Facebook Moves to Encrypt User IDs

Following a number of stories over the past week about the release of personally identifiable information, Facebook announced on its developer blog today that it looking into ways to address this.

Sponsor

Although Facebook already dictates that user IDs are not to be shared with data brokers, the Wall Street Journal article this weekend contended that this was occurring, regardless of policy. And while many have since questioned the WSJ piece, suggesting it may be overblowing the threat to privacy, Facebook – under pressure from the media and from potential Congressional inquiry – announced today that it is taking steps to address any inadvertent sharing of information.

While the user ID could be obtained by parsing the URL, Facebook is proposing changes to encrypt that information. The proposal reads:

Instead of reading the current fb_sig_* parameters, your application will read only a single parameter, named request. This parameter is generated as follows:

Encode the data in JSON format.

Encrypt the JSON using AES-256-CBC algorithm.

Encode that encrypted binary data with base64url to make the package JSON-safe.

Then, take the encoded encrypted blob and add it to the envelope with key payload. The envelope is just another JSON array that describes the encryption, containing keys algorithm, iv, andissued_at.

Encode the envelope in JSON then base64url.

Take the entire blob, sign it with HMAC-SHA256.

Prepend the signature, then a period “.”, then the blob, and you’re done.

As Facebook note in today’s announcement, “While this proposal will address the inadvertent sharing of this information on Facebook, the underlying issue of data sharing via HTTP headers is a Web-wide problem.”

Does Facebook’s move to encrypt user IDs a question of “best practices”? Or is it simply a move to appease its critics?

Discuss