Facebook is using data not directly provided by users to create targeted ads, potentially breaching General Data Protection privacy laws.

Research by computer scientists from Princeton University in the US revealed the extent of Facebook’s so-called ‘shadow profiles’ – the collection of data to create a profile of a person and their social connections beyond what is provided on the platform.

This can occur when Facebook users sync their account with their phone’s contact list. Facebook then stores this data and uses it to create a shadow profile of people within that contact list, regardless of whether they are on Facebook or have consented to Facebook using this information.

Advertisers can upload a list of contact information from their own databases to create targeted ad campaigns on Facebook.

To test this, researchers uploaded hundreds of landline numbers from Northeastern University to an advertising campaign, which were unlikely to have been added to a Facebook account. However, these numbers were likely to be in the contact lists of people at the University, who have synced their phonebook with Facebook.

The researchers discovered that the targeted ads appeared in the news feed of Facebook users associated with the landline numbers, despite not linking their number to their account.

The report, originally published on Gizmodo, found that this same technique was being used to send targeted ads to numbers provided to Facebook as an extra layer of security via two-factor authentication.

Facebook shadow profiles: In breach of GDPR?

The latest evidence of Facebook shadow profiles raises further data privacy concerns around the social network. Under the General Data Protection Regulation (GDPR), individuals have the ‘right to object’. Under this right, an individual has “an absolute right to stop their data being used for direct marketing.”

Individuals also have the right to be informed about the “collection and use of their personal data.”

Most are unaware that Facebook has their data stored. “If you look in your profile, it doesn’t show up,” Alan Mislove, one of the study’s authors, told the Telegraph.

“If you look in ad preferences, it doesn’t show up. Even if you download the dump of all your data, it doesn’t show up in there.”

Joseph Carson, chief security scientist at cybersecurity company Thycotic, believes that Facebook is in breach of GDPR.

3 Things That Will Change the World Today

“This poor practice of personal data collection is surely going to find companies such as Facebook being a target from the EU,” he told Verdict.

“If Facebook is indeed selling personally identifiable information to marketers without consent and the marketers use that data to target EU citizens both companies will be liable under EU GDPR and not just Facebook, as failure to gather consent from 3rd party sources is also a failure to comply with EU GDPR.”

A Facebook spokesperson told Gizmodo that contact details belong to the person who owns the address book, creating a data protection grey area.

“We understand that in some cases this may mean that another person may not be able to control the contact information someone else uploads about them,” a Facebook spokesperson said.

The Facebook spokesperson also pointed out that users can set up two-factor authentication without using their phone numbers.

Alan Duric, CTO/COO and co-founder of encrypted communications platform Wire, also believes that Facebook is in breach of GDPR:

“Users have the right to know how their data is being used, pure and simple. Facebook has once again shown their lack of commitment to this right, which is now kicking them where it hurts when it comes to GDPR compliance.

“The law clearly states that any data collected must have a consent from an individual beforehand and it must be clear why and how the data will be used. Using people’s phone numbers to target adverts without any permission is therefore a direct breach of GDPR.”

“Whether fines will be imposed on Facebook is yet to be seen,” he added.

It is also unclear how Facebook’s shadow profiles can be reconciled with the GDPR’s right to be forgotten if an individual is unaware that their data is being held.

Organisations in breach of GDPR can be fined €20m or up to 4% of global annual turnover. In 2017 Facebook’s stood at $40.6bn, meaning a GDPR fine could be as high as $1.6bn.

Facebook’s history of shadow profiling

Facebook CEO Mark Zuckerberg has previously been questioned by US Congress about shadow profiles, but failed to provide clarity about how someone not using its services can opt out of data collection:

“Congressman, anyone can opt out of any data collection for ads, whether they use our services or not,” Zuckerberg said at a hearing in April. “But in order to prevent people from scraping public information, we need to know when someone is trying to repeatedly access our services.”

The latest study adds more evidence to the idea that Facebook is using shadow profiles to collect the data of non-users. Research published last year by Gizmodo reported a number of strange anecdotes that arose from this form of data collection.

Mislove told Gizmodo that there is a lack of understanding among many users about how targeted advertising works:

“In describing this work to colleagues, many computer scientists were surprised by this, and were even more surprised to learn that not only Facebook, but also Google, Pinterest, and Twitter all offer related services. Thus, we think there is a significant need to educate users about how exactly targeted advertising on such platforms works today.”