436
YSK: You might be unknowingly doxxing yourself by sharing links containing trackers (lemmy.ca)
submitted 3 days ago by shadysus@lemmy.ca to c/youshouldknow@lemmy.world
69 comments fedilink hide all child comments

cross-posted from: https://lemmy.ca/post/31187638

Earlier today I came across a Reddit comment with a link to an Instagram post. The link had ?igsh= at the end.

When I clicked on the link, I got this popup. It had a name and profile photo that was different from that of the post being shared.

Join Firstname Lastname on Instagram

See photos, videos, and more from Firstname Lastname.

[ Open Instagram ]

not now

I avoid link trackers. However, I did not realize it was this bad.

To my knowledge, TikTok does the same thing and lists the name of the person that shared the link. Assuming this increases engagement, any website could enable such a feature, even on old links that you shared in the past.

You should manually remove any trackers before sharing, or use an app for it.

top 50 comments
sorted by: hot top controversial new old
[-] DillyDaily@lemmy.world 37 points 2 days ago

Yuuuup, found out the hard way that tiktok shows you when someone watches a link you sent them.

My dad loves sending me cat videos on the tiktok, he sends me the links on Facebook.

I have two tiktok accounts because I knew there was a risk that my dad would be able to find me on tiktok through contacts. My dad is a transphobe, so in order to not poke the bear I maintain a cis persona when dealing with him.

But it took him 0.3 seconds to realise that he sent his daughter a link, and then an openly transmasc account user with a similar name opened that link, and then his daughter replied to his message reacting to the link...my ears are still bringing from the phone call he made to me.

So thats how my misunderstanding of tiktok trackers outted me to my transphobic father.

(fortunately I'm a fully grown adult and can cut him out of my life if he doesn't calm down)

[-] chiliedogg@lemmy.world 4 points 2 days ago

I don't remember which site this was, but I remember it being a pretty big one...

Anyway - I shared a link on reddit about 10 years ago, and I got a PM from a user addressing me by my first name telling me to delete the link.

Not only did it say who I was - the link logged people into my account.

[-] DillyDaily@lemmy.world 5 points 1 day ago

Jesus, now that its terrifying!

What would even be the point of a link that allows you that? Like, why was it designed to do that!?

Props to that person who PM'd you the warning.

[-] chiliedogg@lemmy.world 3 points 1 day ago

They were probably just lazy in their site design and the link itself contained the token for the login or whatever.

[-] mouserat@discuss.tchncs.de 7 points 2 days ago

I'm so sorry you have to deal with this. And so terrified that anonymity is wiped out that easily

load more comments (4 replies)
[-] pineapplelover@lemm.ee 41 points 3 days ago* (last edited 3 days ago)

LPT, delete the ? and everything after the link. For example,

https://www.ebay.com/itm/256674765393?_skw=random+search+query&epid=305107635&itmmeta=01JAGAT958A3194F0WWPP0BMWT&itmprp=enc%3AAQAJAAAA8HoV3kP08IDx%2BKZ9MfhVJKlSz7A1nMKFudzMiZtdw6tFu1nh5DJKvXzdjdjHu2RfZAvgDUXQuOSGPo67%2BY3QcM0uz9PYr%2Fm3VgxgBHBi7PN6fzImAOW7S5fPSFRVcKGSbutH5wdKRELjEOI4BoKo0eh0DDrIUR%2FdtTPl9uhzogmFkFB4a47JGFzRO0bqDgnbCfvsInjL1niuaHX%2FSOQFhBjgPKb%2BWrV6D1mf1N0MUU2ckMNZmVhFrxx2422VJE%2FWAVMNowtm4wSnpquUv5dtQmnjdjda8SrXg%2BuARie%2B9k9hT9jThvNFQ8ORlJNg5t%2BA3EXTJ1q%2Fyw%3D%3D%7Ctkp%3ABFBM2pLpitRk

Becomes

https://www.ebay.com/itm/256674765393

While retaining the same product and removes your fingerprinting data.

This also applies for things like youtube, amazon, social media, etc. I have the cleanurls extension on firefox, yet it doesn't do a good job at removing this stuff, so I often have to manually do it before sharing links.

[-] Ephera@lemmy.ml 12 points 3 days ago

Mind that just removing everything after the question mark can break the link, because these parameters can also do useful things.
For example, if you use the search functionality on a webpage, you'll typically be redirected onto a URL with a parameter containing your search query.

And Firefox also has this tracking parameter removal built-in these days. In the right-click menu, you can select "Copy Link Without Site Tracking".
I cannot say, though, if this works better than CleanURLs. Because these parameters can do useful things, it's tricky to automatically remove them without breaking links.

[-] TheCoralReefsAreDying69@lemmy.world 6 points 3 days ago

There's gotta be an extension that does do a good job, right?

[-] Blackmist@feddit.uk 12 points 2 days ago

Firefox already has a copy without tracking built in

[-] Ephera@lemmy.ml 11 points 3 days ago

The problem is that these parameters can also do useful things, i.e. removing them might break the link. There's no inherent criteria to determine whether a parameter is used for tracking or not.

The way these extensions or Firefox' built-in feature works, is that they check for 'well-known' parameters. For example, lots of URLs contain parameters starting with utm_, which is from Google Analytics: https://en.wikipedia.org/wiki/UTM_parameters

As such, it's for example unlikely that someone would build a website which uses a parameter utm_medium with a value of social, without it being used for tracking, so that gets removed.
But if someone builds a website that puts your full name into a parameter called potato, there's just no way to automatically detect and remove that.

[-] tal@lemmy.today 104 points 3 days ago* (last edited 3 days ago)

I tend to manually strip out anything random hash-looking from URLs. Not so much because I'm worried about identity being exposed, but because it just encourages data-mining and figuring out what causes people to post links places.

There's some open-source app I recall on Android in F-Droid that will do this for a set of known sites, "Link Cleaner" or something.

kagis

"Leon -- URL Cleaner". I assume that this is an allusion to the movie.

https://github.com/svenjacobs/leon

I also strip off the extension that the Wikipedia app adds to indicate that Wikipedia links are from the app.

I also strip off "m." leading URLs, like "m.wikipedia.org", since that, by convention, forces desktop users to see a mobile version of a site, which is not normally what they want, whereas a non-.m link will still show the mobile site to mobile users.

[-] CrayonRosary@lemmy.world 1 points 1 day ago

You're the best!

I just installed it. Look at this perfectly anonymous link:

https://www.youtube.com/watch?v=p44G0U4sLCE

[-] oce@jlai.lu 47 points 3 days ago

Latest versions of Firefox offer to copy and paste URL without trackers. I am not sure how it compares to specialized tools.

[-] acockworkorange@mander.xyz 2 points 1 day ago

Apparently it doesn’t work with YouTube. That’s an elephant sized hole.

[-] CrayonRosary@lemmy.world 1 points 1 day ago

Google pays them a lot of money. Are you surprised?

[-] acockworkorange@mander.xyz 1 points 1 day ago

SHOCKED! ~/s~

I’d rather not attribute to malice what is more easily explained by incompetence.

[-] aleq@lemmy.world 12 points 3 days ago

How do I use this feature? I'm a Firefox user since quantum and had no idea this was a thing.

[-] my_hat_stinks@programming.dev 35 points 3 days ago

Just right click a link, it's the option directly under copy link.

[-] aleq@lemmy.world 13 points 3 days ago

Never knew it, very neat!

[-] edgemaster72@lemmy.world 15 points 3 days ago

I also strip off “m.” leading URLs...

Bless you kind netizen

[-] tb_@lemmy.world 18 points 3 days ago

Generally anything that comes after a questionmark in a URL can be safely stripped out, though not always. The random string of characters you get after a youtu.be link is tracking, the ?t=123 is a timestamp.

[-] Ephera@lemmy.ml 8 points 3 days ago

YouTube has an even better example of it being problematic to strip the parameters. The original video links look like this:

https://www.youtube.com/watch?v=dQw4w9WgXcQ

The thing is, the stuff after the question mark isn't inherently bad, we just have the convention that the path (/watch) should identify a static resource on the server, whereas the stuff after the question mark is more variable or user-specific.

But YouTube is older than that convention. If YouTube got built today, that URL would look more like this:

https://www.youtube.com/watch/dQw4w9WgXcQ

On the other hand, the URL of a specific search result page would still look the same, even with today's conventions, because it doesn't identify a static resource:

https://www.youtube.com/results?search_query=never+gonna+give+you+up
[-] tb_@lemmy.world 5 points 2 days ago

Nice example link you used there

[-] Ephera@lemmy.ml 3 points 2 days ago

Thanks, although I don't believe there's any other link I could've used. 🙃

[-] cmnybo@discuss.tchncs.de 22 points 3 days ago

There is a Firefox addon called ClearURLs that automatically removes all of the tracking crap. It works on PC and Android.

[-] TunaLobster@lemmy.world 2 points 1 day ago

I used that so much when I was creating purchase orders. Nobody needs to know how I got to that page.

[-] tb_@lemmy.world 15 points 3 days ago

uBlock Origin also has a filter built-in, though you have to enable it. It's under Filter Lists > Privacy > AdGuard URL Tracking Protection

load more comments (1 replies)
[-] Asifall@lemmy.world 7 points 3 days ago

Yeah I have a habit of doing this and then testing the link to find the smallest possible version. Mostly because I find it annoying when I want to text a link to someone and it takes up an entire page of the chat.

[-] kambusha@sh.itjust.works 10 points 3 days ago* (last edited 3 days ago)

URLCheck may be the app you're thinking of.

Edit: the way it works, is that you set it up as your default browser. Then, whenever you hit a link, it will open up URLCheck first, and you'll get to decide what to do with the link, strip away query parameters, and which app to open the link with.

[-] CrayonRosary@lemmy.world 2 points 1 day ago

you set it up as your default browser

You don't have to. You can just copy any URL and share it to the app. Then copy it from the app.

load more comments (5 replies)
load more comments (1 replies)
[-] huginn@feddit.it 50 points 3 days ago

Note that a TikTok link is un-cleanable. It will always trace back to you. Do not ever share TikTok links unless you're willing to expose your identity to the person you're sharing with.

[-] danda@lemmy.zip 12 points 3 days ago

I think you can go find the video in an incognito tab, then grab the link from there

[-] subtext@lemmy.world 25 points 3 days ago

Specifically, you can “share” it to yourself, open that link in an incognito tab, then strip out everything but the user and video id

https://www.tiktok.com/@USERNAME/video/LONGSTRINGOFDIGITS

You have to do the same thing with Amazon a.co links I think

load more comments (1 replies)
load more comments (1 replies)
[-] jherazob@fedia.io 42 points 3 days ago

MANY apps currently have these unneeded tracker parameters, here's Youtube

[-] Andromxda@lemmy.dbzer0.com 7 points 2 days ago

https://f-droid.org/en/packages/com.svenjacobs.app.leon/

[-] GeneralInterest@lemmy.world 19 points 3 days ago

Good PSA. Personally I'm not that worried because

  1. I don't use Instagram
  2. Firefox has an option to copy links without site tracking, which hopefully would work on Instagram links
  3. I try to only write stuff online that wouldn't be massively embarrassing if anyone does happen to figure out who I am
[-] AlexanderESmith@social.alexanderesmith.com 4 points 2 days ago

Wait, you conduct yourself in a manner consistent with a reputation you'd like to maintain? Even when you don't think anyone will find out who you are?

What kind of responsible shit is that? Don't you know you're on the Internet?

load more comments (4 replies)
load more comments (1 replies)
[-] _____@lemm.ee 18 points 3 days ago

another PSA if you have an Xbox account (even for PC) and have added anyone to friends they get to see your full name, state city. It is very cool to play games while also doxing yourself. thanks Microsoft

[-] QuadratureSurfer@lemmy.world 9 points 3 days ago

You can go into settings and change it so that it doesn't show to anyone. But at some point they made an update and it reset those options to the default setting even if you had previously set it to hidden.

At that point I just went in and changed my name on my account settings.

[-] subtext@lemmy.world 7 points 3 days ago

Hi yes, my name is Tim Microsoft, I live at 123 Microsoft St, Microsoft, CA 12345-6789

[-] sigmaklimgrindset@sopuli.xyz 6 points 3 days ago

I actually have MS Seattle HQ address as my Xbox address lol

load more comments (1 replies)
[-] _____@lemm.ee 4 points 3 days ago* (last edited 2 days ago)

it was on me to use my real name. at the same time for any online purchase I use my real name so I didn't give it second thought.

I just thought it was very wrong of them to expose that to friends list. I pick a nickname for a reason, so people see my nickname.

load more comments (1 replies)
[-] balder1991@lemmy.world 13 points 3 days ago

Ever since I realized TikTok creates a unique share URL that tells the person you’re the one sharing it, I became paranoid with any social media share links that are created dynamically. I won’t share them unless I try them out first.

[-] Shameless@lemmy.world 4 points 2 days ago

Its more effort but I do this if I think its worth sharing a link, test the link in a private browser first. I just also don't want to be doxxing friends and family to the platform in question either.

Let's just share content and not track people and accounts

[-] Randelung@lemmy.world 2 points 2 days ago

It's the reason I don't use share buttons. The YouTube link is clean (afaik, idk if they encode data into the ID) when copying the URL. Same with other services.

load more comments
view more: next ›
this post was submitted on 18 Oct 2024
436 points (98.9% liked)

You Should Know

32856 readers
235 users here now

YSK - for all the things that can make your life easier!

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)

Rule 1- All posts must begin with YSK.

All posts must begin with YSK. If you're a Mastodon user, then include YSK after @youshouldknow. This is a community to share tips and tricks that will help you improve your life.

Rule 2- Your post body text must include the reason "Why" YSK:

**In your post's text body, you must include the reason "Why" YSK: It’s helpful for readability, and informs readers about the importance of the content. **

Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.

Rule 4- No self promotion or upvote-farming of any kind.

That's it.

Rule 5- No baiting or sealioning or promoting an agenda.

Posts and comments which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.

Rule 6- Regarding non-YSK posts.

Provided it is about the community itself, you may post non-YSK posts using the [META] tag on your post title.

Rule 7- You can't harass or disturb other members.

If you harass or discriminate against any individual member, you will be removed.

If you are a member, sympathizer or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people and you were provably vocal about your hate, then you will be banned on sight.

For further explanation, clarification and feedback about this rule, you may follow this link.

Rule 8- All comments should try to stay relevant to their parent content.

Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.

Rule 10- The majority of bots aren't allowed to participate here.

Unless included in our Whitelist for Bots, your bot will not be allowed to participate in this community. To have your bot whitelisted, please contact the moderators for a short review.

Partnered Communities:

You can view our partnered communities list by following this link. To partner with our community and be included, you are free to message the moderators or comment on a pinned post.

Community Moderation

For inquiry on becoming a moderator of this community, you may comment on the pinned post of the time, or simply shoot a message to the current moderators.

Credits

Our icon(masterpiece) was made by @clen15!

founded 1 year ago
MODERATORS
_MoveSwiftly@lemmy.world
Thekingoflorda@lemmy.world
ja2@lemmy.world
Rooki@lemmy.world
Boozilla@lemmy.world