Ask HN: What is with the new URLs on facebook.com?
275 points by thrusong on July 16, 2022 | 266 comments
Hi HN,

I've noticed recently Facebook has started using URLs which seem to include encoded information.

For example, this URL to Vice: https://www.facebook.com/VICE/posts/pfbid02XdVziPTwhmPU9XzBq...

It's a pretty URL with some kind of hash at the end beginning with "pfbid."

Whereas they used to look like basic sharded URLs: https://www.facebook.com/random.username/posts/1020832750980...

Is this for more targeted tracking on posts and links being shared, a new sharding scheme, a combination of both, or something else entirely?

Appreciate any insights the community can provide.




Firefox recently started stripping out tracking URLs [0] and the most prevalent one is Facebook with its ?fbclid= so it looks like they're encoding it straight into the URL now to bypass that, Medium does similar also.

[0] https://www.engadget.com/firefox-can-now-automatically-remov...


It's opt-in behavior. So Facebook is explicitly countering opt-in requests for privacy (without informing you)


See also: all the companies scrambling to circumvent App Tracking Transparency, in which they are not only being duplicitous, they're also breaking the new agreements formed with the app store and the customer.

Tracking has been a grey area in technology. Now that regulations and users are trying to scrape back some control over their privacy, it's going to be a lot clearer to see the line between moral and amoral behavior in companies.


App Tracking Transparency only forces you to do what you must have already been doing to comply with the GDPR (and potentially even the earlier ePrivacy Directive).

Any complaints about ATT should've been considered admissions of guilt by the EU regulators and prompted investigations.


This is the kind of thing that should be illegal.


Once upon a time, I would ship word docs with a remote image using a unique URL that I host. When someone opens the word doc (and accepts remote images) the URL is fetched and I know when someone opened a doc that was destined for a particular recipient.

It's quite interesting when the doc intended for a specific recipient is opened in 15 different geographical areas. Even more interesting when that specific recipient was under an NDA.

My question to you is if this should be made illegal? (since it is the same action facebook appears to be doing)


I didn't know Facebook was protecting documents under NDA.

Can you provide references?


Oh apologies I didn’t realize it was only Facebook that would be specifically targeted in the law. By all means, please continue!


And who do you think has the lobbying, law-making, and regulatory advantage here? Facebook or 5 billion disaggregated people around the world?

https://en.wikipedia.org/wiki/The_Logic_of_Collective_Action


You should be able to change how URLs work for your own website. They're not making any promise of stability here.


You can. The problem is that they're changing them to actively and intentionally circumvent the expressed wills of people visiting their site.

I'm allowed to move my arms like I want, but that doesn't give me the right to push people off cliffs.


Very poor metaphor.

The will of the (informed) visitor doesn’t matter when they are visiting a place. I can’t have an intention to take a painting from a museum, ranging about the museum making it hard


Should we also ban sites formatting their pages so that you can't easily block their ads?


That's changing the topic and avoiding the question.

It's also further defending hostile dark patterns and evading explicitly expressed personal intent.

The browser is a user agent, not a publisher or advertiser agent.


Yes, these kinds of tricks by corporations.


I believe the problem is not the ads but the tracking.


Formatting pages to make ad blocking difficult is another example of websites making a conscious choice to thwart user intent.

In both cases, sites are attempting to tie content consumption to content monetization, and users are attempting to get the content without the monetization because they dislike side effects of the monetization.


Most websites track users. Even if they don't try to monetize content or show ads.


you're ignoring political purposes, and the political engagement of even the most vocally apolitical orgs. and you're ignoring abuse of access granted through neglect


Intent matters.


Many sites do this very intentionally, including Facebook. Look sometime at the markup on their "sponsored" disclosures


I would be in favor


I guess they should just be done with it and say if you don’t opt in don’t use FB.


Not when it impacts people's right to privacy and control over their own data. Do you work for Facebook?


I'm all in for making this kind of behaviour illegal by big corporations which is used by a large population.


This is a bold opinion


The times I've seen these corporations doing cunning harmful actions, I've been left with zero sympathy for them.


How many "this should be illegal"s are we going to see on this website before people realize that powerful platforms have the money, power, and politics to lobby their way out of everything? A huge chunk of this was made illegal through the GDPR, and for years on this website everyone said it was a massive overreach. Or maybe we spend 5 years making this specific thing illegal and they circumvent it all in two weeks. Or they just ignore it and pay the paltry fines as a cost of doing business.

Not to mention the giant groups of people working at FAANG here, directly complicit with this behavior, afraid their salary and stock options will tank if anything changes.

Companies have the willpower and money to fight any sort of check on their power, well after the rest of us are all beyond exhausted.


So we should just give up? Yes it's a hard problem trying to regulate the behavior of companies with the resources and determination to subvert consumer rights, but it's not binary, incremental progress is possible. If you have ideas for a better approach perhaps you could share them here.


there are more radical options than incremental reform under a widening power imbalance


One of many benefits of posting "this should be illegal" is that it exposes what people think about the problem.

We think the problem is just the big corp circumventing morals, ethics and even law to make a profit, but how many people here support this behavior?

We are not only talking about people working there, but people from the outside, completely unrelated, saying they are right and that they should keep doing what they are doing.

Maybe we can not fight big corps because they have all the money and power, but people, we definitely can fight them.


another way to put it is that even if there isn't consensus on a legal solution (particularly when those kind of solutions involve state power and violence), it's fine to express and promote a moral stance


There are laws against it (in certain parts of the world at least). Of course, those laws do allow tracking in certain situations. Of course that makes enforcement harder - enforcers need to figure out if this is not an allowed case. Moreover, enforcement agencies vary in execution, with the Irish DPA so bad, their actions are indistinguishable from actively undermining GDPR.


> So Facebook is explicitly countering opt-in requests for privacy (without informing you)

Facebook informs you of their tracking via the privacy policy you agree to when using their services


Right, that’s totally legible to most users.


Tiktok does the same thing when you get a URL to share a video


It’s really creepy too if you don’t know the share url can leak your account name (if you were trying to keep that private)


Just to add some clarity, it's not that it "can leak" your account name, it deliberately pops up your account name and profile photo above the video to anyone that clicks the link.


It is but try to explain this to a regular user and they will call you a tinfoil hat nerd


I don’t think this is that big of a problem today, after so many privacy leaks people are a bit more aware, at least in my experience. Also tiktok actually shows a popup that the link contains information about your account.


Ya, most people get that there is no privacy. Where I think you get more of the "tinfoil hat" accusations is that a lot of people don't care or don't recognize the far reaching implications of lack of privacy.


In my experience most people do understand the basic structure of a URL even if they don't know the proper names for the parts. It doesn't take being a software developer to empirically figure out which parameters are responsible for tracking and delete them before sharing — especially if you see your own username in one of them.


Do “regular folk” really do this though? It is a serious, non provocative question. I strip all cruft off URLs but consider myself privacy aware and technically adept. I don’t think my non-technical friends have any idea about this.


Take a look at the URL you get when you try and share a tiktok video, and tell me which part to delete to remove the tracking


You have to visit it yourself to resolve it to a long link, then you'll get a long URL that has /@username-of-uploader/videos/[video id]?[huge amount of tracking variables]. For now, you're ok with dropping everything after the ? after you resolve out the vm.tiktok.com link shortener.


Not that it makes it any less shitty but you can disable that behaviour in the settings


Until that setting disappears when things get shuffled up after an update or something like that.


I actually had no idea that was an option.


ByteDance has done a really good job making me reconsider whether I’d ever work for Big Tech again.

I have some serious reservations about social media generally, which is why I left to begin with, but between TikTok and Instagram I know hands down who I trust more.


What’s your exact concern with TikTok?


Not sure if this is theirs, but [1]:

> “Everything is seen in China,” said a member of TikTok’s Trust and Safety department in a September 2021 meeting. In another September meeting, a director referred to one Beijing-based engineer as a “Master Admin” who “has access to everything.” (While many employees introduced themselves by name and title in the recordings, BuzzFeed News is not naming anyone to protect their privacy.)

[1] https://www.buzzfeednews.com/article/emilybakerwhite/tiktok-...


Why is this linked to “big tech”? Big tech usually means FAANG which is American when you point out an issue with information going to China.


Sorry I'm not the person who wrote that comment, so I don't know if this is what they were thinking, it was just a guess. It is confusing for me what they meant too.


This sort of nationalism is not useful; when pattern of life data is used to quietly blackmail or extort you it doesn't really matter whether it's your own or a foreign government doing it.


Why would you assume I was being national (implication: racial) about it? The national and cultural loyalties of the people working on these two products are highly similar.

I trust Instagram more because I was in the room when we said “using dwell as the signal and turning the online learning rate to who-the-fuck-cares is a bit much even for us”.

FB/Meta/IG’s bad, bad misses are just policy at ByteDance.


FB deliberately didn’t build this product because it’s kind of intense even as social media goes. Well ByteDance has decided that we’re all selling crack cocaine to 13-year-olds.

If anyone is going to display a modicum of social responsibility around this new lowest common denominator, it’s almost certainly FB.

It’s weird to find myself defending FB but in this instance it’s merited.


Nationalism is not racial. The implication is that you have more of a problem that China is seeing your data vs America just because it’s not your country, rather than both being equally bad (third party seeing and potentially using your data against your best interests or not compensating you for it).

Nationalism is the belief that your country is inherently better than others just because it is your country.

If everyone held this view then there would be no path that doesn’t lead away from national conflict, because all Chinese would choose China and all US people would choose US in these situations, rather than focusing on objective bad actors.


Are there even any good actors, when it comes to national governments?

Not saying that's an excuse for badness, but let's also not pretend that all governments are equally bad. I would rather the US violate my privacy than China, if those were my only choices.

Granted, currently I'm more or less physically out of reach of China's law enforcement, but well within the US's reach. So China having my data -- at least in the short term -- probably can't hurt me all that much. But longer term? Who knows.


"Equally bad" is objectively subjective. The reality is, especially on a long timeline, corrupt is corrupt and a degree of corruption is largely irrelevant. Instead we use the perceived degree of less corruption to justify nationalism and other things, and it's largely a matter of perspective. You probably wouldn't believe me but you ask the average Chinese person and they think the American government is just as corrupt as the Chinese. You may differ in your opinion. Who's right? Who knows? But I know one thing for sure, and it's that it doesn't matter who is less or more corrupt.


I’m on full take with both NSA and GCHQ minimum. I cut power to hardware when I want privacy. My ex-girlfriend is CIA, but uncle works for a defense contractor, and just for fun: I’m one of 10 or 20 colorful figures in tech who make a great story in the last ten years.

Have I seen shit? Yeah! Are you full of shit? Also yeah, unfortunately.


I don’t understand what you’re trying to tell me. Could you elaborate?


I would disagree here. The incentives are quite different, as there are many foreign governments who are actively hostile and use the internet for extremely effective psyops. Social media is the #1 place for psyops with great success.


> The incentives are quite different, as there are many foreign governments who are actively hostile and use the internet for extremely effective psyops.

How does this differentiate them from domestic governments exactly?


For obvious reasons: they want to disrupt society, drop placement in the world, cause internal fractions that divert attention abroad to domestic strife, actively harm populations by spreading dangerous information, move fringes into the center to replace those who are effective with those who are not, cause macro economic harm, replace narratives of foreign adversaries to make them seem friendly or sow doubt that they are in fact doing bad things, rewrite narratives with their value systems instead, destabilize countries and cause civil war, cast doubt on things like democracy to shift the world to autocratic rule, etc etc.

Your question is phrased in a way that would be exactly the kinds of things that foreign adversaries want to achieve online: make people hate their local government so they throw their baby out with the bath water, meanwhile the foreign adversary keeps power with an iron fist and censorship so they don’t suffer the same consequences.


> For obvious reasons: they want to disrupt society, drop placement in the world, cause internal fractions that divert attention abroad to domestic strife, actively harm populations by spreading dangerous information,

Did we really need foreign governments for this? They do it, but we get plenty of it right here at home. Covid made that plain enough, but so have decades of attacks on education and the middle class. In the US we even have government investigations into our own government for wanting to destabilize the country, cast doubt on our democracy and promote civil war.

I'm not saying foreign governments don't play these kinds of games too, but if pointing out my own nation's very real problems and deficiencies makes me sound like foreign adversaries maybe those foreign governments aren't the biggest problem we have and we'd be better served cleaning house and looking at the problems within before pointing fingers at folks outside.


First of all, why would you want additional malfeasance? This is indefensible. It’s like saying with all the police shootings, who cares if foreign armies are going around and shooting people.

Covid made plain that psyops work extremely well. A huge amount of disinformation came that way, in addition to a domestic audience that was very happy to incorporate it. Having a mistrust of authority in the first place makes this frictionless because it means you trust whatever you read online instead of your local authorities. That makes psyops easy peasy.

You can both not want foreign meddling and want to improve your local situation at the same time. Geopolitical issues are never a serial process, and they never end. There will never be a point where everyone agrees the domestic issues are now “fixed and everything is perfect” so now we can focus on the constant foreign attacks. That’s a false start.

Don’t throw the baby out with the bath water. When you burn it all down you’re just left with ashes, and whatever the replacement is almost always cheaper and worse.


You can safely assume that any big company in a G8 country is spilling data to the spook arm of the other 7.


Perhaps but it’s different when it’s an ally and intelligence gathering to face larger threats. That’s not the same thing as trying to bring down another society at large.


As does StackOverflow


It's not encoded though, your user ID is right there and you can strip it out. I agree that it could be clearer like /question/1234?utm_user=5678 instead of /question/1234/5678


Amazon does similar, along with a generally crap description of the product that isn't necessary, you only need the 'dp...' ID.



You could argue that SO at least gives you some benefit - there are badges you can earn for popular shared links.


FB also claims their tracking is beneficial, they can show you more relevant ads this way.

Perhaps there are benefits to everything; is the cost, i.e. losing privacy, worth it?


True but the same can be achieved with just asking the person about their needs/interests or using only public data for ad targeting.

Second, this only applies to Facebook users, and yet they also track non-users despite them not even going to be shown any advertising.


Instagram does the same as well with your user ID as a query param when you share or copy a link.


Tracking query string params in urls is nothing new, and it's easy to spot.

What tiktok does (and it looks like Facebook is starting to do) is generate you a completely unique URL when sharing a video. Copy a tiktok video URL and you get something like tiktok-dot-com/video/abc456def - that ID at the end is unique to you. There's no tracking params to remove from the video because they encode the video ID and your user ID in the same 'field'


Well I didn't say this was "something new".

Your comment is somewhat accurate, but not the whole story.

A copied Tiktok share URL looks like this:

    https://www.tiktok.com/t/<unique_id>/?k=1

When pasted into a browser though, it redirects to the normal post URL:

    https://www.tiktok.com/@<author_username>/video/<video_id>?_t=<tracking_id>&_r=1

From there the tracking ID can be easily removed (by one's self) from the query params. This is in contrast to Facebook's new approach.
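
The distinction drawn in the comments above, as an added example that is not part of the original thread: a cleaner can drop tracking query parameters, but it can only flag an opaque path token, because removing that token breaks the link. The parameter names are the ones mentioned in the thread; the URLs, ids and function names are constructed for illustration.

```javascript
// Added example (not from the thread). Query parameters named in the thread
// as tracking-related; `utm_` and `__cft__` are matched as prefixes because
// they appear with suffixes such as utm_source or __cft__[0].
const TRACKING_PARAMS = new Set(["fbclid", "__tn__", "_t", "_r"]);
const TRACKING_PREFIXES = ["utm_", "__cft__"];

function isTrackingParam(name) {
  const n = name.toLowerCase();
  return TRACKING_PARAMS.has(n) || TRACKING_PREFIXES.some((p) => n.startsWith(p));
}

function isHost(url, domain) {
  // Exact host or a subdomain of it, so "nottiktok.com" does not match.
  return url.hostname === domain || url.hostname.endsWith("." + domain);
}

// Path segments that identify the content and may also identify the sharer.
// They cannot be removed client-side without breaking the link.
function opaqueSegments(url) {
  const segs = url.pathname.split("/").filter(Boolean);
  const found = [];
  segs.forEach((seg, i) => {
    if (/^pfbid[0-9A-Za-z]+$/.test(seg)) {
      found.push(seg); // new-style Facebook post token
    } else if (isHost(url, "tiktok.com") && segs[i - 1] === "t") {
      found.push(seg); // TikTok share link: /t/<unique_id>/
    }
  });
  return found;
}

function cleanUrl(input) {
  const url = new URL(input);
  const removed = [];
  // Snapshot the keys first: deleting while iterating skips entries.
  for (const key of [...new Set(url.searchParams.keys())]) {
    if (isTrackingParam(key)) {
      removed.push(key);
      url.searchParams.delete(key);
    }
  }
  return { url: url.toString(), removed, opaque: opaqueSegments(url) };
}

// Constructed sample inputs.
const SAMPLES = [
  "https://www.facebook.com/VICE/posts/pfbid0ConstructedSampleToken123?__cft__[0]=AZX&__tn__=%2CO&fbclid=abc",
  "https://www.tiktok.com/@author/video/7000000000000000000?_t=8constructed&_r=1&lang=en",
  "https://www.tiktok.com/t/ZTconstructed/?k=1",
];

for (const s of SAMPLES) {
  const r = cleanUrl(s);
  console.log(r.url, "| removed:", r.removed.join(",") || "-", "| opaque:", r.opaque.join(",") || "-");
}
```

For the short TikTok link the cleaner has nothing to remove until the redirect has been followed, which is the step the comment above describes doing by hand.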


Instagram === Facebook

So not much surprise here.


+1 this is likely the situation. I would bet that the rest of the url resolves to the old format with the search param after some decoding.


That was such a naive move by firefox tbh


Perhaps a bit more explanation is needed considering the downvotes: https://news.ycombinator.com/reply?id=32118663&goto=item%3Fi...

This is an arms race firefox would lose. I think if anything, firefox trying to race it is now negatively affecting anyone that was able to manually remove tracking id themselves (or use a browser extension)


Ad-blocking, like content piracy, are activities that are ignored and can flourish in the fringes. Once they go mainstream and become threats to profit margins, considerable resources will be brought to bear to fight them.


So the ultimate question is: how do we make sales executives look like a threat to profit margins?


The only way I can think of is to make profits above a certain level unprofitable by taxing them at a high rate with ratcheting without bracketing (i.e. any amount up to $X billion taxed at 10%, but anything greater than $X + $0.01 will be taxed at 60% for the entire amount, resulting in a tax graph that is discontinuous for profit vs. tax). Profits can be tinkered with, so perhaps do that with revenue instead. Then, companies of a certain size will have no need for sales executives, and will be punished by Wall Street for exceeding optimal sales targets.


This will make whole internet fragmented, why serve customers beyond revenue target, so best products will be available only to most profitable customers.


One could say the car industry is also "fragmented": but we have up-market OEMs and Toyota/Honda.


Isn’t this already the common theme in capitalism?


It is enough for Firefox to make the trackers have to be more invasive.

I don't have to defeat you if I can make you look bad enough to all the observers.


What nonsense. The negative effects are due to Facebook, not because Firefox took defensive actions.


Don't blame the victim, blame the abuser


First we had toggleable cookie and JS settings.

Sites blocked functioning without cookies or JS.

Then we had adblockers.

Sites blocked functionality with adblockers installed.

Then we had Do Not Track.

Sites LOLWUTFU

Then we had GDPR.

Sites: Multi-thousand-word EULAs, TOU, "Accept" vs. "Pound Sand" options, multi-hundred click "choice" dialogues, "your privacy is very important to us (to invade and violate)", and mass geoblocking.

Then we had UTM and FBPID URL tracking parameter stripping.

Sites: Encode tracking data directly into URL as a hash.

Firefox's action isn't simply meant to solve the problem. It's there to highlight the repeated and escalated violation and negation of express personal intent and preference.

No means no.


Do you have any evidence to say that this is the case other than speculation? It's also possible that they just changed the URL format. FWIW `pfbid` seems to be a shortened version of "post fb id" so why would it include the "cl id"?


Rule #n of the internet: If Meta does anything which doesn't explicitly protect the privacy of users, you can safely assume that it harms the privacy of users.


I went to Vice's fb page, found the same post that OP linked to and checked the URL. The pfbid part is exactly the same to me. The URL by default has some additional params attached like __cft__ and __tn__, which can be stripped, and those are probably tracking-related. Based on this, I don't think that pfbid is connected to tracking


If I were Meta, this is how I would implement this. First, get everyone used to the new opaque base64 encoded blob, by using it just like the previous numeric post id. Then, after all the initial speculation dies down, encode other stuff in it.


Are you sure about that? It's not the same for me.

OP: https://www.facebook.com/VICE/posts/pfbid02XdVziPTwhmPU9XzBq...

Me: https://www.facebook.com/VICE/posts/pfbid0TbuHEaGP2fLTRDFRTu...

There were also a bunch of other query params junk after that I omitted here for brevity.


Facebook will Facebook, that's a given. But why aren't FB employees (anonymously) responding here and explaining how this "pfbid" thing can be circumvented or even what it contains? Where are the actual privacy activists that will do a grep through the FB sourcecode for pfbid and give us the scoop??


It looks like one already explained what this is: https://news.ycombinator.com/item?id=32119684


probably takes a certain mentality to still be working at facebook and the people who cared enough to do this sort of thing left instead


Multiple other companies doing the same thing would point to a trend.


what's the reason to change from the old format if that's all it does?


Makes a lot of sense— thanks!


I suppose Firefox could remove this new encoding too


Not that easy, unless the URL pfbid thingy can be easily parsed into separate "post id" and "tracking id" parts — which I bet it cannot.

One alternative, which would require significant effort and investment but would be a brilliant way to outsmart Facebook's crap, would be to accumulate pfbids in a common pool such that, if a given pfbid points to post X, fetch a different random pfbid that points to post X. If the initial pfbid is not recognised, add it to the pool once the post is determined, either as a new alternative for a known post, or as a novel entry.

Of course, FB would hate it and would either try to expire old pfbids (and risk breaking "legitimate" links) or use legal threats, which would require them to openly admit that they don't give a shit about people's privacy preferences.


Problem, I think, is that only Facebook can know the X such a url points to without accessing it.

So, upon seeing a new one, you’ll have to resolve it. Only then would you be able to tell what other URLs it’s equivalent to.

One way to gain anonymity there is to do that from a proxy, but such proxies would be detectable from the amount of pages they request from Facebook.

It also looks like they already thought about replays of URLs. For me, https://www.facebook.com/VICE/posts/pfbid02XdVziPTwhmPU9XzBq... currently says:

“It looks like you were misusing this feature by going too fast. You’ve been temporarily blocked from using it.

If you think that this doesn't go against our Community Standards, let us know.”

So, chances are they also thought about users exchanging URLs (e.g. by having each running instance of Firefox read Facebook URLs for other instances). It is possible that (a part of) your Facebook user ID also is encoded in each URL.


So create an extension which feeds the URL to FB when it is first requested, find the canonical URL, and return that to the clipboard / share dialogue.


Smart but now there’s another third entity you have to trust to aggregate all this personal information from a slew of users just to… avoid the same situation initially? Sort of seems like only a marginal improvement.


The third party can’t really do much with this data.


The third party can still see which users decode the exact same string, thus derive relationship networks. (If I regularly share links to my friends they all resolve it at the third party to the "canonical" form, that third party then knows that all those are my friends)


Assuming you can even decode it. Could just be an encrypted string.


It doesn't even need to be that. If I were facebook, that string would just be an index in some internal Facebook key-value store.


Not really. pfbid needn't be a hash. You can take the plain text url, which can be ".../random.user/post/post_number", append a random salt, and encrypt it using a key which is a function of "f(random.user)". That way you get unique encodings for each shared URL and every time you decrypt just discard the random bit. Defeats all pooling/reverse engineering efforts and offers perfect user isolation (each user has their own key).


> try to expire old pfbids (and risk breaking "legitimate" links)

Or encode some versioning scheme, and keep trying various versions until one comes up with a valid link. If we can think of these things in seconds, so can the engineers at FB.


presumably they've encrypted/MAC'ed it, so you can't without breaking the link
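
Why a client-side cleaner cannot split such a token, as an added example that is not part of the original thread and not Facebook's actual scheme: it follows the comments above (random salt, a key derived per page owner, authenticated encryption) using AES-256-GCM from Node's `crypto` module. The `tok` prefix, the function names, the payload fields and all ids are hypothetical.

```javascript
// Added example (not from the thread; a hypothetical scheme, not Facebook's).
const crypto = require("node:crypto");

// Hypothetical server-side secret; never leaves the server.
const SERVER_SECRET = crypto.randomBytes(32);

// Per-page key, the f(random.user) idea from the comment: HMAC(secret, page).
function pageKey(pageName) {
  return crypto.createHmac("sha256", SERVER_SECRET).update(pageName).digest();
}

// Token layout: "tok" + base64url(nonce[12] || ciphertext || tag[16]).
// The random nonce plays the role of the "random salt": every share of the
// same post yields a different token.
function mintToken(pageName, postId, sharerId) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", pageKey(pageName), nonce);
  cipher.setAAD(Buffer.from(pageName)); // bind the token to the page in the URL
  const body = Buffer.concat([
    cipher.update(JSON.stringify({ postId, sharerId }), "utf8"),
    cipher.final(),
  ]);
  return "tok" + Buffer.concat([nonce, body, cipher.getAuthTag()]).toString("base64url");
}

// Server-side resolution. Returns null when the tag does not verify.
function resolveToken(pageName, token) {
  const raw = Buffer.from(token.slice(3), "base64url");
  if (raw.length < 12 + 16) return null;
  const nonce = raw.subarray(0, 12);
  const body = raw.subarray(12, raw.length - 16);
  const tag = raw.subarray(raw.length - 16);
  const decipher = crypto.createDecipheriv("aes-256-gcm", pageKey(pageName), nonce);
  decipher.setAAD(Buffer.from(pageName));
  decipher.setAuthTag(tag);
  try {
    const plain = Buffer.concat([decipher.update(body), decipher.final()]);
    return JSON.parse(plain.toString("utf8"));
  } catch {
    return null; // altered token, or token minted for a different page
  }
}

// What a URL cleaner without the key is reduced to: changing bytes blindly.
function tamper(token) {
  const raw = Buffer.from(token.slice(3), "base64url");
  raw[raw.length - 20] ^= 0x01; // flip one ciphertext bit
  return "tok" + raw.toString("base64url");
}

// Constructed ids: the same post shared by two different accounts.
const a = mintToken("VICE", "1001", "alice");
const b = mintToken("VICE", "1001", "bob");
console.log(a !== b, resolveToken("VICE", a), resolveToken("VICE", tamper(a)));
```

The two tokens share no visible structure, both resolve to the same post on the server, and any edit makes the link invalid, so the only client-side options are to keep the token whole or to resolve it through the service.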


Sounds like this calls for some browser extensions

Beyond privacy I'm interested in generally a browser extension that disables things that provide free labor to for-profit enterprises, such as hiding the moderation queue (which even has an annoying persistent badge) on StackExchange sites, the one that asks me to provide unpaid labor to private equity and has various rules that sound nice if it were a public utility but primarily work to improve their SEO.


By your same logic, participating on HN is free labor to a VC firm. I don't see how you can draw the line with a general-purpose extension other than simply actively avoiding things you don't want to do through your own volition.


I agree with the logic, and am free to criticize even if I engage as an individual without power

I think a good place to start would be with user awareness


That's called hypocrisy :)


I'm well aware and don't give a shit, I'm not the one as an individual causing the problems in the first place and have no individual power to correct it. But you're free to go spend your time and energy attacking victims of these behaviors as complicit, like a "gotcha" for why these powers deserve to go unchecked


"And yet, I see you participate in society."

Sorry about the quote marks; from memory, so probably not an exact quote.



Most likely can’t be fixed by an extension and also to the parent poster, Firefox can’t strip this info out because the encoded string (how I read the original question) includes the actual metadata about what’s to be displayed. Looks like fb won this round.


At least for now, facebook has an endpoint that converts from new to old.

https://www.facebook.com/plugins/post.php?href=URL_ENCODED_N...

Returns references to the older style url in the returned html.

I also noticed it's calling that new style base64 string a "story_token" in places, and uses it in conjunction with "page_token" set to "VICE" in this case.


Thanks for digging this up! Looks like a path forward


Nitpicky, but isn't this action actually illegal in some jurisdictions?

For example in France: « Obstructing or distorting the operation of an automated data processing system is punishable by five years' imprisonment and a fine of €150,000. »


maybe! lots of reasonable anti-capitalist action is illegal. it's good to be aware but nothing to be respectful of


But fetching data from an http server by giving it a URL is what it's for; how can that be "Obstructing or distorting" it?


I was actually wondering why the big trackers haven't implemented this yet and how much time it will take them to switch. I mean, the tracking part of the URL is so obvious it's just sitting there and asking to be removed. Most tech people do that, also some extensions, and now Firefox. So it was just a question of time.


Not true if people just choose to stop or slow their use of Facebook. Most of my friends there are barely active. I never use the app, only desktop with ad blocking, but still, nothing there is really interesting to me, so I'm rarely on FB at all. Across the web I never use it to authenticate, and if a private company asks me for any personal info, it's usually inaccurate info that I enter.

I have remembered a fake birth date, fake home address, and other details that I use for all these sites, unless they're related to commerce or legally justified purposes. We do not need to provide accurate info to private companies that mis-use our data (provided it is not required for our own reputational purposes).


Golly is Facebook extremely boring, dull, and utterly a user experience nightmare... I miss all my friend's birthdays frequently because the experience is so undesirable and unenjoyable on it.

Twitter is also fast becoming my least favorite thing to use as well because of a habitually botched user experience.


the point isn't the one individual service or actor, these behaviors are incentivized and enabled systematically and will repeat


free labor lol, they're providing a service. For free, where free = no money. They give users a way to share with each other, ways to organize events, ways to sell things, ways to send messages with each other, ways to make calls to each other, ways to have video chat with each other, all for free (again free = no money). In return they put ads in your face and to make those ads more relevant they look at whatever data they can gather.

I don't like being spied on but geez, they aren't getting free labor. They're paying like crazy. As someone that once had a > $1000 phone bill it's amazing to me I can video chat with friends all over the world via FB's services and pay no direct money to do it and that to keep up with them I can now just post to fb instead of sending out a newsletter or writing each individual person


Many sites offer these things for free without the need to track you around the internet. Facebook's business model breaks social expectations of privacy. They make a lot of money because they sell other people your data through ad targeting.

Facebook controls the barely tech literate crowd by offering an aol type experience.

These services are popular with the masses. No one cares that they give data to facebook so they can be sold more things and leave them poorer.

You end up paying facebook no direct money but you have less money and spent when you didn't need to.


The only time I fill out pop-up surveys is when I want to enter wildly inaccurate data about myself. That time back when Facebutt forced everyone to use their government names (as if it was an authentic requirement) I was shocked at how many people caved into entering their full name.

Companies are having a field day with all this data collection. I hope they get real karma for the deception.


there'll be no karmic payback or redemption story without organized action against the root of these behaviors. there's certainly no hope in a market solution


FB costs each family of four in the US, EU, Japan, and other wealthy nations roughly $468/year whether they use the service or not.

https://news.ycombinator.com/item?id=32118404


I don't care, there are ways to build public goods services


Isn't answering questions providing free labor to StackOverflow too? Providing way more value to their company? Do you draw a line between answering and reviewing?


yeah I would like to have a public space to help my peers and am trying to build that in adjacent spaces


The extension would likely need some sort of FB proxy in order to decode the provided URL to its canonical source.

That is, when copying a FB URL, you'd take the supplied value, feed that to the proxy, get the translated (and presumably canonical OR), and feed that to the clipboard buffer or share dialogue.

Needless to say, a fucking PITA.


Facebook could also just make it completely opaque, and just add random data to their urls (by which I mean a+b=c, not a+b=ab), and then subtract it on their end. Then you literally might not be able to see anything, not even the webpage directory.


So: pass the URL to FB to decode to canonical value, and return that for further operations (share, copy/paste, etc.).

This would have to be through an extension or an internal browser function.

The canonicalisation request would have to be w/o the initial person's FB identifiers as part of the request (e.g., cookies, etc.). FB might cotton on to immediate re-requests after URL provision, though that would be an interesting approach and yet further signs of expressly violating expressed intent.


Here is a good way to do it, block the entire domain :)

Piece of s**


They literally just announced they were doing it.

https://gizmodo.com/firefox-update-stop-url-tracking-chrome-...


That's the old encoding (fbclid), not the new one (pfbid).


Wouldn't be the first time they implemented direct anti Facebook features.


Even if it can, it won't the next one. Which fb simply encrypts to url (assuming it is not encrypted already)


Why on earth would Facebook think it is ok to bypass that? This should be considered a violation of the CFAA. Start putting Facebook execs in federal prison.


I'm all for throwing facebook execs behind bars, but what part of the CFAA would cover encoding tracking data in a URL?


This is Facebook actively circumventing their users' explicit requests to not be tracked :) They have no respect for you


It’s the price you pay to use the platform because it’s free.


Are you implying they would not do it if it was paid? The Samsung TV I paid for is filled with ads in the home screen. I pay $30 a month for cable tv and I'm still forced to see 30 minutes of ads for every mere 5 minutes of actual content. They would absolutely still do this even if Facebook was paid.


It’s not as simple as that I believe. It’s a combination of user awareness, free market forces, mission and values, shareholder expectations, greed and unit economics (which, the latter, isn’t an issue for fb). Facebook responds to their shareholders, but luckily they don’t have a monopoly anymore (anecdotally from what I can read, besides the small but growing number of adults that are leaving the platform a decent amount of the younger generation isn’t even on it to begin with). I think it’s simply about those handful of metrics and forces that makes them do what they do.


It is interesting you say that because there are other means of advertising than user tracking. Take context sensitive advertising for instance, you currently look at an article about harddrives it is likely you may be interested in computer hardware - so let's display computer ads.


The behaviour of facebook and google for the past ten years suggests that revenue from tracking based ads must be multiple times that of plain old contextual ads, hence the continued push down this path?

You don't suddenly decide to stop doing evil for just a few percentage points after all.


> The behaviour of facebook and google for the past ten years suggests that revenue from tracking based ads must be multiple times that of plain old contextual ads, hence the continued push down this path?

I'm not sure that's a given. It seems like mass data collection is profitable in a vast number of ways that have nothing to do with ads which could themselves be more than enough to incentivize google and facebook to continue collecting it.


What other revenue source they have from this data?


There are countless ways this data is used to extract as much money from you as possible. The data being collected by companies and sold by data brokers are used for things like determining how much money you pay for something vs your neighbor. A company might tell you their prices, services, or return policies are one thing, but tell the next person who walks in something much more favorable. Companies have been seen using this data to decide how long to keep people on hold. You aren't told you were bumped to the bottom of the queue to make room for people with a better "Consumer Score", you're just left waiting.

It's used to set how much you pay for things like health insurance. You just see your rates go up. You don't know it's because they saw you spent too much at bars or that people in your zip code increased their spending on fast food over the last 6 months.

Everyone wants their hands on your data to abuse in any way they can to give them an advantage over you. To take advantage of you.

It's being used to manipulate you and to shape your views. It's used to decide if you will be offered a job, or get an apartment. It's sold and resold over and over, to data brokers, but also to governments (including US companies selling that data to the US government). There's an entire multi-billion dollar a year industry around buying and selling the most mundane aspects of your life for this reason.

Every scrap of data that is taken from you can be leveraged against you or sold to someone else on the promise that it could be.


targeted ads for political purposes are also popular


This doesn't work because articles about hard drives don't represent enough ad impressions to fulfill the volume requirements of an ad campaign.


That’s what AdSense did for over a decade. Then they switched to user interest based ads, because they convert a lot better.


Facebook is in the business as a public company to drive shareholder value, and one way they do that is by tracking users and generally abusing the privacy of their users.

So, if you don't like that or have moral issues or whatever hangups you want to conjure up to hate on them: don't be a customer. And don't be an investor. It's as simple as that.


I’m sure you appreciate that the reality is a bit more complex than that, for lots of reasons.

For example, Facebook also abuses the privacy of people who aren’t customers (or more accurately, users). Or maybe cutting yourself off from Facebook would mean cutting yourself off from family or friends. Maybe WhatsApp is essential for your work, or for a community organisation you are part of. Or if you have a pension fund, it almost certainly invests in Meta. There are lots of conflicting priorities and issues that can come up when trying to think about the costs of being a user of a particular platform.

In reality it’s totally fine to think that a service you use is doing something wrong, to complain about them doing it, and to want them to stop. Some might choose to leave the service; others might want to spread awareness about the issue, or call for regulation. And others might shrug their shoulders and accept it anyway.

I’m not sure why you seem so convinced that the only two valid positions are “silently embrace anything they do” and “cut yourself off entirely”.


> only two valid positions are “silently embrace anything they do” and “cut yourself off entirely”.

How about bots, can you use your account sometimes and other times give it to your bot essentially simulating activity and throwing gravel into machinery or will they shut you down?


I see this idea thrown around a lot. Random browsing, random posts/comments, etc. I'm not convinced that anyone collecting your data cares about how accurate it is, and it's clear that the people using that data against you don't care all that much either.

Maybe if you could find a way to fill their logs with the kinds of data that actually matter (fake your precise GPS location, fake contacts/friends/relatives with detailed fake histories and fake contacts of their own, fake credit card statements showing fake purchase history, etc) it might be more worthwhile, but you'd still be taking a chance because ultimately your life is going to be changed because of what ends up in the logs being collected.

You could get turned down for a job because your fake bot was a little too interested in drug/alcohol related websites, or maybe you'll be charged more or denied healthcare coverage because your bot made it appear that you were living an unhealthy lifestyle. The fake location data you sent might get you arrested by police if you were one of only a few people logged within a 2 mile radius of a crime.

You can't break down the system by messing with the specifics in your dossier. The system will process your data (the real and the false) just fine and keep right on running. Real or fake, that data will follow you for the rest of your life and it will be all be used against you any time someone thinks it might benefit them to do so.


the point is not individual solutions for these world-scale problems. the point is collective action (or steps toward collective action), to change the "meta". to make tracking more expensive and meaningless at scale, etc.

we can sit around for apple to subvert it (as ppl often celebrate here), except that they're doing the subverting itself subversively: they're pleasing the masses with privacy improvements (chiefly as a competitive edge - it's profitable for their model), while leaving critical options opt-in so that the result is most people stay uneducated and leave enough tracking on to reap partners and the economy huge returns over the last 15 years off ad tracking that end of the day happened on apple's platforms. these kind of solutions make us feel like the capitalists are caring for us in their competition and pacify us, particularly the ones savvy enough to be happy about these privacy options and otherwise savvy enough to have organized people against it if they hadn't felt it was solved for them.


> to change the "meta". to make tracking more expensive and meaningless at scale, etc.

The point is that the cost of tracking stays unchanged no matter what the data you feed it says. It's also just as meaningful in that it will still be collected, sold, used against you and will still have very real impacts on your life. The contents of your data will not and does not impact the machine or its functioning at all. All that matters is that there is data to collect and to leverage against you.

You're right we can't trust companies to save us here. The only solution to this is strong regulation with oversight and teeth. Until we get that, we can only do what little we can to limit the amount of data we give up and increase awareness of what's happening and how it harms us all.


it's a good option, there are more radical options and it seems a bit capitalist realist to promote regulation as the only option available


I'm open to alternatives, even radical ones, but I'm not sure how many of those would be practical. Storming the offices of facebook and burning data centers to the ground seem pretty radical, but are unlikely to be effective. Throwing CEOs in prison seems radical, and I'm all for it, but only after they violate laws that were put into effect which would criminalize their actions.


you might be interested to learn from mark fisher's capitalist realism concept


or if you’re less interested in that concept and would rather see demonstrations of alternatives (and post agriculture, in societies with much higher than dunbar’s number nonsense), graeber/wengrow’s dawn of everything is a mind-altering read that collects modern anthro/archaeological evidence


Fuzzing works very poorly.

It's expensive, it's rarely performed correctly, the actual signal still exists within the noise and can generally be determined.

I'm not saying "don't try", but really, don't bet your life (or anyone else's) on it.


there was a browser extension that showed up on HN some years back that intentionally sends misleading spam to tracking endpoints as you browse


adnauseam


> don't be a customer. And don't be an investor

No one has to accept this false dichotomy. There are far more options. Severely regulate this behavior, force them to break up into smaller companies, declare privacy a right and thus something you can't legally bargain away through accepting a Terms of Service agreement, etc, etc.


this is the classic "neoliberal" take: you as an individual of the poor or working class should focus your energy on fixing worldwide problems through careful consideration of your consumer decisions as individual actors (purchase this product instead of that one, etc.)


[flagged]


I see we've reached your end of this conversation


Does providing targeted ads have to be a privacy violation? If no human ever learns my interests then do I care that a server somewhere "knows" I like fishing rods?


Your religion, political affiliation, taste of porn, etc could also be on a server somewhere too.


that knowledge is actively used for precisely targeting things like inciting genocide lol. we're not all coddled and gentle hobbyists


Each family of four in the 1 billion population of the wealthiest nations (US, EU, Japan, Canada, Australia, NZ, ..) are paying on average $486 to Facebook through ad spend subsidised by their purchases, whether they use the site or not.

https://news.ycombinator.com/item?id=32118404


I don't use the platform, and I don't accept that cost


But if you don't use the platform then this new link format doesn't affect you?


Define "use the platform"

Do you know that almost every "share on Facebook" button on a random news article/blog post collects data from you, if you don't have strong privacy protection enabled? That means even if you have never registered a Facebook account, Facebook could gather your page view data and use that to show ads targeting you on another page.

Same thing here.


We are talking about a new style of Facebook link that has built-in tracking parameters, so that when you click through to a page on Facebook it gets logged in connection with how you got there. If someone never visits Facebook, this new style of link does not affect them.

I agree that Facebook also collects data in other ways, but this is entirely unrelated.


"button on a random news article/blog post collects data from you, " " That means even if you have never registered a Facebook account, Facebook could gather your page view data and use that to show ads targeting you on another page."

What a gibberish. Tell me, how will it technically do that?

On what "another page"? On the same website - yes. So what? Each website can do that.


so what, jesus christ


they still collect a dossier on you, shadow profile.


I thought we were talking specifically about the privacy implications of the new link format? Which is entirely orthogonal to shadow profiles.


idk why you're nitpicking the logic of a discussion that you kicked off w "why would you care about something that doesn't directly affect you specifically". it's embarrassing that hn requires a civil response to that instead of dismissing and moving on lol


Except facebook still tracks you, knows who your friends are and knows where you've been (even if your friends weren't there you're in the background of a stranger's photo).


It's not that Facebook collects that data and knows it. It's rather you who has no idea how the web works, what it's capable of and what's not. As a result, you're coming up with horror stories.


this is the way


They would not stop tracking you even if you pay. There are countless examples of this.

The only way to win is not to use them.


If only it were that easy!

The only way to win is to bend over backwards to block all of their various tracking garbage that is hiding in the majority of internet websites.

And I suspect that even the most stalwart soldier in this fight is probably still losing somehow.


FB is an advertising platform that depends on the number of eyeballs. This number is already dropping. The more user-hostile they become, the worse for their bottom line in the long term, in spite of potential short-term gains, if any.


I wouldn't expect a market solution for privacy woes


There can be a lot of pain and harm delivered before the market becomes rational.


> It’s the price you pay to use the platform because it’s free.

? That doesn't make sense. It is most certainly not "free" and the real price is one that is far more than the costs of providing their services. The problem is that joe user doesn't understand the value of what they are paying so Facecrook is selling trinkets to the natives for land.


"free"


The feeling is mutual


Your annual cost is $0, tbf


Facebook's 2021 revenues were $117 billion, virtually all advertising income.

That comes from products advertised through FB, most of which are marketed toward the roughly 1 billion wealthiest residents of the world: US, EU, Japan, and a few other rich countries.

Some complex maths suggests this works out to $117 per individual ($468 for a household of four), whether or not they use Facebook.

Facebook is not without costs, either in direct monetary support or externalised costs of the network.

Facebook tracks individuals outside of its platform, including those who do not have accounts on the platform at all.

The fact that participation has no gated cost is an intentional design of the system --- Facebook's users are the product sold to Facebook's customers, the advertisers.

People have a right to criticize and protest independent of whether they are customer, product, unwilling supporter, or collateral damage.


> Facebook's 2021 revenues were $117 billion

> Some complex maths suggests this works out to $117 billion per individual

I think you might need some slightly more complex maths


Wups, typo. Corrected.

Thanks.

Point remains that FB extracts a real and significant direct monetary cost.


Advertising isn’t always negative. For example it could alert you to new valuable products or services. Moreover if not FB then advertisers would just go somewhere else. It’s not like it’s the only option for ads.


0 justification for privacy abuse, tbf

As a user have no debt to them just because they offer something for free. Maybe you psychologically feel that way (reciprocity is a common psychological effect that is exploited in marketing)


What is your expectation then? There is a really simple explanation to this: vote with your feet and don't use Facebook.

This is akin to you saying you hate McDonalds hamburgers and then you grudgingly march on into McDonalds every Friday and order one. Make your own hamburgers dude.


That argument doesn't work in light of shadow profile etc.


What if all your friends were going to McDonald's and refused to enter any other restaurant? Would it be easy to stop spending time with them just so you don't have to go to McDonald's?


Same way we have dealt with industry bad actors for hundreds of years. Regulations.


don't care


They can show ads to users in exchange for the users getting a service for free, without being incredibly intrusive in how they target ads.


I don't agree. If the data is worth something, I think they owe its users a share of it. So I'd argue the users are being forced to leave money on the table and it's actually a negative transaction.


The users get a share of it by being able to use Facebook for free


aka a shit deal


It's entirely their choice to make.


lol ok, the off topic libertarian response


Entering an agreement with expected benefits for both parties isn't some libertarian concept.


But the well-informed player playing up the perceived benefits to, and hiding the not-directly-monetary costs for, the chump[1], that very much is.

(Well, it's an arsehole-capitalist concept, but isn't that pretty much what "libertarian" means in practice nowadays?)

___

[1]: User, product, whatever you want to call them.


I’m not responsible for the business decisions Facebook makes. It’s their choice to make it $0. Can I pay if I wanted to? No.


Your ability to participate is also optional.


Until you cannot contact companies and organizations via anything but facebook and whatsapp. I stopped using facebook 10 years ago and have run into this several times. A lot of information is only available on facebook.

Also, your argument is basically victim blaming imo


Debatable given it's well known Facebook are tracking users not logged in or even signed up to their services.


Having an extension or something that removes query string parameters is not an explicit request to not be tracked.


Not sure why you're getting downvoted, but yeah there's no public API and promise of stability there.


that's completely obvious. do you two want some more clarity?


It would be better to just provide it instead of asking.


I'll think about how to make it clearer to you two


It appears the old urls still exist, they are just sort of hidden.

Your VICE link is also here, for example:

https://www.facebook.com/VICE/posts/6037626766270531

Edit: To find the old style url, use /plugins/post.php with the new style url passed as a url encoded param value for "href", like: https://www.facebook.com/plugins/post.php?href=https%3A%2F%2...

Then, there's a timestamp like "10 minutes" ago in the returned page that leads to the old url.

I imagine you could make a browser plugin out of that.
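
Added example, not part of the comment above and not Facebook's code: the lookup it describes, combined with removal of the query-string trackers named in this thread (`fbclid`, Twitter's `s` and `t`), in JavaScript as a browser extension would run it. The `pfbid` token, the sample response HTML and the assumption that the timestamp is a plain `<a href>` are constructed; only the `post.php` endpoint and the numeric VICE URL come from the thread.

```javascript
// Added example. Tracking-parameter names come from the thread; the pfbid
// value and SAMPLE_PLUGIN_HTML are constructed, not captured from Facebook.

// Query parameters the thread identifies as share/click tracking.
const TRACKING_PARAMS = {
  '*': ['fbclid'],            // old Facebook click id, any destination site
  'twitter.com': ['s', 't'],  // added by Twitter's share button
};

function hostMatches(hostname, site) {
  return hostname === site || hostname.endsWith('.' + site);
}

// Remove known tracking parameters, keep everything else in the URL.
function stripTrackingParams(link) {
  const url = new URL(link);
  for (const [site, names] of Object.entries(TRACKING_PARAMS)) {
    if (site !== '*' && !hostMatches(url.hostname, site)) continue;
    for (const name of names) url.searchParams.delete(name);
  }
  return url.toString();
}

// New-style post links carry the identifier in the path, so there is no
// parameter to strip: /<page>/posts/pfbid<opaque token>.
function isPfbidPostLink(link) {
  const url = new URL(link);
  return hostMatches(url.hostname, 'facebook.com') &&
    /^\/[^/]+\/posts\/pfbid[0-9A-Za-z]+\/?$/.test(url.pathname);
}

// Build the /plugins/post.php lookup with the new-style URL as "href".
function pluginLookupUrl(link) {
  const url = new URL(link);
  url.search = '';
  url.hash = '';
  return 'https://www.facebook.com/plugins/post.php?href=' +
    encodeURIComponent(url.toString());
}

// Find the first link in the returned page that points at
// facebook.com/<page>/posts/<digits>. Assumption: the timestamp anchor is a
// plain <a href="..."> element; the real markup may differ.
function extractLegacyPostUrl(html) {
  for (const [, raw] of html.matchAll(/href="([^"]+)"/g)) {
    let url;
    try {
      url = new URL(raw.replace(/&amp;/g, '&'), 'https://www.facebook.com/');
    } catch {
      continue; // unparsable href, skip it
    }
    if (!hostMatches(url.hostname, 'facebook.com')) continue;
    const m = url.pathname.match(/^\/([^/]+)\/posts\/(\d+)\/?$/);
    if (m) return `https://www.facebook.com/${m[1]}/posts/${m[2]}`;
  }
  return null;
}

// Constructed response body standing in for what post.php returns.
const SAMPLE_PLUGIN_HTML = `
<div>
  <a href="https://other.example/VICE/posts/111">off-site link</a>
  <a href="https://www.facebook.com/VICE/">VICE</a>
  <a href="/VICE/posts/6037626766270531?x=CONSTRUCTED&amp;y=1"><abbr>10 minutes ago</abbr></a>
</div>`;

// Resolve one link: strip parameters, and for pfbid links report the lookup
// URL to fetch (without the user's cookies) instead of the opaque link.
function cleanLink(link) {
  const stripped = stripTrackingParams(link);
  return isPfbidPostLink(stripped)
    ? { kind: 'needs-lookup', lookup: pluginLookupUrl(stripped) }
    : { kind: 'clean', url: stripped };
}

console.log(cleanLink('https://www.facebook.com/VICE/posts/pfbid0CONSTRUCTEDtoken'));
console.log(extractLegacyPostUrl(SAMPLE_PLUGIN_HTML));
```

The host check in `extractLegacyPostUrl` matters: the returned page is untrusted input, and without it an off-site link with the same path shape would be accepted as the canonical URL.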


Cool find— thanks!


Along these lines, someone else mentioned that Tiktok embeds direct tracking into URLs already.

Twitter recently started adding a 't=' param to their share links [0] as well, and I can only guess that it's some kind of similar tracking scheme. From watching browser traffic it appears to be generated when you click the share button, but I might be wrong about that.

[0] https://twitter.com/NanoRaptor/status/1548301612246249474?s=... - the first thing in my feed. Link works fine without any of the query params, of course.


the params are included when sourcing a shareable link from the website/app (direct links don’t have this). This is a move to mimic tktok’s aggressive tracking practices.

Twitter appears to be just analyzing who shares what with whom, but haven’t moved into using it for ‘growth hacking’ like tiktk yet (i.e. join cmg, who shared this link on Twtr)


I don’t have any super-special insight here, but FBID is facebook’s global integer ID namespace (fun fact: Zuckerberg’s account is 3, back in the day he was always getting random friend requests from people’s unit tests). Don’t know what a “p”-FBID is.

I know symmetric encryption is reasonably cheap these days, but anything times “Facebook edge requests” is a lot, I bet any of the cryptographers on here could find out pretty quickly what’s in that blob.


"p-FBID" probably means "path FBID" in contrast to query string ones.


4, not 3


What are/were IDs 1, 2, and 3 for, then?

VKontakte, the Russian Facebook, has another ID system entirely: each namespace kinda gets its own ID sequence. Pavel Durov is unsurprisingly ID 1. Group 1 is the group for app developers, but no idea what it was initially. Other objects are identified by a (type, owner ID, object ID) triplet, the object ID is unique within the type and the particular database server that's chosen based on the owner ID. Really simple to work with once you get into it. Does Facebook use a single global ID namespace for everything?


Facebook engineers know that VK engineers are serious as a heart attack.

It’s 4 because he was prototyping the ID system.

Facebook, as well as VK, have gotten quite fancy since about partitioning 64 bits.


> Facebook engineers know that VK engineers are serious as a heart attack.

Lmao. To be honest, it's surprising VK works as well as it does. Especially with all those custom, written-from-scratch databases aka "KittenDB". Oh and did you know that all strings are stored internally in the Windows-1251 encoding? And because it's an 8-bit Cyrillic encoding, characters that can't be represented in it, are stored as HTML entities. The API used to spit strings out exactly as they were stored, except converted to UTF-8, and it has caused me a lot of pain as an app developer. Their removal was a big thing: https://vk.com/wall85635407_3133 (btw here you can see the ID structure: "wall" is the type, wall post, 85635407 is the owner, 3133 is the post ID).

Some ancient version of KittenDB is open source: https://github.com/vk-com/kphp-kdb, I managed to set it up on my server, but tbh you'll be better off using just about any other sufficiently popular database out there. This thing uses a binlog, keeps as much data as possible in-memory, and the schema is very fixed. It's basically a *-engine per every possible purpose.


Also you can integer overflow vk ids and they still work (ex. https://vk.com/id18446744073709551617 and https://vk.com/id1 go to the same place)


Haha that’s right, good catch. You can tell it’s been awhile since I tested in prod. :)


I have a feeling Facebook looks at URLs as an unfortunate requirement for running their walled garden in browsers. The more opaque, the better for their business.


I'm 90% certain the old number was an FBID. The new one looks like a different FBID encoding scheme - possibly with the type info included ('p') to reduce the overhead of a second data fetch.

FBIDs are a globally unique id system that they've been using for almost as long as they've been around, if not actually from the beginning.


Here's how a browser could counteract this privacy-busting measure:

When the user clicks one of these links, the browser could open it in a headless tab and wait for the URL to change to a non-facebook URL. The browser then remembers that URL, closes the headless tab, and navigates to the underlying URL with tracking parameters stripped.


I noticed TikTok does something similar. For example, if you copy a link to a creator's page while logged in, your profile is encoded into the URL and your name and photo are displayed alongside the linked content. It's two steps to fix it - open the encoded link yourself, remove the extra data, then send the cleaned link.



Oh it’s nothing, just something to make your life easier. Oh, and to make your life better as well. Just ignore it and keep using Facebook.


I don't understand. If I click on it.... and? How will that make me less private? Or how will it hurt me in any way?


I wonder if this is related to why mbasic.facebook.com links are regularly breaking now.


Cannot somebody reverse engineer it?


If Facebook engineered this competently, and I’m sure they have competent engineers, it’s either encrypted or totally opaque. If you can break this, you can probably break TLS.


[flagged]


[flagged]


Can you please stop posting unsubstantive and/or flamebait comments to HN? It's not what this site is for, and it destroys what it is for.

If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.


[flagged]


Are you a GPT-3 bot?


[flagged]


What an embarrassing take. So your retort to people crying foul over privacy is to call them hypocrites?


It's social media dude. We're not talking about access to clean water or some other basic human condition where you are trading your privacy for a basic human right.

Yes, you are damn right I'm calling out some of you as hypocrites, because as some of you around here build and scale your products and begin to build out social components of your businesses, you will absolutely walk right up to the line of regulation when it comes to your user's privacy over making your investors happy.


That may be the way you think. But not everybody here thinks that way. Some of us have no interest in giving away our business to investors so they can then push you over and do all kind of crap. And in addition some of us have no interest in extracting the absolute maximum value per user even if it involves unethical things. Because without doing so you can still live an extremely luxurious life.


I concur.

I run my businesses with this in mind, my users' privacy is of the utmost importance to me, and the way I approach managing my business is to gain the good will of my customers first and provide a quality product. And my business is wildly successful.

But I'm under no illusions to the reality of the situation, and I've been around HN long enough to know that the hypocrisy here can be deafening sometimes with regards to social media. The downvotes on my post prove it.

Edit: just to bolster my point, the vast majority of ANY app developer around here on HN will have been to integrate every ad supported SDK in their apps, which literally invades the privacy of those users probably worse than Facebook does, all for a little bump in revenue.


You might be a great and ethical person whose cynicism about the behavior of others grew from experience, but "the vast majority of ANY app developer around here on HN will have been to integrate every ad supported SDK in their apps" is just making up a statistic and getting angry about it.


> do everything they can to extract as much value out of you as a non-paying customer as possible

And that leads to a worse user experience in many areas. You use it for free but it sucks and you sacrifice your data. I'd honestly rather pay $2-4/month for a social media that doesn't suck and doesn't harvest my data.


Social pressure to make business more respectful of human rights when the business is financially incentivised to ignore them is a force for good. Someone has to clutch the pearls.


Good will has business value too.


I completely agree with this. I have direct experience in good will to my users on my businesses.

I completely removed advertising from one platform, and for my paying customers, I have made the conscious decision to not automatically charge and bill my customers for their subscriptions unless they explicitly opt-in for reoccurring charges. Those two "good will" components have generated enormous good will with my customer base at the expense of significant revenue.

The flip side of that is that unfortunately good will doesn't really have much business value if you are completely revenue and profit driven in a competitive marketplace. And if I'm wrong, and good will eventually does win out over something like Facebook's privacy practices, and the free markets determine the winner, then never forget that the markets can stay irrational longer than you can stay solvent.


People still use Facebook


billions of people, yes.


if that's a question: yes I do!



