On Thursday, EFF released a new version of Privacy Badger featuring a new, experimental way to protect your privacy on—and crucially, off—Facebook. It specifically targets link tracking, Facebook’s practice of following you whenever you click on a link to leave facebook.com.

Download Privacy Badger

What is link tracking?

Say your friend shares an article from EFF’s website on Facebook, and you’re interested. You click on the hyperlink, your browser opens a new tab, and Facebook is no longer a part of the equation. Right?

Not exactly. Facebook—and many other companies, including Google and Twitter—use a variation of a technique called link shimming to track the links you click on their sites.

When your friend posts a link to eff.org on Facebook, the website will “wrap” it in a URL that actually points to facebook.com: something like https://l.facebook.com/l.php?u=https%3A%2F%2Feff.org%2Fpb&h=ATPY93_4krP8Xwq6wg9XMEo_JHFVAh95wWm5awfXqrCAMQSH1TaWX6znA4wvKX8pNIHbWj3nW7M4F-ZGv3yyjHB_vRMRfq4_BgXDIcGEhwYvFgE7prU. This is a link shim.

When you click on that monstrosity, your browser first makes a request to Facebook with information about who you are, where you are coming from, and where you are navigating to. Then, Facebook quickly redirects you to the place you actually wanted to go.

That’s just how basic link shimming works. Facebook’s approach is a bit sneakier. When the site first loads in your browser, all normal URLs are replaced with their l.facebook.com shim equivalents. But as soon as you hover over a URL, a piece of code triggers that replaces the link shim with the actual link you wanted to see: that way, when you hover over a link, it looks innocuous. The link shim is stored in an invisible HTML attribute behind the scenes.

Tracking link replacement on hover

When you hover over a link shim, Facebook hides the tracking URL in an HTML attribute behind the scenes.

The new link takes you to where you want to go, but when you click on it, another piece of code fires off a request to l.facebook.com in the background—tracking you just the same.

Privacy Badger to the rescue

To combat this, the latest version of Privacy Badger finds all new link shims as they’re added to the page, replaces them with their "unwrapped" equivalents, and blocks the tracking code that would run when you hover over or click on them. We owe special thanks to Michael Ziminsky, whose code for the extension Facebook Tracking & Ad Removal formed the basis for this feature.

Privacy Badger already blocks third-party trackers. But Facebook performs a tremendous amount of first-party tracking as well—logging your browsing habits when you’re on facebook.com or using their mobile app. Some of that is consensual. When you decide to “like” a post or leave a comment, you are voluntarily sharing information with Facebook and with your friends. Facebook has legitimate uses for that information that serve you, the user.

But much of it, like link tracking, happens without your knowledge or consent. That’s where we hope Privacy Badger can make a difference.

According to Facebook's official post on the subject, in addition to helping Facebook track you, link shims are intended to protect users from links that are "spammy or malicious." The post states that Facebook can use click-time detection to save users from visiting malicious sites. However, since we found that link shims are replaced with their unwrapped equivalents before you have a chance to click on them, Facebook's system can't actually protect you in the way they describe.

Facebook also claims that link shims "protect privacy" by obfuscating the HTTP Referer header. With this update, Privacy Badger removes the Referer header from links on facebook.com altogether, protecting your privacy even more than Facebook's system claimed to.

Privacy Badger has been performing link unwrapping on Twitter, which uses “t.co/...” shim links, for some time. And Privacy Badger already blocks many of the ways Facebook tracks you around the web, including "like" buttons and third-party cookies.

More to come

This update is our first foray into blocking first-party trackers on Facebook. Moving forward, we’ve noticed that some tracking still occurs in Firefox when users click on links with the middle and right mouse buttons. And we’ve just scratched the surface of the behind-the-scenes tracking Facebook actually does.

In the coming months, we’ll continue investigating the kinds of tracking that Facebook, Google, Twitter, and others do on their own sites to see where it makes sense for Privacy Badger to get involved. We’ll keep you updated on our progress. In the meantime, if you’re a developer and would like to help, check us out on Github. And if you haven’t yet, be sure to install Privacy Badger!