Firefox’s “Query Parameter Stripping” feature, explained

Firefox is continuing its efforts to defend user privacy with a new feature that removes URL identifiers and trackers when you follow a link. It’s intuitively called “Query Parameter Stripping” and it’s a handy feature if you don’t want to be tracked around the web, as some sites like Facebook use URL strings to bypass cookie blocking.

It’s easier to understand with an example. You’ve probably noticed that when you copy and paste a URL after following it on social media or an email newsletter, there are often a lot of extra bits added to the end.

Grab this link to our story about sharks learning to love coastal towns. The URL that was posted on Facebook was: https://www.popsci.com/environment/sharks-near-coastal-cities/.

However, the actual URL when I clicked on it on Facebook was: https://www.popsci.com/environment/sharks-near-coastal-cities/?utm_campaign=trueanthem_AI&utm_medium=social&utm_source=facebook&fbclid=IwAR0e807ix9JPTB_PwVoVw422Y7cXJ-iw-NvqamcKqCpe1Imgdc4f2u1

Anything after the question mark makes no difference to the link – it just provides Facebook (and, as a full disclosure, PopSci) with information about who clicks which links and why.

All “UTM” elements (short for Urchin Tracking Module) – in this case, utm_campaign, utm_medium and utm_source – are used by web analytics applications such as Google Analytics to measure the effectiveness of marketing campaigns and compare sources of traffic. You can see that this link was from social media, specifically Facebook, and was part of a marketing campaign called “trueanthem_AI”. If the link was posted on Twitter, utm_campaign and utm_medium would be the same, and utm_source would be different. This, in and of itself, isn’t particularly insidious as it only paints a general picture of what drives traffic to particular stories.

The fbclid URL query parameter, however, is a bit more invasive. It’s used by Facebook to track who visits which websites and clicks on which links, even if the site they’re visiting doesn’t have Meta Pixel (Facebook’s tracking tool) installed. This is so Facebook can collect data, serve ads, and generally invade your privacy for profit.

It’s important to note that Facebook isn’t the only service doing this, nor are the sites the URLs link to fully aware of what’s going on. Almost every site that serves ads relies on some sort of profile of who you are and what interests you to maximize their ad revenue. Features like Firefox’s “Cookie Jar” can make this profile quite meaningless and incomplete, but without such protections in place it can reveal shocking personal information about you.

Although Bleeping Computer discovered that Firefox’s new feature blocked URL tracking parameters from Olytics, Drip, Vero, HubSpot, Marketo, as well as Facebook, it comes with some caveats. Firefox isn’t the only browser that blocks URL trackers – Brave has had a similar feature for some time – but it’s the most popular. Also, blocking URL tracking is not enough if you want to stay anonymous on the web. This is a great fallback strategy for ad tech companies when cookie-based tracking isn’t working, but if you haven’t enabled Total Cookie Protection, it won’t make much of a difference.

If you are using Firefox, you can enable query parameter stripping by going to about: setupwhich you can type in the URL bar, and set privacy.query_stripping.enabled.pbmode at true. Make sure you also have Enhanced Tracking Protection (it’s in Settings > Privacy and Security) set to strict to kill cookies too.

Comments are closed.