Previously we covered how to protect your privacy by preventing people from tagging your photos in both Facebook and Picasa. Consider this a follow-up as it looks like Facebook is a bit more involved in privacy intrusions than anyone had previously thought.

In a recent bug fix, Facebook inadvertently revealed that it’s creating dossier-like profiles on its users based on third-party information. This applies even if you never signed up for a Facebook account. But what does that mean exactly?

When someone “connects” to Facebook using their Gmail, Yahoo, Twitter, Outlook or whatever account, Facebook will ask for permission to access your contacts to “find your friends on Facebook”. While Facebook may actually be trying to find their friends’ profiles on Facebook, Facebook is also harvesting all of that contact data and using it to create “shadow profiles” based on name and email address information. Ouch… And before you ask whether Facebook notifies anyone about this process, apparently this page, which is ambiguous at best, is the attempt. Unfortunately this also isn’t the first time this month that Facebook flagrantly invaded user privacy without permission.

What is a Facebook Shadow Profile?

Have you ever tried using Photoshop, Paint.net, or other image editing software that uses ‘layers’? A shadow profile is much like an invisible layer: it isn’t normally visible on the Facebook front-end, but it is still there on Facebook’s servers. These profiles contain additional information which you likely didn’t submit to your Facebook account yourself, but which was collected through the automated contact-import methods mentioned earlier. It’s visible only to Facebook.

For a while, this information was available to people using the “download my data” feature due to a bug in the Facebook system, which has now been corrected. Although this information is no longer publicly available, it is still being collected by Facebook. And these profiles may store information on people who don’t even have a Facebook account.

The part where this becomes scary is when you consider that Facebook is pulling information from a large variety of sources, but worst of all: smartphones. When you install the Facebook app on your phone it requires permission to read your contacts, call log, location, accounts, and application data. Let’s also consider that many Android phones now come with Facebook pre-installed or baked into the operating system.

How can you protect your privacy?

The short answer is, you can’t. The responsibility rests with others not to upload contact data to Facebook, and that contact data includes you. Even when security company Packet Storm questioned Facebook, they received the following response from Facebook:

“they think of contacts imported by a user as the user’s data and they are allowed to do with it what they want. To clarify, it’s not your data, it’s your friends’. We went on to ask them if Facebook would commit to having a privacy setting that dictates Facebook will automatically delete any and all data uploaded about me via third parties (“friends”) if it’s not in scope with what I’ve shared on my profile (and by proxy, is out of band from my privacy settings)? We were basically met with the same reasoning as above and in their wording they actually went as far as claiming that it would be a freedom of speech violation.”

Conclusion

Facebook is mapping the human population one social connection at a time, with or without your help. Although Facebook is unlikely to be the only corporation among its peers involved in mapping the population, perhaps Facebook should take note of how one of its peers provides a solid opt-out process for its users.