Report: Facebook has Started Encrypting Links to Counter Browsers' Anti-Tracking Measures (ghacks.net) 163

"Facebook has started to use a different URL scheme for site links," writes the technology blog Ghacks, "to combat URL stripping technologies that browsers such as Firefox or Brave use to improve privacy and prevent user tracking." Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties. Mozilla introduced support for URL stripping in Firefox 102, which it launched in June 2022. Firefox removes tracking parameters from web addresses automatically, but only in private browsing mode or when the browser's Tracking Protection feature is set to strict. Firefox users may enable URL stripping in all Firefox modes, but this requires manual configuration. Brave Browser strips known tracking parameters from web addresses as well....

It is no longer possible to remove the tracking part of the URL, as Facebook merged it with part of the required web address.

  • by Ritz_Just_Ritz ( 883997 ) on Monday July 18, 2022 @06:45AM (#62711652)

    is its own reward.

    Why people continue to use Facebook at all is a mystery to me.

    • by bozzy ( 992580 )
      It's designed to be addictive. Same reason people still smoke.
    • Mystery? You mean you don't understand why people continue to consume entertainment in exchange for something they don't give even the slightest shit about (privacy)? How out of touch are you?

      Find out more by clicking this link which will be reported to Microsoft via Windows, Google via Chrome, Facebook via their tracking, and countless other entities via JavaScript.

      And consumers feel what?

      Until there is actually a negative impact why would they care? /Disclosure: this post almost certainly tracked by Sams

  • by Koyaanisqatsi ( 581196 ) on Monday July 18, 2022 @06:49AM (#62711656)

    Not that it is any less annoying, but that's not a new discovery by FB.

    • by AmiMoJo ( 196126 ) on Monday July 18, 2022 @08:29AM (#62711936) Homepage Journal

      No it hasn't. Twitter links encode tracking in the URL without any obfuscation, and are trivial to strip. Their links take this format:

      https://twitter.com/%5Baccount [twitter.com] name]/status/[tweet ID]?s=[share type]&t=[unique tracker]

      You can strip the share type and unique tracker, and the links still work just fine. There is no encryption at all.

    • by AmiMoJo ( 196126 ) on Monday July 18, 2022 @08:31AM (#62711946) Homepage Journal

      Edit: Should have used preview, trying again...

      No it hasn't. Twitter links encode tracking in the URL without any obfuscation, and are trivial to strip. Their links take this format:

      hxxps://twitter.com/[account name]/status/[tweet ID]?s=[share type]&t=[unique tracker]

      You can strip the share type and unique tracker, and the links still work just fine. There is no encryption at all. The following works just fine:

      hxxps://twitter.com/[account name]/status/[tweet ID]
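
Added example (not part of the original post, and not any browser's actual code): a minimal parameter-stripping routine in JavaScript, applied to the Twitter share-link format quoted above and to a link whose identifier is merged into the path, as the summary describes for Facebook. The rule list, the `opaquePathSegments` heuristic and every sample URL are constructed assumptions.

```javascript
// Rules are scoped by host and path: a bare "t" is a tracker on a Twitter
// status link but a legitimate timestamp on other sites.
const STRIP_RULES = [
  // /[account name]/status/[tweet ID]?s=[share type]&t=[unique tracker]
  { host: /(^|\.)twitter\.com$/, path: /^\/[^/]+\/status\/\d+\/?$/, params: ["s", "t"] },
  // fbclid: click identifier appended to outbound Facebook links (any host).
  { host: null, path: null, params: ["fbclid"] },
];

// Constructed sample links; none of these identify a real account or post.
const TWITTER_SHARE =
  "https://twitter.com/example_user/status/1549000000000000000?s=20&t=AbCdEfGhIjKlMnOpQrStUv";
const VIDEO_LINK = "https://video.example/watch?v=abc&t=90";
const FB_QUERY = "https://news.example/story?id=7&fbclid=CONSTRUCTED123";
// Stand-in for a link whose identifier is part of the required path.
const PATH_TOKEN =
  "https://social.example/examplepage/posts/Zk3Qw9LmT7xRb2Vn8YcJd5Hs1PfGa6Ue4";

// Returns { url, removed }. The input is returned untouched when nothing
// matches, so unrelated query strings are never re-encoded.
function stripTracking(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { url: rawUrl, removed: [] }; // not a URL: leave it alone
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { url: rawUrl, removed: [] };
  }
  const removed = [];
  for (const rule of STRIP_RULES) {
    if (rule.host && !rule.host.test(url.hostname)) continue;
    if (rule.path && !rule.path.test(url.pathname)) continue;
    for (const name of rule.params) {
      if (url.searchParams.has(name)) {
        url.searchParams.delete(name);
        removed.push(name);
      }
    }
  }
  return removed.length ? { url: url.toString(), removed } : { url: rawUrl, removed };
}

// Heuristic (assumption): a long path segment mixing upper case, lower case
// and digits is likely an opaque token. It can be flagged, but not stripped,
// because the server needs the segment to resolve the page.
function opaquePathSegments(rawUrl) {
  return new URL(rawUrl).pathname
    .split("/")
    .filter(Boolean)
    .filter((s) => s.length >= 32 && /[a-z]/.test(s) && /[A-Z]/.test(s) && /[0-9]/.test(s));
}

for (const link of [TWITTER_SHARE, VIDEO_LINK, FB_QUERY, PATH_TOKEN]) {
  const { url, removed } = stripTracking(link);
  console.log(url, "| removed:", removed, "| opaque:", opaquePathSegments(link));
}
```

The last sample passes through unchanged with nothing removed: a parameter list has no purchase on an identifier that is also the page address.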

      • by _xeno_ ( 155264 ) on Monday July 18, 2022 @10:04AM (#62712280) Homepage Journal

        Yes, it has, you're referring to sharing tweets, which Twitter embeds easy-to-remove tracking information in because there's not really any way for them to avoid it. (The tweet ID has to be somewhere, and once you have that, you can create the link to the tweet.) However, links within a tweet have an un-removable tracking ID.

        The way it works is that any link you make in a tweet is automatically converted to a t.co link which is basically just t.co/random ID. The t.co link in return sends you through analytics.twitter.com (gee, wonder what that's for) before redirecting you to the original link. (No, I couldn't tell you why it has to start at t.co and then forward to analytics.twitter.com before forwarding to the real destination. You'd think they could do the tracking within the t.co handler, but apparently not.)

        Twitter claims this benefits the user in two ways: first, it's an automatic link shortening service. You only "use up" however many characters are in the t.co link, rather than in the original URL. The second thing it lets them do is block "harmful" links. (It's unclear to me if they just flat-out prevent you from going to the original destination, or if they just warn you, and it's unclear what "harmful" means.)

        But in any case, Twitter has made it impossible to prevent Twitter from tracking you when you visit websites through Twitter for ages, because the only way you can get the original URL is by going through the t.co "URL shortening" system. Well, sort of: a display version of the URL is also within a tweet's metadata, so that when the tweet is "rendered" via the client, you don't see the t.co link, instead you see at least part of the original URL. (So sometimes you could avoid t.co by manually typing in the URL, but if it's "too long," there's no way to get it without going through t.co and analytics.twitter.com.)

        • by Stickybombs ( 1805046 ) on Monday July 18, 2022 @10:14AM (#62712326)
          That's not entirely correct. As you say, Twitter displays the original link, so it is trivial to copy and paste it from the tweet if you wish to avoid the t.co shortening. More critically though, everyone is given the same t.co link, and directed through the same path, so if you wish to block analytics and tracking locally, you stand some chance. If I correctly understand what Facebook is doing, each user is being given a customized, encrypted link, so even if you were to block all tracking locally, Facebook will still know exactly who you are, and where you came from when you followed the link.
        • Does Twitter really use a double redirect? Wow that's crappy if you care about page loading speed.

    • How? I can understand how this might work on Android, where you can register an intent handler to process URLs with a custom scheme, but are they also installing software on desktop computers? And even if they are, how do they get Firefox to go to the page without translating it back to a standard scheme which is then liable to be processed by the same URL sanitising code?

      • The FB pixel/etc Javascript code that companies add to their page gets to sniff this on the URL. (Along with all other parameters.... :-O )

        Does adding trackers to your company's webpage allow them to sniff every login/good bits? Hahaha. Company's marketing team: "do it! It's fun!"

        • by pjt33 ( 739471 )

          If you're executing JS then you've already loaded the page, so this doesn't answer my question as to how the page gets loaded if the browser doesn't know what to do with the URL. Browsers support a rather limited set of schemes: http, https, about, file, data, maybe ftp (although I think most of them have dropped it), maybe one or two others. How is Twitter or Facebook telling them what to do with a custom://foo.bar/quux URL?

  • by splutty ( 43475 ) on Monday July 18, 2022 @06:51AM (#62711660)

    So the next logical step for Facebook would be to start lobbying for a law that makes it illegal to "Modify URLs".

  • Easy solution (Score:5, Insightful)

    by bradley13 ( 1118935 ) on Monday July 18, 2022 @07:00AM (#62711676) Homepage

    Putting the tracking information into the URL itself, instead of as an extra parameter is not magic, or even difficult. Scummy, yes, but then, Facebook is a scummy company.

    There is no option currently to prevent Facebook's tracking of users via links. Users could avoid Facebook, but that may not be possible all the time.

    It's perfectly possible. I haven't been on Facebook in years. The very few businesses dumb enough to have only a Facebook page and no website? They clearly don't need my business.

    • Re:Easy solution (Score:5, Informative)

      by Anonymous Coward on Monday July 18, 2022 @07:09AM (#62711696)

      Facebook tracks you and your browsing habits even if you don't formally have a Facebook account. It does so with embedded "like" buttons and other facebook content on websites that ends up tracking you.

      Facebook once bragged that it could uniquely identify, by name, 90% of all American internet users by their browsing habits, even if they did not have a Facebook account.

      • Re: (Score:2, Informative)

        by tijgertje ( 4289605 )
        Noscript/Privacy badger and bye bye the tracking from Facebook
        • Re:Easy solution (Score:5, Informative)

          by Tony Isaac ( 1301187 ) on Monday July 18, 2022 @08:10AM (#62711854) Homepage

          These only eliminate one class of tracking mechanisms, the kind that depend on quick-and-dirty inclusion of a javascript module in a web page. These tools have no effect on tracking mechanisms that are programmed into the server side of the code.

          • TIL: FB pixel server side code. Why the hell would people do this? Lol. So that way FB doesn't just control your user's browser, but they can read your .env, connect to your "internal" DB, cause all sorts of trouble? To give them access to hack other internal resources? Lol. WTF?

            • Here's a link to the actual Facebook server-side tracking "pixel": https://segment.com/docs/conne... [segment.com].

              Why would anybody do this? Well, because Facebook tracking is a welcome "intruder" for most web sites. In exchange for sharing your data with Facebook, you get lots of "free" marketing analytics from Facebook.

              Same with Google Analytics. You hand over every click to Google, they give you free analytics about your users.

              The motivation is powerful. Every site wants this kind of analytics so badly that nearly al

      • Re:Easy solution (Score:4, Informative)

        by Opportunist ( 166417 ) on Monday July 18, 2022 @07:50AM (#62711786)

        And more reputable sites (possibly due to some EU law, since I tend to see that on EU pages only) now hide those "like" buttons behind a "click here to enable Facebook links" link.

        • Yep, all three of those "more reputable" sites.

          • Yep, all three of those "more reputable" sites.

            They're up to three? Where was the grande announcement of the third? /humor

          • They're actually not that uncommon. Mostly European news outlets.

            • Or so you've been led to believe.

              Take The Guardian for example. It doesn't take long to find out that even if you turn off "all" tracking cookies, there are some that cannot be turned off: https://support.theguardian.co... [theguardian.com]

              These include cookies that are shared with a third party "contributions" manager.

              GDPR doesn't tell sites they are not allowed to track, they just have to disclose and ask for consent.

    • Re: (Score:2, Interesting)

      by crmarvin42 ( 652893 )
      I will occasionally find companies with a Facebook Only web presence, but those are generally restaurants/bars when I'm traveling. But as you say, they don't need my business if that is how they want to advertise their existence.

      IIRC, I personally signed off of Facebook back when Trump was first coming to power. (Don't recall if he was still running, or if it was after he'd been sworn in, but around that time IIRC). I have not signed on again since. Took about 2 weeks to break the muscle memory of bringing
      • I honestly cannot see why anyone would need such a place as facebook, twitter, reddit, or linkedin. The "need" is self-inflicted; it's possible to live without them.

        But it does "turn you into a loner" if you don't give in to the crap. We weren't loners before, but we "became" loners when we didn't give in to facebook et al.

        • I honestly cannot see why anyone would need such a place as facebook, twitter, reddit, or linkedin. The "need" is self-inflicted; it's possible to live without them.

          But it does "turn you into a loner" if you don't give in to the crap. We weren't loners before, but we "became" loners when we didn't give in to facebook et al.

          Amen. I was more transitional (and I'll admit _THAT_ was a stupid waste of effort). I didn't follow the sheep into the crap apps (they started as sites, but we all know what ends up happening). I was a loner. I figured something was out of place in my head when everyone seems to be getting into this social thing that brings so many together and gives them so much to talk about and share, so I gave in.

          I was lied to head-on. A friend (found him again after HS on FB) said he was busy with family stuff and

        • My wife is a stay-at-home mom, in a state far from where most of her friends live. I travel up to 50% of the time for work, and we have 4 young children. My wife can make a case that she needed some sort of interaction with adults, and that Facebook et al. filled that need. Particularly when we first moved here a decade ago, Facebook wasn't yet the cesspool it is today, and she didn't have a convenient way to meet new people and build a new social network.

          However, the longer we have been here, the less Fa
      • Your second paragraph reads like a newbie in addiction recovery.
        Whether your presentation was deliberate or sincere, it's consistent with FB's well-documented manipulation of the dopaminergic reward system.

        • ... manipulation of the dopaminergic reward system.

          Now, now. Don't let the (ab)users of it get information like that in their heads. They'll start to want to know more about what dopamine is and how it's being used to affect their daily decisions and feelings... wait, what in the hell am I talking about? Their attention wouldn't stay on your comment long enough to make it there. :) /humor, and so true at the same time. Gag.

        • I can't speak for anyone else, but I think addiction is too strong of a word. When I had other things going on I'd leave FB alone for long stretches of time, but when I was bored it was my first stop.

          Just like any habitual behavior, you'll find yourself starting to do something before you even realize you are doing it. Getting up to go get a snack from the kitchen before you recall your diet. Waking up early for work on a Saturday, before remembering and going back to bed. Reaching for the light switch be
      • Facebook users simply organize into echo chambers over time. The "abuse" reporting system is so malicious that you have to go into private groups to share any interesting content. I don't see that cuckservative bullshit because I'm not consuming random content.

        • Facebook users simply organize into echo chambers over time. The "abuse" reporting system is so malicious that you have to go into private groups to share any interesting content. I don't see that cuckservative bullshit because I'm not consuming random content.

          Could you convince my SO to try that? I'll start my comment to you something she said about two weeks ago, (roughly), with complete sincerity and as a warning and helpful advice: "You'd better go and stock up on mustard, because there's a shortage of it right now."

          I'm saying this because it came from "keeping up with the friends" on Facebook but of COURSE following side links and whatever you call the silly-worded picture things to more picture things to some article that someone posted that stated there's

    • You not clicking a Facebook link doesn't mean you have in any way avoided Facebook. All it means is you haven't consumed any content in exchange for all the data they harvested from you anyway without you knowing.

    • It's perfectly possible. I haven't been on Facebook in years.

      You have, you just don't know about it. Go to any website with a facebook icon on it or a share by Facebook and Facebook is tracking your information, even if you've never had a Facebook account and if you sign up you'll find your feed magically filled with the stuff you're interested in. The websites also don't even need those obvious links to Facebook, google "Facebook pixel".

    • Putting the tracking information into the URL itself, instead of as an extra parameter is not magic, or even difficult. Scummy, yes, but then, Facebook is a scummy company.

      Please don't read on if you don't want to read about what FB influences in a person's mind and what that does to a relationship...

      My significant other got into the smo^H^H^Hfacebook addiction when someone she was a friend with did, years ago. Now, I'll go home from work this evening and she will walk in the door about 2 hours later post-work. She pushes the computer power button as she walks past it into a room to change out of work clothes. She uses that time to let the machine boot. She gets a drink a

  • Affiliate marketing sites do it too. Just avoid sites that garble links.
    • Just avoid sites that garble links.

      In other words, stay off the internet?

    • > Just avoid sites that garble links.

      Nah. I wrote a mod_perl module c. 2002 to handle

      https://example.com/encryptedp... [example.com]

      to avoid HIPAA problems with web proxies for docs checking on their patients or using shared machines.

      The cookies were encrypted too. Even on a single Pentium III 800 server the performance was not measurable beyond noise of the sampling tool.

      The worse risk is letting G-d knows who see your links.
      It's more likely to be spyware post-Snowden than proxies but the premise should alwa

  • I do as much as I can to be as private on the web as I can. I use Adblocker Ultimate, uBlock Origin, Cookie AutoDelete, but the biggest weapon I use is myself. I never ever click on ads ever, so any and all spying, scheming is wasted money, by them.
    • You don't have to click on an ad to be tracked by it. If the ad gets displayed, the server already knows you saw it.

  • Wrong approach (Score:5, Interesting)

    by Train0987 ( 1059246 ) on Monday July 18, 2022 @08:04AM (#62711836)

    People who actively avoid and/or block this tracking stuff are actually doing the advertisers a huge favor by self-selecting themselves out of the pool of people who they're paying to annoy. The companies profiting off this depend on stupid people and actively target them with these tactics. What we need are browsers and services that virtually click on everything, all the time, multiple times, pretend to follow every ad, show interest in all of it. Flood these fuckers with noise and pay-for-click fees.

    • by sinij ( 911942 )

      The companies profiting off this depend on stupid people and actively target them with these tactics.

      You forget that companies that rely on social media advertising, when it is well-known that a) it doesn't work as people trained to ignore it b) it mostly reaches bots anyways, are run by stupid people.

    • Re:Wrong approach (Score:4, Informative)

      by Jonathan C. Patschke ( 8016 ) on Monday July 18, 2022 @11:23AM (#62712648) Homepage

      What we need are browsers and services that virtually click on everything, all the time, multiple times, pretend to follow every ad, show interest in all of it.

      This extension exists, and it's called AdNauseam [adnauseam.io]. I'm sure it wouldn't surprise you to learn that it was available in the Chrome "web store" until Google realized what it actually does. They then categorized it as malware and revoked the developer's signing key.

      The extension does have a fairly heavy footprint in terms of CPU time and network transfer, but that's only because of how pervasive advertising dreck is.

  • by gweihir ( 88907 ) on Monday July 18, 2022 @08:11AM (#62711860)

    At least in the EU under the GDPR. The GDPR prohibits tracking without explicit, informed consent and mandates that all access needs to be possible without it, except where necessary, e.g. session-tracking. But that information may not be stored after the session ends.

    • by AmiMoJo ( 196126 )

      That's an interesting point. I don't recall Twitter asking me for explicit permission to track where I post links. They certainly didn't ask anyone who takes that link and shares it themselves.

      Their get-out might be that the tracking is anonymous, and thus not personal data. It's a tricky one because it's difficult to prove that the links are not anonymous, or can't be de-anonymized trivially.

      This may require some further research.

      • by splutty ( 43475 )

        I'd argue that it's actually been proven again and again that "Anonymous tracking" simply doesn't exist.

        Once your dataset is large enough, you can *always* collate what's what and who's who.

        And I'm pretty sure that the datasets of the companies in question are large enough.

        • by AmiMoJo ( 196126 )

          Very likely. The problem is going to be gathering enough evidence to get a regulator interested, or enough to launch legal action to force them to take an interest.

          None Of Your Business (NOYB) does work in that area. You could contact them maybe.

        • Once your dataset is large enough, you can *always* collate what's what and who's who.

          You can't be argued with because it exists and is paid for every day. It's not a Google or a 'tracking site over there'. One's called Lexis Nexis. And that's just one of them. Auto insurance companies use some of them, banks, of course, do beyond "credit bureaus"... Ugh.

    • At least in the EU under the GDPR. The GDPR prohibits tracking without explicit, informed consent

      If you click a tracked link from a 3rd party site to Facebook and you don't have a currently logged in Facebook session cookie, you will hit a landing page informing you you're going to Facebook and will be tracked along with the option to not do it.

      This has been in place since the GDPR.

  • You just need to be a little more creative. Buy a Raspberry Pi and use Pi-Hole. Blocks FB domains at the network level, with domain lists automatically updated.

  • ...doesn't matter how much poison you throw at them, if it's not a form that gets back to the queen you're just pissing in the wind.

  • If a site's URL breaks my browser's privacy rules or my third-party security app's protection, I don't load the page.

    Simple.

  • There was a simpler time, when a browser was a piece of software that just worked. Not a social movement. The browser would inch towards perfection and completion, becoming just one of many open source components on your system that would serve your interests. Firefox long abandoned what made them different. They are no longer "just a browser", they are a social movement. The problem with social movements is that they sometimes do things you dislike. Facebook is responding to a browser that is trying to ins
    • I can't tell if this is meant to be sarcastic, or is simply ill-informed. From the summary though: "Firefox removes tracking parameters from web addresses automatically, but only in private browsing mode or when the browser's Tracking Protection feature is set to strict." So a user has to specifically request no tracking in order to cause this behavior in Firefox.
    • Apparently Mark Zuckerberg has followed Putin's example and has his own army of online trolls.

  • con-man like theft (Score:5, Insightful)

    by jsailor ( 255868 ) on Monday July 18, 2022 @10:05AM (#62712282)

    The first and only time I attempted to get an account was ~3 months ago.
    The only reason I tried was that it's the best way to get support for a boat I purchased. I could contact the manufacturer for large issues, but high performance sailboats have a lot more to them and the manufacturer isn't going to post tuning guides or facilitate community discussions for "which product works best for this issue", "has anyone tried this", "who's going to which regatta X", and similar discussions.
    Getting back on point, when I tried to join, FB gathered an email address, phone number, and some other information from me. Then presented me with a list of people I might know - some accurate, some not. I then went through and adjusted any setting that I thought was against my interests and privacy. Other than changing settings, the only task I did was search for one name. I then left to take care of something. About an hour later, I returned and was locked out with a message stating that I violated an unspecified policy and my account was locked. The only way I could get it reinstated was to go through some web process which then demanded a picture of me to confirm my identity. I don't know what they would compare it to since I never provided a picture. Emails to their abuse email address have been ignored. In a nutshell, they grabbed info I would not have otherwise given them. Have given me nothing in return. Kicked me off without explanation and then wanted my picture to, presumably, complete their data set. It's not hard to feel like I was digitally robbed by a con man. I wish there was a way to force them to purge my information, but I haven't found one.

  • by VeryFluffyBunny ( 5037285 ) on Monday July 18, 2022 @11:17AM (#62712610)
    ...it's a legal one, which needs legal remedies. Govts need to do their job & protect their citizens' privacy. Additionally, allowing corporations to build vast databases of citizens' profiles with no effective oversight is a national security & economic risk, e.g. How many govt employees & corporate employees are being tracked by their computers & phones thereby generating detailed profiles of their daily routines, who they meet & spend time with, call & text, etc.? How valuable would those profiles be to competing & hostile govts & corporations? What is there to stop global personal tracking corporations like telcos, Facebook, & Google, & Microsoft from selling those profiles for a handsome profit?

    Legislation & effective oversight are long overdue. The EU's GDPR doesn't go far enough either.
  • A browser plugin would be helpful that would automatically submit three randomized search requests to google every time the user performs a search. In the background, the browser requests two to five of the search results. Even this small amount of traffic would make the tracking data a useless mess.

    This noise effort [makeinternetnoise.com] targets google specifically, but not the embedded page or ISP trackers. There's also this python script [github.com] that could be set up as a cron job on an idle raspberry pi looking for justification not
  • Come on, humans, it's time to abandon Facebook. What are you waiting for? Facebook to start going through your underwear drawer at night?
  • by Archangel_Azazel ( 707030 ) on Monday July 18, 2022 @12:05PM (#62712804) Homepage Journal

    So, they've now encrypted the method that they do the tracking. If someone were to try to reverse engineer that so as to make, say, a browser extension to once again remove the tracking, would that violate the DMCA?

    I ask because suddenly it would seem that if you wanted to do almost anything nefarious such as this tracking, just put even the thinnest tissue paper of security or encryption on it and then let the law take over. Hell, for all I know this has already been done years ago.

    • Maybe. But if their encryption is so poor that you can decrypt it on the client and then re-encrypt without the tracking information, in addition to whatever public spectacles happen, they will then hire somebody marginally competent and future attempts will fail. DVD/Blu-Ray encryption had the disadvantage that there was a lot of hardware to update in order to make a better attempt at encryption. On-the-fly URL encryption would be pretty hard to break and not have it fixed nearly immediately
  • https://slashdot.org/comments.... [slashdot.org]

    So everything this new feature will accomplish is that from now on advertisers will randomize the names of the URL parameters they use for tracking?

  • One of the quickest ways to lose my business is to have your primary contact be some shit show like Facebook. If I click on a link for your product and am presented with a Facebook login page, we're done. Another way to lose my business is to have some shit around like "Rate us 5 stars on {Facebook,Google,Yelp}".

    I just left a company that determined its employees' livelihood by some bullshit web ratings. Every time a customer left they got texted a link to "rate us on (censored)". Most people ignored it.
