In today’s world, identity theft is a very real and potential threat to one’s economic well-being. It is only sensible to keep track of our social security numbers and account numbers in order to prevent potential malicious use. Such information can be used to mine for more information, set up fake bank and credit accounts, and more.

But no matter how careful you try to be, there are some numbers that uniquely identify you that you may not be aware of. And if you are a typical computer user, there is a good chance that you have at some point been on Facebook. In fact, with over 500 million users, there is a really good chance you have partaken. And if you have, there is a unique number assigned to only you – the Facebook UID.

What is the Facebook UID

When you sign up for a Facebook account, a unique user ID (UID) is assigned to your account. This UID acts as a lookup for your account, and subsequently your information. With the UID, a developer using the Facebook API can look up you information as needed, assuming that they have the permission to do so. So it sounds like the UID would be reasonably protected.

Recent UID Abuse

But recent events have proven that UID abuse is readily active. In fact, Facebook has just denounced a collection of developers for selling their UID collections to a data broker. Facebook has taken steps which more or less equal a slap on the wrist – they are exiled from the communication channels for six months, and will have their future data practices independently audited. But what about the data that was exchanged with the third party?

Facebook has negotiated with that party, Rapleaf, to delete the UIDs in its possession. Of course, it might be a case of “too little too late”, since Rapleaf has been actively linking the UIDs to their own data collection and selling it to other parties.

Real Life Mafia Wars?

It is not just the small developers that are potentially guilty of brokering your Facebook UID. Zynga, maker of such extremely popular games as Mafia Wars and Farmville, is currently being sued for collecting and sharing UIDs of players. How many UIDs could have been abused in the process? According to the latest reports, around 218 million (yes, million) users could have had their information distributed.

Facebook is actively working to prevent the incident from exploding – after all, the last thing they want is another privacy flap. According to Facebook engineer Mike Vernal,

“Moving forward, our policy will state that UIDs cannot leave your application or any of the infrastructure, code, and services you need to build and run your application. You can use services, such as Akamai, Amazon Web Services and analytics services as long as those services keep UIDs confidential to your application.”

You may note that the response from Facebook still pretty much says that you can use the UIDs as long as you promise to be nice. But it was already against the terms of use when Zynga became a UID broker of choice. It was already wrong to do so, so how does restating the obvious help?

Facebook Business Model Encompasses UID Use

It should be apparent that Facebook intends for the UID to be a major part of its business model. With the UID an advertiser could theoretically look up a user and mine their activity for targeted ads in many other facets of the user’s life. Mention that you like pancakes in a comment to your cousin? You could find Aunt Jemima syrup coupons on your receipt when you go shopping.

This is just an example of legitimate data use. When you consider how that information could be used in more nefarious ways… it does get scary. From targeting users that foolishly post about being away on vacation to announcing expensive product purchases, the UID ties together your core information to the data that would otherwise be simple small talk. It should be no wonder that many will find the UID to be very valuable for all sorts of uses.

How Do You Protect Your Facebook UID?

The first thing to remember about your Facebook UID is that protecting it directly is out of your hands. The UID is only as secure as Facebook allows it to be handled, and by this time the words “Facebook” and “security” should not be closely linked in anyone’s mind. You are at the mercy of the relationship between third party Facebook developers and Facebook themselves.

Your only recourse, outside of blind trust, is to limit the information you provide to Facebook. I would urge caution about entering home addresses and phone numbers – unless, of course, you like being marketed to in new and exciting ways. And that is just the best case scenario.

While any use of online social media comes with inherent risk, there are nonetheless things that we can do to minimize potential damage when (not if) a breach occurs. But no matter how smart you try to be, the end fact is this – the Facebook UID is only the latest example of personal unique identifiers that need to be protected, and more are on the horizon. Some are in our power to protect, and we should strive to do so. But for others, we may just find that the monster is one of our own creations by careless use. And I am not sure that we can even avoid playing Dr. Frankenstein completely.