In response to the WSJ article that revealed Facebook apps collecting and selling user information to ad networks and other data mining outfits, Facebook today said that it would be offering encryption services for user IDs in the near future.
“In the last few days, some developers started using techniques like redirects or ‘double framing’ to remove UIDs from the URL. While apps are able to address this issue on their own, we wanted to find a solution that would address this issue for all apps on Facebook Platform.
To address this inadvertent sharing of UIDs, we plan to start encrypting the parameters that we pass to iframe-based apps. We have technical details of the proposal on the developers site.
The proposal builds on recent support for a parameter called ‘signed request’ which is inspired by our discussions in the OAuth community. We’ll start encrypting this parameter as well, using the app’s secret key, so that only the app will be able to read this info. This will prevent the accidental disclosure of this information via HTTP headers,” explained Facebook.
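Why signing alone does not keep the UID private, shown as an added example that is not Facebook's code or part of the original article: a signed-only token can be read by anyone who sees it (for instance in a Referer header), while only the app can verify it. The token layout (base64url signature, a dot, a base64url JSON payload, HMAC-SHA256 keyed with the app secret) is an assumption based on the signed request format, and the secret, user ID and timestamp are constructed sample values.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # Restore the padding that the URL-safe form drops.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_signed_request(data: dict, app_secret: bytes) -> str:
    """Build a signed (not encrypted) token: <signature>.<payload>."""
    payload = b64url_encode(json.dumps(data).encode())
    sig = hmac.new(app_secret, payload.encode(), hashlib.sha256).digest()
    return b64url_encode(sig) + "." + payload


def read_without_secret(signed_request: str) -> dict:
    """What any party that sees the parameter can recover: no key needed."""
    _sig, payload = signed_request.split(".", 1)
    return json.loads(b64url_decode(payload))


def verify(signed_request: str, app_secret: bytes) -> dict:
    """What the app does: check the HMAC before trusting any field."""
    sig, payload = signed_request.split(".", 1)
    expected = hmac.new(app_secret, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        raise ValueError("signature mismatch")
    data = json.loads(b64url_decode(payload))
    if data.get("algorithm") != "HMAC-SHA256":
        raise ValueError("unexpected algorithm")
    return data


# Constructed sample values, not real identifiers or secrets.
APP_SECRET = b"constructed-app-secret"
SAMPLE = make_signed_request(
    {"algorithm": "HMAC-SHA256", "user_id": "1000000001", "issued_at": 1287000000},
    APP_SECRET,
)

if __name__ == "__main__":
    print("readable by any observer:", read_without_secret(SAMPLE)["user_id"])
    print("verified by the app:     ", verify(SAMPLE, APP_SECRET)["user_id"])
```

The signature protects integrity only; the payload stays readable, which is the gap that encrypting the parameter with the app's secret key is meant to close.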