Ask HN: What is with the new URLs on facebook.com?

275 points| thrusong | 3 years ago

Hi HN,

I've noticed recently Facebook has started using URLs which seem to include encoded information.

For example, this URL to Vice: https://www.facebook.com/VICE/posts/pfbid02XdVziPTwhmPU9XzBq...

It's a pretty URL with some kind of hash at the end beginning with "pfbid."

Whereas they used to look like basic sharded URLs: https://www.facebook.com/random.username/posts/1020832750980...

Is this for more targeted tracking on posts and links being shared, a new sharding scheme, a combination of both, or something else entirely?

Appreciate any insights the community can provide.

266 comments

[+] groffee|3 years ago|reply
Firefox recently started stripping out tracking URLs [0] and the most prevalent one is Facebook with its ?fbclid= so it looks like they're encoding it straight into the URL now to bypass that, Medium does similar also.

[0] https://www.engadget.com/firefox-can-now-automatically-remov...

[+] wahnfrieden|3 years ago|reply
It's opt-in behavior. So Facebook is explicitly countering opt-in requests for privacy (without informing you)
[+] madeofpalk|3 years ago|reply
Tiktok does the same thing when you get a URL to share a video
[+] nchudleigh|3 years ago|reply
+1 this is likely the situation. I would bet that the rest of the url resolves to the old format with the search param after some decoding.
[+] shultays|3 years ago|reply
That was such a naive move by firefox tbh
[+] dom96|3 years ago|reply
Do you have any evidence to say that this is the case other than speculation? It's also possible that they just changed the URL format. FWIW `pfbid` seems to be a shortened version of "post fb id" so why would it include the "cl id"?
[+] thrusong|3 years ago|reply
Makes a lot of sense— thanks!
[+] ape4|3 years ago|reply
I suppose Firefox could remove this new encoding too
[+] gnu8|3 years ago|reply
Why on earth would Facebook think it is ok to bypass that? This should be considered a violation of the CFAA. Start putting Facebook execs in federal prison.
[+] wahnfrieden|3 years ago|reply
This is Facebook actively circumventing their users' explicit requests to not be tracked :) They have no respect for you
[+] daniel_iversen|3 years ago|reply
It’s the price you pay to use the platform because it’s free.
[+] cainxinth|3 years ago|reply
The feeling is mutual
[+] googlryas|3 years ago|reply
Having an extension or something that removes query string parameters is not an explicit request to not be tracked.
[+] tyingq|3 years ago|reply
It appears the old urls still exist, they are just sort of hidden.

Your VICE link is also here, for example:

https://www.facebook.com/VICE/posts/6037626766270531

Edit: To find the old style url, use /plugins/post.php with the new style url passed as a url encoded param value for "href", like: https://www.facebook.com/plugins/post.php?href=https%3A%2F%2...

Then, there's a timestamp like "10 minutes" ago in the returned page that leads to the old url.

I imagine you could make a browser plugin out of that.

[+] cmg|3 years ago|reply
Along these lines, someone else mentioned that Tiktok embeds direct tracking into URLs already.

Twitter recently started adding a 't=' param to their share links [0] as well, and I can only guess that it's some kind of similar tracking scheme. From watching browser traffic it appears to be generated when you click the share button, but I might be wrong about that.

[0] https://twitter.com/NanoRaptor/status/1548301612246249474?s=... - the first thing in my feed. Link works fine without any of the query params, of course.
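
Added example, not part of any comment in this thread: a link cleaner that strips the query parameters named above (`fbclid`, and `s`/`t` on Twitter share links) and shows why the same approach cannot touch a `pfbid` path segment, for which it only builds the `/plugins/post.php` lookup URL tyingq describes. Function names are hypothetical, sample parameter values are constructed, and no network request is made.

```javascript
// Added example; parameter names come from the thread, sample values are constructed.
const GLOBAL_PARAMS = ["fbclid"];                          // appended to outbound links on any host
const HOST_PARAMS = new Map([["twitter.com", ["s", "t"]]]); // stripped on this host only

function bareHost(url) {
  return url.hostname.replace(/^www\./, "");
}

// Remove tracking parameters from the query string; leave everything else intact.
function stripTrackingParams(rawUrl) {
  const url = new URL(rawUrl);
  const drop = new Set([...GLOBAL_PARAMS, ...(HOST_PARAMS.get(bareHost(url)) || [])]);
  for (const name of [...url.searchParams.keys()]) {
    if (drop.has(name)) url.searchParams.delete(name);
  }
  return url.toString();
}

// True when a facebook.com URL carries an opaque "pfbid" identifier as a path
// segment. Query-string stripping cannot remove it without breaking the link.
function hasPathEmbeddedId(rawUrl) {
  const url = new URL(rawUrl);
  return bareHost(url) === "facebook.com" &&
    url.pathname.split("/").some((seg) => seg.startsWith("pfbid"));
}

// Build the /plugins/post.php lookup URL: the new-style URL goes in the
// "href" parameter, URL-encoded. The caller decides whether to fetch it.
function pluginLookupUrl(rawUrl) {
  return "https://www.facebook.com/plugins/post.php?href=" + encodeURIComponent(rawUrl);
}

// Decide what a link cleaner can do with a URL.
function classify(rawUrl) {
  const original = new URL(rawUrl).toString();
  const cleaned = stripTrackingParams(rawUrl);
  if (hasPathEmbeddedId(cleaned)) {
    return { action: "lookup", url: pluginLookupUrl(cleaned) };
  }
  return { action: cleaned === original ? "unchanged" : "stripped", url: cleaned };
}
```

The host-specific table matters: a bare `t=` or `s=` is an ordinary parameter on other sites, so stripping it everywhere would break links.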

[+] propogandist|3 years ago|reply
The params are included when sourcing a shareable link from the website/app (direct links don’t have this). This is a move to mimic TikTok’s aggressive tracking practices.

Twitter appears to be just analyzing who shares what with whom, but hasn’t moved into using it for ‘growth hacking’ like TikTok yet (i.e. join cmg, who shared this link on Twtr)

[+] benreesman|3 years ago|reply
I don’t have any super-special insight here, but FBID is facebook’s global integer ID namespace (fun fact: Zuckerberg’s account is 3, back in the day he was always getting random friend requests from people’s unit tests). Don’t know what a “p”-FBID is.

I know symmetric encryption is reasonably cheap these days, but anything times “Facebook edge requests” is a lot, I bet any of the cryptographers on here could find out pretty quickly what’s in that blob.

[+] sedatk|3 years ago|reply
"p-FBID" probably means "path FBID" in contrast to query string ones.
[+] NelsonMinar|3 years ago|reply
I have a feeling Facebook looks at URLs as an unfortunate requirement for running their walled garden in browsers. The more opaque, the better for their business.
[+] ynx|3 years ago|reply
I'm 90% certain the old number was an FBID. The new one looks like a different FBID encoding scheme - possibly with the type info included ('p') to reduce the overhead of a second data fetch.

FBIDs are a globally unique id system that they've been using for almost as long as they've been around, if not actually from the beginning.

[+] steve_taylor|3 years ago|reply
Here's how a browser could counteract this privacy-busting measure:

When the user clicks one of these links, the browser could open it in a headless tab and wait for the URL to change to a non-facebook URL. The browser then remembers that URL, closes the headless tab, and navigates to the underlying URL with tracking parameters stripped.

[+] accrual|3 years ago|reply
I noticed TikTok does something similar. For example, if you copy a link to a creator's page while logged in, your profile is encoded into the URL and your name and photo are displayed alongside the linked content. It's two steps to fix it - open the encoded link yourself, remove the extra data, then send the cleaned link.
[+] FollowingTheDao|3 years ago|reply
Oh it’s nothing, just something to make your life easier. Oh, and to make your life better as well. Just ignore it and keep using Facebook.
[+] cascada|3 years ago|reply
I don't understand. If I click on it.... and? How will that make me less private? Or how will it hurt me in any way?
[+] js2|3 years ago|reply
I wonder if this is related to why mbasic.facebook.com links are regularly breaking now.
[+] tester756|3 years ago|reply
Cannot somebody reverse engineer it?
[+] blantonl|3 years ago|reply

[deleted]

[+] joeferraro|3 years ago|reply
What an embarrassing take. So your retort to people crying foul over privacy is to call them hypocrites?
[+] cypress66|3 years ago|reply
That may be the way you think. But not everybody here thinks that way. Some of us have no interest in giving away our business to investors so they can then push you over and do all kinds of crap. And in addition some of us have no interest in extracting the absolute maximum value per user even if it involves unethical things. Because without doing so you can still live an extremely luxurious life.
[+] smarkov|3 years ago|reply
> do everything they can to extract as much value out of you as a non-paying customer as possible

And that leads to a worse user experience in many areas. You use it for free but it sucks and you sacrifice your data. I'd honestly rather pay $2-4/month for a social media that doesn't suck and doesn't harvest my data.

[+] bloqs|3 years ago|reply
Social pressure to make business more respectful of human rights when the business is financially incentivised to ignore them is a force for good. Someone has to clutch the pearls.
[+] xiaq|3 years ago|reply
Good will has business value too.
[+] saos|3 years ago|reply
People still use Facebook
[+] ehPReth|3 years ago|reply
billions of people, yes.
[+] baby|3 years ago|reply
if that's a question: yes I do!