(econsultancy)

Earlier this week, Facebook found itself embroiled in yet another privacy "breach". And on cue, the media, politicians, and lawyers (yes, those lawyers) were ready to pounce.

At issue: the fact that Facebook user IDs were being shared with advertising and analytics companies through Facebook applications.

In most cases, this undisclosed sharing really wasn't Facebook's doing. Because user IDs are included in URLs used by Facebook applications, advertising and analytics companies were able to access them through referrer data. Despite the uproar, it still isn't clear how many companies were intentionally keeping track of, or sharing, user IDs.

While it's hard to blame Facebook for the scourge of referrers (note sarcasm), Facebook isn't exactly a victim here: it certainly knew that user IDs could be exposed in this fashion and used in violation of its rules. For whatever reason, it seems to have simply ignored this.

But faced with more unwanted attention that reminds the world that what happens on Facebook doesn't always stay on Facebook, Facebook has proposed a solution: encrypt user information. Developers of Facebook applications would have to decrypt the user information within their applications; information, such as user IDs, would no longer be visible in plain text in URLs.

Is this a viable solution? Unfortunately not. While it would prevent inadvertent tracking and sharing of user IDs, it will do nothing to prevent intentional tracking and sharing of user IDs. An application developer who decides that the value of this data exceeds the risk of being banned by Facebook could still decrypt this information in his or her application and then transmit it to third parties...
(more)