• Mark Zuckerberg told Congress on Wednesday that Facebook collects data on people who don’t use the social network for “security purposes.”
  • Zuckerberg says that Facebook likes to keep track of people who repeatedly try to access its services, to detect when someone is trying to improperly gather user data.
  • Facebook also targets non-users with ads, even if they never consented to the practice.

One of Facebook’s little-known, highly controversial practices is in the spotlight: The fact that it collects data on people who have never signed up for the social network.

CEO Mark Zuckerberg testified to the US Congress on Wednesday for his second day of grilling by lawmakers following a string of scandals for the company. The 33-year-old CEO has been questioned on everything from Cambridge Analytica’s misappropriation of up to 87 million users’ data, to allegations of anti-conservative bias at his company.

Representative Ben Luján (D-NM) drilled down on Facebook’s privacy practices, asking Zuckerberg how many data points the social network collects on each user, citing reports that it could be up to 29,000. The 33-year-old executive’s answered that he didn’t know.

Luján then asked how many data points Facebook collects on non-users. Again, Zuckerberg had no answer. When asked specifically about whether Facebook has “detailed profiles on people who have never signed up for Facebook,” Zuckerberg responded that it was primarily about security.

"In general we collect data on people who have not signed up for Facebook for security purposes to prevent the kind of scraping you were just referring to," he said.

Though he didn't mention it in front of Congress, Facebook also targets people with ads on other websites even if they don't have an account. "For non-Facebook members, previously we didn't use [Facebook's Audience Network ad service]," exec Brian Bosworth said in 2016. "Now we'll use it to better understand how to target those people."

Luján then asked Zuckerberg if users could opt-out of having Facebook build these profiles of them. The CEO responded that "Anyone can turn off and opt out of any data collection for ads, whether they use our services or not," but suggested Facebook still needed to collect some kind of data on non-users for security reasons.

"In order to prevent people from scraping public information […] we need to know when someone is repeatedly trying to access our services," he said.