Facebook Proposes Encryption to Stop Application Privacy Leaks

Facebook plans to roll out encryption to prevent applications from sharing Facebook User IDs.

Facebook plans to use encryption to block Facebook applications from leaking user identification numbers.

The data exposure was reported earlier this week, and was due to the sharing of user IDs via the HTTP Referrer Header. The culprits included some of the site's most popular applications, including games such as FarmVille and Texas HoldEm Poker.

In a blog post, Facebook engineer Mike Vernal announced that the company plans to address the issue by encrypting the parameters it passes to iframe-based applications.

"The proposal builds on our recent support for a parameter called signed request which is inspired by our discussions in the OAuth community," he wrote. "We will start encrypting this parameter as well, using the application's secret key, so that only the application will be able to read this information. This will prevent the accidental disclosure of this information via HTTP headers."

"Our plan is to enable parameter encryption as an option over the next few weeks and to then work with the community to add support for this option to the various Facebook SDKs," he continued. "Once the design is finalized, we will work with our developers to ensure a speedy transition to encrypted parameters."

Facebook has made technical details of the proposal available here.

The fallout from the revelations has already led to a lawsuit against Facebook app developer Zynga - the creator of some of the site's most popular games, including FarmVille and Mafia Wars - as well as an inquiry from two Congressmen seeking answers from Facebook CEO Mark Zuckerberg.

While he said the problem had been exaggerated, Vernal noted that user ID numbers can be used to identify Facebook users and "link actions at other Web sites to a Facebook identity."

"When a Facebook user requests a Web page with images or other resources, the user's browser may send HTTP header information that includes the URL of the Web page," he wrote. "For a particular type of Facebook Platform application, an iframe-based canvas application that includes a third-party iframe or resource, the HTTP Referrer header may include the user's UID number once the user has authorized the application...[The User ID number is] what allows Web pages to include information about one's friends. Unfortunately, it can also compromise user privacy, particularly if the user is not aware that his or her UID is being shared."

While the encryption proposal will address the inadvertent sharing of this information on Facebook, it will not fix the underlying issue of data sharing via HTTP headers, which is a Web-wide problem, he added.

"We look forward to working with the Web standards community and browser vendors over the coming months to help address this issue," Vernal blogged.