Facebook shadow profiles. Surely you’ve seen the term bouncing across tech news the past few days, and you’ve got a sense it’s probably some nefarious privacy violation—or just the first fun feature Facebook has introduced in years.

But seriously, are shadow profiles real? Do I have one? Are they bad?

If you use Facebook, then “yes” to all three.

Let’s take a trip into Facebook’s shadowy recesses.

Why are shadow profiles in the news?

Last Friday, right when most journalists were ready to go home for the weekend, Facebook released some embarrassing news. A bug had exposed the private email addresses and phone numbers of 6 million of its users.

Though Facebook tried to downplay the significance of the bug, journalists rudely forced to work on a weekend quickly realized there was more to the story than just another data leak: many of the exposed email addresses and phone numbers may never have been intentionally given to Facebook at all.

Instead, they were collected on the sly and stored in Facebook’s secret behind-the-scenes scaffolding, where it collects troves of data about you that you never knew existed. That data on you that you didn’t know Facebook has? That’s a “shadow profile.”

Who has a shadow profile? Are they real?

Well, potentially everyone who has a Facebook account. They contain a certain amount of information you’re not surprised Facebook knows about you—your name, your interests, your relationship status, how many times you’ve liked your friends’ posts. But at the same time, Facebook’s been able to smartly collect other data about you. Even if you’ve never told Facebook your phone number, for instance, it might have it. As well as your second and third and fourth email addresses.

So where did Facebook get this data?

Your friends! Or maybe even friends of friends. You can thank anyone who allowed Facebook to scan their mobile phone contacts through the “find friends” feature.

When someone uses this feature, Facebook downloads all of a phone’s contact data to its own servers. This is mostly email addresses and phone numbers. At the same time, Facebook is also collecting harder-to-track data on how you and all your friends and friends of friends are connected to each other. That’s how it finds people to recommend for its “people you may know” feature.

The company’s mobile app even tells you it will do this:

“Find Friends uploads contacts from your device and stores them on Facebook’s servers where they may be used to help others search for people or to generate friend suggestions for you and others.” (Emphasis added)
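To make the mechanism above concrete, here is an added illustration (not Facebook code, and all names, addresses and account data are constructed for the example) of what a service can infer once it holds several uploaded address books: identifiers an account holder never entered, contact details for people with no account at all, and connections between uploaders who merely share a contact. It assumes address-book entries are matched to accounts by display name.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data for illustration; none of it comes from the article.
# Display name of each account holder, used to match address-book entries.
ACCOUNT_NAMES = {"alice": "Alice", "bob": "Bob", "carol": "Carol"}

# Identifiers each account holder chose to put on their own profile.
DECLARED = {
    "alice": {"alice@example.com"},
    "bob": {"bob@example.com", "+1-555-0100"},
    "carol": {"carol@example.com"},
}

# Address books uploaded via a "Find Friends"-style feature:
# uploader -> list of (contact display name, email or phone).
UPLOADS = {
    "bob": [("Alice", "alice@example.com"), ("Alice", "alice.work@example.org"),
            ("Carol", "+1-555-0199")],
    "carol": [("Alice", "alice.work@example.org"), ("Dave", "dave@example.net")],
}


def build_shadow(uploads, declared, account_names):
    """Identifiers the service now holds for an account holder that the holder
    never entered, together with the uploaders who supplied each one."""
    by_name = {name: acct for acct, name in account_names.items()}
    shadow = defaultdict(lambda: defaultdict(set))
    for uploader, contacts in uploads.items():
        for name, ident in contacts:
            acct = by_name.get(name)
            if acct is not None and ident not in declared.get(acct, set()):
                shadow[acct][ident].add(uploader)
    return {acct: dict(idents) for acct, idents in shadow.items()}


def non_user_contacts(uploads, account_names):
    """Contacts matching no account at all: data about people who never signed up."""
    known = set(account_names.values())
    found = defaultdict(set)
    for contacts in uploads.values():
        for name, ident in contacts:
            if name not in known:
                found[name].add(ident)
    return dict(found)


def people_you_may_know(uploads):
    """Uploader pairs linked only because their address books share an identifier."""
    holders = defaultdict(set)
    for uploader, contacts in uploads.items():
        for _, ident in contacts:
            holders[ident].add(uploader)
    return {tuple(sorted(pair)) for group in holders.values()
            for pair in combinations(group, 2)}
```

Alice never told the service about her work address, yet two uploads reveal it and who knows it; Dave has no account but his address is stored anyway.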

Does Facebook have shadow profiles on non-Facebook users?

It makes sense that, with all the contact lists uploaded to its servers every day, Facebook would be able to learn a whole lot of information about people who don’t even have Facebook accounts. But while it has stayed mum on shadow accounts as a whole, the company has asserted it does not collect information on people who don’t actually use Facebook.

Is that legal?

In the United States, probably. Facebook mentioned collecting phone contacts in the Terms of Service that all users must agree to before using the site, so unless the company is collecting additional information it didn’t disclose, users have already given their consent.

But Europe’s data protection laws are much stronger. Max Schrems, owner of Europe vs. Facebook and privacy rights advocate, launched a complaint against Facebook’s European offices, headquartered in Ireland, citing seven different instances where shadow profiles potentially violate the country’s Data Protection Act (read the PDF here). Schrems asserts that the profiles gathered “excessive amounts of information about data subjects without notice or consent by the data subject. In many cases these information might be embarrassing or intimidating for the data subject.”

How long has this been going on?

Facebook said that its user data has been leaking for over a year. Shadow profiles have been catalogued at least since August 2011, when Schrems filed his complaint against the company. Facebook has had an iPhone app since August 2007, and the “Find Friends” feature launched on iPhone and Android in April 2011.

Should I be concerned?

Probably! Especially in light of the recent revelations regarding the National Security Agency’s intrusive spying campaign, PRISM. Facebook was one of nine companies the NSA made deals with to turn over information about users. Since Facebook won’t even confirm it hosts “shadow profiles,” it’s unclear whether information from shadow profiles could also have been passed along to the NSA. But it’s certainly possible.

In other words, you may have an email address that you’ve never listed anywhere for anyone else to see, but because one of your friends added it to their contact list, a snooping government agency might just discover it.

UPDATE: Following the publication of this article, a Facebook representative reached out to the Daily Dot. He denied that any data from shadow profiles was handed over to the NSA as part of the PRISM program.

Photo by Jason Reed