
Ask HN: What is with the new URLs on


July 16, 2022

Hi HN,

I've noticed recently Facebook has started using URLs which seem to include encoded information.

For example, this URL to Vice:

It's a pretty URL with some kind of hash at the end beginning with "pfbid."

Whereas they used to look like basic sharded URLs:

Is this for more targeted tracking on posts and links being shared, a new sharding scheme, a combination of both, or something else entirely?

Appreciate any insights the community can provide.


Firefox recently started stripping out tracking URLs [0] and the most prevalent one is Facebook with its ?fbclid= so it looks like they're encoding it straight into the URL now to bypass that. Medium does similar also.



It's opt-in behavior. So Facebook is explicitly countering opt-in requests for privacy (without informing you)


See also: all the companies scrambling to circumvent App Tracking Transparency, in which they are not only being duplicitous, they're also breaking the new agreements formed with the app store and the customer.

Tracking has been a grey area in technology. Now that regulations and users are trying to scrape back some control over their privacy, it's going to be a lot clearer to see the line between moral and amoral behavior in companies.


App Tracking Transparency only forces you to do what you must have already been doing to comply with the GDPR (and potentially even the earlier ePrivacy Directive).

Any complaints about ATT should've been considered admissions of guilt by the EU regulators and prompted investigations.


This is the kind of thing that should be illegal.


Once upon a time, I would ship word docs with a remote image using a unique URL that I host. When someone opens the word doc (and accepts remote images) the URL is fetched and I know when someone opened a doc that was destined for a particular recipient.

It's quite interesting when the doc intended for a specific recipient is opened in 15 different geographical areas. Even more interesting when that specific recipient was under an NDA.

My question to you is if this should be made illegal? (since it is the same action facebook appears to be doing)


And who do you think has the lobbying, law-making, and regulatory advantage here? Facebook or 5 billion disaggregated people around the world?


You should be able to change how URLs work for your own website. They're not making any promise of stability here.


How many "this should be illegal"s are we going to see on this website before people realize that powerful platforms have the money, power, and politics to lobby their way out of everything? A huge chunk of this was made illegal through the GDPR, and for years on this website everyone said it was a massive overreach. Or maybe we spend 5 years making this specific thing illegal and they circumvent it all in two weeks. Or they just ignore it and pay the paltry fines as a cost of doing business.

Not to mention the giant groups of people working at FAANG here, directly complicit with this behavior, afraid their salary and stock options will tank if anything changes.

Companies have the willpower and money to fight any sort of check on their power, well after the rest of us are all beyond exhausted.


There are laws against it (in certain parts of the world at least). Of course, those laws do allow tracking in certain situations. Of course that makes enforcement harder - enforcers need to figure out if this is not an allowed case. Moreover, enforcement agencies vary in execution, with the Irish DPA so bad, their actions are indistinguishable from actively undermining GDPR.


> So Facebook is explicitly countering opt-in requests for privacy (without informing you)

Facebook informs you of their tracking via the privacy policy you agree to when using their services


Right, that’s totally legible to most users.


Tiktok does the same thing when you get a URL to share a video


It’s really creepy too if you don’t know the share url can leak your account name (if you were trying to keep that private)


Just to add some clarity, it's not that it "can leak" your account name, it deliberately pops up your account name and profile photo above the video to anyone that clicks the link.


It is but try to explain this to a regular user and they will call you a tinfoil hat nerd


Not that it makes it any less shitty but you can disable that behaviour in the settings


ByteDance has done a really good job making me reconsider whether I’d ever work for Big Tech again.

I have some serious reservations about social media generally, which is why I left to begin with, but between TikTok and Instagram I know hands down who I trust more.


What’s your exact concern with TikTok?


This sort of nationalism is not useful; when pattern of life data is used to quietly blackmail or extort you it doesn't really matter whether it's your own or a foreign government doing it.


As does StackOverflow


It's not encoded though, your user ID is right there and you can strip it out. I agree that it could be clearer like /question/1234?utm_user=5678 instead of /question/1234/5678


You could argue that SO at least gives you some benefit - there are badges you can earn for popular shared links.


Instagram does the same as well with your user ID as a query param when you share or copy a link.


Tracking query string params in URLs is nothing new, and it's easy to spot.

What tiktok does (and it looks like Facebook is starting to do) is generate you a completely unique URL when sharing a video. Copy a tiktok video URL and you get something like tiktok-dot-com/video/abc456def - that ID at the end is unique to you. There are no tracking params to remove from the video because they encode the video ID and your user ID in the same 'field'
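
The distinction drawn in the comment above, between a strippable query parameter and an identifier folded into the path, as an added JavaScript example (not code from the thread, Firefox or Facebook). The parameter names are the ones mentioned in this thread; the `looksOpaque` heuristic, the host name and the token values are constructed assumptions.

```javascript
// Added example. Parameter names are the ones mentioned in this thread;
// this is NOT any browser's real strip list.
const TRACKING_PARAMS = new Set(["fbclid", "__tn__"]);
const TRACKING_PREFIXES = ["utm_", "__cft__"];
// Path-segment prefix discussed in the thread.
const OPAQUE_PREFIXES = ["pfbid"];

function isTrackingParam(name) {
  const n = name.toLowerCase();
  return TRACKING_PARAMS.has(n) || TRACKING_PREFIXES.some((p) => n.startsWith(p));
}

// Heuristic (assumption): a known prefix, or a long alphanumeric segment
// mixing letters and digits. Old-style purely numeric post IDs do not match.
function looksOpaque(segment) {
  if (OPAQUE_PREFIXES.some((p) => segment.startsWith(p))) return true;
  return (
    segment.length >= 24 &&
    /^[A-Za-z0-9]+$/.test(segment) &&
    /[A-Za-z]/.test(segment) &&
    /\d/.test(segment)
  );
}

// Strip what can be stripped, and report what cannot: an opaque path
// segment is the resource locator itself, so removing it breaks the link.
function sanitizeUrl(input) {
  const url = new URL(input);
  const removed = [];
  for (const name of new Set(url.searchParams.keys())) {
    if (isTrackingParam(name)) {
      removed.push(name);
      url.searchParams.delete(name); // deletes every value for this name
    }
  }
  const opaqueSegments = url.pathname.split("/").filter((s) => s && looksOpaque(s));
  return { url: url.toString(), removed, opaqueSegments };
}

// Constructed sample links (not real posts or real tokens).
const OLD_STYLE =
  "https://social.example/vice/posts/1234567890123456?fbclid=IwAR0constructed&utm_source=share&ref=home";
const NEW_STYLE =
  "https://social.example/vice/posts/pfbid0CONSTRUCTEDtokenValue123456789abc?__cft__[0]=AZxyz&__tn__=%2CO%2CP-R";

for (const link of [OLD_STYLE, NEW_STYLE]) {
  const r = sanitizeUrl(link);
  console.log(r.url);
  console.log("  removed params:", r.removed.join(", ") || "(none)");
  console.log("  opaque path segments left in place:", r.opaqueSegments.join(", ") || "(none)");
}
```

For the old-style link the sanitizer leaves a clean numeric post URL; for the new-style link it can only report the remaining segment, because a client cannot tell from the token alone whether it carries anything besides the post.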


Instagram === Facebook

So not much surprise here.


+1 this is likely the situation. I would bet that the rest of the url resolves to the old format with the search param after some decoding.


That was such a naive move by firefox tbh


Perhaps a bit more explanation is needed considering the downvotes:

This is an arms race firefox would lose. I think if anything, firefox trying to race it is now negatively affecting anyone that was able to manually remove the tracking ID themselves (or use a browser extension)


Ad-blocking, like content piracy, are activities that are ignored and can flourish in the fringes. Once they go mainstream and become threats to profit margins, considerable resources will be brought to bear to fight them.


It is enough for Firefox to make the trackers have to be more invasive.

I don't have to defeat you if I can make you look bad enough to all the observers.


What nonsense. The negative effects are due to Facebook, not because Firefox took defensive actions.


Don't blame the victim, blame the abuser


First we had toggleable cookie and JS settings.

Sites blocked functioning without cookies or JS.

Then we had adblockers.

Sites blocked functionality with adblockers installed.

Then we had Do Not Track.


Then we had GDPR.

Sites: Multi-thousand-word EULAs, TOU, "Accept" vs. "Pound Sand" options, multi-hundred click "choice" dialogues, "your privacy is very important to us (to invade and violate)", and mass geoblocking.

Then we had UTM and FBPID URL tracking parameter stripping.

Sites: Encode tracking data directly into URL as a hash.

Firefox's action isn't simply meant to solve the problem. It's there to highlight the repeated and escalated violation and negation of express personal intent and preference.

No means no.


Do you have any evidence to say that this is the case other than speculation? It's also possible that they just changed the URL format. FWIW `pfbid` seems to be a shortened version of "post fb id" so why would it include the "cl id"?


Rule #n of the internet: If Meta does anything which doesn't explicitly protect the privacy of users, you can safely assume that it harms the privacy of users.


I went to Vice's fb page, found the same post that OP linked to and checked the URL. The pfbid part is exactly the same to me. The URL by default has some additional params attached like __cft__ and __tn__, which can be stripped, and those are probably tracking-related. Based on this, I don't think that pfbid is connected to tracking


If I were Meta, this is how I would implement this. First, get everyone used to the new opaque base64 encoded blob, by using it just like the previous numeric post id. Then, after all the initial speculation dies down, encode other stuff in it.


Are you sure about that? It's not the same for me.



There were also a bunch of other query params junk after that I omitted here for brevity.


Facebook will Facebook, that's a given. But why aren't FB employees (anonymously) responding here and explaining how this "pfbid" thing can be circumvented or even what it contains? Where are the actual privacy activists that will do a grep through the FB sourcecode for pfbid and give us the scoop??


It looks like one already explained what this is:


probably takes a certain mentality to still be working at facebook and the people who cared enough to do this sort of thing left instead


Multiple other companies doing the same thing would point to a trend.


what's the reason to change from the old format if that's all it does?


Makes a lot of sense— thanks!


I suppose Firefox could remove this new encoding too


Not that easy, unless the URL pfbid thingy can be easily parsed into separate "post id" and "tracking id" parts — which I bet it cannot.

One alternative, which would require significant effort and investment but would be a brilliant way to outsmart Facebook's crap, would be to accumulate pfbids in a common pool such that, if a given pfbid points to post X, fetch a different random pfbid that points to post X. If the initial pfbid is not recognised, add it to the pool once the post is determined, either as a new alternative for a known post, or as a novel entry.

Of course, FB would hate it and would either try to expire old pfbids (and risk breaking "legitimate" links) or use legal threats, which would require them to openly admit that they don't give a shit about people's privacy preferences.


Problem, I think, is that only Facebook can know the X such a url points to without accessing it.

So, upon seeing a new one, you’ll have to resolve it. Only then would you be able to tell what other URLs it’s equivalent to.

One way to gain anonymity there is to do that from a proxy, but such proxies would be detectable from the amount of pages they request from Facebook.

It also looks like they already thought about replays of URLs. For me, currently says:

“It looks like you were misusing this feature by going too fast. You’ve been temporarily blocked from using it.

If you think that this doesn't go against our Community Standards, let us know.”

So, chances are they also thought about users exchanging URLs (e.g. by having each running instance of Firefox read Facebook URLs for other instances). It is possible that (a part of) your Facebook user ID also is encoded in each URL.


Smart but now there’s another third entity you have to trust to aggregate all this personal information from a slew of users just to… avoid the same situation initially? Sort of seems like only a marginal improvement.


Not really. pfbid needn't be a hash. You can take the plain text url, which can be ".../random.user/post/post_number", append a random salt, and encrypt it using a key which is a function of "f(random.user)". That way you get unique encodings for each shared URL and every time you decrypt just discard the random bit. Defeats all pooling/reverse engineering efforts and offers perfect user isolation (each user has their own key).


> try to expire old pfbids (and risk breaking "legitimate" links)

Or encode some versioning scheme, and keep trying various versions until one comes up with a valid link. If we can think of these things in seconds, so can the engineers at FB.


presumably they've encrypted/MAC'ed it, so you can't without breaking the link


Sounds like this calls for some browser extensions

Beyond privacy I'm interested in generally a browser extension that disables things that provide free labor to for-profit enterprises, such as hiding the moderation queue (which even has an annoying persistent badge) on StackExchange sites, the one that asks me to provide unpaid labor to private equity and has various rules that sound nice if it were a public utility but primarily work to improve their SEO.


By your same logic, participating on HN is free labor to a VC firm. I don't see how you can draw the line with a general-purpose extension other than simply actively avoiding things you don't want to do through your own volition.


Most likely can’t be fixed by an extension and also to the parent poster, Firefox can’t strip this info out because the encoded string (how I read the original question) includes the actual metadata about what’s to be displayed. Looks like fb won this round.


free labor lol, they're providing a service. For free, where free = no money. They give users a way to share with each other, ways to organize events, ways to sell things, ways to send messages with each other, ways to make calls to each other, ways to have video chat with each other, all for free (again free = no money). In return they put ads in your face and to make those ads more relevant they look at whatever data they can gather.

I don't like being spied on but geez, they aren't getting free labor. They're paying like crazy. As someone that once had a > $1000 phone bill it's amazing to me I can video chat with friends all over the world via FB's services and pay no direct money to do it and that to keep up with them I can now just post to fb instead of sending out a newsletter or writing each individual person


Isn't answering questions providing free labor to StackOverflow too? Providing way more value to their company? Do you draw a line between answering and reviewing?


The extension would likely need some sort of FB proxy in order to decode the provided URL to its canonical source.

That is, when copying a FB URL, you'd take the supplied value, feed that to the proxy, get the translated (and presumably canonical URL), and feed that to the clipboard buffer or share dialogue.

Needless to say, a fucking PITA.


Facebook could also just make it completely opaque, and just add random data to their urls(by which I mean a+b=c, not a+b=ab), and then subtract it on their end. Then you literally might not be able to see anything, not even the webpage directory.


So: pass the URL to FB to decode to canonical value, and return that for further operations (share, copy/paste, etc.).

This would have to be through an extension or an internal browser function.

The canonicalisation request would have to be w/o the initial person's FB identifiers as part of the request (e.g., cookies, etc.). FB might cotton on to immediate re-requests after URL provision, though that would be an interesting approach and yet further signs of expressly violating expressed intent.


Here is a good way to do it, block the entire domain :)

Piece of s**


They literally just announced they were doing it.


That's the old encoding (fbclid), not the new one (pfbid).


Wouldn't be the first time they implemented direct anti Facebook features.


Even if it can, it won't the next one. Which fb simply encrypts to url (assuming it is not encrypted already)


Why on earth would Facebook think it is ok to bypass that? This should be considered a violation of the CFAA. Start putting Facebook execs in federal prison.


I'm all for throwing facebook execs behind bars, but what part of the CFAA would cover encoding tracking data in a URL?


This is Facebook actively circumventing their users' explicit requests to not be tracked :) They have no respect for you


It’s the price you pay to use the platform because it’s free.


Are you implying they would not do it if it was paid? The Samsung TV I paid for is filled with ads in the home screen. I pay $30 a month for cable tv and I'm still forced to see 30 minutes of ads for every mere 5 minutes of actual content. They would absolutely still do this even if Facebook was paid.


It’s not as simple as that I believe. It’s a combination of user awareness, free market forces, mission and values, shareholder expectations, greed and unit economics (which, the latter, isn’t an issue for fb). Facebook responds to their shareholders, but luckily they don’t have a monopoly anymore (anecdotally from what I can read, besides the small but growing number of adults that are leaving the platform a decent amount of the younger generation isn’t even on it to begin with). I think it’s simply about those handful of metrics and forces that makes them do what they do.


It is interesting you say that because there are other means of advertising than user tracking. Take context sensitive advertising for instance, you currently look at an article about harddrives it is likely you may be interested in computer hardware - so let's display computer ads.


The behaviour of facebook and google for the past ten years suggests that revenue from tracking based ads must be multiple times that of plain old contextual ads, hence the continued push down this path?

You don't suddenly decide to stop doing evil for just a few percentage points after all.


This doesn't work because articles about hard drives don't represent enough ad impressions to fulfill the volume requirements of an ad campaign.


That’s what AdSense did for over a decade. Then they switched to user interest based ads, because they convert a lot better.


Facebook is in the business as a public company to drive shareholder value, and one way they do that is by tracking users and generally abusing the privacy of their users.

So, if you don't like that or have moral issues or whatever hangups you want to conjure up to hate on them: don't be a customer. And don't be an investor. It's as simple as that.


Each family of four in the 1 billion population of the wealthiest nations (US, EU, Japan, Canada, Australia, NZ, ..) are paying on average $486 to Facebook through ad spend subsidised by their purchases, whether they use the site or not.


I don't use the platform, and I don't accept that cost


But if you don't use the platform then this new link format doesn't affect you?


Except facebook still tracks you, knows who your friends are and knows where you've been (even if your friends weren't there you're in the background of a stranger's photo)


this is the way


They would not stop tracking you even if you pay. There are countless examples of this.

The only way to win is not to use them.


If only it were that easy!

The only way to win is to bend over backwards to block all of their various tracking garbage that is hiding in the majority of internet websites.

And I suspect that even the most stalwart soldier in this fight is probably still losing somehow.


FB is an advertising platform that depends on the number of eyeballs. This number is already dropping. The more user-hostile they become, the worse for their bottom line in the long term, in spite of potential short-term gains, if any.


I wouldn't expect a market solution for privacy woes


There can be a lot of pain and harm delivered before the market becomes rational.


> It’s the price you pay to use the platform because it’s free.

? That doesn't make sense. It is most certainly not "free" and the real price is one that is far more than the costs of providing their services. The problem is that joe user doesn't understand the value of what they are paying so Facecrook is selling trinkets to the natives for land.




The feeling is mutual


Your annual cost is $0, tbf


Facebook's 2021 revenues were $117 billion, virtually all advertising income.

That comes from products advertised through FB, most of which are marketed toward the roughly 1 billion wealthiest residents of the world: US, EU, Japan, and a few other rich countries.

Some complex maths suggests this works out to $117 per individual ($468 for a household of four), whether or not they use Facebook.

Facebook is not without costs, either in direct monetary support or externalised costs of the network.

Facebook tracks individuals outside of its platform, including those who do not have accounts on the platform at all.

The fact that participation has no gated cost is an intentional design of the system --- Facebook's users are the product sold to Facebook's customers, the advertisers.

People have a right to criticize and protest independent of whether they are customer, product, unwilling supporter, or collateral damage.


0 justification for privacy abuse, tbf

As a user have no debt to them just because they offer something for free. Maybe you psychologically feel that way (reciprocity is a common psychological effect that is exploited in marketing)


They can show ads to users in exchange for the users getting a service for free, without being incredibly intrusive in how they target ads.


I don't agree. If the data is worth something, I think they owe its users a share of it. So I'd argue the users are being forced to leave money on the table and it's actually a negative transaction.


I’m not responsible for the business decisions Facebook makes. It’s their choice to make it $0. Can I pay if I wanted to? No.


Your ability to participate is also optional.


Having an extension or something that removes query string parameters is not an explicit request to not be tracked.


Not sure why you're getting downvoted, but yeah there's no public API and promise of stability there.


that's completely obvious. do you two want some more clarity?




It appears the old urls still exist, they are just sort of hidden.

Your VICE link is also here, for example:

Edit: To find the old style url, use /plugins/post.php with the new style url passed as a url encoded param value for "href", like:

Then, there's a timestamp like "10 minutes" ago in the returned page that leads to the old url.

I imagine you could make a browser plugin out of that.


Cool find— thanks!


Along these lines, someone else mentioned that Tiktok embeds direct tracking into URLs already.

Twitter recently started adding a 't=' param to their share links [0] as well, and I can only guess that it's some kind of similar tracking scheme. From watching browser traffic it appears to be generated when you click the share button, but I might be wrong about that.

[0] - the first thing in my feed. Link works fine without any of the query params, of course.


the params are included when sourcing a shareable link from the website/app (direct links don’t have this). This is a move to mimic tiktok’s aggressive tracking practices.

Twitter appears to be just analyzing who shares what with whom, but hasn’t moved into using it for ‘growth hacking’ like tiktok yet (i.e. join cmg, who shared this link on Twtr)


I don’t have any super-special insight here, but FBID is facebook’s global integer ID namespace (fun fact: Zuckerberg’s account is 3, back in the day he was always getting random friend requests from people’s unit tests). Don’t know what a “p”-FBID is.

I know symmetric encryption is reasonably cheap these days, but anything times “Facebook edge requests” is a lot, I bet any of the cryptographers on here could find out pretty quickly what’s in that blob.


"p-FBID" probably means "path FBID" in contrast to query string ones.


4, not 3


What are/were IDs 1, 2, and 3 for, then?

VKontakte, the Russian Facebook, has another ID system entirely: each namespace kinda gets its own ID sequence. Pavel Durov is unsurprisingly ID 1. Group 1 is the group for app developers, but no idea what it was initially. Other objects are identified by a (type, owner ID, object ID) triplet, the object ID is unique within the type and the particular database server that's chosen based on the owner ID. Really simple to work with once you get into it. Does Facebook use a single global ID namespace for everything?


Facebook engineers know that VK engineers are serious as a heart attack.

It’s 4 because he was prototyping the ID system.

Facebook, as well as VK, have gotten quite fancy since about partitioning 64 bits.


Haha that’s right, good catch. You can tell it’s been awhile since I tested in prod. :)


I have a feeling Facebook looks at URLs as an unfortunate requirement for running their walled garden in browsers. The more opaque, the better for their business.


I'm 90% certain the old number was an FBID. The new one looks like a different FBID encoding scheme - possibly with the type info included ('p') to reduce the overhead of a second data fetch.

FBIDs are a globally unique id system that they've been using for almost as long as they've been around, if not actually from the beginning.




Here's how a browser could counteract this privacy-busting measure:

When the user clicks one of these links, the browser could open it in a headless tab and wait for the URL to change to a non-facebook URL. The browser then remembers that URL, closes the headless tab, and navigates to the underlying URL with tracking parameters stripped.


I noticed TikTok does something similar. For example, if you copy a link to a creator's page while logged in, your profile is encoded into the URL and your name and photo are displayed alongside the linked content. It's two steps to fix it - open the encoded link yourself, remove the extra data, then send the cleaned link.


Oh it’s nothing, just something to make your life easier. Oh, and to make your life better as well. Just ignore it and keep using Facebook.