Skip to main content


This was predictable. Facebook/Meta is now encrypting the QP data so that Firefox and other privacy conscious browsers that strip the tracking data can't. Only way to avoid it is to not use Facebook at all. #DeleteFacebook #SurveillanceCapitalism https://www.ghacks.net/2022/07/17/facebook-has-started-to-encrypt-links-to-counter-privacy-improving-url-stripping/
in reply to Hank G ☑️

Typical cat-and-mouse game. I predict this will go even further: we’ll see libraries for major web servers pop up that would handle query param encryption/decryption on the fly which will make this practice ubiquitous, rendering any existing URL-based tracking prevention irrelevant.
in reply to ilyess

Yeah not sure where the war will go. I'll just avoid Facebook as much as I can, continue using the Facebook Container plugins in Firefox, etc.
in reply to ilyess

As I understood it the blob is encrypted by the server. If done properly there is nothing the client can do. It would be like decrypting a pgp encrypted document.

However, it is plausible for a script to get the URL from the link text (if they display that), but unfortunately you likely won't see the entire url that way unless it is short.
in reply to Gigantos

Yes, it’s done server-side. The library would handle the encryption/decryption so that the web server can continue accessing the query params as if they were in plain text. If done well, it could be a plug-and-play middleware type of deal.
in reply to ilyess

And those JS libraries will be blocked in the next step of the cat-and-mouse game!
in reply to Phel

Those libraries are most likely going to be on the server side so this might be the last round of the game, sadly.
Unknown parent

Hank G ☑️
Yeah to end users it looks no different than the other jumble of characters at the end of links. I can't even manually clean up Facebook links. Craziness.
in reply to Hank G ☑️

Only way to avoid it is to not use Facebook at all.

I'll continue that habit then.
in reply to Hank G ☑️

It certainly was predictable. Now send the URL to a server and let it do the decoding, so Meta gets as little data as possible from the result. Continue driving meta's costs up; the more engineering and CPU they need to throw at this problem, the better.

Or just pass privacy-preserving legislation and avoid the whole situation. Go buy your government official's profiles from a data broker and post them online; that should get things moving.
in reply to Hank G ☑️

The solution to many things is to "not use Facebook at all" (nor Twitter nor Instagram nor Tiktok).
in reply to Hank G ☑️

AES encryption has been basically free, computationally, for 15+ years. What took Facebook so long to do this? Didn't act until enough people were sanitizing their URLs?
in reply to Hank G ☑️

They are shameless and block at the DNS level on my machines.
in reply to Hank G ☑️

I don't really use Facebook either, but it sounds like maybe you can also avoid this by never clicking on outgoing links from Facebook?

(Evil regardless, but it would be useful to have an idea of whether I'll be taking risks if I occasionally log on to message somebody about a party invitation they sent me or something like that.)
in reply to Hank G ☑️

Looking very much forward to when DSA kicks in so I can throw 'Meta' in the bin.
in reply to Hank G ☑️

I guess the only possible defense is to let the browser pop up a big fat warning whenever handling a facebook link. On the source side whenever a user copies a link, a popup should explain what you are targeting your friends with. And the receiving side, a browser should present a warning before opening a Meta link (like most mua's does with external links in mail content)
in reply to Hank G ☑️

Sweet, my decade-long constant avoiding of anything tied to FB at all has paid off!
in reply to Hank G ☑️

throw in the fact unlock origin doesn't work and no support system in place for when the trademarking system doesn't work and you sure have a dumpster fire.
Unknown parent

Hank G ☑️
Good question I'm not sure.
Unknown parent

Hank G ☑️

Content warning: Re: Facebook

in reply to Hank G ☑️

Most of the data Facebook and many, many other companies and data brokers get come from mobile apps. Their SDK's are built-in, constantly spying on the user and relaying tons of info. URL tracking is, by comparison, a quite minor thing.