cross-posted from: https://lemmy.ca/post/31187638

Earlier today I came across a Reddit comment with a link to an Instagram post. The link had ?igsh= at the end.

When I clicked on the link, I got this popup. It had a name and profile photo that was different from that of the post being shared.

Join Firstname Lastname on Instagram

See photos, videos, and more from Firstname Lastname.

[ Open Instagram ]

not now

I avoid link trackers. However, I did not realize it was this bad.

To my knowledge, TikTok does the same thing and lists the name of the person that shared the link. Assuming this increases engagement, any website could enable such a feature, even on old links that you shared in the past.

You should manually remove any trackers before sharing, or use an app for it.

  • tal@lemmy.today
    link
    fedilink
    English
    arrow-up
    105
    arrow-down
    2
    ·
    edit-2
    2 months ago

    I tend to manually strip out anything random hash-looking from URLs. Not so much because I’m worried about identity being exposed, but because it just encourages data-mining and figuring out what causes people to post links places.

    There’s some open-source app I recall on Android in F-Droid that will do this for a set of known sites, “Link Cleaner” or something.

    kagis

    “Leon – URL Cleaner”. I assume that this is an allusion to the movie.

    https://github.com/svenjacobs/leon

    I also strip off the extension that the Wikipedia app adds to indicate that Wikipedia links are from the app.

    I also strip off “m.” leading URLs, like “m.wikipedia.org”, since that, by convention, forces desktop users to see a mobile version of a site, which is not normally what they want, whereas a non-.m link will still show the mobile site to mobile users.

    • oce 🐆@jlai.lu
      link
      fedilink
      arrow-up
      48
      ·
      2 months ago

      Latest versions of Firefox offer to copy and paste URL without trackers. I am not sure how it compares to specialized tools.

      • tb_@lemmy.world
        link
        fedilink
        arrow-up
        16
        ·
        2 months ago

        uBlock Origin also has a filter built-in, though you have to enable it. It’s under Filter Lists > Privacy > AdGuard URL Tracking Protection

        • JadenSmith
          link
          fedilink
          arrow-up
          4
          ·
          2 months ago

          Thank you, I had no idea. Already had uBlock Origin on my phone (FF), so that’s one less extension needed. Works perfectly!

          • tb_@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            1 month ago

            I assume it blocks something from loading, but I wouldn’t exactly know. I haven’t looked into it.

    • tb_@lemmy.world
      link
      fedilink
      arrow-up
      18
      ·
      2 months ago

      Generally anything that comes after a questionmark in a URL can be safely stripped out, though not always. The random string of characters you get after a youtu.be link is tracking, the ?t=123 is a timestamp.

      • Ephera@lemmy.ml
        link
        fedilink
        arrow-up
        8
        ·
        2 months ago

        YouTube has an even better example of it being problematic to strip the parameters. The original video links look like this:

        https://www.youtube.com/watch?v=dQw4w9WgXcQ
        

        The thing is, the stuff after the question mark isn’t inherently bad, we just have the convention that the path (/watch) should identify a static resource on the server, whereas the stuff after the question mark is more variable or user-specific.

        But YouTube is older than that convention. If YouTube got built today, that URL would look more like this:

        https://www.youtube.com/watch/dQw4w9WgXcQ
        

        On the other hand, the URL of a specific search result page would still look the same, even with today’s conventions, because it doesn’t identify a static resource:

        https://www.youtube.com/results?search_query=never+gonna+give+you+up
        
    • kambusha
      link
      fedilink
      arrow-up
      10
      ·
      edit-2
      2 months ago

      URLCheck may be the app you’re thinking of.

      Edit: the way it works, is that you set it up as your default browser. Then, whenever you hit a link, it will open up URLCheck first, and you’ll get to decide what to do with the link, strip away query parameters, and which app to open the link with.

      • CrayonRosary@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        2 months ago

        you set it up as your default browser

        You don’t have to. You can just copy any URL and share it to the app. Then copy it from the app.

      • otter@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        5
        ·
        2 months ago
        1. Setting anything as your default “browser” when it’s not a browser is only a little sus — “open” source, or no.

        2. Don’t share a link if you can’t find its complete “verbose” version.

        3. 🤷🏽‍♂️🤞🏽

        • conciselyverbose
          link
          fedilink
          arrow-up
          5
          ·
          2 months ago

          The reasoning is super transparent. It’s the only way it could do what it’s doing. 🤷🏼‍♀️

        • MicrowavedTea@infosec.pub
          link
          fedilink
          arrow-up
          3
          ·
          2 months ago

          How is it more “sus” than setting any other application as default browser? It needs to be default because that’s how Android works.

        • Cheradenine
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          You can also set default browser to ‘none’ then anytime you tap a link a list of browsers and things like Leon, URL check etc. will pop up. In any case they don’t require internet access to work.

    • Asifall@lemmy.world
      link
      fedilink
      arrow-up
      7
      ·
      2 months ago

      Yeah I have a habit of doing this and then testing the link to find the smallest possible version. Mostly because I find it annoying when I want to text a link to someone and it takes up an entire page of the chat.

    • wrekone@lemmyf.uk
      link
      fedilink
      arrow-up
      3
      ·
      2 months ago

      Leon is great. I try to remember to use it anytime I share a link. As a result, I have found that that some links are just the base url plus a UUID (e.g. mycoolshoppingsite.com/GAJEBKT), so you can’t strip out the tracking without breaking the link entirely.

  • huginn@feddit.it
    link
    fedilink
    arrow-up
    51
    arrow-down
    1
    ·
    2 months ago

    Note that a TikTok link is un-cleanable. It will always trace back to you. Do not ever share TikTok links unless you’re willing to expose your identity to the person you’re sharing with.

    • danda@lemmy.zip
      link
      fedilink
      arrow-up
      12
      arrow-down
      1
      ·
      2 months ago

      I think you can go find the video in an incognito tab, then grab the link from there

    • kofe@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      It would only show the info relating to the account though, right? I don’t share my Instagram because I can’t figure out how to disconnect it from my Facebook (plus it doesn’t embed on discord - very rude), but I don’t use my real info for any of my other accounts.

  • /home/pineapplelover@lemm.ee
    link
    fedilink
    arrow-up
    42
    ·
    edit-2
    2 months ago

    LPT, delete the ? and everything after the link. For example,

    https://www.ebay.com/itm/256674765393?_skw=random+search+query&epid=305107635&itmmeta=01JAGAT958A3194F0WWPP0BMWT&itmprp=enc%3AAQAJAAAA8HoV3kP08IDx%2BKZ9MfhVJKlSz7A1nMKFudzMiZtdw6tFu1nh5DJKvXzdjdjHu2RfZAvgDUXQuOSGPo67%2BY3QcM0uz9PYr%2Fm3VgxgBHBi7PN6fzImAOW7S5fPSFRVcKGSbutH5wdKRELjEOI4BoKo0eh0DDrIUR%2FdtTPl9uhzogmFkFB4a47JGFzRO0bqDgnbCfvsInjL1niuaHX%2FSOQFhBjgPKb%2BWrV6D1mf1N0MUU2ckMNZmVhFrxx2422VJE%2FWAVMNowtm4wSnpquUv5dtQmnjdjda8SrXg%2BuARie%2B9k9hT9jThvNFQ8ORlJNg5t%2BA3EXTJ1q%2Fyw%3D%3D|tkp%3ABFBM2pLpitRk

    Becomes

    https://www.ebay.com/itm/256674765393

    While retaining the same product and removes your fingerprinting data.

    This also applies for things like youtube, amazon, social media, etc. I have the cleanurls extension on firefox, yet it doesn’t do a good job at removing this stuff, so I often have to manually do it before sharing links.

    • Ephera@lemmy.ml
      link
      fedilink
      arrow-up
      13
      ·
      2 months ago

      Mind that just removing everything after the question mark can break the link, because these parameters can also do useful things.
      For example, if you use the search functionality on a webpage, you’ll typically be redirected onto a URL with a parameter containing your search query.

      And Firefox also has this tracking parameter removal built-in these days. In the right-click menu, you can select “Copy Link Without Site Tracking”.
      I cannot say, though, if this works better than CleanURLs. Because these parameters can do useful things, it’s tricky to automatically remove them without breaking links.

      • Ephera@lemmy.ml
        link
        fedilink
        arrow-up
        12
        arrow-down
        1
        ·
        2 months ago

        The problem is that these parameters can also do useful things, i.e. removing them might break the link. There’s no inherent criteria to determine whether a parameter is used for tracking or not.

        The way these extensions or Firefox’ built-in feature works, is that they check for ‘well-known’ parameters. For example, lots of URLs contain parameters starting with utm_, which is from Google Analytics: https://en.wikipedia.org/wiki/UTM_parameters

        As such, it’s for example unlikely that someone would build a website which uses a parameter utm_medium with a value of social, without it being used for tracking, so that gets removed.
        But if someone builds a website that puts your full name into a parameter called potato, there’s just no way to automatically detect and remove that.

  • DillyDaily@lemmy.world
    link
    fedilink
    arrow-up
    41
    ·
    2 months ago

    Yuuuup, found out the hard way that tiktok shows you when someone watches a link you sent them.

    My dad loves sending me cat videos on the tiktok, he sends me the links on Facebook.

    I have two tiktok accounts because I knew there was a risk that my dad would be able to find me on tiktok through contacts. My dad is a transphobe, so in order to not poke the bear I maintain a cis persona when dealing with him.

    But it took him 0.3 seconds to realise that he sent his daughter a link, and then an openly transmasc account user with a similar name opened that link, and then his daughter replied to his message reacting to the link…my ears are still bringing from the phone call he made to me.

    So thats how my misunderstanding of tiktok trackers outted me to my transphobic father.

    (fortunately I’m a fully grown adult and can cut him out of my life if he doesn’t calm down)

    • chiliedogg@lemmy.world
      link
      fedilink
      arrow-up
      5
      ·
      2 months ago

      I don’t remember which site this was, but I remember it being a pretty big one…

      Anyway - I shared a link on reddit about 10 years ago, and I got a PM from a user addressing me by my first name telling me to delete the link.

      Not only did it say who I was - the link logged people into my account.

      • DillyDaily@lemmy.world
        link
        fedilink
        arrow-up
        6
        ·
        2 months ago

        Jesus, now that its terrifying!

        What would even be the point of a link that allows you that? Like, why was it designed to do that!?

        Props to that person who PM’d you the warning.

        • chiliedogg@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          2 months ago

          They were probably just lazy in their site design and the link itself contained the token for the login or whatever.

      • DillyDaily@lemmy.world
        link
        fedilink
        arrow-up
        5
        ·
        2 months ago

        I’ve been out as queer since I was 14. I’m in my 30, he still hasn’t come around.

        Given his age and health, if he’s planning too come around he’d better get on it quick, at this rate he’s dying a bigot.

        I’m not waiting any more, I put my whole life on hold waiting for him to come around so I could live my life safely. If I need to cut him out of my life I will.

        I appreciate they kind words, but please keep in mind mind that it’s not always smart or safe to tell a trans person to be patient. The individual will know their level of safety, and advice to be patient and understanding can in some cases case be very, very harmful.

          • DillyDaily@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            2 months ago

            No idea, he lives on the other side of the state and I only see him 3 times a year for his birthday, father’s day and Christmas. My brother used to live with him but he spends most of his time with mum now.

            I’m certain my dad is getting this rhetoric from social media because he’s a lonely and isolated man in his late 60s with no friends outside of his male dominated blue collar job.

            But it’s not my job to reform him, I don’t have the skill set or energy.

  • GeneralInterest@lemmy.world
    link
    fedilink
    English
    arrow-up
    19
    ·
    2 months ago

    Good PSA. Personally I’m not that worried because

    1. I don’t use Instagram
    2. Firefox has an option to copy links without site tracking, which hopefully would work on Instagram links
    3. I try to only write stuff online that wouldn’t be massively embarrassing if anyone does happen to figure out who I am
    • XeroxCool@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      2 months ago

      The fingerprinting goes waaaaay beyond Instagram. Maybe not frequently username specific, but it’s still kinda weird to always be throwing out your device type, browser, and prior we page among other things

  • _____@lemm.ee
    link
    fedilink
    English
    arrow-up
    18
    ·
    2 months ago

    another PSA if you have an Xbox account (even for PC) and have added anyone to friends they get to see your full name, state city. It is very cool to play games while also doxing yourself. thanks Microsoft

    • QuadratureSurfer@lemmy.world
      link
      fedilink
      English
      arrow-up
      9
      ·
      2 months ago

      You can go into settings and change it so that it doesn’t show to anyone. But at some point they made an update and it reset those options to the default setting even if you had previously set it to hidden.

      At that point I just went in and changed my name on my account settings.

        • A_Random_Idiot@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          2 months ago

          if I ever start a multibillion dollar company, I am totally going to name the road [Company] St, with the address being 123.

          Just so everyone thinks the HQ address is fake.

      • _____@lemm.ee
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        2 months ago

        it was on me to use my real name. at the same time for any online purchase I use my real name so I didn’t give it second thought.

        I just thought it was very wrong of them to expose that to friends list. I pick a nickname for a reason, so people see my nickname.

  • Balder@lemmy.world
    link
    fedilink
    English
    arrow-up
    13
    ·
    2 months ago

    Ever since I realized TikTok creates a unique share URL that tells the person you’re the one sharing it, I became paranoid with any social media share links that are created dynamically. I won’t share them unless I try them out first.

    • shameless@lemmy.world
      link
      fedilink
      arrow-up
      4
      ·
      2 months ago

      Its more effort but I do this if I think its worth sharing a link, test the link in a private browser first. I just also don’t want to be doxxing friends and family to the platform in question either.

      Let’s just share content and not track people and accounts

  • Randelung@lemmy.world
    cake
    link
    fedilink
    arrow-up
    2
    ·
    2 months ago

    It’s the reason I don’t use share buttons. The YouTube link is clean (afaik, idk if they encode data into the ID) when copying the URL. Same with other services.

  • MachineFab812@discuss.tchncs.de
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    2 months ago

    Joke’s on you; Almost all of the personalized links whatever app/sites generate for me to share are invalid until I delete massive chunks of them!

    As a result, I anonymize all of them just so I can share stories about random bullshit.

  • unemployedclaquer@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    6
    ·
    2 months ago

    Here I am, mister froggy, and my hat is slay, and I bought a subscription to a VPN controlled by an Israeli company