I’ve noticed a rise in people sharing links to YouTube, Instagram, Twitter, TikTok, and reddit that include tracking parameters in the URL.
It might largely be harmless for now, but it’s not good to let companies build a web of links between users of this site, and to link the usernames of users on this site to their off-site accounts, which may include sensitive info.
| SM | URL Part | Appearance in URL | Filtration technique |
|---|---|---|---|
| Youtube | Query | ?si=* | Remove query string |
| Query | ?igshid=* | Remove query string | |
| Query | ?t= | Remove query string | |
| Tiktok | Subdomain and path | (vm/vt).tiktok.com/(random_string) | Block |
| Path | /(sub_name)/s/(random_string) | Block |
This site should only allow canonical links to the content to limit the information exposed.
yup. tiktok keeps recommending me to add a user here as a friend because I clicked through from a tracking link on hexbear months ago now.
Yeah I’ve followed half a dozen people from here. Y’all repost good shit.
Yeah… As much as I wish it were not a problem for this site to solve, much like nitter/invidious/etc. links were better solved by a browser extension, It’s such a dangerous practice to allow this for a place that values opsec, that I really think we should get to work on it. Maybe upstream lemmy would accept it as well, we certainly aren’t the only privacy focused instance out there.
Another one I’d add:
| SM | URL Part | Appearance in URL | Filtration technique |
|---|---|---|---|
| StackExchange | Path | /<answer_id>/<referrer_id> | Remove final path element |
Yeah, maybe it’s better to take it to dessalines instead of keeping it on hb
StackExchange
Good call especially since we know the FBI used data from them in one high-profile sting already lol
I am very much in favor of getting as many of these as convenient off Hexbear. I made a smaller thread about I think the twitter ones a long time ago and it didn’t go anywhere at the time.
Don’t forget the general purpose UTM ones:
utm_content=site-enterprise-button&utm_source=organic&utm_medium=website&utm_campaign=null
These are used across the net, various sites document what they are, like this one: https://mailchimp.com/resources/utm-links/
Agreed. This should be easy enough to implement, no?
EDIT: if we’re scrubbing metadata from posted images we should absolutely be doing this.
Oh I know, I mean that the precedent of metadata scrubbing points toward url cleaning as well, imo.
Now that the thread quietened down, I did want to comment on image sharing as well. We already know that Facebook implements tracking in metadata, but there is a concern that they might resort to advanced steganography to link images shared on other sites to their origins. If you’re familiar with unsee(.)cc, they implement this by just straight up plastering your IP over the image, but this could be taken further by encoding dots or some wave pattern. Combatting this is really difficult, and I don’t expect us to be able to do much. Personally I’ve been applying a slight imperceptible distortion to images which I shared from somewhere I expect to get tracked on, but that’s extremely overkill. Just wanted to share, since I doubt I’ll get another outlet.
Firefox started to have “copy without site tracking” on right click as an option.
Doesn’t always work, but at least it’s something. There might websites that do that too, but people here also forget to use archive links so idk how enforceable it is.
At least there’s the bot comments that do a private front end for links to big sites sometimes, but yeah people should be more careful about helping to build shadow profiles that’ll probably exist regardless.
The ClearURLs extension is a great for this as it automatically removes the tracking bit from major sites. It doesn’t detect everything though so still good to be wary
