
Ask HN: What is with the new URLs on facebook.com?

277 comments

·July 16, 2022

Hi HN,

I've noticed recently Facebook has started using URLs which seem to include encoded information.

For example, this URL to Vice: https://www.facebook.com/VICE/posts/pfbid02XdVziPTwhmPU9XzBq...

It's a pretty URL with some kind of hash at the end beginning with "pfbid."

Whereas they used to look like basic sharded URLs: https://www.facebook.com/random.username/posts/1020832750980...

Is this for more targeted tracking on posts and links being shared, a new sharding scheme, a combination of both, or something else entirely?

Appreciate any insights the community can provide.

groffee

Firefox recently started stripping out tracking URLs [0] and the most prevalent one is Facebook with its ?fbclid= so it looks like they're encoding it straight into the URL now to bypass that. Medium does similar also.

[0] https://www.engadget.com/firefox-can-now-automatically-remov...

wahnfrieden

It's opt-in behavior. So Facebook is explicitly countering opt-in requests for privacy (without informing you)

ehnto

See also: all the companies scrambling to circumvent App Tracking Transparency, in which they are not only being duplicitous, they're also breaking the new agreements formed with the app store and the customer.

Tracking has been a grey area in technology. Now that regulations and users are trying to scrape back some control over their privacy, it's going to be a lot clearer to see the line between moral and amoral behavior in companies.

Nextgrid

App Tracking Transparency only forces you to do what you must have already been doing to comply with the GDPR (and potentially even the earlier ePrivacy Directive).

Any complaints about ATT should've been considered admissions of guilt by the EU regulators and prompted investigations.

akagusu

This is the kind of thing that should be illegal.

grepfru_it

Once upon a time, I would ship word docs with a remote image using a unique URL that I host. When someone opens the word doc (and accepts remote images) the URL is fetched and I know when someone opened a doc that was destined for a particular recipient.

It's quite interesting when the doc intended for a specific recipient is opened in 15 different geographical areas. Even more interesting when that specific recipient was under an NDA.

My question to you is if this should be made illegal? (since it is the same action facebook appears to be doing)

dredmorbius

And who do you think has the lobbying, law-making, and regulatory advantage here? Facebook or 5 billion disaggregated people around the world?

https://en.wikipedia.org/wiki/The_Logic_of_Collective_Action

baby

You should be able to change how URLs work for your own website. They're not making any promise of stability here.

Jasper_

How many "this should be illegal"s are we going to see on this website before people realize that powerful platforms have the money, power, and politics to lobby their way out of everything? A huge chunk of this was made illegal through the GDPR, and for years on this website everyone said it was a massive overreach. Or maybe we spend 5 years making this specific thing illegal and they circumvent it all in two weeks. Or they just ignore it and pay the paltry fines as a cost of doing business.

Not to mention the giant groups of people working at FAANG here, directly complicit with this behavior, afraid their salary and stock options will tank if anything changes.

Companies have the willpower and money to fight any sort of check on their power, well after the rest of us are all beyond exhausted.

Beldin

There are laws against it (in certain parts of the world at least). Of course, those laws do allow tracking in certain situations. Of course that makes enforcement harder - enforcers need to figure out if this is not an allowed case. Moreover, enforcement agencies vary in execution, with the Irish DPA so bad, their actions are indistinguishable from actively undermining GDPR.

e-clinton

> So Facebook is explicitly countering opt-in requests for privacy (without informing you)

Facebook informs you of their tracking via the privacy policy you agree to when using their services

Ar-Curunir

Right, that’s totally legible to most users.

madeofpalk

Tiktok does the same thing when you get a URL to share a video

dawnerd

It’s really creepy too if you don’t know the share url can leak your account name (if you were trying to keep that private)

root_axis

Just to add some clarity, it's not that it "can leak" your account name, it deliberately pops up your account name and profile photo above the video to anyone that clicks the link.

type0

It is but try to explain this to a regular user and they will call you a tinfoil hat nerd

udp

Not that it makes it any less shitty but you can disable that behaviour in the settings

benreesman

ByteDance has done a really good job making me reconsider whether I’d ever work for Big Tech again.

I have some serious reservations about social media generally, which is why I left to begin with, but between TikTok and Instagram I know hands down who I trust more.

azinman2

What’s your exact concern with TikTok?

sneak

This sort of nationalism is not useful; when pattern of life data is used to quietly blackmail or extort you it doesn't really matter whether it's your own or a foreign government doing it.

david_allison

As does StackOverflow

remram

It's not encoded though, your user ID is right there and you can strip it out. I agree that it could be clearer like /question/1234?utm_user=5678 instead of /question/1234/5678

Nextgrid

You could argue that SO at least gives you some benefit - there are badges you can earn for popular shared links.

tedmiston

Instagram does the same as well with your user ID as a query param when you share or copy a link.

madeofpalk

Tracking query string params in urls is nothing new, and it's easy to spot.

What tiktok does (and it looks like Facebook is starting to do) is generate you a completely unique URL when sharing a video. Copy a tiktok video URL and you get something like tiktok-dot-com/video/abc456def - that ID at the end is unique to you. There are no tracking params to remove from the video because they encode the video ID and your user ID in the same 'field'

dredmorbius

Instagram === Facebook

So not much surprise here.

nchudleigh

+1 this is likely the situation. I would bet that the rest of the url resolves to the old format with the search param after some decoding.

shultays

That was such a naive move by firefox tbh

shultays

Perhaps a bit more explanation is needed considering the downvotes: https://news.ycombinator.com/reply?id=32118663&goto=item%3Fi...

This is an arms race firefox would lose. I think if anything, firefox trying to race it is now negatively affecting anyone who was able to manually remove tracking id themselves (or use a browser extension)

sangnoir

Ad-blocking, like content piracy, are activities that are ignored and can flourish in the fringes. Once they go mainstream and become threats to profit margins, considerable resources will be brought to bear to fight them.

vorpalhex

It is enough for Firefox to make the trackers have to be more invasive.

I don't have to defeat you if I can make you look bad enough to all the observers.

Ar-Curunir

What nonsense. The negative effects are due to Facebook, not because Firefox took defensive actions.

jherazob

Don't blame the victim, blame the abuser

dredmorbius

First we had toggleable cookie and JS settings.

Sites blocked functioning without cookies or JS.

Then we had adblockers.

Sites blocked functionality with adblockers installed.

Then we had Do Not Track.

Sites LOLWUTFU

Then we had GDPR.

Sites: Multi-thousand-word EULAs, TOU, "Accept" vs. "Pound Sand" options, multi-hundred click "choice" dialogues, "your privacy is very important to us (to invade and violate)", and mass geoblocking.

Then we had UTM and FBPID URL tracking parameter stripping.

Sites: Encode tracking data directly into URL as a hash.

Firefox's action isn't simply meant to solve the problem. It's there to highlight the repeated and escalated violation and negation of express personal intent and preference.

No means no.

dom96

Do you have any evidence to say that this is the case other than speculation? It's also possible that they just changed the URL format. FWIW `pfbid` seems to be a shortened version of "post fb id" so why would it include the "cl id"?

isametry

Rule #n of the internet: If Meta does anything which doesn't explicitly protect the privacy of users, you can safely assume that it harms the privacy of users.

danijelb

I went to Vice's fb page, found the same post that OP linked to and checked the URL. The pfbid part is exactly the same to me. The URL by default has some additional params attached like __cft__ and __tn__, which can be stripped, and those are probably tracking-related. Based on this, I don't think that pfbid is connected to tracking

tyingq

If I were Meta, this is how I would implement this. First, get everyone used to the new opaque base64 encoded blob, by using it just like the previous numeric post id. Then, after all the initial speculation dies down, encode other stuff in it.

tedmiston

Are you sure about that? It's not the same for me.

OP: https://www.facebook.com/VICE/posts/pfbid02XdVziPTwhmPU9XzBq...

Me: https://www.facebook.com/VICE/posts/pfbid0TbuHEaGP2fLTRDFRTu...

There were also a bunch of other query params junk after that I omitted here for brevity.

zo1

Facebook will Facebook, that's a given. But why aren't FB employees (anonymously) responding here and explaining how this "pfbid" thing can be circumvented or even what it contains? Where are the actual privacy activists that will do a grep through the FB sourcecode for pfbid and give us the scoop??

__derek__

It looks like one already explained what this is: https://news.ycombinator.com/item?id=32119684

zem

probably takes a certain mentality to still be working at facebook and the people who cared enough to do this sort of thing left instead

aaomidi

Multiple other companies doing the same thing would point to a trend.

drexlspivey

what's the reason to change from the old format if that's all it does?

thrusong

Makes a lot of sense— thanks!

ape4

I suppose Firefox could remove this new encoding too

Mordisquitos

Not that easy, unless the URL pfbid thingy can be easily parsed into separate "post id" and "tracking id" parts — which I bet it cannot.

One alternative, which would require significant effort and investment but would be a brilliant way to outsmart Facebook's crap, would be to accumulate pfbids in a common pool such that, if a given pfbid points to post X, fetch a different random pfbid that points to post X. If the initial pfbid is not recognised, add it to the pool once the post is determined, either as a new alternative for a known post, or as a novel entry.

Of course, FB would hate it and would either try to expire old pfbids (and risk breaking "legitimate" links) or use legal threats, which would require them to openly admit that they don't give a shit about people's privacy preferences.

Someone

Problem, I think, is that only Facebook can know the X such a url points to without accessing it.

So, upon seeing a new one, you’ll have to resolve it. Only then would you be able to tell what other URLs it’s equivalent to.

One way to gain anonymity there is to do that from a proxy, but such proxies would be detectable from the amount of pages they request from Facebook.

It also looks like they already thought about replays of URLs. For me, https://www.facebook.com/VICE/posts/pfbid02XdVziPTwhmPU9XzBq... currently says:

“It looks like you were misusing this feature by going too fast. You’ve been temporarily blocked from using it.

If you think that this doesn't go against our Community Standards, let us know.”

So, chances are they also thought about users exchanging URLs (e.g. by having each running instance of Firefox read Facebook URLs for other instances). It is possible that (a part of) your Facebook user ID also is encoded in each URL.

texasbigdata

Smart but now there’s another third entity you have to trust to aggregate all this personal information from a slew of users just to… avoid the same situation initially? Sort of seems like only a marginal improvement.

omegalulw

Not really. pfbid needn't be a hash. You can take the plain text url, which can be ".../random.user/post/post_number", append a random salt, and encrypt it using a key which is a function of "f(random.user)". That way you get unique encodings for each shared URL and every time you decrypt just discard the random bit. Defeats all pooling/reverse engineering efforts and offers perfect user isolation (each user has their own key).

cmg

> try to expire old pfbids (and risk breaking "legitimate" links)

Or encode some versioning scheme, and keep trying various versions until one comes up with a valid link. If we can think of these things in seconds, so can the engineers at FB.

blibble

presumably they've encrypted/MAC'ed it, so you can't without breaking the link
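An added illustration (not part of any comment in this thread, and not Facebook's actual pfbid format, which the thread does not establish): a toy version of the randomized, per-account encrypted identifier that omegalulw and blibble describe above, showing why such tokens cannot be pooled or edited on the client. The master secret, the HMAC key derivation, the AES-256-GCM choice and the token layout are all assumptions.

```javascript
// Toy model of an opaque, authenticated post identifier (assumed design).
const nodeCrypto = require('node:crypto');

// Hypothetical server-side secret, constructed for this example only.
const MASTER_SECRET = Buffer.from('constructed-demo-secret-not-a-real-key');

// Per-account key: the "f(random.user)" from the comment, modelled as HMAC-SHA256.
function keyFor(account) {
  return nodeCrypto.createHmac('sha256', MASTER_SECRET).update(account).digest();
}

// Token layout (assumed): nonce(12) || ciphertext || tag(16), base64url-encoded.
function encodeToken(account, postId) {
  const nonce = nodeCrypto.randomBytes(12); // fresh randomness for every share
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', keyFor(account), nonce);
  const body = Buffer.concat([cipher.update(String(postId), 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, body, cipher.getAuthTag()]).toString('base64url');
}

// Returns the post id, or null when the token was altered or issued under another key.
function decodeToken(account, token) {
  const raw = Buffer.from(token, 'base64url');
  if (raw.length <= 12 + 16) return null;
  const nonce = raw.subarray(0, 12);
  const body = raw.subarray(12, raw.length - 16);
  const tag = raw.subarray(raw.length - 16);
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', keyFor(account), nonce);
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
  } catch {
    return null; // authentication failed: the link is simply broken
  }
}

// Simulates a client "stripping" part of the token: flips one ciphertext bit.
function tamper(token) {
  const raw = Buffer.from(token, 'base64url');
  raw[12] ^= 0x01;
  return raw.toString('base64url');
}

// Two shares of the same post (the old-style id quoted elsewhere in the thread).
function demo() {
  const first = encodeToken('alice', '6037626766270531');
  const second = encodeToken('alice', '6037626766270531');
  return {
    distinct: first !== second,
    resolved: [decodeToken('alice', first), decodeToken('alice', second)],
    afterEdit: decodeToken('alice', tamper(first)),
  };
}
```

Without the server-side key, two tokens for the same post look unrelated, so a shared pool can only learn which tokens are equivalent by resolving each one against the server.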

wahnfrieden

Sounds like this calls for some browser extensions

Beyond privacy I'm interested in generally a browser extension that disables things that provide free labor to for-profit enterprises, such as hiding the moderation queue (which even has an annoying persistent badge) on StackExchange sites, the one that asks me to provide unpaid labor to private equity and has various rules that sound nice if it were a public utility but primarily work to improve their SEO.

Hydraulix989

By your same logic, participating on HN is free labor to a VC firm. I don't see how you can draw the line with a general-purpose extension other than simply actively avoiding things you don't want to do through your own volition.

daniel_iversen

Most likely can’t be fixed by an extension and also to the parent poster, Firefox can’t strip this info out because the encoded string (how I read the original question) includes the actual metadata about what’s to be displayed. Looks like fb won this round.

pronlover723

free labor lol, they're providing a service. For free where free = no money, They give users a way to share with each other, ways to organize events, ways to sell things, ways to send messages with each other, ways to make calls to each other, ways to have video chat with each other, all for free (again free = no money). In return they put ads in your face and to make those ads more relevant they look at whatever data they can gather.

I don't like being spied on but geez, they aren't getting free labor. They're paying like crazy. As someone that once had a > $1000 phone bill it's amazing to me I can video chat with friends all over the world via FB's services and pay no direct money to do it and that to keep up with them I can now just post to fb instead of sending out a newsletter or writing each individual person

remram

Isn't answering on questions providing free labor to StackOverflow too? Providing way more value to their company? Do you draw a line between answering and reviewing?

dredmorbius

The extension would likely need some sort of FB proxy in order to decode the provided URL to its canonical source.

That is, when copying a FB URL, you'd take the supplied value, feed that to the proxy, get the translated (and presumably canonical OR), and feed that to the clipboard buffer or share dialogue.

Needless to say, a fucking PITA.

lwswl

Facebook could also just make it completely opaque, and just add random data to their urls (by which I mean a+b=c, not a+b=ab), and then subtract it on their end. Then you literally might not be able to see anything, not even the webpage directory.

dredmorbius

So: pass the URL to FB to decode to canonical value, and return that for further operations (share, copy/paste, etc.).

This would have to be through an extension or an internal browser function.

The canonicalisation request would have to be w/o the initial person's FB identifiers as part of the request (e.g., cookies, etc.). FB might cotton on to immediate re-requests after URL provision, though that would be an interesting approach and yet further signs of expressly violating expressed intent.

bamboozled

Here is a good way to do it, block the entire domain :)

Piece of s**

bencollier49

They literally just announced they were doing it.

https://gizmodo.com/firefox-update-stop-url-tracking-chrome-...

tedmiston

That's the old encoding (fbclid), not the new one (pfbid).

nchudleigh

Wouldn't be the first time they implemented direct anti Facebook features.

shultays

Even if it can, it won't the next one. Which fb simply encrypts to url (assuming it is not encrypted already)

gnu8

Why on earth would Facebook think it is ok to bypass that? This should be considered a violation of the CFAA. Start putting Facebook execs in federal prison.

autoexec

I'm all for throwing facebook execs behind bars, but what part of the CFAA would cover encoding tracking data in a URL?

wahnfrieden

This is Facebook actively circumventing their users' explicit requests to not be tracked :) They have no respect for you

daniel_iversen

It’s the price you pay to use the platform because it’s free.

rockbruno

Are you implying they would not do it if it was paid? The Samsung TV I paid for is filled with ads in the home screen. I pay $30 a month for cable tv and I'm still forced to see 30 minutes of ads for every mere 5 minutes of actual content. They would absolutely still do this even if Facebook was paid.

daniel_iversen

It’s not as simple as that I believe. It’s a combination of user awareness, free market forces, mission and values, shareholder expectations, greed and unit economics (which, the latter, isn’t an issue for fb). Facebook responds to their shareholders, but luckily they don’t have a monopoly anymore (anecdotally from what I can read, besides the small but growing number of adults that are leaving the platform a decent amount of the younger generation isn’t even on it to begin with). I think it’s simply about those handful of metrics and forces that makes them do what they do.

sebazzz

It is interesting you say that because there are other means of advertising than user tracking. Take context sensitive advertising for instance, you currently look at an article about harddrives it is likely you may be interested in computer hardware - so let's display computer ads.

dazc

The behaviour of facebook and google for the past ten years suggests that revenue from tracking based ads must be multiple times that of plain old contextual ads, hence the continued push down this path?

You don't suddenly decide to stop doing evil for just a few percentage points after all.

LunaSea

This doesn't work because articles about hard drives don't represent enough ad impressions to fulfill the volume requirements of an ad campaign.

coffeeblack

That’s what AdSense did for over a decade. Then they switched to user interest based ads, because they convert a lot better.

blantonl

Facebook is in the business as a public company to drive shareholder value, and one way they do that is by tracking users and generally abusing the privacy of their users.

So, if you don't like that or have moral issues or whatever hangups you want to conjure up to hate on them: don't be a customer. And don't be an investor. It's as simple as that.

dredmorbius

Each family of four in the 1 billion population of the wealthiest nations (US, EU, Japan, Canada, Australia, NZ, ..) are paying on average $486 to Facebook through ad spend subsidised by their purchases, whether they use the site or not.

https://news.ycombinator.com/item?id=32118404

wahnfrieden

I don't use the platform, and I don't accept that cost

jefftk

But if you don't use the platform then this new link format doesn't affect you?

iso1631

Except facebook still tracks you, knows who your friends are and knows where you've been (even if your friends weren't there you're in the background of a stranger's photo)

blantonl

this is the way

tut-urut-utut

They would not stop tracking you even if you pay. There are countless examples of this.

The only way to win is not to use them.

Agamus

If only it were that easy!

The only way to win is to bend over backwards to block all of their various tracking garbage that is hiding in the majority of internet websites.

And I suspect that even the most stalwart soldier in this fight is probably still losing somehow.

hdjjhhvvhga

FB is an advertising platform that depends on the number of eyeballs. This number is already dropping. The more user-hostile they become, the worse for their bottom line in the long term, in spite of potential short-term gains, if any.

wahnfrieden

I wouldn't expect a market solution for privacy woes

dredmorbius

There can be a lot of pain and harm delivered before the market becomes rational.

wintermutestwin

> It’s the price you pay to use the platform because it’s free.

? That doesn't make sense. It is most certainly not "free" and the real price is one that is far more than the costs of providing their services. The problem is that joe user doesn't understand the value of what they are paying so Facecrook is selling trinkets to the natives for land.

hexo

"free"

cainxinth

The feeling is mutual

texasbigdata

Your annual cost is $0, tbf

dredmorbius

Facebook's 2021 revenues were $117 billion, virtually all advertising income.

That comes from products advertised through FB, most of which are marketed toward the roughly 1 billion wealthiest residents of the world: US, EU, Japan, and a few other rich countries.

Some complex maths suggests this works out to $117 per individual ($468 for a household of four), whether or not they use Facebook.

Facebook is not without costs, either in direct monetary support or externalised costs of the network.

Facebook tracks individuals outside of its platform, including those who do not have accounts on the platform at all.

The fact that participation has no gated cost is an intentional design of the system --- Facebook's users are the product sold to Facebook's customers, the advertisers.

People have a right to criticize and protest independent of whether they are customer, product, unwilling supporter, or collateral damage.

wahnfrieden

0 justification for privacy abuse, tbf

As a user have no debt to them just because they offer something for free. Maybe you psychologically feel that way (reciprocity is a common psychological effect that is exploited in marketing)

KoftaBob

They can show ads to users in exchange for the users getting a service for free, without being incredibly intrusive in how they target ads.

lucasyvas

I don't agree. If the data is worth something, I think they owe its users a share of it. So I'd argue the users are being forced to leave money on the table and it's actually a negative transaction.

aaomidi

I’m not responsible for the business decisions Facebook makes. It’s their choice to make it $0. Can I pay if I wanted to? No.

blantonl

Your ability to participate is also optional.

googlryas

Having an extension or something that removes query string parameters is not an explicit request to not be tracked.

baby

Not sure why you're getting downvoted, but yeah there's no public API and promise of stability there.

wahnfrieden

that's completely obvious. do you two want some more clarity?

tyingq

It appears that the old urls still exist, they are just sort of hidden.

Your VICE link is also here, for example:

https://www.facebook.com/VICE/posts/6037626766270531

Edit: To find the old style url, use /plugins/post.php with the new style url passed as a url encoded param value for "href", like: https://www.facebook.com/plugins/post.php?href=https%3A%2F%2...

Then, there's a timestamp like "10 minutes" ago in the returned page that leads to the old url.

I imagine you could make a browser plugin out of that.
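A sketch of the extension logic suggested above, as an added example that is not part of the original comment: it strips the query parameters named in this thread and builds the /plugins/post.php lookup URL for a pfbid-style link. The function names, the sample URLs and their parameter values are constructed; fetching the lookup page and reading the timestamp link out of it is left out.

```javascript
// Added example; parameter names come from the thread, everything else is constructed.

// Stripped on any site (fbclid, __cft__ and __tn__ are named in the thread).
const GLOBAL_PARAMS = new Set(['fbclid', '__cft__', '__tn__']);
// Stripped only on a given host (the s= and t= seen on Twitter share links).
const HOST_PARAMS = { 'twitter.com': ['s', 't'] };

// Remove known tracking parameters and report what was removed.
function cleanUrl(input) {
  const url = new URL(input);
  const host = url.hostname.replace(/^www\./, '');
  const removed = [];
  // Snapshot the key names first so deleting does not disturb iteration.
  for (const name of new Set(url.searchParams.keys())) {
    const base = name.replace(/\[.*$/, ''); // "__cft__[0]" -> "__cft__"
    const hostScoped = (HOST_PARAMS[host] || []).includes(base);
    if (GLOBAL_PARAMS.has(base) || base.startsWith('utm_') || hostScoped) {
      url.searchParams.delete(name);
      removed.push(name);
    }
  }
  // A pfbid path segment is opaque: nothing in it can be stripped client-side.
  const opaqueId =
    host === 'facebook.com' && /\/posts\/pfbid[0-9A-Za-z]+/.test(url.pathname);
  return { url: url.toString(), removed, opaqueId };
}

// Build the lookup URL described in the comment: the new-style link goes in as
// a URL-encoded "href" value. The returned page must still be fetched and parsed.
function pluginLookupUrl(postUrl) {
  const lookup = new URL('https://www.facebook.com/plugins/post.php');
  lookup.searchParams.set('href', cleanUrl(postUrl).url);
  return lookup.toString();
}

// Constructed sample links (token and parameter values are placeholders).
const SAMPLE_FB =
  'https://www.facebook.com/VICE/posts/pfbid0EXAMPLETOKEN?__cft__[0]=AAA&__tn__=%2CO&fbclid=BBB';
const SAMPLE_TW =
  'https://twitter.com/NanoRaptor/status/1548301612246249474?s=20&t=CONSTRUCTED';

function demo() {
  return {
    facebook: cleanUrl(SAMPLE_FB),
    twitter: cleanUrl(SAMPLE_TW),
    lookup: pluginLookupUrl(SAMPLE_FB),
  };
}
```

The lookup request should be sent without the user's Facebook cookies, as dredmorbius notes elsewhere in the thread, or the resolution step itself identifies who is resolving the link.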

thrusong

Cool find— thanks!

cmg

Along these lines, someone else mentioned that Tiktok embeds direct tracking into URLs already.

Twitter recently started adding a 't=' param to their share links [0] as well, and I can only guess that it's some kind of similar tracking scheme. From watching browser traffic it appears to be generated when you click the share button, but I might be wrong about that.

[0] https://twitter.com/NanoRaptor/status/1548301612246249474?s=... - the first thing in my feed. Link works fine without any of the query params, of course.

propogandist

the params are included when sourcing a shareable link from the website/app (direct links don’t have this). This is a move to mimic tktok’s aggressive tracking practices.

Twitter appears to be just analyzing who shares what with whom, but haven’t moved into using it for ‘growth hacking’ like tiktk yet (i.e. join cmg, who shared this link on Twtr)

benreesman

I don’t have any super-special insight here, but FBID is facebook’s global integer ID namespace (fun fact: Zuckerberg’s account is 3, back in the day he was always getting random friend requests from people’s unit tests). Don’t know what a “p”-FBID is.

I know symmetric encryption is reasonably cheap these days, but anything times “Facebook edge requests” is a lot, I bet any of the cryptographers on here could find out pretty quickly what’s in that blob.

sedatk

"p-FBID" probably means "path FBID" in contrast to query string ones.

jaromir_

4, not 3

grishka

What are/were IDs 1, 2, and 3 for, then?

VKontakte, the Russian Facebook, has another ID system entirely: each namespace kinda gets its own ID sequence. Pavel Durov is unsurprisingly ID 1. Group 1 is the group for app developers, but no idea what it was initially. Other objects are identified by a (type, owner ID, object ID) triplet, the object ID is unique within the type and the particular database server that's chosen based on the owner ID. Really simple to work with once you get into it. Does Facebook use a single global ID namespace for everything?

benreesman

Facebook engineers know that VK engineers are serious as a heart attack.

It’s 4 because he was prototyping the ID system.

Facebook, as well as VK, have gotten quite fancy since about partitioning 64 bits.

benreesman

Haha that’s right, good catch. You can tell it’s been awhile since I tested in prod. :)

NelsonMinar

I have a feeling Facebook looks at URLs as an unfortunate requirement for running their walled garden in browsers. The more opaque, the better for their business.

ynx

I'm 90% certain the old number was an FBID. The new one looks like a different FBID encoding scheme - possibly with the type info included ('p') to reduce the overhead of a second data fetch.

FBIDs are a globally unique id system that they've been using for almost as long as they've been around, if not actually from the beginning.

steve_taylor

Here's how a browser could counteract this privacy-busting measure:

When the user clicks one of these links, the browser could open it in a headless tab and wait for the URL to change to a non-facebook URL. The browser then remembers that URL, closes the headless tab, and navigates to the underlying URL with tracking parameters stripped.

accrual

I noticed TikTok does something similar. For example, if you copy a link to a creator's page while logged in, your profile is encoded into the URL and your name and photo are displayed alongside the linked content. It's two steps to fix it - open the encoded link yourself, remove the extra data, then send the cleaned link.

FollowingTheDao

Oh it’s nothing, just something to make your life easier. Oh, and to make your life better as well. Just ignore it and keep using Facebook.