Structure is Not Security: The Architecture of Shadow Profiling
How I became a node in a Knowledge Graph I never joined.
I received a link from a connection on Alignable. I confirmed it was valid and not spam, so I proceeded to figure out what the platform was.
Before I even finished creating a profile, it prompted me to connect with five people. They are all real contacts. One of them is a good friend and a prominent data engineering coach.
I got curious. At one point, the platform asked to import my contacts list. Instead, I backed up and started playing with variations of my own email addresses.
The results shifted instantly.
The platform was dynamically matching me to connections based entirely on who had that specific email saved in their uploaded contacts list. My friend hadn’t foreseen this, but by simply syncing their address book, they had provided the platform with my data.
I was already an active node in a knowledge graph I never agreed to join.
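A minimal model of the matching behaviour described above, as an added example that is not from the original post and is not Alignable's code. It assumes the platform keeps a reverse index from each uploaded address to the members who uploaded it; the class, method names and example.com addresses are constructed for illustration.

```python
from collections import defaultdict

def normalize(email):
    """Trim and lower-case only, so each distinct address stays its own node."""
    return email.strip().lower()

class ContactGraph:
    """Hypothetical contact-import matcher (assumed design, not a real platform's)."""

    def __init__(self):
        self.members = set()               # addresses whose owners signed up
        self.saved_by = defaultdict(set)   # uploaded address -> members who uploaded it

    def signup(self, email):
        self.members.add(normalize(email))

    def import_contacts(self, uploader, address_book):
        """One member's sync creates an edge to every address, member or not."""
        for contact in address_book:
            self.saved_by[normalize(contact)].add(normalize(uploader))

    def suggestions(self, email):
        """Who 'knows' this address: answered purely from other people's uploads."""
        return sorted(self.saved_by.get(normalize(email), set()))

    def shadow_nodes(self):
        """Audit: addresses held in the graph whose owners never signed up."""
        return sorted(e for e in self.saved_by if e not in self.members)

    def purge_shadow_nodes(self):
        """Mitigation (assumed policy): keep edges only between signed-up members."""
        for email in self.shadow_nodes():
            del self.saved_by[email]

def build_sample():
    """Constructed data: two members sync address books that contain a non-user."""
    g = ContactGraph()
    g.signup("friend@example.com")
    g.signup("coach@example.com")
    g.import_contacts("friend@example.com", ["me@example.com", "me.work@example.org"])
    g.import_contacts("coach@example.com", ["Me@Example.com "])
    return g

if __name__ == "__main__":
    g = build_sample()
    print("shadow nodes:", g.shadow_nodes())
    for addr in ("me@example.com", "me.work@example.org", "unseen@example.net"):
        print(addr, "->", g.suggestions(addr))
    g.purge_shadow_nodes()
    print("after purge:", g.shadow_nodes(), g.suggestions("me@example.com"))
```

Each address variant returns a different set of suggested connections before its owner has created any account, which is the shift in results described above.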
By prompting users to “Import Contacts,” platforms use a legal loophole to turn a colleague’s convenience into your vulnerability. Their Terms of Service provides legal structure, but structure is not security. They don’t need your permission to build a shadow profile of your network; they just need one person in it to hand it over.
Here is exactly how the architecture of this loophole works.
When a user clicks “Import Contacts,” the UX presents it as a frictionless onboarding step. But the legal framework immediately shifts all liability onto the user making the upload.
Take Alignable’s legal documentation as a prime example of this industry-standard playbook.
In their Privacy Policy, under “Contacts Information”, they state:
“By providing email addresses or other information of non-Users to Alignable, you represent that you have authority to do so.”
They enforce this explicitly in their Terms of Service, Section 1.a:
“...you represent, warrant, and covenant that: (a) at the time of sending any communication using the Services, you have or will have obtained any and all necessary consents required... from your contacts to use their email address...”
And in their Code of Conduct, they forbid the following:
“Do not share information of Users or non-Users without their express consent;”
This is the shadow profiling playbook.
The platform builds a feature designed to ingest massive amounts of raw data (your email, your name, your proximity to the uploader) in a single click. Legally, they require the user to act as the compliance firewall.
The platform should know with a high degree of certainty that nobody calls their 500 email contacts to get explicit legal consent before clicking “sync.” They abstract away the human context of the relationship to aggressively map the nodes.
By forcing the user to agree to an impossible condition in the ToS, the platform harvests the knowledge graph while immunizing itself against data privacy laws.
They didn’t scrape my data; my friend “authorized” it.
I am sharing this to break down how our data actually flows in the wild.
Privacy isn’t an individual setting anymore; it’s a collective vulnerability.
The next time an app asks to “Find your friends” or “Import contacts,” remember what you are actually doing. You aren’t just saving yourself five minutes of typing. You are unilaterally volunteering the personal data of everyone in your professional network into a system they never vetted.
Protect your nodes. Stop clicking sync.
About the Author
Ramona C. Truta is an Independent Researcher, Solutions Architect and Educator who brings over 20 years of rigorous database engineering experience to the world of AI. A former university lecturer who taught databases, software engineering and web development to 1,400+ students, she now focuses on System Integrity - applying the strict determinism of data engineering to the probabilistic nature of AI Agents. Her work bridges the gap between deep technical theory and practical, secure implementation.


Great post!
Nicholas Carr does a great job in Superbloom showing how Americans willingly handed over their privacy to the Internet, after a long history of valuing it above all.