Forum OpenACS Q&A: Response to Codified URLs

6: Response to Codified URLs (response to 1)
Posted by Jonathan Marsden on
Surely the need for avoiding userid is that J. Random Hacker could construct and "click on" a link to

http://www.mysite.com/link?userid=1234

even if he is not user 1234 on this system (maybe he just values his privacy?!).  Likewise, using generated ids starting from one can be faked out, since every low integer ID would "work".

Using a large tracking ID such that only one in a million possible tracking IDs will actually exist, and so do anything, would be a considerable disincentive to Mr. Hacker.

All this somewhat begs the question of why it is worthwhile for Mr. Hacker to confuse mysite.com's marketing efforts... but if there is some reason why it might be worth his while, then using tracking values that are not so easily guessable sounds reasonable to me.
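
The sparse tracking-ID scheme suggested in the post above, sketched as an added example that is not part of the original post or of OpenACS. The names `id_bits` and `TrackingLinks`, the in-memory dict standing in for a database table, and the figure of 10,000 issued links are all assumptions made for illustration.

```python
import math
import secrets


def id_bits(issued: int, density: float = 1e-6) -> int:
    """Smallest bit length whose ID space keeps issued / 2**bits <= density."""
    return math.ceil(math.log2(issued / density))


class TrackingLinks:
    """Maps sparse random tracking IDs to internal user ids, server-side only."""

    def __init__(self, expected_links: int, density: float = 1e-6):
        # Size the ID space so that only about one in 1/density IDs exists.
        self.bits = id_bits(expected_links, density)
        self._by_id = {}  # tracking id -> user id (hypothetical stand-in for a table)

    def issue(self, user_id: int) -> str:
        """Create a fresh tracking ID for a user; the userid never enters the URL."""
        while True:
            tid = secrets.randbits(self.bits)  # CSPRNG, not a sequence or a counter
            if tid not in self._by_id:         # retry on the rare collision
                self._by_id[tid] = user_id
                return format(tid, "x")

    def resolve(self, token: str):
        """Return the user id for a token, or None for unknown or malformed input."""
        try:
            tid = int(token, 16)
        except (TypeError, ValueError):
            return None
        return self._by_id.get(tid)

    def hit_rate(self) -> float:
        """Chance that a single uniformly guessed ID exists."""
        return len(self._by_id) / 2 ** self.bits


if __name__ == "__main__":
    links = TrackingLinks(expected_links=10_000)
    token = links.issue(user_id=1234)
    print(f"http://www.mysite.com/link?t={token}  ({links.bits}-bit ID space)")
```

With 10,000 links the ID space comes out at 34 bits, so a guessed value resolves less than once in a million tries, and `resolve` returns `None` for every ID that was never issued.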