Earlier today, my friend asked me if I have any good sources discussing a tracking risk that's been plagueing online activist spaces and Signal groups for years. Unfortunately, the resources that are currently available are all somewhat lacking. So I decided to make my own.
URL tracking parameters aren't exactly an unknown aspect of the modern web, but by no accident, most people don't know what they are or how to remove them from the links they share. They usually use obscure and intentionally meaningless names like utm_source, mc_cid, ref, etc.
Using these identifiers, advertisers and data brokers follow you across the internet and put together maps of who you are, what content you read, and most importantly, who you talk to. These maps can then be used by anyone with access to the data to identify not only what posts you share, but also who you're sharing them with.
Under normal circumstances, data brokers claim to only use this data for targeting ads. While this is already creepy (they're spying on you so they can more effectively convince you to drop money on things you don't need), this also ignores the fact that data brokers usually also sell this data to anyone and everyone including police, stalker ex's, private investigators, governments, professional scammers, and anyone else willing to pay.
Especially as fascism tightens across the United States and globally, this data is more crucial than ever to protect. Data brokers are uniquely positioned to collect information that not even fully-fledged intelligence agencies are easily able to collect on their own, This data has already been used by the US military to track users based on their religion. Even though the advertising industry claims to anonymize user data, "real-time bidding" allows users to be tracked anyway. And because the data is collected by private companies and not by the goernment directly, there's no legal protection requiring cops to get a warrant to access this data.
URL trackers aren't the only way companies spy on users, but as links, social media posts, and news articles get shared, they become an easy way to figure out who's talking to each other. This creates extra risk both for the people sharing links, but more importantly, for the people trying to access shared content.
The best way to avoid putting comrades at risk is to send content directly (screenshot relevant information or transcribe it into messages directly before sharing). You can also use services like archive.org and archive.today to act as trusted intermediaries. Browser extensions like ClearURLs can automatically remove URL trackers either before sharing a link or after someone has already shared a link without removing trackers. [note that other tools exist but most tools only know about a few of the most common URL trackers]
If you don't want to use a separate tool to remove URL trackers or use a device that ClearURLs won't run on, you can remove URL trackers manually. Let's look at a real-world example:
https://www.gofundme.com/f/in-memory-of-roman-valencianos-kind-heart?attribution_id=sl:6e23973a-61ff-43bf-a5e6-64aa7fc85388&utm_campaign=pd_ss_icons&utm_content=amp17_control-amp20_t2&utm_medium=customer&utm_source=copy_link (I have manually randomized the identifiers to protect the person who shared the URL and the people who clicked it)
If you look at this URL it can be broken down into 3 parts:
https://www.gofundme.com/f/in-memory-of-roman-valencianos-kind-heartURL-based "GET" parameters
?attribution_id=sl:6e23973a-61ff-43bf-a5e6-64aa7fc85388
Main URL tracking parameter. Uniquely identifies who shared the URL
&utm_campaign=pd_ss_icons
The name of the ad campaign
&utm_content=amp17_control-amp20_t2
What the user specifically clicked to visit the site
&utm_medium=customer
How the URL was shared - in this case, the person viewing the page shared it themselves
&utm_source=copy_link
Which site brought the user to this URL - in this case, the link was shared with a "share" button that automatically inserted trackers before the user copied it
Notice the 3rd part of this URL: the GET parameters. These are where most URL trackers are found. The first GET parameter is separated with a ? but the rest are separated from each other by &s. In our case, the main tracker is attribution_id which has the value sl:6e23973a-61ff-43bf-a5e6-64aa7fc85388. This string of random letters and numbers is used to uniquely identify the user who shared the link and can be used to link anyone who visits the shared URL.
Let's look at another example: https://www.tiktok.com/@private.man52?_r=1&_t=QR-25rsXPQVOOL
Ok, this one's easy. Obviously everything except the username is unnecessary so let's just get rid of all of it. We end up with a nice clean URL https://www.tiktok.com/@private.man52.
But what if we want to share a video? Let's look at a TikTok video...
https://www.tiktok.com/t/QF3UwaN7c (due to the way TikTok trackers work, this link actually points to a random video)
All TikTok /t/ links are trackers generated to uniquely identify the person sharing them. There are services like See TikTok that claim to let you watch them without tracking, but stripping the tracking outright is impossible.
This is why, in order to most effectively remove trackers, you need to know enough about the URL you're sharing to know how it works.
?"A lot of people will tell you to just remove everything after the ? in a URL. While this works for a lot of sites, many sites use GET parameters to store information they actually need to function. This is particularly common with BBCode forums which use URLs like
https://www.phpbb.com/community/viewforum.php?f=14
or
https://bigbluetrains.com/showthread.php?tid=10251
In order to effectively remove tracking parameters from a URL, you should exercise judgment in determining which parameters are relevant to the functionality of the page vs which ones exist purely to track users.