User data privacy has become a major concern for big tech companies, especially Facebook, since the Cambridge Analytica scandal of 2018. As such, tech firms try to be more vigilant on this front by blocking off unauthorized means to access data. One such way is unauthorized data scraping where scripts and tools are used to collect data from a website. Meta has now detailed its latest approach to tackle this problem.
It is important to remember that data scraping isn't inherently illegal. In fact, public data can be scraped through authorized means, but Meta isn't a fan of using automated tools for this process. One tactic used by unauthorized parties is to scrape data by guessing the Facebook ID (FBID) in a URL.
Basically, Facebook URLs have an FBID embedded in them to uniquely identify content so unauthorized scrapers typically either guess them or purchase them from other malicious actors. Content from the URL is then cross-referenced with other data points to create rich profiles and datasets which are then sold.
In order to prevent this from happening, Meta has now replaced FBIDs with Pseudonymized Facebook Identifiers (PFBIDs). These are considerably more secure and difficult to guess because they are generated based on timestamps, which are also rotated. Meta has noted that:
As we phase out the ability to access the original identifiers, this helps deter unauthorized data scraping by making it harder for attackers to guess, connect and repeatedly access data.
These identifiers are not designed to prevent browser tools from removing tracking components from the URL. We use this process to better protect people’s privacy from certain types of enumeration and time-delayed attacks while preserving the ability to have long-lived links.
The idea behind the initiative is to deter attackers from repeatedly accessing user data by guessing an identifier. That said, Meta hasn't highlighted if this change in technical implementation of URLs has resulted in any measurable benefit.
7 Comments - Add comment