Two-Faced Facebook: Foils Privacy Plugins by Encrypting URLs

Facebook is rolling out a new link schema—to fight privacy browsers and privacy plugins. The updated URLs hide Facebook’s user-tracking IDs so they can’t be stripped off.

Firefox and Brave browsers used to be able to strip off these tracking bugs. And there are plugins that did the job for other browsers. But now they’ve all been thwarted by Facebook.

Mark Zuckerberg (pictured), speaking in 2019, grandly promised to “replumb” Facebook and “work openly” to support a new “privacy vision.” In today’s SB Blogwatch, we revisit old keynotes that didn’t age well.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Kiss.

“I’m committed to doing this well.”
—M. Zuckerberg, 2019

What’s the craic? Martin Brinkmann reports—“Facebook has started to encrypt links to counter privacy-improving URL Stripping”:

Facebook is using encryption now to track users
Facebook has started to use a different URL scheme for site links to combat URL stripping technologies that browsers … use to improve privacy and prevent user tracking. [For example] Firefox removes tracking parameters from web addresses automatically [and] Brave Browser strips known tracking parameters … as well.

It appears that Facebook is using encryption now to track users. … It is no longer possible to remove the tracking part of the URL, as Facebook merged it with part of the required web address. … There is no option currently to prevent Facebook’s tracking of users via links.

Who discovered it? We think Martin was tipped off by thrusong:

Is this for more targeted tracking?
I’ve noticed recently Facebook has started using URLs which seem to include encoded information. … It’s a pretty URL with some kind of hash at the end beginning with “pfbid” … whereas they used to look like basic sharded URLs.

Is this for more targeted tracking on posts and links being shared, a new sharding scheme … or something else entirely?

Way back in 2019, Mark Zuckerberg uttered these hostage-to-fortune words:

Privacy vision
Today, we’re going to talk about building a privacy focused social platform. Privacy gives us the freedom to be ourselves. … This is the next chapter for our services.

I know that we don’t exactly have the strongest reputation on privacy right now—to put it lightly. But I’m committed to doing this well. … We’re committed to working openly.

We’re also … replumbing the whole infrastructure … to support this privacy vision. It’s not going to happen overnight. … If we get this right, [it’s] going to be a fundamentally different experience a few years from now.


Hmmm, those promises didn’t age well at all. But is it similar to what Twitter does? Here’s u/Ununoctium117’s answer:

No, this is explicitly worse and different. Twitter tracking is in the form of two URL parameters which you can simply remove. This is about how Facebook has started merging the URL parameters with the content address to prevent removing the tracking information.

Clever, eh? Not really, thinks bradley13:

Putting the tracking information into the URL itself, instead of as an extra parameter is not magic, or even difficult. Scummy, yes, but then, Facebook is a scummy company.

I haven’t been on Facebook in years. The very few businesses dumb enough to have only a Facebook page and no website? They clearly don’t need my business.

But isn’t this just the usual cat-and-mouse game? Much more, says ehnto, dubbing it “duplicitous” and “amoral”:

See also: all the companies scrambling to circumvent App Tracking Transparency, in which they are not only being duplicitous, they’re also breaking the new agreements formed with the app store and the customer.

Now that regulations and users are trying to scrape back some control over their privacy, it’s going to be a lot clearer to see the line between moral and amoral behavior in companies.

What can be done? u/dubyakay suggests the nuclear option:

It’s easy: just stop clicking FB links altogether.

That’s a bit extreme. This Anonymous Coward wants to stay that way:

The “big tech” … advertising companies are all about building ever more oppressive silos. … The issue is not this or that technical measure. It’s the silo-ising mindset.

I wonder what it’ll take for the … public to catch on and stop using these abusive data-hoarding bullies.

This should be illegal! An exasperated Jasper sighs thuswise:

How many “this should be illegal”s are we going to see … before people realize that powerful platforms have the money, power and politics to lobby their way out of everything? A huge chunk of this was made illegal through the GDPR, and for years … everyone said it was a massive overreach.

Or maybe … spend 5 years making this specific thing illegal and they circumvent it all in two weeks. Or they just ignore it and pay the paltry fines as a cost of doing business.

Companies have the willpower and money to fight any sort of check on their power, well after the rest of us are all beyond exhausted.

Meanwhile, another Anonymous Coward neatly sums up their feelings on the matter:

**** you and **** your incessant tracking.

And Finally:

Señor Coconut vs. Prince

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Anthony Quintano (cc:by; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 615 posts and counting.See all posts by richi

Secure Coding Practices