Facebook has started to encrypt links to counter privacy-improving URL Stripping

Martin Brinkmann
Jul 17, 2022
Updated • Jul 20, 2022
Added Facebook comment.

Facebook has started to use a different URL scheme for site links to combat URL stripping technologies that browsers such as Firefox or Brave use to improve privacy and prevent user tracking.


Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties.

Update: Facebook contacted us to provide us with their side of the story. According to the company, the change has nothing to do with URL stripping and user tracking, but as a countermeasure against scrapers.

"We changed the ID component of these URLs as a privacy measure intended to deter scrapers from collecting and potentially misusing people's Facebook IDs. These modified IDs aren’t used to track people, and have not been designed to prevent browser tools from removing tracking components from the URL." - a Meta spokesperson

Mozilla introduced support for URL stripping in Firefox 102, which it launched in June 2022. Firefox removes tracking parameters from web addresses automatically, but only in private browsing mode or when the browser's Tracking Protection feature is set to strict. Firefox users may enable URL stripping in all Firefox modes, but this requires manual configuration. Brave Browser strips known tracking parameters from web addresses as well.

Both web browsers use lists of known tracking parameters for the functionality. The lists need to be updated whenever sites change tracking parameters.

Facebook could have changed the scheme that it is using, but this would have given Facebook only temporary recourse. It appears that Facebook is using encryption now to track users.

Previously, Facebook used the parameter fbclid for tracking purposes. Now, it uses URLs such as https://www.facebook.com/ghacksnet/posts/pfbid0RjTS7KpBAGt9FHp5vCNmRJsnmBudyqRsPC7ovp8sh2EWFxve1Mk2HaGTKoRSuVKpl?__cft__[0]=AZXT7WeYMEs7icO80N5ynjE2WpFuQK61pIv4kMN-dnAz27-UrYqrkv52_hQlS_TuPd8dGUNLawATILFs55sMUJvH7SFRqb_WcD6CCOX_zYdsebOW0TWyJ9gT2vxBJPZiAaEaac_zQBShE-UEJfatT-JMQT5-bvmrLz7NlgwSeL6fGKH9oY9uepTio0BHyCmoY1A&__tn__=%2CO%2CP-R instead.

The main issue here is that it is no longer possible to remove the tracking part of the URL, as Facebook merged it with part of the required web address. Removing the entire construct after the ? would open the main Facebook page of Ghacks Technology News, but it won't open the linked post.

Since it is no longer possible to identify the tracking part of the web address, it is no longer possible to remove it from the address automatically. In other words: Facebook has the upper hand with regard to URL-based tracking at this time, and there is little that can be done about it short of finding a way to decrypt the information.
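A list-based stripper of the kind described above, as an added example (not code from Firefox, Brave or this article). The strip list is constructed from parameter names that appear on this page, treating `__cft__[0]` and `__tn__` as strippable is an assumption, and the `__cft__[0]` and `fbclid` values are constructed placeholders.

```javascript
// Constructed strip list built from parameter names that appear on this page.
// Assumption: this is not the list Firefox or Brave ship.
const STRIP_EXACT = new Set(["fbclid", "__tn__"]);
const STRIP_PREFIX = ["utm_"];      // utm_source, utm_medium, utm_content
const STRIP_INDEXED = ["__cft__"];  // array-style names such as __cft__[0]

// Path of the example post quoted in the article.
const FB_POST =
  "https://www.facebook.com/ghacksnet/posts/" +
  "pfbid0RjTS7KpBAGt9FHp5vCNmRJsnmBudyqRsPC7ovp8sh2EWFxve1Mk2HaGTKoRSuVKpl";

function isTrackingParam(name) {
  if (STRIP_EXACT.has(name)) return true;
  if (STRIP_PREFIX.some((p) => name.startsWith(p))) return true;
  // Array-style names: a base name followed by a bracketed index.
  const m = /^(.+?)\[\d*\]$/.exec(name);
  return m !== null && STRIP_INDEXED.includes(m[1]);
}

function stripUrl(input) {
  const url = new URL(input);
  const removed = [];
  // Snapshot the names first; deleting while iterating skips entries.
  for (const name of [...new Set(url.searchParams.keys())]) {
    if (isTrackingParam(name)) {
      removed.push(name);
      url.searchParams.delete(name);
    }
  }
  // The path is returned untouched: a parameter list can only act on the
  // query string, so an identifier carried in a path segment (the pfbid
  // token here) is out of reach for this kind of stripping.
  return { cleaned: url.toString(), removed, path: url.pathname };
}

// Constructed sample inputs based on URLs shown on this page.
const SAMPLES = [
  FB_POST + "?__cft__[0]=CONSTRUCTED_VALUE&__tn__=%2CO%2CP-R",
  "https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/" +
    "?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search",
  "https://example.com/article?id=42&fbclid=CONSTRUCTED#top",
];

for (const sample of SAMPLES) {
  const result = stripUrl(sample);
  console.log((result.removed.join(", ") || "(nothing)") + " -> " + result.cleaned);
}
```

Functional parameters (`id=42`) and the fragment survive, while everything on the list is dropped regardless of its value.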

Closing words

There is no option currently to prevent Facebook's tracking of users via links. Users could avoid Facebook, but that may not be possible all the time. URL tracking does not help much if other tracking means, e.g., through cookies or site data, are not available. While Facebook gets some information from URL-based tracking, it can't link it if no persistent data is available.

Users who don't sign into Facebook and clear cookies and site data regularly may avoid most of the company's tracking.

Now You: what is your take on this development? Beginning of a cat and mouse game, or game over for privacy already? (thanks N.J.)

Publisher: Ghacks Technology News

Comments

  1. captain obvious said on July 20, 2022 at 6:45 pm
    Reply

    One more reason to avoid using FB altogether. There are so many scandals around FB that politicians look like saints when compared to FB.

  2. /dev/null said on July 20, 2022 at 3:28 pm
    Reply

    I saw a review of this post by an academic researcher/professor that challenges the very basis of this article.

    https://ws-dl.blogspot.com/2022/07/2022-07-19-review-of-facebook-has.html

  3. Jacques said on July 20, 2022 at 10:34 am
    Reply

    Although it's not really encrypted for now, just concatenated, this method is not new. Some HTTP servers use a correspondence table to deliver content and can add there as many columns as wanted in addition to the content to serve.
    Therefore, you can very simply provide a unique ID for each link you make, which will contain all the markers you want.
    There are some hiccups to that architecture though… First, the table becomes a weak point of security. If it's gone, your content is gone too, with your measurement. Second, the request process is an O^ more than the simple fact of linking a file or program address to an HTTP address… In a company like FB the difference could be a big deal, and could be more vulnerable to a brute force attack (DDoS…)
    In my opinion that's why FB just concatenates the address, for now

  4. brightspark said on July 20, 2022 at 2:02 am
    Reply

    Do I sense a certain irony here. Pardon my ignorance, but that is “?_m=3n%2e0038%2e2800%2edh0ao06kf3%2e2xjz” tacked on to the end of the URL pointing to this article?

  5. Daniele Mte90 said on July 19, 2022 at 4:09 pm
    Reply

    My Firefox extension will not work anymore… https://github.com/Mte90/facebook-direct-links

    It was only for Firefox because the Chrome web store is very awful, but I am very sad after all the work on that, but also now Firefox strips those parameters for the user and lets me remove some extensions and work on other things…

  6. Trusha said on July 19, 2022 at 3:50 am
    Reply

    What if hackers and other bad actors piggyback on this to do their things?

  7. Meg said on July 19, 2022 at 3:49 am
    Reply

    This is honestly so disgusting

    How does this not violate any sort of privacy law or GDPR?

  8. João Fernandes said on July 19, 2022 at 1:11 am
    Reply

    It would be nice if the share buttons included networks that do not adhere to the abusive models that include practices such as the one depicted in this article.

    Please consider including decentralized and free/libre social networks in your share buttons.

    Only criticizing the unethical medium for years will not do much to change the actual state of things for better. Supporting the existing solutions that are based on Ethics and community will.

  9. tty said on July 18, 2022 at 8:29 pm
    Reply

    First party isolation and containers also prevent facebook from third party tracking data, even while logged in.

  10. Peter said on July 18, 2022 at 8:07 pm
    Reply

    I have been using this blocklist on my DNS servers: https://github.com/jmdugan/blocklists/blob/master/corporations/facebook/all

    This will block all of Meta’s services, including Facebook and WhatsApp etc. completely. If I mistakenly click on a Facebook link or get redirected to one, the site will just not load at all and I can stay free of their cookies. Still of course, clearing all cookies in my browsers on a regular basis is an important thing to do!

    1. owl said on July 19, 2022 at 9:35 am
      Reply

      @Peter,
      > I have been using this blocklist on my DNS servers:
      https://github.com/jmdugan/blocklists/blob/master/corporations/facebook/all

      Thanks for the very useful information.
      I have added that list to the hosts file.
      README.md:
      https://github.com/jmdugan/blocklists#readme

      1. owl said on July 19, 2022 at 1:38 pm
        Reply

        Useful tools for editing (adding and deleting) and updating the “hosts file”:
        CWP-Utilities: Combined Windows Privacy Utilities | Hosts file updater, block list manager, and more. Open source tools for Windows users, to help ensure privacy & security. Block ads, spyware domains, and other malicious activity/traffic, all through a simple interface.
        https://github.com/bongochong/CWP-Utilities#readme
        Defaults Hosts File Sources:
        https://github.com/bongochong/CWP-Utilities/blob/master/MoreInfo/DefaultHostsLists.md

  11. Bruno Fontes said on July 18, 2022 at 5:22 pm
    Reply

    Well, if Facebook already knows a user is logged in and which links are being presented, a browser can always fetch the URL to get the last redirection and then replace it on the page.

    This will break the tracking as all URLs are going to be opened as soon as they appear in the page and not when the user clicks on it, with lower risk of breaking something. :)

  12. Andy Prough said on July 18, 2022 at 2:28 pm
    Reply

    We are getting multiple articles a month now on why it is imperative to clear cookies. And clear them as soon as you leave a site if at all possible.

    1. Tom Hawack said on July 18, 2022 at 3:29 pm
      Reply

      @Andy Prough, of course it is imperative to clear cookies, those we don’t wish/need anyway, be it immediately (site exit) with an extension such as ‘Cookie Autodelete’, be it on Firefox exit.

      But cookies have nothing to do with parameters added to the web address : you can have all cookies denied and that won’t stop the efficiency of url parameters, be they tracking parameters or redirects :

      Tracking parameters example :

      [https://destination_example.com?source=https://source_example.com]
      Destination knows where you come from.
      We want : [https://destination_example.com]

      Redirect parameters example :

      [https://redirector_example.com/?destination=https://destination_example.com/]
      Source knows where you’re going.
      We want : [https://destination_example.com/]

      What Facebook is doing concerns the former : tracking parameters, which become encrypted and are no longer detectable with traditional tools. But it may as well concern the latter (redirect) : not sure at this time.

      Of course collected data then feeds cookies but it remains data even without cookies.
      The best tool IMO to handle both tracking and redirects is the ‘CleanLinks’ extension.
      For tracking parameters only, the uBO extension with these three filter lists :

      ‘ClearURLs for uBo’
      ‘Actually Legitimate URL Shortener Tool’
      ‘Actually Legitimate URL Shortener Tool – Affiliate tag allowlist’

      But that won’t handle Facebook’s encrypted links. The best is to avoid Facebook. It’s has-been anyway.

      1. smac said on July 18, 2022 at 7:32 pm
        Reply

        Redirects aren’t tracking parameters, and a site knowing where an (unknown) visitor came from, or is going 1) Is very useful to the site, and 2) does not harm whatsoever to the (unknown) visitor.
        True tracking parameters would include a unique identifier (e.g., a browser fingerprint.) In this case, the identity of the visitor is still unknown, but the site operator knows if several actions were all taken by the same browser.

      2. Tom Hawack said on July 19, 2022 at 9:17 am
        Reply

        @sma, I have to disagree.

        > Redirects aren’t tracking parameters […]

        Anything added to a url is potentially a tracking parameter.

        There is NO reason that the link :
        [https://github.com/gorhill/uBlock#ublock-origin]

        once modified by Mozilla becomes ;

        [https://outgoing.prod.mozaws.net/v1/788d66e7299bdfb1da05832994551640d0ad441e148a3e29afe8dd0a5a90800c/https://github.com/gorhill/uBlock#ublock-origin]

        > […] and a site knowing where an (unknown) visitor came from, or is going 1) Is very useful to the site, and 2) does not harm whatsoever to the (unknown) visitor.

        Are you joking? A destination knows a user’s IP and knowing that the user comes from Source is a contribution to the worshiped referrer all sites are fond of and participates to cross-site tracking.

        > True tracking parameters would include a unique identifier (e.g., a browser fingerprint.) In this case, the identity of the visitor is still unknown, but the site operator knows if several actions were all taken by the same browser.

        The visitor’s identity is his IP.

        A basic url :
        [https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/]

        modified by the source to become :
        [https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search]

        may indeed feed the site’s stats in order to understand its users’ movements as it may as well track the user when linked to his IP.

        We all know that the nec plus ultra of tracking is very similar to the basic methods of Intelligence : never initiate what can be performed by simply re-orienting natural facts. Cookies are nice, referrers are nice, built-in browser tools and features are all nice, pertinent, useful for the user… until they get re-oriented for tracking purposes. So I repeat what I’ve always said : the methods used by tracking break the very usefulness of features they re-orient for their profit. From there on it’s up to the user to choose between three attitudes:

        1- Let it be
        2- Shoot ‘m’ all
        3- Live and let live, which means shoot the intruders only, which is the hardest given the intruder is often hidden among the good guys or fakes to be a user’s compatriot.

        A fine user’s defense philosophy is, IMO, built on the third approach, need to say.

  13. Mystique said on July 18, 2022 at 2:26 pm
    Reply

    From personal experience those frontends or apps are not up to scratch with their respective official apps. For one you cannot share videos at all to friends on either of them or send images efficiently as you otherwise would be able to do on the official apps.

    Facebook/meta should never have been allowed to buy instagram or whatsapp as they went from bad to worse.

    Finding a decent free chat app that does not require a phone number is near impossible also. The difficult thing about these communication apps and social media type services is that they have to be simple and accessible enough whilst also offering great features to be useful to everyone because you can’t just be happy with an app or service yourself and expect your family and friends to be on the same technical level as you.
    Try convincing your friends and family to get away from facebook or whatsapp for example and you will be met with so much resistance that it becomes futile.

    1. Fred said on July 21, 2022 at 7:10 am
      Reply

      “Finding a decent free chat app that does not require a phone number is near impossible also”

      Hint: have a look at Threema. Because it costs huge amounts of money it keeps the riffraff out (and by ‘huge amounts’ I mean a shocking $3 – once). By generating income, it does not need ‘alternative’ sources of income like selling user details – the company is 100% viable without.

    2. João Fernandes said on July 19, 2022 at 1:18 am
      Reply

      > Facebook/meta should never have been allowed to buy instagram or whatsapp as they went from bad to worse.

      Yes, we live in times where huge mergers, hostile takeovers, monopolies and cartels are not being regulated. Microsoft buying Activision | Blizzard, for example, should never have gone through.

      We need to have regulators and justice agencies breaking up those companies, and not letting them stay under the same Holding, direction, etc.

      Those 5 giant bad actors are shaping the digital age, which should be built on community and federation, not centralization and mono/oligo-polies.
      At the end of the day, they are leeches trying to assimilate themselves to the very structure they parasitize.

  14. Emilia said on July 18, 2022 at 10:48 am
    Reply

    https://fb.com/pfbid0RjTS7KpBAGt9FHp5vCNmRJsnmBudyqRsPC7ovp8sh2EWFxve1Mk2HaGTKoRSuVKpl
    https://fb.com/7733554110019848

    I guess the link above is not encrypted, I would rather say encoded. In my opinion, if the long link contained any part of your private data then you should find many similar long URLs which are all directed to the same post. But I tested the link to the post from different IPs and browsers and the link was the same.

    On FB there are too many posts and comments and the current length of the ID does not provide sufficient unique combinations.

  15. Robert said on July 17, 2022 at 10:32 pm
    Reply

    The only use I have for FB is for a community organization. Damned if I will give those bastards my private information.

  16. Facebook should be said on July 17, 2022 at 10:31 pm
    Reply

    How about blocking Facebook altogether…

  17. Iron Heart said on July 17, 2022 at 10:01 pm
    Reply

    Here is how you can still mess with Facebook despite this:

    (1)

    > There is no option currently to prevent Facebook’s tracking of users via links. Users could avoid Facebook, but that may not be possible all the time. URL tracking does not help much if other tracking means, e.g., through cookies or site data, are not available. While Facebook gets some information from URL-based tracking, it can’t link it if no persistent data is available.

    Indeed. Cookie AutoDelete does this, it removes cookies and other local data after you close the related tab or go to another website within the same tab: https://chrome.google.com/webstore/detail/cookie-autodelete/fhcgjolkccmbidfldomjliifgaodjagh

    Also don’t forget to set your browser to delete cookies and cache upon shutdown.

    (2)

    You can also use a privacy-respecting Facebook frontend, Android has the following apps:

    SlimSocial, Frost

    (3)

    If you are not a Facebook user and you want to boycott the company entirely, here is a link to a filter list which does that: https://www.github.developerdan.com/hosts/lists/facebook-extended.txt

    You can add this to uBlock Origin or Brave’s native adblocker, this will block all Meta / Facebook-owned domains.

    1. Yash said on July 18, 2022 at 11:00 am
      Reply

      That filter list is very good. Thanks.

  18. Anonymous said on July 17, 2022 at 8:56 pm
    Reply

    It's time they were fined for this as well.

  19. Tom Hawack said on July 17, 2022 at 6:43 pm
    Reply

    Facebook has started to encrypt links. My take on this development would start with a few exotic words shouldn’t the weather be so hot.

    Zen. Facebook now using encryption to track users. This confirms a company’s total lack of respect for users’ privacy. No surprise even if I confess occasional stuns when I discover a company’s privacy red line moves further than I could have imagined.

    > Beginning of a cat and mouse game, or game over for privacy already?

    The game has been over for all users of Facebook since the very beginning. The only way to keep winning is to avoid Facebook and to block all access to the company’s servers : Facebook as well as the GAFAM companies, not to mention twitter and a few others, track users even if they’ve logged out and even if they have no account in these companies.

    Facebook is totally avoidable. Google requires fine tuning in order to allow access to its servers only for what we consider as the strict necessary. Remains sites connecting to Google for a font, a script … the ‘LocalCDN’ extension handles that quite extensively.

    Personally? No Facebook account and totally blocked. No Google account and partially blocked (only Google Maps and mainly for its Street View, otherwise I prefer the OpenStreetmap display). No longer YouTube itself (Piped pipes YT very nicely, even for many embedded YouTube videos (Iframed).

    URL stripping handled here with uBO and dedicated filter lists : ‘ClearURLs for uBo’, ‘ Actually Legitimate URL Shortener Tool – Affiliate tag allowlist’ and ‘Actually Legitimate URL Shortener Tool’. Firefox’s own Privacy query stripping is disabled given uBO and given I have no idea of what exactly is stripped, but it must be close to nothing.

    That’s not about it because if I had to state all that is done on this machine to block, circumvent, bypass the increasing amount of privacy intrusions — OS, applications, browsers, websites — It’d be far too long to detail.

    What has become of the Web? What have they done to our Web, ma. A Wild, Wild Web.

  20. allen said on July 17, 2022 at 5:22 pm
    Reply

    One could argue that if you use links provided by/thru facebook, then you deserve whatever tracking you get. This, though, adds more impetus to the idea that “friends don’t let friends use facebook.” Nope, facebook must not like you (facebook users) very much.

    1. egcg said on July 20, 2022 at 7:48 pm
      Reply

      I’m interested in figuring out a method to convert from the new pfbid URL to the old post IDs at scale—do you have any guidance on how to un-hash the former into the plain integer ID?

  21. B.L. said on July 17, 2022 at 4:54 pm
    Reply

    The premise of this article is incorrect. The example URL *can* be stripped of the ?search portion, leaving only http://www.facebook.com/ghacksnet/posts/pfbid0RjTS7KpBAGt9FHp5vCNmRJsnmBudyqRsPC7ovp8sh2EWFxve1Mk2HaGTKoRSuVKpl — which leads to the Intel Arc A750 article just like the full link does. It can be further burnt down to fb.com/pfbid0RjTS7KpBAGt9FHp5vCNmRJsnmBudyqRsPC7ovp8sh2EWFxve1Mk2HaGTKoRSuVKpl

    The pfbid contains an encoded version of the old fbid; and a timestamp which isn’t the timestamp of the post. So far I haven’t figured out how to decode any more of it than the timestamp. (Learned the fbid through a different trick: 7733554110019848 — fb.com/7733554110019848 leads once again to the Arc A750 article.)

    1. Anonymous said on July 18, 2022 at 6:05 pm
      Reply

      That’s interesting! How did you decode it?

      1. Peter in FtL said on July 20, 2022 at 1:37 am
        Reply

        My guess would be the marker is the question mark after …VKpl. What follows after that is probably the tracker.

      2. Peter in FtL said on July 20, 2022 at 1:45 am
        Reply

        Oops. I just noticed (how did I miss it?) that the OP says exactly that. D’oh.

  22. ECJ said on July 17, 2022 at 4:45 pm
    Reply

    “…Users could avoid Facebook, but that may not be possible all the time.”

    Sure it is:

    1) Delete your Facebook account.

    2) Add the following to uBlock Origin.

    ||fb.*$important
    ||facebook.*$important
    ||fbcdn.*$important
    ||fbsbx.*$important
    ||atdmt.com^$important
    ||instagram.com^$important

    3) F*ck Facebook

    1. Anonymous said on July 22, 2022 at 3:26 am
      Reply

      If only that applies to everyone. FB is extremely popular here in the Philippines and even used as an alternative to call and text. You could use the mobile Messenger app or even the FB app sans images and videos without mobile load; you just need a working SIM card and good signal. If not for keeping in contact with friends and relatives, I would’ve left FB by now.

    2. Klaas Vaak said on July 17, 2022 at 5:15 pm
      Reply

      @ECJ: where would you put that in uBO: My filters or My rules?

      1. Iron Heart said on July 17, 2022 at 10:04 pm
        Reply

        @Klaas Vaak

        Just add this URL to uBlock Origin or Brave’s native adblocker under brave://settings/shields/filters …

        https://www.github.developerdan.com/hosts/lists/facebook-extended.txt

        Blocks all Meta / Facebook-owned domains, including WhatsApp and Instagram. That’s a list for a total Facebook boycott.

      2. Klaas Vaak said on July 18, 2022 at 6:28 am
        Reply

        @Iron Heart: thanks a lot. Everything OK?

      3. ECJ said on July 17, 2022 at 6:09 pm
        Reply

        Yes, “My Filters”.

        To be clear though, this isn’t a fix for their URL tracking parameters – this outright blocks Facebook and Instagram.

      4. Klaas Vaak said on July 18, 2022 at 6:19 am
        Reply

        @ECJ: thanks. No problem it blocks those sites, I don’t use them and dislike them intensely.

  23. Jeremy said on July 17, 2022 at 4:25 pm
    Reply

    Clever, they ended this cat and mouse game before it even began.
    I suppose using a privacy front-end is the only realistic solution for this issue.
    https://github.com/mendel5/alternative-front-ends
    This list has some of them, though I personally only use a handful.

  24. Yash said on July 17, 2022 at 4:23 pm
    Reply

    Yep, although I don’t have a Facebook account (or any social media), many other users often share these links in chat groups. URL tracking prevention is tough and dare I say it, an impossible task. But the solution is already in the article which works or at least reduces tracking – ‘Users who don’t sign into Facebook and clear cookies and site data regularly, may avoid most of the company’s tracking.’ I would elaborate this for every website, don’t sign-in on a website for the sake of it and if clear all data is too much, make site exceptions and clear everything else.

    1. Thomaso said on July 18, 2022 at 10:01 pm
      Reply

      Signing in is not an issue if you have Site Isolation enabled and block Facebook on third-party websites. Which is something essential if you care about privacy at all.

      1. Yash said on July 19, 2022 at 11:51 am
        Reply

        Even if site isolation is enabled with Facebook disabled on 3rd party websites, main issue is Facebook will always know the source of the link which is unavoidable unless a user doesn’t visit that link in the first place.

        The advice Martin gave is not for Facebook link tracking as that is unavoidable but for other forms of tracking. And that’s why I wrote that part in my comment.

  25. Gavin B. said on July 17, 2022 at 3:59 pm
    Reply

    I bet that adds to the URL’s carbon footprint!
    Facebook v. our planet
