match this data with user information it had collected. It said that, while the data it received would not identify the patients’ names, it would allow Facebook to try and help the hospitals figure out which patients might need special care or treatment.

A Facebook spokesman said, “This work has not progressed past the planning phase, and we have not received, shared, or analyzed anyone’s data.”

Facebook said they avoid identifying patients’ names by using “hashing,” a computer science technique that would match individuals who existed in both sets of data.

Taking these two new revelations together, we can’t believe much of anything Facebook tells us, especially about protecting a person’s identity. But it does seem clear that Facebook has an unquenchable thirst for everyone’s data, members and non-members alike, at home, at work and even in hospital beds.