Meta stops unauthorized data scraping on Facebook

Meta stops unauthorized data scraping on Facebook

As part of ongoing series about addressing data misuse, Meta has created new Facebook identifiers to deter unauthorized data scraping and make it harder for attackers to guess, connect, and repeatedly access data on Facebook.

Today, we’re detailing Meta’s approach to deterring the scraping of Facebook Identifiers (FBIDs) on Facebook.

What Is an Identifier?

Most companies use unique identifiers within the URLs of their website. Identifiers are a way to uniquely reference people or content such as posts, pictures, and videos. Within Facebook, these identifiers are known as FBIDs and are used to load content for people.

Scraping is the automated collection of data from a website or app and can be both authorized and unauthorized. Unauthorized scraping often involves guessing identifiers or using purchased identifiers to scrape people’s data. In some cases, scrapers collect identifiers and cross-reference phone numbers or other publicly-available data to create reusable data sets that are sometimes sold for profit.

New Facebook Identifiers

Meta created Pseudonymized Facebook Identifiers (PFBIDs), which combine timestamps and FBIDs to generate a unique time-rotating identifier. As they phase out the ability to access the original identifiers, this helps deter unauthorized data scraping by making it harder for attackers to guess, connect, and repeatedly access data.

These identifiers are not designed to prevent browser tools from removing tracking components from the URL. Meta used this process to better protect people’s privacy from certain types of enumeration and time-delayed attacks while preserving the ability to have long-lived links.