How to share more private links
Sharing webpage links is common practice these days, especially on social networks, instant messengers and email messages. However, sometimes, you may be unaware of what you are truly sharing.
Some websites offer a “Share” button in their pages, which allows you to automatically share their links on popular social networks. There are also browser plugins that create this button for any webpage you visit. If you don’t have such a button, you can always copy/paste the link manually to share it with your friends. But what do your links say about you?
Here’s a useful keyword: “URL”. This is what the address of a webpage is called. Every time you share a webpage, you are sharing its URL. You can find this on the address bar (usually near the top of your Web browser). The URL of a webpage looks something like this:
http://www.FakeURL.abc/index.php
Let’s break this down.
http:// is the protocol used by your Web browser to communicate with the website. You will want this to say https:// when exchanging sensitive or private data (e.g. credit card transactions), but let’s leave this discussion for another article.
www. is an old World Wide Web habit to indicate that this is a webserver. Some websites have stopped using this prefix, so don’t be alarmed if it’s missing.
FakeURL.abc is the last thing you see before the first slash. This is called the domain name and it shows which website you are on. If you change even a single character of this, you may end up at another website (or nowhere at all).
/, the first single slash, is where the specific webpage information will begin. If you don’t write anything after this slash, it means you are looking for the first page of this website.
index.php is a specific webpage on this website. This part of the URL can get quite long and sometimes includes pieces that you can remove. We’ll focus on this.
OK so far? Let’s look at another URL now:
http://www.FakeURL.abc/articles.php?articleID=123&token=ABCDE
You probably noticed that we have now requested a different webpage: articles.php?articleID=123&token=ABCDE. You may, however, be able to change a few things here in order to make this address shorter and more private.
You must check whether there are any pieces of this webpage-part of the URL you can get rid of. When you look at it you realize that, at some point, it contains a question mark (?). Everything you see after this question mark are parameters and values that you are actually sending to the website.
Some of these parameters are used to help the webserver retrieve the right webpage for you. Some others, however, are not really needed to get to the requested page… They could be there just for tracking purposes. I’ll explain.
In our example above, the part after the question mark reads: articleID=123&token=ABCDE. Remember this:
- every time you see an equals sign (=), you will find a parameter on the left and its value on the right
- every time you see an ampersand (&), a new parameter/value pair begins.
So, this URL has two parameter/value pairs: articleID=123 and token=ABCDE. The first pair is (probably) the ID of the article you are looking for, which means that the website (probably) needs it to display the right page. You can try and remove this pair to see if the URL works without it:
http://www.FakeURL.abc/index.php?&token=ABCDE
If you can no longer see the article, it means this pair was needed, so put it back in there and then check whether you can remove any of the other pairs.
At some point you may find that you removed a pair and nothing changed. You just shortened your URL by a few characters, for sure, but what was that thing you just deleted..?
If the name of the pair started with “utm” (for example: utm_source, utm_medium, utm_term, utm_content, utm_campaign), then that was a Google Analytics parameter used by website owners to track their traffic (i.e. you). The “utm_source” shows where this link came from originally (Google, Facebook, etc.), and the other fields offer additional information, like paid keywords that were used, or ad campaign names. You do not need these parameters there for the URL to work. You can find more details about this on Analytics Help. Other Web Analytics companies use different parameter names. Update: Another example includes Facebook, which now uses “fbclid” to tag and track where a link was clicked from. You can safely remove this part of the URL before sharing it.
Please note: this doesn’t mean that every seemingly useless parameter is used for tracking. They could be there for a different purpose, like selecting the right display language, or adjusting the styles used on the page. However, the ones that actually track you, are there only to serve the online marketing department — not you.
Sometimes, you may find that the URL you are about to click is really short and has no such parameters to remove (examples include URLs from bit.ly, goo.gl, ow.ly, and many others). Websites share shortened URLs either because their articles have long titles, or to hide all these numerous tracking parameters from you (so as not to “confuse” you). Instead of sharing the shortened version with your friends, you can use one of the free short URL resolvers first to check where it takes you, and then share the actual (destination) webpage in its place.
Extra paranoid tip: sometimes the shortened URL is the tracking. Some websites share different short URLs for the same webpage on different media (one for Facebook, one for Twitter, etc.). This way, they know where the link originated from, along with any additional info they have related with each shortener. If you really want to read that shortened webpage, try to find its destination URL using a resolver (see previous paragraph) and enter it directly, instead of using the short version.
Finally, let’s wrap this up with one last trick. A webpage anchor is a link that takes you to a specific part of a webpage. A quite common use for this is the “Back to top” anchor that gets you straight to the top of a page. Anchors are easily identifiable in the URL if you look near its end for a hash (#) followed by some text. For example:
http://www.FakeURL.abc/index.html#top
You are still on index.html— just a different part of it. The only reason to leave the anchor in the URL is if you want your friends to skip straight to that specific part of this webpage. However, beware of this tricky usage of anchors:
http://www.FakeURL.abc/cool-stuff.html#A1b2C3d4
If you land on such a webpage, you may notice that this anchor doesn’t actually take you anywhere on the page. So, what is it doing there? You’ve guessed it: tracking.
This time, using a combination of anchors and JavaScript, tracking can even get personal. When you enter the page, you are assigned with a randomly generated anchor ID that you then share with your friends thinking it’s a necessary part of the Web address. When your friends click on your URL, the website learns that they came from your link, and then they are given a new anchor tracking ID which they will share with their friends, and so on and so forth. So remember to look for hashes near the end of your URLs and always remove any unnecessary anchors before sharing them.
Right… so, why should you care about all this? Even if you have bothered installing antivirus, antispyware and firewall applications, as well as an ad-blocker on all your Web browsers, and even if you only use your browsers in “private” or “incognito” mode, manually copy/pasting each link in a new tab, and if you only browse via anonymous / onion proxies and VPNs, even then, the URLs you enter could still be used to track you if you don’t edit them.
To summarize: before entering or sharing a link, you may want to check if any of the above actions should take place first. It’s true that using these methods won’t help the admen, but your privacy should be your choice — not theirs.
Konstantinos Gkoutzis
https://kgk.gr
PS: When I’d written similar articles regarding privacy issues in the past, I immediately received comments from naysayers, mostly containing phrases like “I don’t care”, “It doesn’t matter”, “Whatever”, etc. Please remember: you have the right not to care about something, but, in order to do so, you first need to become aware of its existence; otherwise, it’s just ignorance.
Post-GDPR Update (May 2018)
PS2: It will be interesting to see how compliant with the new General Data Protection Regulations these campaign trackers truly are, taking in mind that they can be obfuscated behind an innocent-looking shortened URL, monitoring your behavior even before you actually visit the website in order to read (and potentially accept) their updated Terms of Service.
