Over the course of his two-day testimony in Congress, Facebook CEO Mark Zuckerberg repeatedly returned to a few particular points, ones that ostensibly serve to quell the rising privacy concerns in the wake of data leaks by Cambridge Analytica.

  • You control your data. Anything that you upload, you can also delete.
  • You can control your privacy settings, and restrict access to your data.
  • Facebook is optional. You can delete all your data by deleting your account.

These points are all true, to a degree. They are also carefully designed to obscure the terrifying nature of the actual privacy problem that Facebook poses to all of us, whether we use Facebook or not. A line of questioning from House Representative Ben Ray Luján of New Mexico struck at the heart of the matter when he addressed the so-called “shadow profiles” that Facebook keeps on people who do not even have Facebook accounts.

The existence of shadow profiles has been repeatedly reported over the years, though Facebook—and today, Mark Zuckerberg himself—prefers not to confirm their existence. These profiles include all sorts of information that could be used to identify a given person: their name and phone number, email addresses, physical addresses, and so on.

Facebook gets this information not from the people themselves, but from people who know them. Let’s say I upload my address book to Facebook in an attempt to find my friends on the service. If I know you, then congratulations, Facebook knows your phone number now.

Whose data is your phone number? It seems blindingly obvious: It’s yours! It points to you! But Facebook’s version of privacy and data control relies on a different definition: Data belongs to its uploader. Your phone number, uploaded by me, is my data.

This distinction has wide-ranging implications, which Facebook will occasionally acknowledge. For instance, in response to Gizmodo’s reporting on shadow profiles and Facebook’s creepy “People You May Know” feature, Facebook spokesman Matt Steinfeld alluded to the difficulty of controlling contact information that refers to you. “Once a contact is deleted, we remove it from our system—but of course it is possible that the same contact has been uploaded by someone else.”

In other words: If you really want to remove private information that identifies you from Facebook, your only recourse is to petition everyone who may have uploaded it. Similarly, Facebook would likely argue that “shadow profiles” do not technically exist because there is no explicit collection of data on you, non-Facebook user! There is merely a decentralized network of other people’s data that happens to refer to and identify you. And what is at stake here is much more than just some phone book-grade information. These webs of who-knows-who data can map out the entirety of who you are and associate with, where you work, and even connect folks who would never otherwise know that they share you in common, potentially to embarrassing or disastrous effect.

This definition of ownership lets Facebook defend certain kinds of privacy infringement by claiming to be protecting the privacy of others. Facebook could coherently say it can’t reveal what it knows about you because to do that would be a violation of other people’s data. Zuckerberg has spent the past two days playing this game. When he asserts your ability to control your data, he’s not talking about protecting your freedom to remove data that identifies you—to banish your name and phone number from Facebook’s ever-growing web of who knows who. He’s talking instead about your mother’s/friend’s/boss’s/ex-husband’s/father-in-law’s right to allow that data to live on Facebook as part of their data.

The matter gets even stickier when you bring metadata into the equation. That is Facebook’s data about your data. Your data may include the things that you upload: pictures of your cat, your address, status updates that you post. But this is not Facebook’s primary interest. Instead, Facebook collects information on how you interact with its platform: things that you share and like, things that you click and don’t, when you use it, on what devices, where those devices are located, and so on.


Last Updated: 2026-06-24
