Firefox’s privacy crusade now targets a key form of tracking
Some sites use URL strings as a workaround when cookies are blocked. Firefox's new user privacy feature stops this.
Firefox is continuing its push to defend user privacy with a new feature that strips out URL identifiers and trackers when you follow a link. It’s intuitively called “Query Parameter Stripping” and it’s a handy feature if you don’t want to be trailed around the web since some sites like Facebook use URL strings to get around cookies being blocked.
This is easiest to understand with an example. You’ve probably noticed that when you copy and paste a URL after following it from social media or an email newsletter, there’s often a lot of extra bits tacked on the end.
Take this link to our story on sharks learning to love coastal cities. The URL that was posted to Facebook was: https://www.popsci.com/environment/sharks-near-coastal-cities/.
However, the actual URL when I clicked it on Facebook was: https://www.popsci.com/environment/sharks-near-coastal-cities/?utm_campaign=trueanthem_AI&utm_medium=social&utm_source=facebook&fbclid=IwAR0e807ix9JPTB_PwVoVw422Y7cXJ-iw-NvqamcKqCpe1Imgdc4f2u1Ccuc.
Everything that comes after the question mark doesn’t make a difference to the link—it just provides Facebook (and, as a full disclosure, PopSci) with information about who is clicking on what links and why.
All the “UTM” stuff (that’s short for Urchin Tracking Module)—in this case, utm_campaign, utm_medium, and utm_source—is used by web analytics apps like Google Analytics to measure the effectiveness of marketing campaigns and compare sources of traffic. You can see that this link came from social media, specifically Facebook, and that it was part of a marketing campaign called “trueanthem_AI”. If the link were posted to Twitter, the utm_campaign and utm_medium would be the same, and the utm_source would be different. This, by itself, isn’t particularly insidious, as it just paints a broad picture of what drives traffic to particular stories.
The fbclid URL query parameter, however, is a little more invasive. It’s used by Facebook to track who visits what websites and clicks on what links even if the site they’re visiting doesn’t have the Meta Pixel (Facebook’s tracking tool) installed. It’s all so Facebook can collect data, serve ads, and generally undermine your privacy for the sake of profit.
It’s important to note that Facebook isn’t the only service that does this, nor are the sites that the URLs link to entirely unaware of what’s happening. Almost every site that serves ads relies on some kind of profile of who you are and what you’re interested in to maximize its ad revenue. Features like Firefox’s “Cookie Jar” might make this profile fairly meaningless and incomplete, but with no such protections in place, it can reveal shockingly personal information about you.
Although Bleeping Computer found that the new Firefox feature blocked URL tracking parameters from Olytics, Drip, Vero, HubSpot, Marketo, as well as Facebook, this comes with a couple of caveats. Firefox isn’t the only browser that blocks URL trackers—Brave has had a similar feature for a while—but it is the most popular. Also, just blocking URL tracking isn’t enough if you want to stay anonymous on the web. URL tracking is a great fallback strategy for ad tech companies when cookie-based tracking doesn’t work, but if you don’t have Total Cookie Protection enabled, blocking it won’t make much difference.
If you use Firefox, you can enable Query Parameter Stripping by going to about:config, which you can type into the URL bar, and setting privacy.query_stripping.enabled.pbmode to true. Make sure you’ve also got Enhanced Tracking Protection (it’s in Settings > Privacy & Security) set to Strict to kill the cookies too.
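What stripping does to the shark-story link above, as an added example (not Firefox's code and not from the article): it removes the listed parameters and leaves every other part of the URL byte-for-byte intact. The strip lists, the function names and the fbclid value are assumptions made for illustration; only fbclid and the utm_* names come from the article.

```javascript
// Added example. DEFAULT_STRIP holds the one per-click identifier the article
// names; STRICT_STRIP also drops the campaign tags (a policy choice assumed here).
const DEFAULT_STRIP = ["fbclid"];
const STRICT_STRIP = ["fbclid", "utm_campaign", "utm_medium", "utm_source"];

// Constructed sample: the article's link with a placeholder fbclid value.
const SAMPLE =
  "https://www.popsci.com/environment/sharks-near-coastal-cities/" +
  "?utm_campaign=trueanthem_AI&utm_medium=social&utm_source=facebook" +
  "&fbclid=CONSTRUCTED_ID";

// Decode a parameter name so an encoded spelling such as "%66bclid" still matches.
function decodeName(raw) {
  try {
    return decodeURIComponent(raw.replace(/\+/g, " "));
  } catch {
    return raw; // malformed percent-encoding: compare the raw text instead
  }
}

// Returns the cleaned URL plus the names that were removed.
// Throws TypeError if href is not an absolute URL.
function stripTrackingParams(href, stripList = DEFAULT_STRIP) {
  const url = new URL(href);
  // Case-insensitive matching is a choice made in this example.
  const blocked = new Set(stripList.map((n) => n.toLowerCase()));
  const removed = [];
  const kept = [];
  // Work on the raw query text rather than URLSearchParams, which would
  // re-serialize (and possibly re-encode) the parameters we want to keep.
  for (const pair of url.search.slice(1).split("&")) {
    if (pair === "") continue;
    const name = decodeName(pair.split("=", 1)[0]).toLowerCase();
    if (blocked.has(name)) removed.push(name);
    else kept.push(pair);
  }
  url.search = kept.join("&"); // an empty string also drops the bare "?"
  return { url: url.href, removed };
}
```

The returned `removed` list is what you would log to see which links arrived carrying identifiers.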