Tracking URLs

2025-04-05T00:00:00-04:00

Earlier today, my friend asked my if I have any good sources discussing a tracking risk that’s ben plagueing online activist spaces and Signal groups for years. Unfortunately, the resources that are currently available are all somewhat lacking. So I decided to make my own.

What are URL tracking parameters?

URL tracking parameters aren’t exactly an unknown aspect of the modern web, but by no acident, most people don’t know what they are or how to remove them from the links they share. They usually use obscure and intentionally meaningless names like utm_source, mc_cid, ref, etc.

Using these identifiers, advertisers and data brokers follow you across the internet and put together maps of who you are, what content you read, and most importantly, who you talk to, These maps can then be used by anyone with access to the data to identify not only what posts you share, but also who you’re sharing them with.

The threat

Under normal circumstances, data brokers claim to only use this data foir targeting ads. While this is already creepy (they’re spying on you so they can more effectiely convince you to drop money on things you don’t need), this also ignores the fact that data brokers usually also sell this data to anyone any everyone including police, stalker ex’s, private investigators, governments, professional scammers, and anyone else willing to pay.

Especially as fascism tightens across the United States and globally, this data is more crucual than ever to protect. Data brokers are uniquely positioned to collect information that not even fully-fledged intelligence agencies are easily able to collect on their own, This data has already been used by the US military to track users based on their religion. Even though the advertising industry claims to anonymize user data, “real-time bidding” allows users to be tracked anyway. And because the data is collected by private companies and not by the goernment directly, there’s no legal protection requiring cops to get a warrant to access this data.

URL trackers aren’t the only way companies spy on users, but as links, social media posts, and news articles get shared, they become an easy way to figure out who’s talking to each other, This creates extra risk both for the people sharing links, but more importantly, for the people trying to access share content.

How to remove URL trackers

The best way to avoid putting comrades at risk is to send content directly (screenshot relevant information or transcribe it into messages directly beore sharing). You can also use services like archive.org and archive.today to act as trusted intermediaries. Browser extensions like ClearURLs can automatically remove URL trackers either before sharing a link or after someone has already shared a link without removing trackers. [note that other tools exist but most tools only know about a few of the most common URL trackers]

Removing trackers manually

If you don’t want to use a separate tool to remove URL trackers or use a device that ClearURLs won’t run on, you can remove URL trackers manually. Let’s look at a real-world example:

https://www.gofundme.com/f/in-memory-of-roman-valencianos-kind-heart?attribution_id=sl:6e23973a-61ff-43bf-a5e6-64aa7fc85388&utm_campaign=pd_ss_icons&utm_content=amp17_control-amp20_t2&utm_medium=customer&utm_source=copy_link (I have manually randomized the identifiers to protect the person who shared the URL and the people who clicked it)

If you look at this URL it can be broken down into 3 parts:

The website it points to
- https://www.gofundme.com/
The specific page being visited
- /f/in-memory-of-roman-valencianos-kind-heart
URL-based “GET” parameters
- ?attribution_id=sl:ee7f2634-52af-4f69-a929-da5847ddbf76: Main URL tracking parameter. Uniquely identifies who shared the URL
- &utm_campaign=pd_ss_icons: The name of the ad campaign - ie. how the original found the page
- &utm_content=amp17_control-amp20_t2: What the user specifically clicked to visit the site
- &utm_medium=customer: How the URL was shared - in this case, the person viewing the page shared it themselves
- &utm_source=copy_link: Which site brought the user to this URL - in this case, the link was shared with a “share” button that automatically inserted trackers before the user copied it

Notice the 3rd part of this URL: the GET parameters. These are where most URL trackers are found. The first GET parameter is separated with a ? but the rest are separated from each other by &s. In our case, the main tracker is attribution_id which has the value sl:ee7f2634-52af-4f69-a929-da5847ddbf76. This string of random letters and numbers is used to uniquely identify the user who shared the link and can be used to link anyone who visits the shared URL.

Common misconceptions

Hello World!