Facebook has started to encrypt links to counter privacy-improving URL Stripping
Facebook has started to use a different URL scheme for site links to combat URL stripping technologies that browsers such as Firefox or Brave use to improve privacy and prevent user tracking.
Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties.
Update: Facebook contacted us to provide their side of the story. According to the company, the change has nothing to do with URL stripping and user tracking, but is a countermeasure against scrapers.
"We changed the ID component of these URLs as a privacy measure intended to deter scrapers from collecting and potentially misusing people's Facebook IDs. These modified IDs aren’t used to track people, and have not been designed to prevent browser tools from removing tracking components from the URL." - a Meta spokesperson
Mozilla introduced support for URL stripping in Firefox 102, which it launched in June 2022. Firefox removes tracking parameters from web addresses automatically, but only in private browsing mode or when the browser's Tracking Protection feature is set to strict. Firefox users may enable URL stripping in all Firefox modes, but this requires manual configuration. Brave Browser strips known tracking parameters from web addresses as well.
Both web browsers use lists of known tracking parameters for the functionality. The lists need to be updated whenever sites change tracking parameters.
Facebook could have changed the scheme that it is using, but this would have given Facebook only temporary recourse. It appears that Facebook is using encryption now to track users.
Previously, Facebook used the parameter fbclid for tracking purposes. Now, it uses URLs such as https://www.facebook.com/ghacksnet/posts/pfbid0RjTS7KpBAGt9FHp5vCNmRJsnmBudyqRsPC7ovp8sh2EWFxve1Mk2HaGTKoRSuVKpl?__cft__[0]=AZXT7WeYMEs7icO80N5ynjE2WpFuQK61pIv4kMN-dnAz27-UrYqrkv52_hQlS_TuPd8dGUNLawATILFs55sMUJvH7SFRqb_WcD6CCOX_zYdsebOW0TWyJ9gT2vxBJPZiAaEaac_zQBShE-UEJfatT-JMQT5-bvmrLz7NlgwSeL6fGKH9oY9uepTio0BHyCmoY1A&__tn__=%2CO%2CP-R instead.
The main issue here is that it is no longer possible to remove the tracking part of the URL, as Facebook merged it with part of the required web address. Removing the entire construct after the ? would open the main Facebook page of Ghacks Technology News, but it won't open the linked post.
Since it is no longer possible to identify the tracking part of the web address, it is no longer possible to remove it from the address automatically. In other words: Facebook has the upper hand in regards to URL-based tracking at the time, and there is little that can be done about it short of finding a way to decrypt the information.
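As an added illustration (not code from Firefox, Brave or this site), the sketch below shows how list-based stripping works and why it only reaches query parameters: the pfbid token sits in the path, so no parameter list touches it. The list contents, the function names and the shortened `__cft__[0]` value are assumptions made for the example.

```javascript
"use strict";

// Parameter names quoted on this page; real browser lists are much longer.
const KNOWN_TRACKERS = ["fbclid", "utm_source", "utm_medium", "utm_content"];

// Decode a parameter name for comparison; fall back to the raw text if the
// percent-escapes are malformed.
function decodeName(pair) {
  const rawName = pair.split("=")[0];
  try {
    return decodeURIComponent(rawName.replace(/\+/g, " "));
  } catch {
    return rawName;
  }
}

// Remove listed parameters from the query string. The raw query is filtered
// pair by pair so that every parameter we keep passes through unchanged.
function stripTracking(href, list = KNOWN_TRACKERS) {
  const blocked = new Set(list);
  const url = new URL(href);
  const kept = [];
  const removed = [];
  for (const pair of url.search.replace(/^\?/, "").split("&")) {
    if (pair === "") continue;
    const name = decodeName(pair);
    if (blocked.has(name)) removed.push(name);
    else kept.push(pair);
  }
  url.search = kept.join("&"); // an empty string drops the "?" entirely
  return { cleaned: url.href, removed };
}

// Constructed sample: classic query-parameter tracking.
const CLASSIC =
  "https://news.example/article?id=42&fbclid=CONSTRUCTED&utm_source=newsletter";

// The post URL from the article, with the long __cft__[0] value replaced by a
// constructed placeholder.
const FB_POST = "https://www.facebook.com/ghacksnet/posts/" +
  "pfbid0RjTS7KpBAGt9FHp5vCNmRJsnmBudyqRsPC7ovp8sh2EWFxve1Mk2HaGTKoRSuVKpl" +
  "?__cft__[0]=CONSTRUCTED_VALUE&__tn__=%2CO%2CP-R";

console.log(stripTracking(CLASSIC));
// Default list: no name matches, so the URL passes through as it came in.
console.log(stripTracking(FB_POST));
// Extended list (assumption: both names are treated as strippable). The query
// goes away, the pfbid path segment stays.
console.log(stripTracking(FB_POST, [...KNOWN_TRACKERS, "__cft__[0]", "__tn__"]));
```

Whether the URL that remains still opens the post is decided by the server and is not something this code can show.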
Closing words
There is no option currently to prevent Facebook's tracking of users via links. Users could avoid Facebook, but that may not be possible all the time. URL tracking does not help much if other tracking means, e.g., through cookies or site data, are not available. While Facebook gets some information from URL-based tracking, it can't link it if no persistent data is available.
Users who don't sign into Facebook and who clear cookies and site data regularly may avoid most of the company's tracking.
Now You: what is your take on this development? Beginning of a cat and mouse game, or game over for privacy already? (thanks N.J.)
One more reason to avoid using FB altogether. There are so many scandals around FB that politicians look like saints when compared to FB.
I saw a review of this post by an academic researcher/professor that challenges the very basis of this article.
https://ws-dl.blogspot.com/2022/07/2022-07-19-review-of-facebook-has.html
Although it’s not really encrypted for now, just concatenated, this method is not new. Some HTTP servers use a correspondence table to deliver content and can there add as many columns as wanted in addition to the content to serve.
Therefore, you can very simply provide a unique ID for each link you make, which will contain all the markers you want.
There are some hiccups to that architecture though… First, the table becomes a weak point of security. If it’s gone, your content is gone too, with your measurement. Second, the request process is an O^ more than the simple fact to link a file or program address to an HTTP address… In a company like FB the difference could be a big deal, and could be more vulnerable to a brute force attack (DDoS…)
In my opinion that’s why FB just concatenates the address, for now
Do I sense a certain irony here. Pardon my ignorance, but that is “?_m=3n%2e0038%2e2800%2edh0ao06kf3%2e2xjz” tacked on to the end of the URL pointing to this article?
My Firefox extension will not work anymore… https://github.com/Mte90/facebook-direct-links
It was only for Firefox because Chrome web store is very awful but I am very sad after all the work on that but also now firefox strip for the user those parameters and let me remove some extensions and work on other things…
What if hackers and other bad actors piggyback on this to do their things?
This is honestly so disgusting
How does this not violate any sort of privacy law or GDPR?
It would be nice if the share buttons included networks that do not adhere to the abusive models that include practices such as the one depicted in this article.
Please consider including decentralized and free/libre social networks in your share buttons.
Only criticizing the unethical medium for years will not do much to change the actual state of things for better. Supporting the existing solutions that are based on Ethics and community will.
First party isolation and containers also prevent facebook from third party tracking data, even while logged in.
I have been using this blocklist on my DNS servers: https://github.com/jmdugan/blocklists/blob/master/corporations/facebook/all
This will block all of Meta’s services, including Facebook and WhatsApp etc. completely. If I mistakenly click on a Facebook link or get redirected to one, the site will just not load at all and I can stay free of their cookies. Still of course, clearing all cookies in my browsers on a regular basis is an important thing to do!
@Peter,
> I have been using this blocklist on my DNS servers:
https://github.com/jmdugan/blocklists/blob/master/corporations/facebook/all
Thanks for the very useful information.
I have added that list to the hosts file.
README.md:
https://github.com/jmdugan/blocklists#readme
Useful tools for editing (adding and deleting) and updating the “hosts file”:
CWP-Utilities: Combined Windows Privacy Utilities | Hosts file updater, block list manager, and more. Open source tools for Windows users, to help ensure privacy & security. Block ads, spyware domains, and other malicious activity/traffic, all through a simple interface.
https://github.com/bongochong/CWP-Utilities#readme
Defaults Hosts File Sources:
https://github.com/bongochong/CWP-Utilities/blob/master/MoreInfo/DefaultHostsLists.md
Well, if Facebook already knows a user is logged in and which links are being presented, a browser can always fetch the URL to get the last redirection and then replace it on the page.
This will break the tracking as all URLs are going to be opened as soon as they appear in the page and not when the user clicks on it, with lower risk of breaking something. :)
Some privacy data are stored inside, here are two different pfbid which target same post…
https://www.facebook.com/VICE/posts/6037626766270531
https://www.facebook.com/VICE/posts/pfbid02XdVziPTwhmPU9XzBqkRvU5o7NPXUicAJgVy8kf1a1W51hU7EmgMmCigo9rZWxCjDl
https://www.facebook.com/VICE/posts/pfbid0TbuHEaGP2fLTRDFRTuv4Q1GtJGVfHX7Wx1gNtLoH1Bfbp9cFh6VUK4ACWjBBWsBql
https://brianlovin.com/hn/32117489
We are getting multiple articles a month now on why it is imperative to clear cookies. And clear them as soon as you leave a site if at all possible.
@Andy Prough, of course it is imperative to clear cookies, those we don’t wish/need anyway, be it immediately (site exit) with an extension such as ‘Cookie Autodelete’, be it on Firefox exit.
But cookies have nothing to do with parameters added to the web address : you can have all cookies denied and that won’t stop the efficiency of url parameters, be they tracking parameters or redirects :
Tracking parameters example :
[https://destination_example.com?source=https://source_example.com]
Destination knows where you come from.
We want : [https://destination_example.com]
Redirect parameters example :
[https://redirector_example.com/?destination=https://destination_example.com/]
Source knows where you’re going.
We want : [https://destination_example.com/]
What Facebook is doing concerns the former : tracking parameters, which become encrypted and are no longer detectable with traditional tools. But it may as well concern the latter (redirect) : not sure at this time.
Of course collected data then feeds cookies but it remains data even without cookies.
The best tool IMO to handle both tracking and redirects is the ‘CleanLinks’ extension.
For tracking parameters only, the uBO extension with these three filter lists :
‘ClearURLs for uBo’
‘Actually Legitimate URL Shortener Tool’
‘Actually Legitimate URL Shortener Tool – Affiliate tag allowlist’
But that won’t handle Facebook’s encrypted links. The best is to avoid Facebook. It’s has-been anyway.
Redirects aren’t tracking parameters, and a site knowing where an (unknown) visitor came from, or is going 1) Is very useful to the site, and 2) does not harm whatsoever to the (unknown) visitor.
True tracking parameters would include a unique identifier (e.g., a browser fingerprint.) In this case, the identity of the visitor is still unknown, but the site operator knows if several actions were all taken by the same browser.
@sma, I have to disagree.
> Redirects aren’t tracking parameters […]
Anything added to a url is potentially a tracking parameter.
There is NO reason that the link :
[https://github.com/gorhill/uBlock#ublock-origin]
once modified by Mozilla becomes ;
[https://outgoing.prod.mozaws.net/v1/788d66e7299bdfb1da05832994551640d0ad441e148a3e29afe8dd0a5a90800c/https://github.com/gorhill/uBlock#ublock-origin]
> […] and a site knowing where an (unknown) visitor came from, or is going 1) Is very useful to the site, and 2) does not harm whatsoever to the (unknown) visitor.”
Are you joking? A destination knows a user’s IP and knowing that the user comes from Source is a contribution to the worshiped referrer all sites are fond of and participates to cross-site tracking.
> True tracking parameters would include a unique identifier (e.g., a browser fingerprint.) In this case, the identity of the visitor is still unknown, but the site operator knows if several actions were all taken by the same browser.
The visitor’s identity is his IP.
A basic url :
[https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/]
modified by the source to become :
[https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search]
may indeed feed the site’s stats in order to understand its users’ movements as it may as well track the user when linked to his IP.
We all know that the nec plus ultra of tracking is very similar to the basic methods of Intelligence : never initiate what can be performed by simply re-orienting natural facts. Cookies are nice, referrers are nice, built-in browser tools and features are all nice, pertinent, useful for the user… until they get re-oriented for tracking purposes. So I repeat what I’ve always said : the methods used by tracking break the very usefulness of features they re-orient for their profit. From there on it’s up to the user to choose between three attitudes:
1- Let it be
2- Shoot ‘m’ all
3- Live and let live, which means shoot the intruders only, which is the hardest given the intruder is often hidden among the good guys or fakes to be a user’s compatriot.
A fine user’s defense philosophy is, IMO, built on the third approach, need to say.
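The two redirect shapes quoted in the comments above (a destination carried in a query parameter, and the outgoing.prod.mozaws.net link with the destination appended to the path) can be unwrapped locally without contacting the redirector. This is an added example, not part of any comment and not the code of the CleanLinks extension; the parameter list, the function names and the `.example` hosts are assumptions.

```javascript
"use strict";

// Query parameter names assumed to carry a destination. "destination" is the
// name used in the comment's example; "url" and "u" are assumptions.
const REDIRECT_PARAMS = ["destination", "url", "u"];

// Accept only absolute http(s) URLs so an unwrapped value can never be a
// javascript:, data: or file: URL.
function asHttpUrl(text) {
  try {
    const u = new URL(text);
    return u.protocol === "http:" || u.protocol === "https:" ? u : null;
  } catch {
    return null;
  }
}

// Return the embedded destination of one redirect hop, or null if none.
function nextHop(url) {
  // Form 1: destination in a query parameter.
  for (const name of REDIRECT_PARAMS) {
    const value = url.searchParams.get(name);
    if (value && asHttpUrl(value)) return value;
  }
  // Form 2: destination appended to the path, as in the outgoing link above.
  const m = url.pathname.match(/\/(https?:\/\/.+)$/);
  if (m) {
    const candidate = m[1] + url.search + url.hash;
    if (asHttpUrl(candidate)) return candidate;
  }
  return null;
}

// Follow embedded destinations without any network request. maxHops bounds
// nested or self-referencing wrappers.
function unwrapRedirect(href, maxHops = 3) {
  let current = href;
  const hops = [];
  for (let i = 0; i < maxHops; i++) {
    const url = asHttpUrl(current);
    const next = url && nextHop(url);
    if (!next) break;
    hops.push(url.hostname); // record who would have seen the click
    current = next;
  }
  return { destination: current, hops };
}

// The outgoing link quoted in the comments.
const OUTGOING = "https://outgoing.prod.mozaws.net/v1/" +
  "788d66e7299bdfb1da05832994551640d0ad441e148a3e29afe8dd0a5a90800c/" +
  "https://github.com/gorhill/uBlock#ublock-origin";
// Constructed sample in the query-parameter form.
const QUERY_FORM =
  "https://redirector.example/?destination=https%3A%2F%2Fdestination.example%2F";

console.log(unwrapRedirect(OUTGOING));
console.log(unwrapRedirect(QUERY_FORM));
```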
From personal experience those frontends or apps are not up to scratch with their respective official apps. For one you cannot share videos at all to friends on either of them or send images efficiently as you otherwise would be able to do on the official apps.
Facebook/meta should never have been allowed to buy instagram or whatsapp as they went from bad to worse.
Finding a decent free chat app that does not require a phone number is near impossible also. The difficult thing about these communication apps and social media type services is that they have to be simple and accessible enough whilst also offering great features to be useful to everyone because you can’t just be happy with an app or service yourself and expect your family and friends to be on the same technical level as you.
Try convincing your friends and family to get away from facebook or whatsapp for example and you will be met with so much resistance that it becomes futile.
“Finding a decent free chat app that does not require a phone number is near impossible also”
Hint: have a look at Threema. Because it costs huge amounts of money it keeps the riffraff out (and by ‘huge amounts’ I mean a shocking $3 – once). By generating income, it does not need ‘alternative’ sources of income like selling user details – the company is 100% viable without.
> Facebook/meta should never have been allowed to buy instagram or whatsapp as they went from bad to worse.
Yes, we live in times where huge mergers, hostile takeovers, monopolies and cartels are not being regulated. Microsoft buying Activision | Blizzard, for example, should never have gone through.
We need to have regulators and justice agencies breaking up those companies, and not letting them stay under the same Holding, direction, etc.
Those 5 giant bad actors are shaping the digital age, which should be built on community and federation, not centralization and mono/oligo-polies.
In the end of the day, they are leeches trying to assimilate themselves to the very structure they parasitate.
https://fb.com/pfbid0RjTS7KpBAGt9FHp5vCNmRJsnmBudyqRsPC7ovp8sh2EWFxve1Mk2HaGTKoRSuVKpl
https://fb.com/7733554110019848
I guess the link above is not encrypted, I would rather say encoded, in my opinion if the long link would contain any part about your privacy data then you should find many similar long URLs which all are directed to same post. But I tested to check link to the post from different IPs and browsers and the link was same.
On fb are too many posts and comments and current length of id does not provide sufficient of unique combinations.
The only use I have for FB is for a community organization. Damned if I will give those bastards my private information.
How about blocking Facebook all together…
Here is how you can still mess with Facebook despite this:
(1)
> There is no option currently to prevent Facebook’s tracking of users via links. Users could avoid Facebook, but that may not be possible all the time. URL tracking does not help much if other tracking means, e.g., through cookies or site data, are not available. While Facebook gets some information from URL-based tracking, it can’t link it if no persistent data is available.
Indeed. Cookie AutoDelete does this, it removes cookies and other local data after you close the related tab or go to another website within the same tab: https://chrome.google.com/webstore/detail/cookie-autodelete/fhcgjolkccmbidfldomjliifgaodjagh
Also don’t forget to set your browser to delete cookies and cache upon shutdown.
(2)
You can also use a privacy-respecting Facebook frontend, Android has the following apps:
SlimSocial, Frost
(3)
If you are not a Facebook user and you want to boycott the company entirely, here is a link to a filter list which does that: https://www.github.developerdan.com/hosts/lists/facebook-extended.txt
You can add this to uBlock Origin or Brave’s native adblocker, this will block all Meta / Facebook-owned domains.
That filter list is very good. Thanks.
It’s time they were fined for this as well.
Facebook has started to encrypt links. My take on this development would start with a few exotic words shouldn’t the weather be so hot.
Zen. Facebook now using encryption to track users. This confirms a company’s total lack of respect for users’ privacy. No surprise even if I confess occasional stuns when I discover a company’s privacy red line moves further than I could have imagined.
> Beginning of a cat and mouse game, or game over for privacy already?
The game has been over for all users of Facebook since the very beginning. The only way to keep winning is to avoid Facebook and to block all access to the company’s servers : Facebook as well as the GAFAM companies, not to mention twitter and a few others, track users even if they’ve logged out and even if they have no account in these companies.
Facebook is totally avoidable. Google requires fine tuning in order to allow access to its servers only for what we consider as the strict necessary. Remains sites connecting to Google for a font, a script … the ‘LocalCDN’ extension handles that quite extensively.
Personally? No Facebook account and totally blocked. No Google account and partially blocked (only Google Maps and mainly for its Street View, otherwise I prefer the OpenStreetmap display). No longer YouTube itself (Piped pipes YT very nicely, even for many embedded YouTube videos (Iframed).
URL stripping handled here with uBO and dedicated filter lists : ‘ClearURLs for uBo’, ‘ Actually Legitimate URL Shortener Tool – Affiliate tag allowlist’ and ‘Actually Legitimate URL Shortener Tool’. Firefox’s own Privacy query stripping is disabled given uBO and given I have no idea of what exactly is stripped, but it must be close to nothing.
That’s not about it because if I had to state all that is done on this machine to block, circumvent, bypass the increasing amount of privacy intrusions — OS, applications, browsers, websites — It’d be far too long to detail.
What has become of the Web? What have they done to our Web, ma. A Wild, Wild Web.
One could argue that if you use links provided by/thru facebook, then you deserve whatever tracking you get. This, though, adds more impetus to the idea that “friends don’t let friends use facebook.” Nope, facebook must not like you (facebook users) very much.
Fully linked versions of those:
https://fb.com/pfbid0RjTS7KpBAGt9FHp5vCNmRJsnmBudyqRsPC7ovp8sh2EWFxve1Mk2HaGTKoRSuVKpl
https://fb.com/7733554110019848
I’m interested in figuring out a method to convert from the new pfbid URL to the old post IDs at scale—do you have any guidance on how to un-hash the former into the plain integer ID?
The premise of this article is incorrect. The example URL *can* be stripped of the ?search portion, leaving only http://www.facebook.com/ghacksnet/posts/pfbid0RjTS7KpBAGt9FHp5vCNmRJsnmBudyqRsPC7ovp8sh2EWFxve1Mk2HaGTKoRSuVKpl — which leads to the Intel Arc A750 article just like the full link does. It can be further burnt down to fb.com/pfbid0RjTS7KpBAGt9FHp5vCNmRJsnmBudyqRsPC7ovp8sh2EWFxve1Mk2HaGTKoRSuVKpl
The pfbid contains an encoded version of the old fbid; and a timestamp which isn’t the timestamp of the post. So far I haven’t figured out how to decode any more of it than the timestamp. (Learned the fbid through a different trick: 7733554110019848 — fb.com/7733554110019848 leads once again to the Arc A750 article.)
That’s interesting! How did you decode it?
My guess would be the marker is the question mark after …VKpl. What follows after that is probably the tracker.
Oops. I just noticed (how did I miss it?) that the OP says exactly that. D’oh.
“…Users could avoid Facebook, but that may not be possible all the time.”
Sure it is:
1) Delete your Facebook account.
2) Add the following to uBlock Origin.
||fb.*$important
||facebook.*$important
||fbcdn.*$important
||fbsbx.*$important
||atdmt.com^$important
||instagram.com^$important
3) F*ck Facebook
If only that applies to everyone. FB is extremely popular here in the Philippines and even used as an alternative to call and text. You could use the mobile Messenger app or even the FB app sans images and videos without mobile load; you just need a working SIM card and good signal. If not for keeping in contact with friends and relatives, I would’ve left FB by now.
@ECJ: where would you put that in uBO: My filters or My rules?
@Klaas Vaak
Just add this URL to uBlock Origin or Brave’s native adblocker under brave://settings/shields/filters …
https://www.github.developerdan.com/hosts/lists/facebook-extended.txt
Blocks all Meta / Facebook-owned domains, including WhatsApp and Instagram. That’s a list for a total Facebook boycott.
@Iron Heart: thanks a lot. Everything OK?
Yes, “My Filters”.
To be clear though, this isn’t a fix for their URL tracking parameters – this outright blocks Facebook and Instagram.
@ECJ: thanks. No problem it blocks those sites, I don’t use them and dislike them intensely.
Clever, they ended this cat and mouse game before it even began.
I suppose using a privacy front-end is the only realistic solution for this issue.
https://github.com/mendel5/alternative-front-ends
This list has some of them, though I personally only use a handful.
Yep, although I don’t have a Facebook account (or any social media), many other users often share these links in chat groups. URL tracking prevention is tough and dare I say it, an impossible task. But solution is already in the article which works or at least reduces tracking – ‘Users who don’t sign into Facebook and clear cookies and site data regularly, may avoid most of the company’s tracking.’ I would elaborate this for every website, don’t sign-in on a website for the sake of it and if clear all data is too much, make site exceptions and clear everything else.
Signing in is not an issue if you have Site Isolation enabled and block Facebook on third-party websites. Which is something essential if you care about privacy at all.
Even if site isolation is enabled with Facebook disabled on 3rd party websites, main issue is Facebook will always know the source of the link which is unavoidable unless a user doesn’t visit that link in the first place.
The advice Martin gave is not for Facebook link tracking as that is unavoidable but for other forms of tracking. And that’s why I wrote that part in my comment.
I bet that adds to the URL’s carbon footprint!
Facebook v. our planet