I have a self-written set of userscripts that does this, as well as unsetting javascript link rewrites and including bitly link expansion and Amazon URL decluttering. I would love to be able to use it on Firefox for Android again, but I don't see them enabling e.g. Tampermonkey any time soon.
If any shortlink uses bitly as a backend, you can expand it yourself by copying the link and adding a "+" at the end, bringing you to the bitly properties page for that link.
ClearURLs is being discussed. It changes the URL you are visiting to remove tracking info. There are preexisting plugins that do the same thing with shortened URLs—unmasking them and thus untrackifying them.
So mock and downvote all you want. I don't see why ClearURLs couldn't add this functionality.
Edit: Or am I just being downvoted by people who don't want anybody to know that it's possible to stop this form of tracking?
I fail to understand how you'd "unmask" a backend-obfuscated URL (where you just have an ID, and there's no way to get the target URL by just looking at the URL) without opening the URL, defeating the purpose of improving privacy we're discussing here.
Or maybe you and OP don't care about the privacy part of the problem, and you just want to automate getting the "canonical" / "non-personal" one from the "masked" one?
a service expanding that link one time to give you the underlying static url without tracking before sharing is far better than even one real person clicking it, wouldnt you agree? the trackers would know at least one person clicked it but thats about it?
To you and sibling comment: oooookay, you're thinking from the position of an obfuscated link sharer/sender, not receiver.
You want ClearURLs (or something else) to always resolve to a canonical link, so that you're easily able to share this canonical URL, and to never have a tracked URL in your URL bar so that you don't share it by mistake. Makes sense.
This works if the sender of the shortened link wants to protect other's privacy preemptively. Then they could certaintly follow the link, log a single click, then grab the final url and share that.
But the average person isn't going to do that. They will share the nice, short, pretty url that tiktok gives them. But once someone gives you that shortened url, there is no way for you to view the video on the other end of that URL without being tracked. You would need to follow the link, tiktok would track you, only after they have logged the data will they send your browser a redirect to the proper url.
1. When I go to share a link, automatically trace it and remove all tracking so I get the final URL without any tracking parameters attached.
2. When I am sent a link with tracking parameters as a part of it, or a shortened link, send it to a remote server which will follow the links until it finds the final destination and removes tracking parameters, then send it back to me.
Both approaches have downsides. The first is nice for when I send a link to a friend but not when I get a link in an email from a company. This happens to me all the time and since I use NextDNS to block trackers I often can’t even get to the final website because of the various trackers I would have to go through to get to it which are blocked at the DNS level. I am still trying to figure out a good solution to this.
The second has the obvious privacy problem: who is watching the watchers?
ronjouch explains how it's not really possible to stop this form of tracking below. In order to unmask the URL, you need to pretty much visit the URL, which registers the tracking data, so even if you, as a user, gets a stripped URL that's safe to use, you will still have effectively clicked the link.
If you are "unmasking" the URL it's because either you already visited or you are going to visit it? The masked URL and the unmasked URL are hosted by the same entity.
Unmasking (by the sender or a trusted intermediary, such as Tor) removes the risk of leaking the sender data to the (transitive) recipient
>I don't see why ClearURLs couldn't add this functionality.
I think the problem is that, for security reasons, ClearURLs can't change URLs arbitratily. It can only remove parts of it, so the actual URL would have to be a parameter. See [1] for a relevant comment by the extension's author.
> Or am i just being downvoted by people who don't want anybody to know that it's possible to stop this form of tracking?
I think you are confused how this works. Because it would NOT be possible to stop this type of tracking. That is why you are being downvoted. The downvotes are because you are simply wrong, not because there is a conspiracy on HackerNews of people that don't want other people to know that it is possible to stop tracking.
Here's how it works: In the example given above, you only have the url vm.tiktok.com/[short-url-id]. This URL does not represent anything on its own. When you click the link, it goes to a tiktok server that looks up the `[short-url-id]` portion of the url in a database, which contains the actual video id/url that is trying to be shared, along with additional metadata about the share such as the person that shared it and the device the user is coming from, etc. This information is then logged in a data warehouse or sent down a data firehose to eventually perform advanced analytics to TikTok. All of this is happening while you are waiting to get the real url of the video back. Yes it's only a few milliseconds, but by the time you get the url of the video back so that you can actually watch the video, the data has already been logged. Your privacy is already compromised.
So your suggestion is to "unmask" the url and "untrackify" it and then give the user the end-url with the actual video. The problem is that the only way to get the real url and to "untrackify" it, you need to contact TikTok and they will already log the data before you can get the real url back. You can't simply "unmask" it. Only TikTok knows what the real URL is. In order to get the real url you need to ask them (by following the short url link) and they will log your data before they give you the real url. There isn't any way around this (other than not using the vm.tiktok share links).
I am not sure if the "real url" that tiktok gives you contains url parameters in it or not. It probably does. So you could theoretically remove those. For example turn tiktok.com/video-url?sharing_user=username123&device=iphone into tiktok.com/video-url. This would be possible. But it wouldn't do anything to protect your privacy. It would simply remove the "[First Last] is on TikTok" message. But the data already got logged when you exchanged the short-url for the long-url. So the privacy damage has already been done. This is why "unmasking" simply doesn't do anything other than give you the illusion of privacy, without any change to real privacy.
By contrast, when you see a url like cnn.com/news-story-url?utm_source=facebook and you remove the parameters from that type of link, you can actually overt a certain level of tracking because the tracking hasn't been logged yet when you remove the parameters. So removing the params into the link cnn.com/news-story-url and following that, will avoid the tracking because the tracking is done on the actual visit with that specific url. Since you removed the tracking parameters, the website now has no data to actually track.
As others have mentioned, it does depend on what exactly you're defending against.
Preemptively opening the link as the sender will send a request to TikTok, but they're not really gaining any useful data there since you just watched the video, hit share (this is what they know so far), and now you opened the link that you had generated. So their database only learned that you shared a video with yourself, which you immediately opened.
The more valuable data is when various intended recipients open the link, allowing TikTok to associate you with them to serve more targeted videos based on implicit social graph, etc.
Moreover, opening the link yourself to get the "canonical url" protects yourself if you're sharing the link broadly since others can't obtain your name [and potentially more?] from the shortlink.
Now, if you're the recipient, there's not much you can do to avoid the tracking link, besides opening it up in as much of an anonymous environment as possible. But interestingly enough, I find the privacy threat greater to the sender. The sender has a TikTok account to aggregate data quite straightforwardly, unlike the recipient. The sender is also being associated with a number of recipients, vs. the recipient with only one sender, and again only through cookies, IP, or something of that sort.
It's entirely possible for Apple or Mozilla (just for example) to run a service checking URLs. In fact they already do this IIRC. They could easily replace all of these redirect links with the real link. Thus every unique link would be visited exactly once. By Apple. Not tracked.
And that's actually stopping it. Even if you don't want to do that, there's real utility in an incremental step where if I go to re-share a Tiktok video I don't accidentally help them track others.
that's not the problem, you can easily expand the url with curl (it will probably be a redirect) and manually remove the parameters. the problem is that it is not obvious to you that the link contains personally identifiable information.
