Data & Privacy
The Shadow Profile You Never Agreed To
The most detailed file a tech company holds on you was built almost entirely from data you never gave them.
The Idea
Most people picture data collection as a transaction: you use a service, you hand over some information. But the architecture of modern data collection is far stranger and more expansive than that bargain implies. The truly revealing data isn't what you submit — it's what gets inferred, triangulated, and assembled from sources you've never interacted with at all. Consider what a single ad network can observe in a few seconds: your device's hardware fingerprint (a near-unique signature built from screen resolution, font list, battery level, and dozens of other signals), your IP address and the rough location it implies, the referral chain showing where you came from, how long your mouse hovered before you clicked, and the exact rhythm of your scrolling. None of this requires you to log in or consent to anything. You simply loaded a page. Now multiply that across thousands of websites carrying the same invisible tracking pixel. The company assembles a longitudinal portrait — your daily rhythms, your anxieties (inferred from health searches), your financial stress (inferred from payday-adjacent browsing), your political leanings, your relationship status. The profile isn't stored under your name; it's stored under a persistent identifier tied to your device. The distinction is largely cosmetic. What makes this particularly disorienting is the category of 'shadow profiles' — records built on people who have never used a service. When your contacts sync their phone, they upload your number, your name, the label they've saved you under. You become a node in someone else's graph before you've ever opted in to anything.
In the World
In 2018, a Belgian researcher named Paul-Olivier Dehaye submitted a formal data access request to Facebook — a right granted under European law — and asked for everything the platform held on him. What came back included the expected material: posts, likes, messages. But buried in the archive was something more unsettling: detailed records of websites he'd visited that had nothing to do with Facebook, captured via the 'Like' button embedded invisibly on third-party pages. Facebook had been logging his browsing even when he wasn't on Facebook, even when he hadn't clicked anything. More striking was the data Facebook held on people in his network who weren't Facebook users. Their phone numbers, the names his contacts had stored them under, interaction patterns — all present, all inferred. Dehaye had become a passive data collection point for people who had made an active choice to stay off the platform. This is the mechanism behind Meta's long-running 'shadow contact' practices, documented repeatedly by researchers and eventually acknowledged by the company itself during Congressional testimony in 2018 when Mark Zuckerberg confirmed to Senator Richard Blumenthal that yes, Facebook does collect data on non-users. The senator looked genuinely surprised. Most people still are. The consent framework we've been handed — tick a box, read a policy — was never really designed to capture this. It was designed to cover the transaction you can see, not the architecture operating underneath it.
Why It Matters
Knowing this shifts something practical in how you can reason about your own exposure. The instinct to simply 'be careful what you post' dramatically underestimates the surface area. Your browsing behaviour, your device characteristics, your position in other people's contact lists — these are generating a record whether or not you're paying attention to it. This also reframes the value of privacy tools. A VPN masks your IP; it does nothing about your browser fingerprint. Deleting an app removes its direct access; it doesn't erase the data already sold downstream to data brokers. Opting out of one platform's tracking leaves seventeen others untouched. None of this means you're helpless — browser-level fingerprint resistance (built into Firefox and Brave), aggressive cookie partitioning, and simply using fewer third-party services all genuinely reduce your footprint. But the more important shift is cognitive: moving from a model where privacy is about what you share, to one where privacy is about what can be inferred about you from the world around you. Those are very different problems, and only the second one reflects how data actually flows in 2024.
A Question to Ponder
If a detailed profile of your anxieties, habits, and beliefs exists somewhere — assembled without your knowledge and never shown to you — does it matter that your name isn't attached to it?
Get a new one of these every morning.
Start learning with Thinkable