tl;dr: don’t click on links to web sites, because they track your web activity and build profiles of you on multiple sites. Instead open a new private/incognito tab and either go to the web site yourself or use the more-privacy-respecting web search site DuckDuckGo.com to search for the specific web page.
How Facebook turns a 30-character URL into 590 characters of tracking information
Esperanza Spalding (Emily’s D+Evolution still my favorite 2000s album) made a Facebook post about her new tour that included the web site link
https://esperanzaspalding.com/
But if you mouse over the link in most desktop browsers which show the URL in the bottom status, or if you right-click on the link and choose Copy link address and paste it into a text editor, the link’s web address (URL) is actually this huge thing:
https://l.facebook.com/l.php?u=https%3A%2F%2Fesperanzaspalding.com%2F%3Ffbclid%3DIwZXh0bgNhZW0CMTAAAR0GFfm_1kNBGO8_Gj5Jw1yGNg7CcESNuQF_BwID8lNHTPulAv6H0EslEZY_aem_5TmhPsgLAsxp1wYoL52Olw&h=AT3MDVKiM2DFcwX9GNPmFN2eoFP7Al_qnUE95-rD5yu0MPBLkdOYnabANAdpSdtJ8cb6H6KCI8Nt6-RvE-Xg9u1d1afpPlFwIWcB_eUnHbBSzuAP5LDRyXjw-BG7h3GGJxsCpA&__tn__=-UK-R&c[0]=AT3GgPrSUnTQeXGiptq8As6-BdI4v5mUNBKKmoUnmqp9gHqtwaojHVJuXEcRt0DzR1TWKGZVx3maNMdkLwelWZOI1rAULuMQQXFpiMiLH19bndn2Mqi64ggPmK82XxUEh59CayTdVi2Y2ynCr2tOushkNrrwoDDf9JjyVaQWEr8KVDoVmo72gBkaHm-NzOidIV1ydh9H7WXxqubMK49m7-Xs4-ZqQJjMqUZsm_mpZPXgf377qsWTFs5cRA
If you squint you can see the esperanzaspalding URL in there, but it’s surrounded by a bunch of crap.
What you see isn’t where your browser goes
Point 1: the link text that you see in text on computers and phones is not the URL that your browser goes to when you click or tap the link. This isn’t surprising when the link text is, e.g. best power trio jazz-funk-rock-pop album of all time , but when it looks like a web site address, you might expect to go to that web address. (And this is how spammers get you! The link text can be www.apple.com/getRefund
, but the actual link is to a fake login page on a phishing web site.)
So the link you click doesn’t go to her site, it goes to a special Facebook site l.facebook.com
, where ‘l‘ probably stands for “Facebook’s Links processing”, with a bunch of parameters (everything after the question mark) that include the actual web site you thought you were going to visit and a bunch more tracking. In addition, Facebook’s web page can do special tracking in JavaScript when you click (or move the mouse at all) and this could add even more crap to the network request.
Advice 1: right-click and copy URLs. It’s harder for web sites to track your menu actions than your normal mouse clicks.
I followed a guide for Firefox to track actual network activity and it turns out Facebook doesn’t dynamically change the URL when you click; the URL that you can, with effort, view is the same one your browser requests.
What is all 591 characters of crap in the URL?
The great and good inventor of the web Sir Tim Berners-Lee specified how all the parameters after the question mark have to be encoded: briefly each is separated with & and certain characters are represented specially (e.g. colon ‘:‘ becomes %2F), and usually the parameters are name
=
value
, so we can decode them. I used the JavaScript function uuDecodeComponent()
and then put each one on a separate line for clarity:
https://l.facebook.com/l.php
?
u = https://esperanzaspalding.com/?fbclid=IwZXh0bgNhZW0CMTAAAR0GFfm_1kNBGO8_Gj5Jw1yGNg7CcESNuQF_BwID8lNHTPulAv6H0EslEZY_aem_5TmhPsgLAsxp1wYoL52Olw
&
h = AT3MDVKiM2DFcwX9GNPmFN2eoFP7Al_qnUE95-rD5yu0MPBLkdOYnabANAdpSdtJ8cb6H6KCI8Nt6-RvE-Xg9u1d1afpPlFwIWcB_eUnHbBSzuAP5LDRyXjw-BG7h3GGJxsCpA
&
tn = -UK-R
&
c[0] = AT3GgPrSUnTQeXGiptq8As6-BdI4v5mUNBKKmoUnmqp9gHqtwaojHVJuXEcRt0DzR1TWKGZVx3maNMdkLwelWZOI1rAULuMQQXFpiMiLH19bndn2Mqi64ggPmK82XxUEh59CayTdVi2Y2ynCr2tOushkNrrwoDDf9JjyVaQWEr8KVDoVmo72gBkaHm-NzOidIV1ydh9H7WXxqubMK49m7-Xs4-ZqQJjMqUZsm_mpZPXgf377qsWTFs5cRA
The first line shows that the request goes to the “page” l.php on the web host l.facebook.com
. This isn’t a web page that shows something in your browser, it runs a special program which takes all those parameters and does lots of processing of your request to track everything it possibly can about you on Facebook’s servers, and then tells your browser to go to another site. You normally don’t see any visible output in your browser from this link tracking; maybe if you watch carefully you’ll see the URL in your browser’s location field change.
I’m guessing, but the ‘u‘ parameter is likely the actual URL your click should go to. Note that this passes its own nested parameter fbclid
, which stands for Facebook Click ID, Meta explains it as:
a Meta-generated parameter that is passed with the URL of an advertiser’s website when a user clicks an ad on Facebook and/or Instagram. Sharing ClickID can help you attribute more conversions and reach more people, which may drive better ad performance.
So esperanzaspalding.com can use this ID to track how people responded to her Facebook post. I have no idea what the rest of the parameters mean, it’s lots of information that Facebook is sending itself when you click.
Strip everything after the question mark!
In general if you copy the URL of a news story or web page and then paste it into your browser, you can and should remove the question mark and everything after. For example, here’s an MSN link to a news story:
https://www.msn.com/en-us/news/politics/with-democrats-help-senate-votes-to-avert-a-government-shutdown/ar-AA1AW73B?ocid=hpmsn&cvid=2a12bbe42a494edbb0af4b04b8f38dfc&ei=35
The ocid and cvid are probably yet more tracking IDs, who knows what ei does (“economic indicator” net worth level?).
Advice 2: To remove the tracking, open a private/incognito browser tab, then paste in the URL, then delete the question mark and everything after it. In this example, the URL becomes
https://www.msn.com/en-us/news/politics/with-democrats-help-senate-votes-to-avert-a-government-shutdown/ar-AA1AW73B
and only then press Return or click the → arrow to go to the site. But this doesn’t work for Facebook and an increasing number of sites, because the URL you go to is not even the destination web site. If I strip the question mark and everything after from Facebook’s URL for EsperanzaSpalding.com, I just get https://l.facebook.com/l.php
, which doesn’t go to her site.
You are in a maze of tracking
Cookies and site data
There are other ways for sites to track you. They can set “cookies” on your browser or store data other data on your computer or phone, such that every request to the same site re-sends all the cookies it has set and data it has stored on your computer. This is yet more tracking, which is why you should browse in a private/incognito window, and regularly clear cookies and other data that sites have shoved into your browser. If you’re just trying to read a web page, there’s no reason for that web site to store any information.
Advice 3: clear cookies and site data. To clear this information a site has shoved into your browser: in Firefox, while visiting the site, click the shield icon next to the location bar and choose “Clear cookies and site data…”; in Chrome, I think it’s click the lock icon next to the URL, select Site settings, and then Clear data to remove the cache for that specific site. You can set Firefox to “Delete cookies and site data when Firefox is closed”, adding exceptions for sites you want to stay logged into or remember your shopping cart: go to Settings > Privacy & Security (about:preferences#privacy) and set this up in the “Cookies and Site Data” section.
Advice 4: browse as much as possible in a private/incognito browser tab. If you browse sites in private/incognito browser tabs, your browser stores less of the information sites tell it to store.
Advice 5: block “third-party cookies.” That’s where one web site tries to set a cookie on a different web site. There is no legitimate reason to do this except laziness from web site developers, and it’s 99.9% of the time used by data brokers and advertising services.
Link shortening, link trackers
And if the Facebook post uses a link shortener like bit.ly , that is doing its own processing to track your information before directing your browser to the actual site you want to visit. I’ve followed URLs (using the command-line tool curl --dump-header - http/complicated/URL?here
, more details below) that go through four or more web sites. And every single ad and “share this on Facebook/Twitter/Instagram/TikTok” button on the original web site (Facebook) can track your mouse movement with JavaScript and send information to a data broker even if you don’t click on the ad or the sharing link.
Advice 6: browse with Firefox and the uBlock Origin ad-blocking extension. It’s a hassle and web sites will break.
So enter web sites or search for them yourself
The only surefire way to avoid nearlly all of this tracking is to open a new private/incognito browser tab, and enter the URL of the web site itself: esperanzaspalding.com Or, if you want to read a particular web page on a site, you can use a search engine that tracks you less. In general links in DuckDuckGo search results just link to the actual web site with a lot less of these intermediaries and tracking parameter malarkey.
TODO: how does Google do it?
Google search results appear to go to the simple URL of the site. Google must be using JavaScript to send HTTP updates to Google.
Appendix: Following what the browser does
A link sends your browser to a particular web site. But for a link tracker like l.facebook.com or bit.ly, instead of it showing you a web page, that web site redirects you to the actual web site by putting special instructions in its response to your browser. You can follow this on the command-line with the excellent curl utility. You enter:
curl --dump-header - 'https://l.facebook.com/l.php?u=https%3A%2F%2Fesperanzaspalding.com%2F%3Ffbclid%3DIwZXh0bgNhZW0CMTAAAR0GFfm_1kNBGO8_Gj5Jw1yGNg7CcESNuQF_BwID8lNHTPulAv6H0EslEZY_aem_5TmhPsgLAsxp1wYoL52Olw&h=AT3MDVKiM2DFcwX9GNPmFN2eoFP7Al_qnUE95-rD5yu0MPBLkdOYnabANAdpSdtJ8cb6H6KCI8Nt6-RvE-Xg9u1d1afpPlFwIWcB_eUnHbBSzuAP5LDRyXjw-BG7h3GGJxsCpA&__tn__=-UK-R&c[0]=AT3GgPrSUnTQeXGiptq8As6-BdI4v5mUNBKKmoUnmqp9gHqtwaojHVJuXEcRt0DzR1TWKGZVx3maNMdkLwelWZOI1rAULuMQQXFpiMiLH19bndn2Mqi64ggPmK82XxUEh59CayTdVi2Y2ynCr2tOushkNrrwoDDf9JjyVaQWEr8KVDoVmo72gBkaHm-NzOidIV1ydh9H7WXxqubMK49m7-Xs4-ZqQJjMqUZsm_mpZPXgf377qsWTFs5cRA'
and, oops!, curl responds
curl: (3) bad range in URL position 339:
because Facebook is perverting Sir Tim’s design for HTTP requests by putting square brackets in c[0]=blahblah
without encoding them. We can tell curl to ignore this violation with its --globoff
command-line option, and now you can see that site sends a location
header that tells the browser where to go:
curl --dump-header --globoff - 'https://l.facebook.com/l.php?u=https%3A%2F%2Fesperanzaspaldingblahblahblah rest of long URL
location: https://l.facebook.com/l.php?u=https%3A%2F%2Fesperanzaspalding.com%2F%3Ffbclid%3DIwZXh0bgNhZW0CMTAAAR1AHkbuvUzs5O-eggNLo_AYJBT8QW_ENsUyJB99MwLv_anJ6B_x2ZGe-ot8XCTLIw0SYZOTaCz51jjGuG3HB_weYA3G05lh02b1H1V6K4UmRROtpDBPXYi23QM4ZuHQRmn0YqzUfdtP11SJi36hVMCXaFph-5myrQt4vGGEfuswb4qQR_WoBlnGxQvQ
But wait, it’s just redirecting to Facebook’s link processing site again, but with an even longer fbclid parameter! We have to add the --location
flag to tell curl to keep following these ^%$#@! redirects. This shows that the second request issues a different header:
refresh: 1;URL=https://esperanzaspalding.com/?fbclid=IwY2xjawJB0VVleHRuA2FlbQIxMAABHUAeRu69TOzk756CA0uj8BgmyrIstxiKk_O6bKot3tHPBLVAZuf52tMAKA_aem_O0mc9-kOVUE1oYyShfB9uQ
And now, finally, your browser winds up on the site you thought your click would take you to. Facebook is probably pulling other crap when it detects that an actual browser is making the request.