[jacobajit]

A particularly bad instance of link tracking I've found is in TikTok's link sharing feature.

If you share a link from the TikTok app, it gives you a vm.tiktok.com/[xyz] link to send/post elsewhere. It gives you no indication that this isn't a generic link to the post, nor does it give you an option to expose the generic link to the post.

Instead, when you share that link and someone clicks on it and does not have the app, it opens with a header saying "[First Last] is on TikTok." On the other hand, once you do click on that link (if and only if you don't have the app installed), you get redirected to the static link to the video and finally obtain it.

This is an anti-pattern that enables further tracking and potentially unknowingly exposes user data when links are shared publicly. And there's no indication to the user that this is happening, since the link is structured as if it does not contain any tracking. Ie a tool like this wouldn't be able to "strip out" the tracking since it isn't tacked on in any way, but embedded as the generated link itself.

[gonehome]

That’s pretty bad. I think TikTok’s risks are higher than people think. It’s better to avoid it.

https://stratechery.com/2020/the-tiktok-war/

Any company running out of mainland China is going to have serious privacy problems due to CCP influence and their need to comply with both local laws and the government’s interest in influencing public sentiment.

[madeofpalk]

As a non-american, we don't really have a choice of using a "native" social network that only has interference from our own government.

[gonehome]

That doesn’t make the two equivalent.

Also, hopefully soon you will: https://urbit.org/

[bb010g]

Digital land ownership! Just what the internet desperately needed. /s

[h0p3]

I will not defend Urbit, though I count myself lucky to read fossuser's posts where I find them. I would argue about digital land ownership and what the internet's users (and possible future users) need though. I'm interested in what the internet is for (like everything else). Would you like to have a serious conversation about that? That does seem a worthy topic, even if Urbit does not address it effectively enough (I'm still not convinced it won't centralize power). I suggest the workers must own the means of production. What do you think?

[gonehome]

These knee-jerk responses are lame.

- IDs stop the spam problem and give people control over something that keeps its reputation (and they're cheap).

- Federated systems normally suck because administering the servers and keeping decentralized versions in sync is hard. Urbit's design fixes this.

- Encrypted by default, ability to be as easy to run as FB (eventually, not right now). Peer to peer with the address space and key issues solved from first principles.

- Stability over long time horizons due to design (goal being indefinite), the urbit abstraction layer doesn't change and state can always be recomputed - changing pieces are implemented via jets to communicate with whatever underlying OS is doing the normal stuff.

It's a clever design and solves a lot of problems with modern computing, people often dismiss it out of hand because Yarvin's politics are stupid (he's no longer involved in the project and hasn't been for some time). Peter Thiel's Trump support was stupid too, but that doesn't mean he doesn't get a lot of other stuff right.

https://urbit.org/blog/the-understanding-urbit-podcast/

[earthboundkid]

LOL, if you don't like a social network run by communists or capitalists, try the one run by don't-call-them-fascists.

[Siira]

Still, it’s obvious that the CCP is more competent in executing centralized, longterm plans, and has much less cultural/institutional pressure not to seriously screw over people.

[smnrchrds]

It also has much less ability to screw over people unless they live in China. China cannot project power the way US can.

[Teever]

This isn't totally accurate.

You are correct that China cannot project power in the sense that they can't easily invade a country or level shattering economic sanctions but they have proven themselves quite capable of targetting individuals in other nations both online and in the real world.

Either way, there is a moral imperative to prevent China from gaining the ability to project power the way the US can. The US being able to project that kind of power is shitty, and the two entities being able to do that is even shittier.

[jrochkind1]

I appreciate that you recognize the US being able to do it is shitty.

I wonder how many non-Americans think two entities being able to do it is better than one, because at least they can counter-balance each other.

Not just with force; I was recently thinking about how the US during the cold war tried to be "nice" to the "third world" to keep them out of the "sphere of influence" of the Soviet Union. Currently China is trying to project it's "soft power" that way too to get less developed countries into it's patronage, but the US isn't really doing that at the moment (see for instance approaches to distributing covid vaccine...).

I (who is a usa citizen) personally am not really sure which is preferable, only one super-power, or two. Either way the world is in for a rough ride.

[djhn]

Cannot for now.

[fsflover]

Have a look at Mastodon, PeerTube, PixelFed etc.

[chmod775]

Many countries have their own domestic social networks with varying popularity - some are way more active than FB, others are more or less dead. Russia is an example of the former.

Other countries don't use social media much, because they are culturally just not as interested in it.

There's a few countries where you can't really avoid being on any social network and that social network is not domestic, but those you can probably count on one hand. Off the top of my head I can just come up with Australia, India and Indonesia.

[absove]

Curious in which category you think the majority of European countries fall into? The domestic social network one, or the don't use social media one? Because as far as I can tell US social networks are the norm there and there very much is a social expectation that you are reachable on them, even if it's not government mandated.

[chmod775]

> there very much is a social expectation that you are reachable on them

I disagree. People will (somewhat) expect you to have a WhatsApp in many European countries, but hardly anyone will expect you to use Facebook.

At least in my circles Facebook is a wasteland. Many people haven't even posted anything in years, and if I was trying to reach anyone via Facebook I'd settle in for a long wait - until they check it in a month or two.

You won't notice it if you just open Facebook, because Facebook will fill your feeds with people who are active, but when I go through my list of contacts there it's obvious less than one in five are still actively using it.

I don't claim total knowledge of the situation everywhere, but I do keep in contact with people of a lot of different countries.

[MomoXenosaga]

Europe has been deeply colonised by US tech companies.

I do not agree with Chinese stance on democracy or human rights but I admire their willingness to play by their own rules. Not opening their markets and rolling out the red carpet for Silicon valley was wise.

[jrochkind1]

I wonder how many of those are in fact infiltrated by the NSA, the Chinese equivalent, or both though. :(

[calvinmorrison]

Any company running out of mainland USA is going to have serious privacy problems due to USA influence and their need to comply with both local laws and the government’s interest in influencing public sentiment.

[wongarsu]

Yes, if you care about privacy both the large Chinese services and the large American services are bad.

If you use Facebook or Instagram assume that the NSA has all your data, and that someone might try to manipulate you. If you use TikTok assume that China has all your data, and someone might try to manipulate you. You either choose your poison, or you stay on services that aren't in the limelight

[gonehome]

One big difference is in the US the companies are not required to manipulate content to serve USG interests. TikTok may downrank or censor HongKong videos because the government forces them to - the same does not happen at American companies.

I think the 'assume they have all of your data' is paranoid (particularly for encrypted stuff like whatsapp), but people should probably more careful about this kind of thing than they are anyway. The US has laws and rules around access, you may not agree with them - but they are far and away better than the CCP's approach.

The CCP is running concentration camps for a minority population of their own citizens, invading and taking over neighboring countries (HK with an eye towards Taiwan), and censoring pooh bear from the internet because of a light hearted comparison to Xi. The police call foreign students in the US to threaten them over their internet activity: https://www.vice.com/en/article/jgxdv7/chinese-police-are-vi...

The comparisons are not valid.

[wongarsu]

> particularly for encrypted stuff like whatsapp

End-To-End encryption is useless if like in the case of WhatsApp you don't control the client, but a company beholden to US secret courts does. "“For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” said a 2010 memo describing a briefing about N.S.A. accomplishments" [1]

> The US has laws and rules around access

I'm not a US citizen and reside outside the US, which from my limited legal understanding means that the US law doesn't give a crap about me

I agree that in recent decades China has a worse human rights record, which is a major factor when you "choose your poison".

1: https://www.propublica.org/article/the-nsas-secret-campaign-...

[gonehome]

All reasonable points, though I think whatsapp is secure - I think for most people the best choice is Signal for general messaging and assuming everything else is largely public.

Even in Signal people can and do take screenshots, so really probably just best to be cautious of anything in writing that you wouldn't want published.

This is one reason I'm excited about Urbit - I think it'll be cool to get out of the dependence on centralized services.

[leephillips]

You're right about Chinese government behavior. But “the same does not happen at American companies.” --- no, but they censor the internet in obedience to Pakistani demands.

[gonehome]

You're right, and I think that's wrong: https://zalberico.com/essay/2020/06/13/zoom-in-china.html

[lurkerasdfh8]

Not sure why you think those are exclusive. All companies mentioned have offices and comply with law on both regions.

[ebruchez]

If you think the two are actually comparable in degree, you are seriously misled.

[gonehome]

Whataboutism style arguments (which are always the knee-jerk reactions that show up) are wrong.

I wrote about this at length here: https://zalberico.com/essay/2020/06/13/zoom-in-china.html and won’t rehash it again in the comments.

[imiric]

It's really frustrating how often whataboutism is used whenever China is criticized, particularly towards the US.

Yes, we know other countries have similar issues, but we can't excuse the blatant wrongdoings of the CCP by pointing the finger elsewhere.

It often feels like the work of bots or government shills anytime it happens, but good luck getting to the bottom of that.

[brabel]

Why is it frustrating when others point out that the most popular services, which are usually from the USA, also have the same kind of problem of being under the influence of the respective government, but nobody seems to be as worried about it? The criticism almost always comes up whenever a service provided by a Chinese company is mentioned in any context. China has shown no interest that I know of in spying on non-Chinese citizens, so I feel like it's probably less problematic to use a chinese service than an American one if your only worry is that someone is spying on you, specially considering how there's plenty of evidence of the USA spying on the whole bloody planet, including heads of state of allied countries, for f'sake...

>It often feels like the work of bots or government shills

Do you think I'm a bot because I disagree with you? Maybe you are the bot... how can we verify you're not? :D good luck getting to the bottom of that.

[Teever]

> China has shown no interest that I know of in spying on non-Chinese citizens

Assuming that this assertion is true what motivates China to be so authoritarian towards their citizens but not so to the rest of the world? Is it altruism or inability?

Does China only spy on their own citizens but not the rest of the world because they like the rest of the world more than their own citizens and they want the rest of the world to have rights and freedoms that they believe their own citizens don't deserve?

If it comes down to an inability to spy on the rest of the world what do you think will happen when China does develop the ability to spy on the rest of the world?

[shard]

> China has shown no interest that I know of in spying on non-Chinese citizens

I believe China has kept tabs on 2 groups of non-Chinese citizens: 1. foreign nationals within China borders, and 2. foreign nationals who are ethnically Chinese.

[imiric]

It's frustrating because it's not the topic of conversation, and it only serves to derail it as we're doing now.

If we're discussing the high cost of apples and someone brings up oranges, it doesn't change the fact that apples are expensive.

> Do you think I'm a bot because I disagree with you?

No, but a lazy comment doing s/China/USA/ certainly reads like it. And if you've seen some of the threads on Reddit or Twitter it becomes pretty clear some accounts search for any negative discussion about China and interject with whataboutism, which would be pretty easy to automate.

[sm4rk0]

> Why is it frustrating when others point out

Because it's painful to be awaken from the "American dream".

[userbinator]

With websites, at least you can just copy the URL from the address bar and clean it. Of course, people are being slowly dumbed down by browser's (mostly Chrome, but Firefox seems to follow its stupid trends not long afterwards) attempts at removing or hiding the URL, which is no surprise when you realise that herding the userbase to use dedicated "share" buttons (complete with tracking) is one of the reasons they're doing that.

[DangerousPie]

What's to stop a website to do the same thing with the URLs in your address bar?

[ryankrage77]

They absolutely do that, but when you copy-paste them to share elsewhere, you can manually strip all the tracking info out.

For example, when I search Google for 'Hacker News', the URL I arrive at is "https://www.google.com/search?client=firefox-b-d&q=hacker+ne...". If I want to send that to a friend, I would edit the link to be "https://www.google.com/search?q=hacker+news".

The dedicated share buttons will often give you a link generated on the fly, with all the tracking info on the back end. For example, if google was to do this (which they thankfully don't), the link might look like "google.com/?query=cce1602b-5af6-4d95-965b-e88450afc266", and in the database there would be all sorts of tracking info tied to it. I can't edit that URL to dissaciate from that information, so if I share it, they would know it was me who shared it, and not someone else visiting it on their own.

Of course, companies can and do track you via less obvious means all the time, but this is just one small way you can foul a data point for them.

[Black101]

> They absolutely do that, but when you copy-paste them to share elsewhere, you can manually strip all the tracking info out.

If they create custom urls for everyone that look like https://website.com/uuid/ and don't redirect you to the real url... it is not possible to strip anything unless you do some research to find another URL that redirects you to the same page. Not sure what that would do to your search engine rankings though...

[imiric]

Stack Overflow does something similar, and adds a user tracking ID to any shared link, though apparently it's possible to remove it without breaking the link[1].

I only noticed when I received a badge for how many times it was clicked, and even though it's not nefarious I'd still prefer it to be opt-in rather than done by default.

[1]: https://meta.stackoverflow.com/q/277769

[joshstrange]

Yes, I regularly warn people on Reddit that their full name is being leaked in the TikTok link they shared. I have an iOS shortcut that expands the URL and chops off the gross tracking stuff so I can share links in private/public without exposing my TikTok "name" (I don't link any accounts and my name is made up).

[ehsankia]

> I have an iOS shortcut that expands the URL and chops off the gross tracking stuff

Ooo, that's pretty neat. I wonder if something similar can be achieved on Android. I usually manually paste it in chrome and copy the redirect, although I also enable desktop view to not get the mobile link.

[joshstrange]

You might want to look at some basic Android automation tools. I'm pretty sure I've seen some before but I don't know any off the top of my head. It was really simple to write the iOS Shortcut, all I did was:

* Accept a URL as input

* Expand the URL to the full link

* Find the "?" in the new url and snip everything after and including it.

Originally I looked for ".html?" but some TikTok links don't have the ".html" anymore so I had to switch to just "?". Tasker for Android [0] might be what you are looking for but I can't be sure. You might want to ask on the subreddit [1] for help or search there for something similar.

[0] https://play.google.com/store/apps/details?id=net.dinglisch....

[1] https://www.reddit.com/r/tasker/

[ehsankia]

I didn't realize iOS shortcuts were so powerful, that's awesome. I do believe tasker should be able to do it, thanks!

[Breza]

VRBO is another egregious example. My friend asked what I thought about a house she was thinking of renting for a trip. VRBO wouldn't let me view the link on my phone unless I downloaded their app. I had her copy and paste the house's description which I then Googled to get to the right listing.

[milofeynman]

When twitter's snowflake was lengthened recently I was worried they might be doing this too. I'm afraid of the big ones moving to this. Spotify, instagram, twitter, etc

[ddorian43]

Where was it lengthed ?

[space_fountain]

A fun/weird result of this that the interface in the link is in the language of whoever generated the link not your browser’s language

[1vuio0pswjnm7]

Assuming any certificate pinning can be defeated, it is easy to manipulate URLs with a loopback-bound forward proxy. Would be great if someone provided example of one of these TikTok URLs so we could investigate.

[jtbayly]

But this can be solved, too, can’t it? It’s effectively a Bitly link. Just need to auto-expand to the final destination, right?

[plorg]

I have a self-written set of userscripts that does this, as well as unsetting javascript link rewrites and including bitly link expansion and Amazon URL decluttering. I would love to be able to use it on Firefox for Android again, but I don't see them enabling e.g. Tampermonkey any time soon.

If any shortlink uses bitly as a backend, you can expand it yourself by copying the link and adding a "+" at the end, bringing you to the bitly properties page for that link.

[jamesdwilson]

Beware that Bit.ly and others themselves often do malicious redirects.

https://news.ycombinator.com/item?id=9508150

[anoncake]

The UX is garbage, but if you use the nightly there is a way to use arbitrary extensions.

[yewenjie]

I use Universal Bypass for these kind of links.

https://universal-bypass.org/

[black_puppydog]

Piece of cake. I'm sure there's an app for that, which incidentally needs access to your location data... /s

[jtbayly]

ClearURLs is being discussed. It changes the URL you are visiting to remove tracking info. There are preexisting plugins that do the same thing with shortened URLs—unmasking them and thus untrackifying them.

So mock and downvote all you want. I don't see why ClearURLs couldn't add this functionality.

Edit: Or am I just being downvoted by people who don't want anybody to know that it's possible to stop this form of tracking?

[ronjouch]

I fail to understand how you'd "unmask" a backend-obfuscated URL (where you just have an ID, and there's no way to get the target URL by just looking at the URL) without opening the URL, defeating the purpose of improving privacy we're discussing here.

Or maybe you and OP don't care about the privacy part of the problem, and you just want to automate getting the "canonical" / "non-personal" one from the "masked" one?

[netcraft]

a service expanding that link one time to give you the underlying static url without tracking before sharing is far better than even one real person clicking it, wouldnt you agree? the trackers would know at least one person clicked it but thats about it?

[ronjouch]

To you and sibling comment: oooookay, you're thinking from the position of an obfuscated link sharer/sender, not receiver.

You want ClearURLs (or something else) to always resolve to a canonical link, so that you're easily able to share this canonical URL, and to never have a tracked URL in your URL bar so that you don't share it by mistake. Makes sense.

[jacurtis]

This works if the sender of the shortened link wants to protect other's privacy preemptively. Then they could certaintly follow the link, log a single click, then grab the final url and share that.

But the average person isn't going to do that. They will share the nice, short, pretty url that tiktok gives them. But once someone gives you that shortened url, there is no way for you to view the video on the other end of that URL without being tracked. You would need to follow the link, tiktok would track you, only after they have logged the data will they send your browser a redirect to the proper url.

[IgorPartola]

I can think of two ways of doing this:

1. When I go to share a link, automatically trace it and remove all tracking so I get the final URL without any tracking parameters attached.

2. When I am sent a link with tracking parameters as a part of it, or a shortened link, send it to a remote server which will follow the links until it finds the final destination and removes tracking parameters, then send it back to me.

Both approaches have downsides. The first is nice for when I send a link to a friend but not when I get a link in an email from a company. This happens to me all the time and since I use NextDNS to block trackers I often can’t even get to the final website because of the various trackers I would have to go through to get to it which are blocked at the DNS level. I am still trying to figure out a good solution to this.

The second has the obvious privacy problem: who is watching the watchers?

[fouc]

because the service accesses the link and follows the redirects and then returns the final link to you, with tracking removed

[teolandon]

Please stop complaining about downvotes.

ronjouch explains how it's not really possible to stop this form of tracking below. In order to unmask the URL, you need to pretty much visit the URL, which registers the tracking data, so even if you, as a user, gets a stripped URL that's safe to use, you will still have effectively clicked the link.

[gowld]

If you are "unmasking" the URL it's because either you already visited or you are going to visit it? The masked URL and the unmasked URL are hosted by the same entity.

Unmasking (by the sender or a trusted intermediary, such as Tor) removes the risk of leaking the sender data to the (transitive) recipient

[mimimi31]

>I don't see why ClearURLs couldn't add this functionality.

I think the problem is that, for security reasons, ClearURLs can't change URLs arbitratily. It can only remove parts of it, so the actual URL would have to be a parameter. See [1] for a relevant comment by the extension's author.

[1] https://github.com/ClearURLs/Addon/issues/102#issuecomment-8...

[jacurtis]

> Or am i just being downvoted by people who don't want anybody to know that it's possible to stop this form of tracking?

I think you are confused how this works. Because it would NOT be possible to stop this type of tracking. That is why you are being downvoted. The downvotes are because you are simply wrong, not because there is a conspiracy on HackerNews of people that don't want other people to know that it is possible to stop tracking.

Here's how it works: In the example given above, you only have the url vm.tiktok.com/[short-url-id]. This URL does not represent anything on its own. When you click the link, it goes to a tiktok server that looks up the `[short-url-id]` portion of the url in a database, which contains the actual video id/url that is trying to be shared, along with additional metadata about the share such as the person that shared it and the device the user is coming from, etc. This information is then logged in a data warehouse or sent down a data firehose to eventually perform advanced analytics to TikTok. All of this is happening while you are waiting to get the real url of the video back. Yes it's only a few milliseconds, but by the time you get the url of the video back so that you can actually watch the video, the data has already been logged. Your privacy is already compromised.

So your suggestion is to "unmask" the url and "untrackify" it and then give the user the end-url with the actual video. The problem is that the only way to get the real url and to "untrackify" it, you need to contact TikTok and they will already log the data before you can get the real url back. You can't simply "unmask" it. Only TikTok knows what the real URL is. In order to get the real url you need to ask them (by following the short url link) and they will log your data before they give you the real url. There isn't any way around this (other than not using the vm.tiktok share links).

I am not sure if the "real url" that tiktok gives you contains url parameters in it or not. It probably does. So you could theoretically remove those. For example turn tiktok.com/video-url?sharing_user=username123&device=iphone into tiktok.com/video-url. This would be possible. But it wouldn't do anything to protect your privacy. It would simply remove the "[First Last] is on TikTok" message. But the data already got logged when you exchanged the short-url for the long-url. So the privacy damage has already been done. This is why "unmasking" simply doesn't do anything other than give you the illusion of privacy, without any change to real privacy.

By contrast, when you see a url like cnn.com/news-story-url?utm_source=facebook and you remove the parameters from that type of link, you can actually overt a certain level of tracking because the tracking hasn't been logged yet when you remove the parameters. So removing the params into the link cnn.com/news-story-url and following that, will avoid the tracking because the tracking is done on the actual visit with that specific url. Since you removed the tracking parameters, the website now has no data to actually track.

[jacobajit]

As others have mentioned, it does depend on what exactly you're defending against.

Preemptively opening the link as the sender will send a request to TikTok, but they're not really gaining any useful data there since you just watched the video, hit share (this is what they know so far), and now you opened the link that you had generated. So their database only learned that you shared a video with yourself, which you immediately opened.

The more valuable data is when various intended recipients open the link, allowing TikTok to associate you with them to serve more targeted videos based on implicit social graph, etc.

Moreover, opening the link yourself to get the "canonical url" protects yourself if you're sharing the link broadly since others can't obtain your name [and potentially more?] from the shortlink.

Now, if you're the recipient, there's not much you can do to avoid the tracking link, besides opening it up in as much of an anonymous environment as possible. But interestingly enough, I find the privacy threat greater to the sender. The sender has a TikTok account to aggregate data quite straightforwardly, unlike the recipient. The sender is also being associated with a number of recipients, vs. the recipient with only one sender, and again only through cookies, IP, or something of that sort.

[jtbayly]

It's entirely possible for Apple or Mozilla (just for example) to run a service checking URLs. In fact they already do this IIRC. They could easily replace all of these redirect links with the real link. Thus every unique link would be visited exactly once. By Apple. Not tracked.

And that's actually stopping it. Even if you don't want to do that, there's real utility in an incremental step where if I go to re-share a Tiktok video I don't accidentally help them track others.

[zuppy]

that's not the problem, you can easily expand the url with curl (it will probably be a redirect) and manually remove the parameters. the problem is that it is not obvious to you that the link contains personally identifiable information.

[3np]

Discord does something very similar

[vagrantJin]

This is needlessly alarmist.

A short video platform can hardly be expected to be a paragon of security and privacy. It has no utility whatsoever. I don't see where the concern comes from. A video of someone drinking coffee does not particularly invoke a point of concern.

What may be the real concern is China and the fact that the app is tied to it. Thats more race/geo-politics/war-mongering issue than a privacy concern.

[oauea]

You can't be serious. If what the gp says is true, then tiktok leaks your full name to anyone you share a link to. I see your HN username, nor bio, mentions your full name. Perhaps you are comfortable sharing this with anyone you communicate with online, but I'm not.

[vagrantJin]

Well, my grandmothers logic and wise advice still holds. You have a problem with it - don't use it. It's genius.

Just like you wouldn't stand there listening to a drunk person complain about alcohol related health issues, I'm not about to entertain people complain about privacy when they have the agency and choice.

[kevinh]

People don't know that they're sharing personal info when they're sharing the links. It's like spiking someone's drink and then blaming them for getting drunk.

[oauea]

I don't. This is one of the many reasons why I never will. I don't see how that is relevant to the discussion, however. Say hi to your grandmother for me.