
Twitter is being investigated over data collection in its link-shortening system - Korosh
http://fortune.com/2018/10/12/twitter-gdpr-investigation-tco-tracking/
======
hlandau
What's particularly insidious about a lot of these link shorteners is the use
of non-semantic redirects. That is, redirects which are not based on HTTP
Location: headers but things like meta http-equiv="Refresh". I assume this is
done to allow these pages to be loaded with tracking scripts.

Of course this is a completely broken way to implement a link shortener since
it won't work with non-browser tools such as curl. I tried a t.co URL with
curl and it returns a Location: header, which means they're doing user agent
sniffing. If you need to use user agent sniffing to make something practical,
it's generally a good sign you shouldn't be doing that thing.

~~~
LeoPanthera
You are correct:

    $ curl -A "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15" https://t.co/88MpPkUoJg

    <head><noscript><META http-equiv="refresh" content="0;URL=https://bbc.in/2yDY0F5"></noscript><title>https://bbc.in/2yDY0F5</title></head><script>window.opener = null; location.replace("https:\/\/bbc.in\/2yDY0F5")</script>


I had no idea they were doing it that way. How gross.

~~~
eli
I assume it’s to remove the t.co page from the browser history, which of
course is not relevant or useful for curl. There’s nothing in that response
that looks malicious.

~~~
pdkl95
They already return different results based on the user agent header; they
could easily be returning different results based on other HTTP headers, IP
headers, _etc_.

Arguments that implicitly assume everyone receives the same data from a server
are frighteningly common. This is extra strange when it happens on forums like
HN that also regularly assume the same server might be A/B testing or
providing "targeted" advertising - or prices - that is unique for most users.

Any discussion about data from an unknown server should always include some
sort of checksum. Without verification that everyone is receiving the same
data, statements about a server's responses don't mean much.
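
An added example, not part of the thread or any poster's code: it lists every redirect mechanism in a shortener response without following it, and checksums the body so that responses served to different user agents can be compared. The browser body is the one LeoPanthera quoted above; the status codes, the empty curl body and the names `redirects` and `report` are assumptions made for illustration.

```python
import hashlib, json, re
from html.parser import HTMLParser

class MetaRefresh(HTMLParser):
    """Records the target of every <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self.urls.append(m.group(1))

JS_REPLACE = re.compile(r'location\.replace\(\s*("(?:[^"\\]|\\.)*")\s*\)')

def redirects(status, headers, body):
    """List every (mechanism, destination) in one response, following none."""
    found = []
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if 300 <= status < 400 and location:
        found.append(("http-location", location))
    parser = MetaRefresh()
    parser.feed(body)
    found += [("meta-refresh", u) for u in parser.urls]
    # The JS string literal escapes "/" as "\/"; json.loads undoes that.
    found += [("js-location-replace", json.loads(s)) for s in JS_REPLACE.findall(body)]
    return found

def report(responses):
    """Per client: body checksum, mechanisms seen, and the set of destinations."""
    out = {}
    for client, (status, headers, body) in responses.items():
        found = redirects(status, headers, body)
        out[client] = {"sha256": hashlib.sha256(body.encode()).hexdigest(),
                       "mechanisms": [m for m, _ in found],
                       "destinations": {u for _, u in found}}
    return out

# Constructed samples: the browser body is the one quoted in the thread; the
# status codes (200, 301) and the empty curl body are assumptions.
BROWSER_BODY = ('<head><noscript><META http-equiv="refresh" content="0;URL=https://bbc.in/2yDY0F5">'
                '</noscript><title>https://bbc.in/2yDY0F5</title></head><script>window.opener = null; '
                'location.replace("https:\\/\\/bbc.in\\/2yDY0F5")</script>')
SAMPLES = {"browser-ua": (200, {"Content-Type": "text/html"}, BROWSER_BODY),
           "curl-ua": (301, {"Location": "https://bbc.in/2yDY0F5"}, "")}

for client, row in report(SAMPLES).items():
    print(client, row["sha256"][:12], row["mechanisms"], sorted(row["destinations"]))
```

Differing checksums with an identical destination set indicate the same redirect delivered by different mechanisms; more than one entry in `destinations` for a single client would mean the script and no-script paths diverge.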

~~~
tdb7893
Couldn't any site be sending different results based on any header? I guess I
don't get how "they could easily be returning different results based on other
HTTP headers, IP headers, etc" doesn't apply to literally every site

------
saagarjha
I really hate it when websites use shortened links instead of real ones.
Twitter’s not the only website that does this; everything from Google to
Discourse seems to be doing this these days. Not only is this horrible for
privacy, it also makes copying links really annoying.

~~~
raverbashing
There is one reason for this: anti-spam/anti-malicious links

If a problematic link is shared, it can be pulled from the platform without
"doing a gigantic grep"

~~~
wlesieutre
On the other hand, link shorteners are also great for _hiding_ malicious links
because you can't see where it's going before you click on it.

~~~
cremp
Just a note:

On bitly, you can add a + to the end, to get to the stats page for that link;
it also gives the destination.

On the goo.gl links, add .info to the end.

------
nyxtom
I forgot why we even needed url shortening until I remembered I used them
specifically for Twitter due to the character limits. It's odd that people
here are surprised by the analytics and tracking behavior used by t.co links.
Bit.ly is another example of this and they have quite an extensive data
science team devoted to this. That being said, bit.ly does use a standard HTTP
redirect.

~~~
randomsearch
We don’t _need_ shorteners. Twitter could exclude a URL’s length from the
limit. Etc

~~~
thinkingemote
For some URLs Twitter does exclude it. For example using a url parameter with
the intent API or attaching a gif or video.

------
conquistadog
By obscuring the real destination, it's also terrible for security.

~~~
peterhunt
That’s completely the opposite of reality. The whole point of link shortening
on a social network is to improve security and reduce abuse.

~~~
freehunter
How so? By shortening the link, you're hiding where the link goes to.
bit.ly/12345 could go to amazon.com or big-scam-with-a-virus.com, and until
you click on it you'd never know.

~~~
shpx
With bit.ly specifically, add a "+" at the end of the url to see what it
points to. It also shows you some stats like creation date and number of
clicks over time.

[https://bit.ly/19y8wyr+](https://bit.ly/19y8wyr+)

~~~
TeMPOraL
I also didn't know about that, so thanks. But - how on Earth was I to know?
How are all my non-tech friends to figure it out?

~~~
iuwhagtr
What does that matter? Once they've clicked they'll see the URL in the
location bar

~~~
astura
It's useful to know the domain of the link before you click because some
people might not want to navigate to unknown sites at work, or at least don't
want to navigate to certain sites at work (Facebook, Instagram, YouTube,
pornhub, etc, etc.)

------
woodruffw
Is there a way to disable Twitter's awful auto-linking behavior? It's
extremely annoying to have an example or templated URL become a shortened
link[0].

[0]:
[https://twitter.com/8x5clPW2/status/1043236568394280961](https://twitter.com/8x5clPW2/status/1043236568394280961)

------
djhworld
It will be interesting to see what they are gathering.

My Pi-Hole blocks Twitter's analytics endpoint so I get an annoying name
resolution failure when clicking t.co links.

------
annadane
All these deceptive practices seem to be done by Silicon Valley. The
attitude/approach to people there must be a little... lacking.

~~~
coldacid
That's because they aren't doing these things for people.

------
rdiddly
Wish I could recommend as an alternative, the (satirical, and now defunct) URL
shortening service by David Rees,
[http://urlshorteningservicefortwitter.com](http://urlshorteningservicefortwitter.com)

Who is David Rees? Glad you asked...

[http://www.mnftiu.cc](http://www.mnftiu.cc)

[https://motherboard.vice.com/en_us/article/vvvve8/motherboar...](https://motherboard.vice.com/en_us/article/vvvve8/motherboard-tv-the-finer-points-of-david-rees-artisanal-pencil-sharpener)

~~~
wlesieutre
I'm a fan of the spaaaccccce.com URL lengthener

[http://spaaaccccce.com/Gotta_go_to_space_Theres_a_star_There...](http://spaaaccccce.com/Gotta_go_to_space_Theres_a_star_Theres_another_one_Star_Star_star_star_Star_Space_Are_we_in_space_Oh_oh_oh_This_is_space_Im_in_space)
(link to HN homepage)

Full URL since HN abbreviates it:

    
    
        http://spaaaccccce.com/Gotta_go_to_space_Theres_
        a_star_Theres_another_one_Star_Star_star_star_
        Star_Space_Are_we_in_space_Oh_oh_oh_This_is_space_
        Im_in_space

------
jwilk
Archived copy without GDPR nag screen:

[https://web.archive.org/web/20181015144639/http://fortune.co...](https://web.archive.org/web/20181015144639/http://fortune.com/2018/10/12/twitter-gdpr-investigation-tco-tracking/)

~~~
nvr219
I use ublock origin to block those

------
strictnein
> "claimed that it was technically within the company’s aim to determine
> someone’s approximate location"

What does this even mean? It's a weirdly formatted sentence that makes it
sound like Twitter has the magical capability of determining your location...
just like everyone else on the internet can with a geoip database.

~~~
timdavila
Most journalists don't understand how the web works.

------
cpeterso
"Yet Another Twitter Link Expander" is a Firefox extension that expands
shortened t.co links so you can see the destination URL inline in the tweet:

[https://addons.mozilla.org/en-US/firefox/addon/another-twitt...](https://addons.mozilla.org/en-US/firefox/addon/another-twitter-link-expander/)

------
pmorici
It strikes me that companies are being squeezed from both ends by government.
On one hand they are getting lambasted for too much data collection. On the
other they are being sued because they don't collect enough data, in the case
of Apple not being able to unlock iPhone for example.

~~~
pjc50
Different data and different governments? They're not really the same issue at
all, there's no government level campaign for privacy in the US that
corresponds to the EU approach.

------
nukleosome
this entails that any link-shortening service should be investigated. there's
no reason why the others wouldn't be doing any data collection.

it's also interesting to think about why Google shut down goo.gl, in light of
this and the Google+ story.

------
ndnxhs
Why does twitter even need the redirect links when they could just track what
you click with JS?

~~~
gfosco
Because these links are shared off Twitter.

------
netcan
Is there a reason why Twitter doesn't just support web links? (currently, not
the 3rd party history of how we got to here)

------
dang
Url changed from [https://theblogroom.com/twitter-being-investigated-collectio...](https://theblogroom.com/twitter-being-investigated-collection-data-link-shortening-system/),
which mentions the original source but doesn't link to it.

