Facebook Unveils New Plan for Handling User IDs

Facebook this week announced updated plans for how it will handle the transmission of user IDs, a proposal that will not require the use of encryption.

"After talking with the community, we have updated our proposed solution to use a different mechanism that provides better protection for users while minimizing the impact on existing applications and eliminates the need to use encryption libraries," Mike Vernal, a Facebook engineer, wrote in a blog post.

The proposal would would embed a UID in a HTTP POST body, which means it will not be exposed in any HTTP referrer header at all; encrypted or not.

When a browser loads information, the browser sometimes sends an HTTP header that identifies the URL of the page with that information. Certain types of apps written on Facebook Platform known as iframe-based canvas apps might contain the UID of a Facebook user in its URL after that user has authorized an application.

"This UID is included in order to enable the application to build a personalized experience for the user," Vernal said last month.

At issue is an October Wall Street Journal article said that Facebook apps were sharing that UID information with advertising networks and other Internet-tracking companies. Facebook said it does not condone that behavior and said it would start encrypting the parameters it sends to iframe-based apps.

This new proposal, however, will not require encryption and "will require minimal effort for developers and addresses the feedback that we have received to date," Vernal said. "We do this by creating a [form] element targeted at the application Canvas URL."

Developers who want to try can turn on the "POST for Canvas (Beta)" migration on the Advanced tab of the Developer Application, he said. More detailed information is available on Facebook's POST for Canvas page.

In terms of third-party IDs, Vernal said Facebook has "developed a mechanism for developers to obtain an anonymous but unique identifier for their users, which we call a third-party identifier. Developers can obtain a third-party identifier through either the Graph API or FQL." More details about that are available on the blog post.

About Our Expert

Chloe Albanesius

Executive Editor, News

My Experience

I started out covering tech policy in DC for The National Journal, where my beat included state-level tech news and all the congressional hearings and FCC meetings I could handle. I later covered Wall Street trading tech before switching gears to consumer tech. I now lead PCMag's news coverage.

My Areas of Expertise

Getting my start in DC means I still have a soft spot for tech policy; Congressional hearings can sometimes be as entertaining as a Bravo reality show, for better or worse. But PCMag is all about the technology we use every day, as well as keeping an eye out for the trends that will shape the industry in the years ahead (or flop on arrival). I've covered the rise of social media, the iOS vs. Android wars, the cord-cutting revolution that's now left us with hefty streaming bills, and the effort to stuff artificial intelligence into every product you could imagine. This job has taken me to CES in Vegas (one too many times), IFA in Berlin, and MWC in Barcelona. I also drove a Tesla 1,000 miles out west as part of our Best Mobile Networks project. Of late, my focus is on our hard-working team of reporters at PCMag, guiding and editing their robust coverage.

Read the latest from Chloe Albanesius

Read full bio