Facebook's Clear History won't solve the problem of shadow profiles

If you don't have a Facebook account, you can't view or delete the data collected about you on third-party websites and in apps, nor disable tracking. Cliqz considers this a violation of the GDPR.

Björn Greif, Editor

Facebook’s Mark Zuckerberg announced a new privacy feature at the F8 developer conference in San Jose last week: Clear History will allow Facebook users to delete the data that the Social Network collects about them on third-party websites and in third-party apps. In addition, Facebook users will be able to turn off this data collection.

This is a good step forward, but what about the non-users? After all, Facebook’s tracking scripts monitor the browsing behavior of all Internet users, whether they are Facebook users or not.

Shadow profiles reveal almost everything about users

In our assessment, Facebook’s data collection practice leads to the creation of shadow profiles. Facebook tracks nearly 30% of global website traffic, as a study by Cliqz and Ghostery shows. Its tracking scripts send data about website visits and more home to Facebook. The tracking data contains unique identifiers (UIDs) that theoretically enable Facebook to link behavioral data to individual Internet users and to de-anonymize them very easily. This creates – intentionally or not – shadow profiles of the users.

The evaluation of “only” one third of all the websites we visit is enough to know more about us than our closest relatives do: Our Internet history reveals almost everything about our buying and travelling habits, our financial status, our state of health, our sexual preferences, our political attitudes, etc. Those who have access to this data get detailed insights into our way of life.

No privacy for non-members

With Clear History, Facebook improves privacy for its members in response to ongoing criticism from politicians and consumer protection groups, but all Internet users without a Facebook account must continue to accept shadow profiles. They would need to sign up with the social network first to object to the data collection and to view and delete the data Facebook has collected about them via tracking. We at Cliqz consider this a violation of the European General Data Protection Regulation (GDPR), which will become effective on May 25. Cliqz CEO Jean-Paul Schmetz explains:

The collection of data about non-users in a way that leads to shadow profiles is Facebook’s weak spot when it comes to GDPR compliance. Facebook updated their privacy information and settings to comply with GDPR. At first glance, they’ve done a decent job on getting users’ consent, informing them, giving users at least some limited means to opt-out and even a limited look into what they know about the user. At the F8 developer conference, Zuckerberg even announced a tool that lets users erase data collected “Off-Facebook” and opt-out of this data collection.
Fair enough, but this only applies to Facebook users. What about non-users? Facebook’s tracking scripts monitor one third of your browsing history and grab data about Facebook members and non-members alike; however, to execute your ‘GDPR rights’, you have to own a Facebook account. Non-members or those who deleted their account are still being tracked and can’t do anything to prevent Facebook from building shadow profiles about them. They still won’t have any means to opt-out or have their data deleted or get insights into the data Facebook has about them. We think that if Facebook continues to neglect the problem of shadow profiles, the company risks high penalties from the EU for GDPR violation.

Instead of waiting for Facebook to improve the privacy of non-members, you should take the initiative to protect yourself from being tracked online. One proven means is an anti-tracking tool such as Ghostery or Cliqz, both of which are available for free download.