Facebook: Hopes for tougher questioning over ‘shadow profiles’

Ahead of Mark Zuckerberg’s meeting with the European Parliament tomorrow, researchers from Cliqz, are urging EU lawmakers not to let the Facebook CEO off without being questioned on ‘shadow profiles’ and the social network’s collection of data.

Facebook’s founder Mark Zuckerberg will be questioned by Members of the EU Parliament tomorrow over the Cambridge Analytica scandal, accusations of election interference, and new European privacy laws. EU lawmakers are being urged to question him over ‘shadow profiles’ and the social network’s collection of data.

The talks will be held behind closed doors at a meeting of the Conference of Presidents attended by leaders of the various political groups.

Hopes for tougher questioning

There has been backlash over the fact that Zuckerberg will not be questioned in public. This follows previous controversy over eschewing a direct invitation from the UK parliament, for Zuckerberg, to testify to a committee investigating online disinformation.

>See also: Cambridge Analytica, following Facebook’s scandal, shutting down

With the news of these talks many people have expressed a hope that the EU Parliament will go further than the US Congress did.

The US congress, who questioned Zuckerberg a few weeks ago, have been accused by a variety of commentators for allowing Zuckerberg to get away with not having to discuss “shadow profiles” – which allegedly are used by Facebook to collect data from non users.

While some have commended Facebook for its apparent efforts to better explain and adapt their data and privacy setting to their users, such as their recent introduction of their ‘clear history’ application, others argue that they are getting away with such actions via non-users.

According to a recent study carried out by Cliqz – developer of browser, search and data protection technologies – Facebook’s data collection practice leads to the creation of shadow profiles, which track nearly 30% of global website traffic. Their tracking scripts send data about website visits, and more, back to Facebook. The tracking data contains unique identifiers (UIDs) that theoretically enables Facebook to link behavioural data to individual internet users and to de-anonymise them very easily. This creates – intentionally or not – shadow profiles of the users.

Will ‘shadow profiles’ comply with GDPR?

CEO Jean-Paul Schmetz added: “The collection of data about non-users in a way that leads to shadow profiles is Facebook’s weak spot when it comes to GDPR compliance.

Facebook updated their privacy information and settings to comply with GDPR. At first glance, they’ve done a decent job on getting users’ consent, informing them, giving users at least some limited means to opt-out and even a limited look into what they know about the user.”

>See also: Digital uprising: Delete Facebook movement gains traction in UK

“Fair enough, but this only applies to Facebook users. What about non-users?

Facebook’s tracking scripts monitor one third of your browsing history and grab data about Facebook members and non-members alike, however to execute your ‘GDPR rights’, you have to own a Facebook account.

Non-members or those who deleted their account are still being tracked and can’t do anything to prevent Facebook from building shadow profiles about them.

They still won’t have any means to opt-out or have their data deleted or get insights into the data Facebook has about them.

We think that if Facebook continues to neglect the problem of shadow profiles, the company risks high penalties from the EU for GDPR violation.”

In a letter to the European Parliament, Cliqz founder, Jean-Paul Schmetz, and managing director, Marc Al-Hames, have suggested that lawmakers address the issue of Facebook storing the data of non-users, asking Facebook why it stores the data of people that aren’t using its platform and if these people will be given the opportunity to delete this data.

Here’s the letter in full:

Dear President of the European Parliament,

Dear Members of the Conference of Presidents,

Dear Members of the European Parliament,

Dear Members of the LIBE Committee,

A few weeks ago, the members of the US Congress let Mark Zuckerberg get away with feigning ignorance on the most critical questions about the privacy of all Internet users: Does Facebook create “shadow profiles” – i.e. profiles of non-members – and does Facebook collect information about people outside of the Facebook platform. We are hopeful and confident that our representatives will be more tenacious.

Since the parliamentary hearing was organized as a closed-door meeting to respect Mr. Zuckerberg’s privacy, allow us to suggest some key questions to ask him directly:

Mr. Zuckerberg: Cliqz’s researchers have established that Facebook’s tracking scripts are on more than 1 out of 3 pages of the web, collecting people’s browsing behaviour combined with unique identifiers. The Cambridge Analytica data leak affected 2.7 million EU citizens whereas Off-Facebook data collection affects every single internet user in the world, regardless whether he or she is a Facebook member of not.

Why do you collect this data and do you store this data?

You have announced a few weeks ago that you will offer Facebook members the possibility of deleting this data (which suggests that you do store this data). When will people see the data you have collected and stored? How many months of browsing history did you store? Will non-Facebook members be offered the possibility to see and destroy their data?

Where exactly in your past privacy policies did you tell your users that you were collecting and storing this data? Did you seek to receive consent for this sort of collection from your users in preparation for GDPR?

See also: What Facebook’s results tell us about the platform’s immunity to criticism

Dear Members of Parliament, please do not allow Mr. Zuckerberg to plead ignorance on these important question as he did in front of the US Congress. Even if he did not know at the time, he does know as his announcement a few weeks later made clear. Please insist on clear answers about the extent of tracking of users and non-users outside of Facebook properties. You can pin him down with one simple, unambiguous question: Do you store off-Facebook browsing data collected from non-Facebook users?

For our part, we build tools to keep Facebook and others from creating shadow profiles of internet users. We are a German start-up backed by Burda and Mozilla and we build browser, search and data protection technologies. Our Cliqz and Ghostery browsers make the hidden surveillance network of tracking scripts visible for everyone.

Our data scientists would be more than happy to show you, dear Members of the Parliament, some examples of how dangerous tracking-based data collection is.

Please, do not allow the strong platforms of this world to destroy the privacy of your citizens. As proud citizens of the EU, we count on you!

Yours faithfully,

The Cliqz Team

Marc Al-Hames
Managing Director, Cliqz GmbH

Jean-Paul Schmetz
Founder, Cliqz GmbH

Avatar photo

Andrew Ross

As a reporter with Information Age, Andrew Ross writes articles for technology leaders; helping them manage business critical issues both for today and in the future