Surveillance

Shadow Profiles: The File Platforms Keep on People Who Never Signed Up

July 12, 2026 7 min read Haven Team

Delete Instagram, never sign up for Facebook, refuse every contact sync prompt you're ever offered, and the platform can still hold a working file on you: your phone number, your email, a rough sketch of who you know, built entirely from other people's address books.


The term "shadow profile" describes exactly this: a record a platform assembles about someone who has never created an account, made of fragments contributed by people who did. It's not a hidden conspiracy so much as a predictable side effect of a feature almost every social app ships, contact sync, combined with the fact that the data one person uploads describes other people too.

Where the Data Actually Comes From

Every time someone grants a messaging or social app permission to "find friends," they hand over their entire address book, and every entry in it becomes a data point about a person who never consented to anything. If three of your contacts upload their phone books and you're in all three, the platform now has your number tied to three separate accounts, along with the implied fact that you know all three people.

Photo tagging adds another layer even without contact sync: a name attached to a face in someone else's upload, repeated often enough, builds an identity graph node whether or not that name has ever opened the app. Co-location signals from apps that check nearby devices or shared network activity add a coarser layer still, enough to infer that two phones, and therefore two people, were probably in the same place.

The 2018 Admission That Wasn't Quite an Admission

During Mark Zuckerberg's 2018 congressional testimony, Representative Ben Lujan asked directly whether Facebook builds profiles on non-users. Zuckerberg's answer avoided the term "shadow profile" but confirmed the mechanism: Facebook does collect data for security purposes on people who haven't signed up, largely through the same contact-upload pathway other users trigger. It was the closest the company came to acknowledging on the record what researchers and journalists had already documented for years.

Why the name matters less than the mechanism

Whether a company calls it a "shadow profile," a "security graph," or nothing at all, the underlying fact is the same: an identifier tied to you exists in a system you never opened an account with, contributed by someone else's data, and used to serve that system's own purposes, usually friend suggestions and ad targeting inference.

Why "You Never Agreed to This" Is a Real Legal Problem

Under GDPR, processing personal data requires a legal basis, and a shadow profile is built entirely without the data subject in the room to provide one. This was the substance of Max Schrems's early complaints against Facebook in Europe, filed years before the company's own admission, arguing that data collected about non-users through friends' uploads had no consent behind it at all. The regulatory posture since has been that the mechanism is legally uncomfortable at best; enforcement against it specifically has been slower than the underlying practice.

In the US, there's no federal equivalent forcing the same question, which means the primary constraint on shadow profiles has been reputational pressure and the occasional state privacy law, not a clear statutory prohibition.

Not Just Facebook

LinkedIn faced its own version of this fight years before Facebook's congressional testimony. A 2015 class action, Perkins v. LinkedIn, targeted the company's practice of using imported contact lists to send repeated invitation and reminder emails to people who had never signed up, on behalf of a user who had granted contact access once. LinkedIn settled the case for 13 million dollars without admitting wrongdoing, and changed the flow so a second and third reminder email required a separate, explicit user action rather than firing automatically. The underlying mechanism, contacts imported by one person becoming outreach targeting someone who never opted into anything, is the same shadow-profile pattern, just surfaced as unsolicited email instead of a silent internal record.

What "People You May Know" Reveals About the Model

The clearest visible symptom of a shadow profile is the "people you may know" suggestion that surfaces someone you've never interacted with on the platform, sometimes someone you've only ever exchanged a phone number with in person. That suggestion isn't a coincidence engine; it's the graph surfacing a connection it inferred from someone else's uploaded contacts, doing exactly the job it was built to do.

Signal source What it contributes to a non-user's file
Contact list uploads Phone number and/or email, tied to whoever uploaded it, repeated across every uploader who has you saved
Photo tagging A name attached to a face, reinforced with repetition
Co-location / nearby-device signals An inferred association between two people or devices, without either one's account activity

What Actually Reduces Your Footprint

There's no clean opt-out for a shadow profile, since by definition you don't have an account to manage settings on. The practical levers are all indirect: ask the people closest to you not to sync their contacts to platforms you avoid, since your number sits in their address book whether you have an account or not. If a platform offers a non-user data request or deletion form, usually the result of GDPR or CCPA pressure, use it, though expect the response to be limited. Beyond that, shadow profiles are a structural feature of contact-sync-based social products, and the only complete defense is being someone nobody's address book contains, which isn't realistic advice for most people.

What is realistic: understanding that your digital footprint isn't only what you post, and that the accounts you avoid still learn about you through the accounts your contacts keep.

The Uncomfortable Asymmetry

What makes shadow profiles different from most privacy problems is that the person most affected has the least visibility into what's happened and the least standing to do anything about it. A user can review their own data, download it, close the account. A non-user usually can't log in to see what's been inferred about them, because there's no account to log into, and any data request they file has to be handled as an exception process rather than a standard self-service flow. That asymmetry, the subject of the record having less access to it than almost anyone else in the system, is the part regulators have struggled with longest, since most data protection frameworks were built around the assumption that the person a record describes is also the person who can act on it.

Try Haven free for 15 days

Encrypted email and chat in one app. No credit card required.

Get Started →