Ask HN: What is with the new URLs on facebook.com?
Hi HN,
I've noticed recently Facebook has started using URLs which seem to include encoded information.
For example, this URL to Vice: https://www.facebook.com/VICE/posts/pfbid02XdVziPTwhmPU9XzBq...
It's a pretty URL with some kind of hash at the end beginning with "pfbid."
Whereas they used to look like basic sharded URLs: https://www.facebook.com/random.username/posts/1020832750980...
Is this for more targeted tracking on posts and links being shared, a new sharding scheme, a combination of both, or something else entirely?
Appreciate any insights the community can provide.
277 comments
[ 1.3 ms ] story [ 327 ms ] thread[0] https://www.engadget.com/firefox-can-now-automatically-remov...
Beyond privacy I'm interested in generally a browser extension that disables things that provide free labor to for-profit enterprises, such as hiding the moderation queue (which even has an annoying persistent badge) on StackExchange sites, the one that asks me to provide unpaid labor to private equity and has various rules that sound nice if it were a public utility but primarily work to improve their SEO.
https://www.facebook.com/plugins/post.php?href=URL_ENCODED_N...
Returns references to the older style url in the returned html.
I also noticed it's calling that new style base64 string a "story_token" in places, and uses it in conjunction with "page_token" set to "VICE" in this case.
For example in France: « Obstructing or distorting the operation of an automated data processing system is punishable by five years' imprisonment and a fine of €150,000. »
I have remembered a fake birth date, fake home address, and other details that I use for all these sites, unless they're related to commerce or legally justified purposes. We do not need to provide accurate info to private companies that mis-use our data (provided it is not required for our own reputational purposes).
Twitter is also fast becoming my least favorite thing to use as well because of a habitually botched user experience.
I think a good place to start would be with user awareness
Sorry about the quote marks; from memory, so probably not an exact quote.
I don't like be spied on but gees, they aren't getting free labor. They're paying like crazy. As someone that once at a > $1000 phone bill it's amazing to me I can video chat with friends all over the world via FBs services and pay no direct money to do it and that to keep up with them I can now just post to fb instead of send out a newsletter or write each individual person
Facebook controls the barely tech literate crowd by offering an aol type experience.
These services are popular with the masses. No one cares that they give data to facebook so they can be sold more things and leave them poorer.
You end up paying facebook no direct money but you have less money and spent when you didn't need to.
Companies are having a field day with all this data collection. I hope they get real karma for the deception.
https://news.ycombinator.com/item?id=32118404
That is, when copying a FB URL, you'd take the supplied value, feed that to the proxy, get the translated (and presumably canonical OR), and feed that to the clipboard buffer or share dialogue.
Needless to say, a fucking PITA.
One alternative, which would require significant effort and investment but would be a brilliant way to outsmart Facebook's crap, would be to accumulate pbfids in a common pool such that, if a given pbfid points to post X, fetch a different random pbfid that points to post X. If the initial pbfid is not recognised, add it to the pool once the post is determined, either as a new alternative for a known post, or as a novel entry.
Of course, FB would hate it and would either try to expire old pbfids (and risk breaking "legitimate" links) or use legal threats, which would require them to openly admit that they don't give a shit about people's privacy preferences.
So, upon seeing a new one, you’ll have to resolve it. Only then would you be able to tell what other URLs it’s equivalent to.
One way to gain anonymity there is to do that from a proxy, but such proxies would be detectable from the amount of pages they request from Facebook.
It also looks like they already thought about replays of URLs. For me, https://www.facebook.com/VICE/posts/pfbid02XdVziPTwhmPU9XzBq... currently says:
“It looks like you were misusing this feature by going too fast. You’ve been temporarily blocked from using it.
If you think that this doesn't go against our Community Standards, let us know.”
So, chances are they also thought about users exchanging URLs (e.g. by having each running instance of Firefox read Facebook URLs for other instances). It is possible that (a part of) your Facebook user ID also is encoded in each URL.
Or encode some versioning scheme, and keep trying various versions until one comes up with a valid link. If we can think of these things in seconds, so can the engineers at FB.
Piece of s**
This would have to be through an extension or an internal browser function.
The canonicalisation request would have to be w/o the initial person's FB identifiers as part of the request (e.g., cookies, etc.). FB might cotton on to immediate re-requests after URL provision, though that would be an interesting approach and yet further signs of expressly violating expressed intent.
https://gizmodo.com/firefox-update-stop-url-tracking-chrome-...
Tracking has been a grey area in technology. Now that regulations and users are trying to scrape back some control over their privacy, it's going to be a lot clearer to see the line between moral and amoral behavior in companies.
Any complaints about ATT should've been considered admissions of guilt by the EU regulators and promoted investigations.
Not to mention the giant groups of people working at FAANG here, directly complicit with this behavior, afraid their salary and stock options will tank if anything changes.
Companies have the willpower and money to fight any sort of check on their power, well after the rest of us are all beyond exhausted.
We think the problem is just the big corp circumventing moral, ethics and even law for make a profit, but how many people here support this behavior?
We are not only talking about people working there, but people from the outside, completely unrelated, telling they are right and that they should keep doing what they are doing.
Maybe we can not fight big corps because they have all the money and power, but people, we definitely can fight them.
I'm allowed to move my arms like I want, but that doesn't give me the right to push people off cliffs.
In both cases, sites are attempting to tie content consumption to content monetization, and users are attempting to get the content without the monetization because they dislike side effects of the monetization.
It's also further defending hostile dark patterns and evading explicitly expressed personal intent.
The browser is a user agent, not a publisher or advertiser agent.
The will of the (informed) visitor doesn’t matter when they are visiting a place. I can’t have an intention to take a painting from a museum, ranging about the museum making it hard
https://en.wikipedia.org/wiki/The_Logic_of_Collective_Action
It's quite interesting when the doc intended for a specific recipient is opened in 15 different geographical areas. Even more interesting when that specific recipient was under an NDA.
My question to you is if this should be made illegal? (since it is the same action facebook appears to be doing)
Can you provide references?
Facebook informs you of their tracking via the privacy policy you agree to when using their services
OP: https://www.facebook.com/VICE/posts/pfbid02XdVziPTwhmPU9XzBq...
Me: https://www.facebook.com/VICE/posts/pfbid0TbuHEaGP2fLTRDFRTu...
There were also a bunch of other query params junk after that I omitted here for brevity.
Perhaps there are benefits to everything; is the cost, i.e. losing privacy, worth it?
Second, this only applies to Facebook users, and yet they also track non-users despite them not even going to be showed any advertising.
https://stackoverflow.com/q/10982911/149428
→
https://stackoverflow.com/q/10982911
→
https://stackoverflow.com/questions/10982911/creating-tempor...
I have some serious reservations about social media generally, which is why I left to begin with, but between TikTok and Instagram I know hands down who I trust more.
> “Everything is seen in China,” said a member of TikTok’s Trust and Safety department in a September 2021 meeting. In another September meeting, a director referred to one Beijing-based engineer as a “Master Admin” who “has access to everything.” (While many employees introduced themselves by name and title in the recordings, BuzzFeed News is not naming anyone to protect their privacy.)
[1] https://www.buzzfeednews.com/article/emilybakerwhite/tiktok-...
How does this differentiate them from domestic governments exactly?
Your question is phrased in a way that would be exactly the kinds of things that foreign adversaries want to achieve online: make people hate their local government so they throw their baby out with the bath water, meanwhile the foreign adversary keeps power with an iron fist and censorship so they don’t suffer the same consequences.
Dd we really need foreign governments for this? They do it, but we get plenty of it right here at home. Covid made that plain enough, but so have decades of attacks on education and the middle class. In the US we even have government investigations into our own government for wanting to destabilize the country, cast doubt on our democracy and promote civil war.
I'm not saying foreign governments don't play these kinds of games too, but if pointing out my own nations very real problems and deficiencies makes me sound like foreign adversaries maybe those foreign governments aren't the biggest problem we have and we'd be better served cleaning house and looking at the problems within before pointing fingers at folks outside.
Covid made plain that psyops work extremely well. A huge amount of disinformation came that way, in addition to a domestic audience that was very happy to incorporate it. Having a mistrust of authority in the first place makes this frictionless because it means you trust whatever you read online instead of your local authorities. That makes psyops easy peasy.
You can both not want foreign meddling and want to improve your local situation at the same time. Geopolitical issues are never a serial process, and they never end. There will never be a point where everyone agrees the domestic issues are now “fixed and everything is perfect” so now we can focus on the constant foreign attacks. That’s a false start.
Don’t throw the baby out with the bath water. When you burn it all down you’re just left with ashes, and whatever the replacement is almost always cheaper and worse.
I trust Instagram more because I was in the room when we said “using dwell as the signal and turning the online learning rate to who-the-fuck-cares is a bit much even for us”.
FB/Meta/IG’s bad, bad misses are just policy at ByteDance.
If anyone is going to display a modicum of social responsibility around this new lowest common denominator, it’s almost certainly FB.
It’s weird to find myself defending FB but in this instance it’s merited.
Nationalism is the belief that your country is inherently better than others just because it is your country.
If everyone held this view then there would be no path that doesn’t lead away from national conflict, because all Chinese would choose China and all US people would choose US in these situations, rather than focusing on objective bad actors.
Not saying that's an excuse for badness, but let's also not pretend that all governments are equally bad. I would rather the US violate my privacy than China, if those were my only choices.
Granted, currently I'm more or less physically out of reach of China's law enforcement, but well within the US's reach. So China having my data -- at least in the short term -- probably can't hurt me all that much. But longer term? Who knows.
Have I seen shit? Yeah! Are you full of shit? Also yeah, unfortunately.
So not much surprise here.
What tiktok (and it looks Facebook is starting to do) is generate you a completely unique URL when sharing a video. Copy a tiktok video URL and you get something like tiktok-dot-com/video/abc456def - that ID at the end is unique to you. There's no tracking params to remove from the video because they encode the video ID and your user ID in the same 'field'
Your comment is somewhat accurate, but not the whole story.
A copied Tiktok share URL looks like this:
When pasted into a browser though, it redirects to the normal post URL: From there the tracking ID can be easily removed (by one's self) from the query params. This is in contrast to Facebook's new approach.This is an arms race firefox would lose. I think if anything, firefox trying to race it is now negatively affecting anyone that were able to manually remove tracking id themselves (or use a browser extension)
I don't have to defeat you if I can make you look bad enough to all the observers.
Sites blocked functioning without cookies or JS.
Then we had adblockers.
Sites blocked functionality with adblockers installed.
Then we had Do Not Track.
Sites LOLWUTFU
Then we had GDPR.
Sites: Multi-thousand-word EULAs, TOU, "Accept" vs. "Pound Sand" options, multi-hundred click "choice" dialogues, "your privacy is very important to us (to invade and violate)", and mass geoblocking.
Then we had UTM and FBPID URL tracking parameter stripping.
Sites: Encode tracking data directly into URL as a hash.
Firefox's action isn't simply meant to solve the problem. It's there to highlight the repeated and escallated violation and negation of express personal intent and preference.
No means no.
Do you know that almost every "share on Facebook" button on a random news article/blog post collects data from you, if you don't have strong privacy protection enabled? That means even if you have never registered a Facebook account, Facebook could gather your page view data and use that to show ads targeting you on another page.
Same thing here.
I agree that Facebook also collects data in other ways, but this is entirely unrelated.
What a gibberish. Tell me, how will it technically do that?
On what "another page"? On the same website - yes. So what? Each website can do that.
So, if you don't like that or have moral issues or whatever hangups you want to conjure up to hate on them: don't be a customer. And don't be an investor. Its as simple as that.
For example, Facebook also abuses the privacy of people who aren’t customers (or more accurately, users). Or maybe cutting yourself off from Facebook would mean cutting yourself off from family or friends. Maybe WhatsApp is essential for your work, or for a community organisation you are part of. Or if you have a pension fund, it almost certainly invests in Meta. There are lots of conflicting priorities and issues that can come up when trying to think about the costs of being a users of a particular platform.
In reality it’s totally fine to think that a service you use is doing something wrong, to complain about them doing it, and to want them to stop. Some might choose to leave the service; others might want to spread awareness about the issue, or call for regulation. And others might shrug their shoulders and accept it anyway.
I’m not sure why you seem so convinced that the only two valid positions are “silently embrace anything they do” and “cut yourself off entirely”.
How about bots, can you use your account sometimes and other times give it to your bot essentially simulating activity and throwing gravel into machinery or will they shut you down?
Maybe if you could find a way to fill their logs with the kinds of data that actually matter (fake your precise GPS location, fake contacts/friends/relatives with detailed fake histories and fake contacts of their own, fake credit card statements showing fake purchase history, etc) it might be more worthwhile, but you'd still be taking a chance because ultimately your life is going to be changed because of what ends up in the logs being collected.
You could get turned down for a job because your fake bot was a little too interested in drug/alcohol related websites, or maybe you'll be charged more or denied healthcare coverage because your bot made it appear that you were living an unhealthy lifestyle. The fake location data you sent might get you arrested by police if you were one of only a few people logged within a 2 mile radius of a crime.
You can't break down the system by messing with the specifics in your dossier. The system will process your data (the real and the false) just fine and keep right on running. Real or fake, that data will follow you for the rest of your life and it will be all be used against you any time someone thinks it might benefit them to do so.
we can sit around for apple to subvert it (as ppl often celebrate here), except that they're doing the subverting itself subversively: they're pleasing the masses with privacy improvements (chiefly as a competitive edge - it's profitable for their model), while leaving critical options opt-in so that the result is most people stay uneducated and leave enough tracking on to reap partners and the economy huge returns over the last 15 years off ad tracking that end of the day happened on apple's platforms. these kind of solutions make us feel like the capitalists are caring for us in their competition and pacify us, particularly the ones savvy enough to be happy about these privacy options and otherwise savvy enough to have organized people against it if they hadn't felt it was solved for them.
The point is that the cost of tracking stays unchanged no matter what the data you feed it says. It's also just as meaningful in that it will still be collected, sold, used against you and will still have very real impacts on your life. The contents of your data will not and does not impact the machine or its functioning at all. All that matters is that there is data to collect and to leverage against you.
You're right we can't trust companies to save us here. The only solution to this is strong regulation with oversight and teeth. Until we get that, we can only do what little we can to limit the amount of data we give up and increase awareness of what's happening and how it harms us all.
It's expensive, it's rarely performed correctly, the actual signal still exists within the noise and can generally be determined.
I'm not saying "don't try", but really, don't bet your life (or anyone else's) on it.
No one has to accept this false dichotomy. There are far more options. Severely regulate this behavior, force them to break up into smaller companies, declare privacy a right and thus something you can't legally bargain away through accepting a Terms of Service agreement, etc, etc.
You don't suddenly decide to stop doing evil for just a few percentage points after all.
I'm not sure that's a given. It seems like mass data collection is profitable in a vast number of ways that have nothing to do with ads which could themselves be more than enough to incentivize google and facebook to continue collecting it.
It's used to set you how much you pay for things like health insurance. You just see your rates go up. You don't know it's because they saw you spent too much at bars or that people in your zip code increased their spending on fast food over the last 6 months.
Everyone wants their hands on your data to abuse in any way they can to give them an advantage over you. To take advantage of you.
It's being used to manipulate you and to shape your views. It's used to decide if you will be offered a job, or get an apartment. It's sold and resold over and over, to data brokers, but also to governments (including US companies selling that data to the US government). There's an entire multi-billion dollar a year industry around buying and selling the most mundane aspects of your life for this reason.
Every scrap of data that is taken from you can be leveraged against you or sold to someone else on the promise that it could be.
The only way to win is not to use term.
The only way to win is to bend over backwards to block all of their various tracking garbage that is hiding in the majority of internet websites.
And I suspect that even the most stalwart soldier in this fight is probably still losing somehow.
? That doesn't make sense. It is most certainly not "free" and the real price is one that is far more than the costs of providing their services. The problem is that joe user doesn't understand the value of what they are paying so Facecrook is selling trinkets to the natives for land.
https://news.ycombinator.com/item?id=32118404
As a user have no debt to them just because they offer something for free. Maybe you psychologically feel that way (reciprocity is a common psychological effect that is exploited in marketing)
This is akin to you saying you hate McDonalds hamburgers and then you grudgingly march on into McDonalds every Friday and order one. Make your own hamburgers dude.
Also, your argument is basically vicitim blaming imo
(Well, it's an arsehole-capitalist concept, but isn't that pretty much what "libertarian" means in practice nowadays?)
___
[1]: User, product, whatever you want to call them.
That comes from products advertised through FB, most of which are marketed toward the roughly 1 billion wealthiest residents of the world: US, EU, Japan, and a few other rich countries.
Some complex maths suggests this works out to $117 per individual ($468 for a household of four), whether or not they use Facebook.
Facebook is not without costs, either in direct monetary support or externalised costs of the network.
Facebook tracks individuals outside of its platform, including those who do not have accounts on the platform at all.
The fact that participation has no gated cost is an intentional design of the system --- Facebooks users are the product sold to Facebook's customers, the advertisers.
People have a right to criticize and protest independent of whether they are customer, product, unwilling supporter, or collateral damage.
> Some complex maths suggests this works out to $117 billion per individual
I think you might need some slightly more complex maths
Thanks.
Point remains that FB extracts a real and significant direct monetary cost.
Your VICE link is also here, for example:
https://www.facebook.com/VICE/posts/6037626766270531
Edit: To find the old style url, use /plugins/post.php with the new style url passed as a url encoded param value for "href", like: https://www.facebook.com/plugins/post.php?href=https%3A%2F%2...
Then, there's a timestamp like "10 minutes" ago in the returned page that leads to the old url.
I imagine you could make a browser plugin out of that.
I completely removed advertising from one platform, and for my paying customers, I have made the conscious decision to not automatically charge and bill my customers for their subscriptions unless they explicitly opt-in for reoccurring charges. Those two "good will" components have generated enormous good will with my customer base at the expense of significant revenue.
The flip side of that is that unfortunately good will doesn't really have much business value if you are completely revenue and profit driven in a competitive marketplace. And if I'm wrong, and good will eventually does win out over something like Facebook's privacy practices, and the free markets determine the winner, then never forget that the markets can stay irrational longer then you can stay solvent.
Yes, you are damn right I'm calling out some of you as hypocrites, because as some of you around here build and scale your products and begin to build out social components of your businesses, you will absolutely walk right up to the line of regulation when it comes to your user's privacy over making your investors happy.
And that leads to a worse user experience in many areas. You use it for free but it sucks and you sacrifice your data. I'd honestly rather pay $2-4/month for a social media that doesn't suck and doesn't harvest my data.
I run my businesses with this in mind, my user's privacy is at the utmost importance to me, and the way I approach managing my business is to gain the good will of my customers first and provide a quality product. And my business is wildly successful.
But I'm under no illusions to the reality of the situation, and I've been around HN long enough to know that the hypocrisy here can be deafening sometimes with regards to social media. The downvotes on my post prove it.
Edit: just to bolster my point, the vast majority of ANY app developer around here on HN will have been to integrate every ad supported SDK in their apps, which literally invades the privacy of those users probably worse than Facebook does, all for a little bump in revenue.
If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.
Twitter recently started adding a 't=' param to their share links [0] as well, and I can only guess that it's some kind of similar tracking scheme. From watching browser traffic it appears to be generated when you click the share button, but I might be wrong about that.
[0] https://twitter.com/NanoRaptor/status/1548301612246249474?s=... - the first thing in my feed. Link works fine without any of the query params, of course.
Twitter appears to be just analyzing who shares what with whom, but haven’t moved into using it for ‘growth hacking’ like tiktk yet (i.e. join cmg, who shared this link on Twtr)
I know symmetric encryption is reasonably cheap these days, but anything times “Facebook edge requests” is a lot, I bet any of the cryptographers on here could find out pretty quickly what’s in that blob.
VKontakte, the Russian Facebook, has another ID system entirely: each namespace kinda gets its own ID sequence. Pavel Durov is unsurprisingly ID 1. Group 1 is the group for app developers, but no idea what it was initially. Other objects are identified by a (type, owner ID, object ID) triplet, the object ID is unique within the type and the particular database server that's chosen based on the owner ID. Really simple to work with once you get into it. Does Facebook use a single global ID namespace for everything?
It’s 4 because he was prototyping the ID system.
Facebook, as well as VK, have gotten quite fancy since about partitioning 64 bits.
Lmao. To be honest, it's surprising VK works as well as it does. Especially with all those custom, written-from-scratch databases aka "KittenDB". Oh and did you know that all strings are stored internally in the Windows-1251 encoding? And because it's an 8-bit Cyrillic encoding, characters that can't be represented in it, are stored as HTML entities. The API used to spit strings out exactly as they were stored, except converted to UTF-8, and it has caused me a lot of pain as an app developer. Their removal was a big thing: https://vk.com/wall85635407_3133 (btw here you can see the ID structure: "wall" is the type, wall post, 85635407 is the owner, 3133 is the post ID).
Some ancient version of KittenDB is open source: https://github.com/vk-com/kphp-kdb, I managed to set it up on my server, but tbh you'll be better off using just about any other sufficiently popular database out there. This thing uses a binlog, keeps as much data as possible in-memory, and the schema is very fixed. It's basically a *-engine per every possible purpose.
FBIDs are a globally unique id system that they've been using for almost as long as they've been around, if not actually from the beginning.
When the user clicks one of these links, the browser could open it in a headless tab and wait for the URL to change to a non-facebook URL. The browser then remembers that URL, closes the headless tab, and navigates to the underlying URL with tracking parameters stripped.