Although Facebook already dictates that user IDs are not to be shared with data brokers, the Wall Street Journal article this weekend contended that this was occurring, regardless of policy. And while many have since questioned the WSJ piece, suggesting it may be overblowing the threat to privacy, Facebook - under pressure from the media and from potential Congressional inquiry - announced today that it is taking steps to address any inadvertent sharing of information.
While the user ID could be obtained by parsing the URL, Facebook is proposing changes to encrypt that information. The proposal reads:
Instead of reading the current fb_sig_* parameters, your application will read only a single parameter, named request. This parameter is generated as follows:
As Facebook notes in today's announcement, "While this proposal will address the inadvertent sharing of this information on Facebook, the underlying issue of data sharing via HTTP headers is a Web-wide problem."
Is Facebook's move to encrypt user IDs a question of "best practices"? Or is it simply a move to appease its critics?