Soo this seems to be when you use the "share" button on Youtube rather than doing the simple universal old-as-www thing of.. copying the URL from the URL bar. Of course, people these days have no idea what a URL or URL bar is, as it's often hidden anyway... :(
Of course, people these days have no idea what a URL or URL bar is, as it's often hidden anyway
...and if you didn't think this wasn't one of the goals of that trend, now you do. Those in power hate it when people can consume information from and communicate outside of their sanctioned methods.
We saw it coming when they started dumbing down browsers and hiding things from users --- not because the majority wouldn't use them, but to deliberately make users less inclined to learn.
Nearly 10 years ago(!) when that started happening, I made a comment here about how many YouTube users at the time realised what was the important part of the URL (the video ID) and began to use that in comments: https://news.ycombinator.com/item?id=7678729
Google has been working with great deal of effort for decades to stop people from using urls. From the integration of the search function in the address bar to the famous mangling of links returned by Google searches. It's why sites like urlclean exist.
I just looked at the full URI of very simple google search and it includes my browser for one thing... Why do they need those 387 characters beyond the original query...
If you right click on the progress bar at the bottom of the video, one of the options is: "Copy video URL at current time". (Although YouTube might also start adding extra IDs to that URL in the future.)
That's like asking how to right click on a television. Mobile devices are designed primarily for mindless content consumption and personal data collection so basic functionality is crippled by design
I get that "Use a real computer" isn't helpful though, so I'd recommend getting an app like NewPipe since you can use the "share" button there to copy the video's URL with the current timestamp included to your clipboard or paste it directly into apps of your choosing.
Yeah, I remember that. Specifically what I remember is a discussion on reddit about how a lot of youtube videos have useless stuff in the first ~30% and someone who joined the comments -- wadsworth -- also happened to work at youtube. Apparently with enough freedom to have an extra parameter check deployed to production. Probably around 2012. The parameter I remember was wadsworth=1.
Edit: Got the story wrong. Wadsworth was just a commenter with an opinion and someone who worked at youtube had a sense of humor.
Wadsworth's constant lives on in spirit via SponsorBlock blocking all the intro BS and allowing users to set a timestamp as a highlight with a button to skip to said highlight. I use that feature all the time.
>Of course, people these days have no idea what a URL or URL bar is, as it's often hidden anyway... :(
The vast majority of users have no idea what an address or address bar is, let alone a Universal Resource Locator. Hell, most users don't understand files and folders in a computing context either.
As much as I hate how iOS, Android, MacOS, and presumably even Windows these days are obfuscating the file system and nearly everything pertaining to it, I do think it's a necessary step in the right direction. Most users do not address, and as computing hardware and software engineers, designers, and nerds we have an obligation to provide computers that all users can easily understand.
It is not a good idea to assume that users are stupid, uncurious and can’t learn. The end-state of this philosophy is that citizen can’t get informed and can’t vote properly, we need to tell them who to vote for, and do it instead of them.
What differenciated the Middle Ages from the Enlightenment periods is the understanding that people aren’t that stupid, we don’t have to hide the Bible behind Latin, we can translate it to the local language and they’ll learn by themselves instead of going through clercs, and the same goes for law, physics, sciences and philosophy.
And we’re much better off with populaces able to make decisions for themselves (ie copy from the URL and drop one letter by mistake) than dumbing down everything to have control over them.
Knowing how to navigate to websites directly seems important for laypeople to understand.
There is point where dumbing down technology doesn't make it meaningfully more accessible but just serves to harm users. Hiding the URL bar is past that point.
I'm a computer nerd, I just use Google to look up and go to most websites I want these days.
Why? Because I'm not confident I can type their URLs properly and any typos are a one-way ticket to Scam City. Chances are reasonable Google has the correct website URL. Bookmarks, you say? Can't be arsed.
Between inconvenience, unintuitiveness, and "I ain't got time for this" mentality it's no surprise why file system structures are obfuscated away.
Look boy, my time only becomes ever more valuable as I age. I literally ain't got time for 'puter nonsense anymore.
Did I really type in amazon.com correctly? Not amazn.com? amazon.cm? Or some other stupid typo that will send me straight to Scam City?
In that time I could have gone to Google (which is my browser home page), typed in something vaguely resembling "amazon", and the first or second link will be amazon.com 99% of the time.
Same, shaking my head. Your “users” are full grown adults with full time jobs and kids. They dont have time to understand nothing. iOS model of simplifying everything is far more intuitive and better.
Don’t get me wrong, I’m all in for a dev-switch which would enable scripting and open up everything in OSes. But tell me how you are gonna do that without scammers telling grandmas “Copy this thing to here, yeah…”. Currently the dev switch is e.g. a Mac and $99/year, for iOS.
Damn. I noticed this happening a while back and I didn't think much of it. I just deleted the si= part because I knew it's not necessary for a Youtube link to work! I was curious about why this has been added and figures there's been something nefarious going down.
I kept using the app (with ads) because despite my hate for Google I still thought it was the right thing to do. And using YouTube in a browser on mobile felt clunky. But I noticed that identifier in the shared url too and that, plus the increase in ads, finally pushed me to ditch the official app and go with NewPipe. No more ads, no tracking in the URL, sharing the URL can be done with timestamp, when tapping a yt Link in another app, I get asked if I want to play it right away, enqueue it, play it in the background or play it in a little floating window.
At least on Apple devices, it allows you to “paste” things in surprisingly unlikely places. With some finesse, you can even add custom actions on MacOS like passing it to a shell script that downloads and then pipes it into ffmpeg or whatever. Yeah I use it a lot
Same thing I've noticed for Instagram links and many other different apps. Most of them have started tagging the link, to track the user, or check who interacts who, I think.
Those who don't want clean link manually, can use link cleaner apps or uBlock origin in browser.
Right, first I noticed Twitter doing it and then YouTube. I thought, someone sold those corporations new tracking tool or an existing one got a new feature.
Ever since the first time I spotted this I've been removing it manually. Any browser addons to help with this, anyone?
The fact that Google has to resort to this is amusing. To me it means they can't do it any other way and are now leaving themselves wide open for us the techies to strip that tracking ID; which we absolutely will do.
ClearURLs implemented the rule to remove the si attribute on November 5th[1].
I think a better approach though is to whitelist allowed attributes rather than blacklist disallowed attributes. For example, if you get a URL starting "https://www.youtube.com/watch?" then the only allowed attributes are v, t, etc and everything else would be stripped.
> The fact that Google has to resort to this is amusing. To me it means they can't do it any other way and are now leaving themselves wide open for us the techies to strip that tracking ID; which we absolutely will do.
I don't think it means that (although I wish it did): it's just another connecting datapoint, and more connecting datapoints are always good from their perspective.
(I think it's helpful to think about these things from Google's perspective: they're running a service that ~billions of people access and share daily. 95% or more of those people won't know how to strip those identifiers; the 5% or so that do are put on the slightly-less-happy-path for social graph discovery.)
Oh I am sure it will have positive impact on their tracking; that much is guaranteed.
What I am saying is that they chose a very lame way to do it and this robs them of very valuable data they could get from those 5% and I'd argue that they really would want to know how you and me are moving and discovering stuff when we're outside YouTube.
Trying hard not to have the protagonist syndrome here but I'd think they are more interested in how the non-couch-surfers do stuff.
Though a very good counter-argument would be that they can now target ads better and probably gain slightly higher conversation regardless of us the 5% stripping the tracking parameter, and that would still be a huge financial win for them.
All in all, my stance is: let them have it, but I still find it reassuring that they are not even covert about it which gives us a lot of options on how to deny them.
Finally, there's the possibility of various browsers and addons to start automatically removing the tracking parameter, though such movements usually take years.
Yeah but we will not go away. Let them keep trying, they will have to start banning IPs and they will be taken them to court because I pay for Premium and I can share links to their videos however I wish.
The theory has been at some point they'll remove the separate ID and have a single ID that encompasses both. Due to things such as Apple's automatic tracking link removal (but also many others):
https://9to5mac.com/2023/06/08/ios-17-link-tracking-protecti...
If you click on the link, you can see all the tracking parameters in the URL bar. Whosever link this is used the official Reddit iOS app to generate the unique URL.
Not a browser extension, but an Android app. URLChecker[0]. You can "share" to this app, and can clean the URLs (uses ClearURLs database) and check for redirects. You can also do more advanced URL rewrites (such as Twitter -> Nitter) and open URLs in specific browsers
This is purely an extra data point; without it, there is 0 attribution for which user is responsible for a link to a video causing that video to go viral, besides the referrer header.
They have experimented with other ways to do this in the past. For example, they used to have a direct friends list on YouTube where you could share videos to
specific friends or groups of friends at once.
They can obviously generate indistinguishably unique urls for video sharing links if they wanted, this is just easier to implement (though not by much).
Also there’s no treachery afoot here… go ahead and remove it, the stakes here are very low.
Well exactly, they are outright adding an URL parameter and of course I'll remove it. Doesn't mean that they don't rely on less tech-inclined people to never even notice, and I am sure that's a core part of their strategy anyway.
As for the indistinguishable URLs, you have a solid point there but I'd think there would be a lot of outrage because people want those URLs to generate previews when pasted in pages, social media comments etc.
Not to mention all the false positives generated by people embedding such URLs.
So I think for now we're safe on that front, they would poison their own well if they went ahead with encoded URL identifiers, happily.
But again, I am very amused that they just outright added "?si=..." -- to me that reeks of desperation and I have to admit that I enjoy it when Google is struggling.
If this "reeks to you of desperation", then you're putting a lot more emotional energy into the situation than is necessary. There is no world in which this is desperation on the part of YouTube, that's not a reasonable view.
Pretty sure it's way older than that. My YouTube ReVanced version is installed early March and it has this behaviour. I'm quite sure I've seen it also last year too.
Right, but nothing prevents YouTube to get rid of public video IDs and simply share an opaque version of (user, video) whenever possible.
It'd be awful, but Google nowadays is willing to do shitty stuff like this and atrocious stuff like engage with the military too (because obviously the only flaw of project maven was being discovered)
It's not just a tracking tag on Reddit; the shared links largely obfuscate the thread or comment, requiring one to go through the tracking link to find out what is behind it. An example for anyone curious:
Another pattern that I hate is that Reddit will create an account for you if you are using a browser profile that does not have an associated Reddit account. It will then prompt you to 'personalise' the username and password.
URL obscuring gives a URL a shelf life that URL parameters don’t. The URL only ends up functioning as long as the redirect service is functional whereas a URL will work no matter what garbage parameters you throw in after the ? in a URL. If the page can do something with the parameters it will, but if it can’t, it just gets ignored.
True, but that redirect service can be stupid simple if the URL has all the information it needs to do the redirect encrypted in the URL. So no new DBs.
The URL gets a little longer, but a format-preserving encryption scheme might be able to help a bit.
Sure you can. Even if the key is rotated monthly for 20 years, we're talking ~4 KB of memory for all the keys.
But remember that this isn't being done for security; it's just adding a minor barrier to casual removal of the tracking information. And if users really want to circumvent it on the links they generate all they'd need to do is copy the regular URL instead of using the Share button.
(Again, not that I want to see them do any of this.)
If 20 year old keys remain valid and URLs encrypted with them still work, you’re not getting any value out of key rotation. If an old key leaks or is cracked, the entire system is useless.
Remember the point of encryption here is basically integrity - to verify that the parameters were generated by the site’s own share capability.
I only claimed a minor barrier to unmotivated tracker stripping. By that I mean a hurdle, not tamper resistance. So in the worst case you're no worse off than what the existing unencrypted system affords you.
Indeed, rotating the key here serves very little benefit.
Thinking out loud: I suppose if they strayed further from the light and started restricting timestamp linking to share button URLs they might want to rotate the key to frustrate anyone looking to generate anonymous timestamp links. In that case, you could do something like include some indicator of which key was valid on the day it was uploaded. That limits the blast radius of a leaked/cracked key to the ability to generate timestamp links for all videos created during that period. Still low stakes, but now we need care more about integrity. Also, I wouldn't be surprised if updating the video ID scheme is a huge ask, so at that point a new DB might be the easier solution.
> And if users really want to circumvent it on the links they generate all they'd need to do is copy the regular URL instead of using the Share button.
At that point, why even replace it with something common? Just use the uniqe urls always.
Not even that, I'm surprised they don't just encode it into the actual uri and dynamically generate those on share and decode when someone clicks it. I'm not seeing why they need this as a parameter in the query string to begin with.
I wonder if that shows up in some error log of failed &si= lookups in their tracking database. Maybe some random engineer at Google will see it and be amused for about 10 seconds.
When Unique Resource Locator becomes Unique User Tracker.
I believe Douyin is the most notorious of them all. Each video doesn't expose unique ID at all. Every link is a short link uniquely bond to your device/app/browser.
Thankfully you can fix that by following the share link yourself, which will redirect to a full URL to that video, which you can then strip the tracking parameter from.
Very annoying to have to remember to do that though.
So does Stack Overflow, although they tell you very clearly that your user ID is embedded in the link, right in the "share" box (and it's not obfuscated in any way).
SO goes so far as to give you little notifications and achievements whenever a certain number of unique visitors follow one of your shared links.
I have been fixing this manually since I noticed it a few weeks ago; I just option+del to remove the value, and it still works with an empty parameter. I've got so far as to look briefly into writing a clipboard-watcher application to strip it for me. It's obnoxious and obvious.
I'm as surprised with how long it took Youtube and Twitter to add tracking IDs to their links, as with the fact that Instagram and TikTok still have proper URLs at all instead of generating a new unique URL each time you load some content.
Those TikTok urls aren't proper. They weren't before. They might be better now but don't think TikTok is new to the idea of tracking you to that level.
The comments section mentioned TikTok, of course, because it's a Chinese company!
Chinese tech giants have long been ahead of the curve in terms of privacy infringement compared to various Western countries.
The practices of YouTube are already outdated in China. For instance, China's largest video platform, Bilibili, prefers to compress video links containing a large number of tracking parameters into short links, making it impossible for you to use something plugins to remove tracking parameters.
While I'm not sure if it's user tracable, Reddit also started changing the link that is produced when you share a link to a post. It is a /s/<id>, which I absolutely despise.
I share links to things when I'm logged in, but I want to ensure that the receiver has no way of tracing back the sent link to my Reddit identity.
I have the latest Firefox (non-developer), and it has the "Copy Without Site Tracking" option in the right-click menu on the URL bar. Is that what you mean?
https://nitter.net/OldRowSwig/status/1732112446943269347