Facebook has started to encrypt links to counter privacy-improving URL Stripping
Facebook has started to use a different URL scheme for site links to combat URL stripping technologies that browsers such as Firefox or Brave use to improve privacy and prevent user tracking.
Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties.
Mozilla introduced support for URL stripping in Firefox 102, which it launched in June 2022. Firefox removes tracking parameters from web addresses automatically, but only in private browsing mode or when the browser's Tracking Protection feature is set to strict. Firefox users may enable URL stripping in all Firefox modes, but this requires manual configuration. Brave Browser strips known tracking parameters from web addresses as well.
Both web browsers use lists of known tracking parameters for the functionality. The lists need to be updated whenever sites change tracking parameters.
Facebook could have changed the scheme that it is using, but this would have given Facebook only temporary recourse. It appears that Facebook is using encryption now to track users.
Previously, Facebook used the parameter fbclid for tracking purposes. Now, it uses URLs such as https://www.facebook.com/ghacksnet/posts/pfbid0RjTS7KpBAGt9FHp5vCNmRJsnmBudyqRsPC7ovp8sh2EWFxve1Mk2HaGTKoRSuVKpl?__cft__[0]=AZXT7WeYMEs7icO80N5ynjE2WpFuQK61pIv4kMN-dnAz27-UrYqrkv52_hQlS_TuPd8dGUNLawATILFs55sMUJvH7SFRqb_WcD6CCOX_zYdsebOW0TWyJ9gT2vxBJPZiAaEaac_zQBShE-UEJfatT-JMQT5-bvmrLz7NlgwSeL6fGKH9oY9uepTio0BHyCmoY1A&__tn__=%2CO%2CP-R instead.
The main issue here is that there it is no longer possible to remove the tracking part of the URL, as Facebook merged it with part of the required web address. Removing the entire construct after the ? would open the main Facebook page of Ghacks Technology News, but it won't open the linked post.
Since it is no longer possible to identify the tracking part of the web address, it is no longer possible to remove it from the address automatically. In other words: Facebook has the upper hand in regards to URL-based tracking at the time, and there is little that can be done about it short of finding a way to decrypt the information.
Closing words
There is no option currently to prevent Facebook's tracking of users via links. Users could avoid Facebook, but that may not be possible all the time. URL tracking does not help much if other tracking means, e.g., through cookies or site data, are not available. While Facebook gets some information from URL-based tracking, it can't link it if no persistent data is available.
Users who don't sign into Facebook and clear cookies and site data regularly, may avoid most of the company's tracking.
Now You: what is your take on this development? Beginning of a cat and mouse game, or game over for privacy already? (thanks N.J.)
I bet that adds to the URL’s carbon footprint!
Facebook v. our planet
Yep, although I don’t have a Facebook account(or any social media), many other users often share these links in chat groups. URL tracking prevention is tough and dare I say it, an impossible task. But solution is already in the article which works or atleast reduces tracking – ‘Users who don’t sign into Facebook and clear cookies and site data regularly, may avoid most of the company’s tracking.’ I would elaborate this for every website, don’t sign-in on a website for the sake of it and if clear all data is too much, make site exceptions and clear everything else.
Clever, they ended this cat and mouse game before it even began.
I suppose using a privacy front-end is the only realistic solution for this issue.
https://github.com/mendel5/alternative-front-ends
This list has some of them, though I personally only use a handful.
“…Users could avoid Facebook, but that may not be possible all the time.”
Sure it is:
1) Delete your Facebook account.
2) Add the following to uBlock Origin.
||fb.*$important
||facebook.*$important
||fbcdn.*$important
||fbsbx.*$important
||atdmt.com^$important
||instagram.com^$important
3) F*ck Facebook
@ECJ: where would you put that in uBO: My filters or My rules?
Yes, “My Filters”.
To be clear though, this isn’t a fix for their URL tracking parameters – this outright blocks Facebook and Instagram.
The premise of this article is incorrect. The example URL *can* be stripped of the ?search portion, leaving only http://www.facebook.com/ghacksnet/posts/pfbid0RjTS7KpBAGt9FHp5vCNmRJsnmBudyqRsPC7ovp8sh2EWFxve1Mk2HaGTKoRSuVKpl — which leads to the Intel Arc A750 article just like the full link does. It can be further burnt down to fb.com/pfbid0RjTS7KpBAGt9FHp5vCNmRJsnmBudyqRsPC7ovp8sh2EWFxve1Mk2HaGTKoRSuVKpl
The pfbid contains an encoded version of the old fbid; and a timestamp which isn’t the timestamp of the post. So far I haven’t figured out how to decode any more of it than the timestamp. (Learned the fbid through a different trick: 7733554110019848 — fb.com/7733554110019848 leads once again to the Arc A750 article.
Fully linked versions of those:
https://fb.com/pfbid0RjTS7KpBAGt9FHp5vCNmRJsnmBudyqRsPC7ovp8sh2EWFxve1Mk2HaGTKoRSuVKpl
https://fb.com/7733554110019848
One could argue that if you use links provided by/thru facebook, then you deserve whatever tracking you get. This, though, adds more impetus to the idea that “friends don’t let friends use facebook.” Nope, facebook must not like you (facebook users) very much.
Facebook has started to encrypt links. My take on this development would start with a few exotic words shouldn’t the weather be so hot.
Zen. Facebook now using encryption to track users. This confirms a company’s total lack of respect for of users’ privacy. No surprise even if I confess occasional stuns when I discover a company’s privacy red line moves further than I could have imagined.
> Beginning of a cat and mouse game, or game over for privacy already?
The game has been over for all users of Facebook since the very beginning. The only way to keep winning is to avoid Facebook and to block all access to the company’s servers : Facebook as well as the GAFAM companies, not to mention twitter and a few others, track users even if they’ve logged out and even if they have no account in these companies.
Facebook is totally avoidable. Google requires fine tuning in order to allow access to its servers only for what we consider as the strict necessary. Remains sites connecting to Google for a font, a script … the ‘LocalCDN’ extension handles that quite extensively.
Personally? No Facebook account and totally blocked. No Google account and partially blocked (only Google Maps and mainly for its Street View, otherwise I prefer the OpenStreetmap display). No longer YouTube itself (Piped pipes YT very nicely, even for many embedded YouTube videos (Iframed).
URL stripping handled here with uBO and dedicated filter lists : ‘ClearURLs for uBo’, ‘ Actually Legitimate URL Shortener Tool – Affiliate tag allowlist’ and ‘Actually Legitimate URL Shortener Tool’. Firefox’s own Privacy query stripping is disabled given uBO and given I have no idea of what exactly is stripped, but it must be close to nothing.
That’s not about it because if I had to state all that is done on this machine to block, circumvent, bypass the increasing amount of privacy intrusions — OS, applications, browsers, websites — It’d be far too long to detail.
What has become of the Web? What have they done to our Web, ma. A Wild, Wild Web.