Facebook works on solution to stop inadvertent user ID sharing

The recent discovery that various third-party application on Facebook were sending users’ ID numbers and/or names to advertising agencies every time the users click on the ads (by way of HTTP referrers) has seemingly spurred the social network into doing something that would prevent this from happening ever again – well, unintentionally at least.

“Our policy is already very clear that UIDs may not be shared with ad networks and data brokers, but we recognize that some developers were inadvertently sharing this information via the HTTP Referrer header,” says Facebook engineer Mike Vernal. Therefore, Facebook has been looking into developing a technical solution that will make the encryption of user IDs (UIDs) possible.

“For one type of application written on Facebook Platform (iframe-based canvas applications), after a user has authorized the application, the URL of the iframe may contain the UID of the user. This UID is included in order to enable the application to build a personalized experience for the user,” explains Vernal, and says they plan to enable the encryption of the parameters that are passed to iframe-based applications.

Details about the possible solution have been shared on Facebook’s Developers blog, where developers can comment and discuss the various aspects. “Our plan is to enable parameter encryption as an option over the next few weeks and to then work with the community to add support for this option to the various Facebook SDKs. Once the design is finalized, we will work with our developers to ensure a speedy transition to encrypted parameters,” Vernal notes.

In the meantime, this last privacy incident spurred a woman from Minnesota to sue Zynga – the developers of six of the 10 most popular Facebook games that has been found sharing user IDs with advertisers. According to The Register, if the suit is given class status, other Facebook users could get in on the action.

That’s all good and well, but this is not the first time that Facebook has been found “leaking” ID information. Every time it happens, they apologize and say that from that moment on, they will be extra careful. And then it happens again.

I suppose we shouldn’t be shocked, because, as Bruce Schneier says: “In the end, Facebook will do best for its customers, and that’s not you.” The only thing they have to do for its users is to pretend to make an effort at protecting their privacy.