Facebook Not Creating 'Shadow Profiles,' Irish Privacy Audit Finds

The world's biggest social network is not building "shadow profiles" of non-users, an Irish privacy watchdog said Wednesday -- vindication for Facebook of allegations it has hotly denied.

The sensational allegations emerged in a complaint filed in August by Ireland’s Data Protection Commissioner. It alleged that users are encouraged to hand over the personal data of other people -- including names, phone numbers, email addresses and more -- and that Facebook used such data to create "extensive profiles" of non-users. The results of an extensive investigation largely vindicated the social network, said Billy Hawkes, Ireland's Data Protection Commissioner.

“While certain data -- which could be used to build what we have seen termed as a ‘shadow profile’ of a non-user -- was received by Facebook, no actual use of this nature was made of such data,” Hawkes said in a conference call unveiling the results of its months-long investigation. “Neither is there any profile formed of non-users.”

"We carried out a very detailed examination of the data that was collected … and we are satisfied it was not used to target individuals," he said.

It's necessary for certain bits of information to return to Facebook to enable some of the social network's functionality, Hawkes explained. But the company has agreed to limit retention of that data to an extremely brief period.

More On This...

"That sort of information will be deleted very, very quickly after it has been collected," Hawkes said. He did not specify the duration of time that Facebook would hold that information.

The extensive audit also revealed numerous way that the company could improve privacy, suggestions that both the Data Protection Office and Facebook Ireland said the company would attempt to implement.

"Facebook already provides a great deal of control for users as to the type of ads they wish to view," he said. The commission suggested that the group promote those better.

Richard Allan, Director of Public Policy for Facebook EMEA, said he was pleased with the audit, which largely lauded Facebook for the efforts it has taken to ensure user privacy.

"The people who use Facebook take privacy and data protection seriously -- and so do we," wrote Allan in a blog post on the company's website in response to the audit. "We work closely with privacy commissioners and regulators around the world to demonstrate our compliance with legal requirements and to improve our policies and practices."

Hawkes said the Data Protection Commission had detailed specific recommendations to Facebook that the company would improve through the first quarter of next year and on.

The object of the audit was to help Facebook achieve compliance with the law, not to ascertain whether a law had been breached, explained Gary Davis, Deputy Data Protection Commissioner.

The rulings of Ireland's privacy office were relevant for hundreds of millions of users; as recently as September 2010, Facebook's Ireland office was responsible for all users outside of the USA and Canada.

"This is an area that requires constant attention," Davis said.