EDIT: This question is wrong, see end.

I’m in the midst of integrating Facebook with my website and am following the standard client/server authentication setup, with all of its amusing token exercises, permission requests and what have you. This is necessary because we want to utilize extended permission data, execute posts etc.

But if we were only interested in Facebook as an authentication method, it seems we could do the whole thing without the user even knowing about it. If we only need a way to keep track of a user’s behavior on our site and remember it from visit to visit, we just need to be able to persistently and uniquely identify him or her. To this end, the Facebook userid is adequate and can be easily queried with the js or php sdk–without the user ever seeing or approving of anything.

This seems a bit indelicate in terms of privacy but is fully within the publicly available information/tools that Facebook supplies. It also makes a lot of sense for a lot of applications–person tries out your site and later decides to sign up for real and they can inherit all of their past activity, fully authenticated users can see what their friends have done on the site even if those friends didn’t agree to be tracked…

Is this in violation of Facebook’s ToS or otherwise unfeasible? I’m surprised that I haven’t encountered it more often (unless it’s just well-hidden 🙂 ).

EDIT: This question is based on an incorrect interpretation of my debug data and thus on incorrect premises. Getting the userID would indeed be the enormous privacy hole that it appears to be and would require at least a little bit of hacking to extract.