What does the Facebook security thing mean to users?



You might have read a lot about the Facebook issue over the last couple of days. The technical description is pretty complicated, but the implications are pretty clear. When applications on Facebook (like Farmville) use a technology called ‘iframes’ to host their application and then partner with other companies for advertising, it is possible that your UID gets passed all the way from Facebook to the third-party advertising sites. This happens because of the details of how browsers work with referrers, third-party JavaScript includes and iframes. At that point the advertisers could take that UID and set a cookie on your browser so that whenever they see you, wherever you are on the web, they know that it is you and can look up your public Facebook information and use it to target ads, customize content, etc.

People can argue that this information is public; however, the fact that the information is tied to your browser and can be accessed anywhere that the advertiser has an ad makes it especially powerful. For example, I could use the information to create advertisements on another website (not Facebook) that include photos of you and your friends. I could address you by name in the ad, use the names of your parents or children, whatever you might have made available on Facebook to the world at large. My Facebook account is pretty tied down; however, there is a certain base level of publicness about Facebook that makes it possible to create very creepy, misleading ads across the internet.

Here is what I can discover about myself using only my UID and publicly accessible URLs via the Facebook Open Graph API:

Name: Sam Pullara
First Name: Sam
Last Name: Pullara
Link: http://www.facebook.com/spullara
Gender: Male
Locale: en_US
Picture:

If you want to do the same and see what is available for you, start here: https://graph.facebook.com/[your uid]?metadata=1 and try each of the links in the connections subsection to see what is easily available.

Using web scraping, I can discover even more information about me:

It is a good thing for Facebook to not allow this kind of UID transfer to third parties with whom you have no connection, especially when cookies are involved. Other large-scale internet services go to great lengths to avoid this kind of data transfer. Facebook should fix the URLs so the UID isn’t inadvertently transferred from their application partners to the application partner’s advertisers.
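
The referrer leak described above, modelled as an added example that is not part of the original post: it computes the Referer header a browser sends from an app iframe to an advertiser's script under several Referrer-Policy values (a browser mechanism the post does not mention), showing that the permissive policy forwards the UID in the query string while stricter policies send only the origin or nothing. The URLs and the `uid` parameter name are constructed for illustration, and "downgrade" is simplified to HTTPS-to-non-HTTPS.

```javascript
// Added example: models the Referer header sent with a subresource request,
// following a subset of the W3C Referrer Policy rules.
// All URLs and the "uid" parameter name are constructed for illustration.

function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = ""; // fragments and credentials are never sent in a Referer
  return originOnly ? u.origin + "/" : u.href;
}

function isDowngrade(from, to) {
  return new URL(from).protocol === "https:" && new URL(to).protocol !== "https:";
}

// Returns the Referer value, or null when no header is sent.
function refererSent(documentUrl, requestUrl, policy) {
  const sameOrigin = new URL(documentUrl).origin === new URL(requestUrl).origin;
  const downgrade = isDowngrade(documentUrl, requestUrl);
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return stripForReferrer(documentUrl, false);
    case "origin": return stripForReferrer(documentUrl, true);
    case "same-origin": return sameOrigin ? stripForReferrer(documentUrl, false) : null;
    case "strict-origin": return downgrade ? null : stripForReferrer(documentUrl, true);
    case "no-referrer-when-downgrade":
      return downgrade ? null : stripForReferrer(documentUrl, false);
    case "origin-when-cross-origin": return stripForReferrer(documentUrl, !sameOrigin);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return stripForReferrer(documentUrl, false);
      return downgrade ? null : stripForReferrer(documentUrl, true);
    default: throw new Error("unknown policy: " + policy);
  }
}

// True when the Referer would hand the named query parameter to the recipient.
function leaksParam(referer, name) {
  return referer !== null && new URL(referer).searchParams.has(name);
}

const APP_FRAME = "https://apps.game.example/canvas?uid=1234567890&level=3"; // constructed
const AD_SCRIPT = "https://cdn.adnetwork.example/tag.js"; // constructed

for (const p of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"]) {
  const r = refererSent(APP_FRAME, AD_SCRIPT, p);
  console.log(p.padEnd(34), String(r), "| leaks uid:", leaksParam(r, "uid"));
}
```

A stricter policy only limits what the browser forwards; keeping the identifier out of the iframe URL in the first place, as the post recommends, removes the leak at its source.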