

Invisible Click Tracking Using “Empty” UTF-8 Characters - konstruktors
http://kaspars.net/blog/web-development/invisible-click-tracking

======
thegeomaster
Just to point out that hovering over the link shows URL-encoded codepoints,
i.e. %u200B (in Firefox, for me, at least). I do think it's a better solution
than the existing approach with GET parameters which does look clumsy.

~~~
detaro
Interesting. Chrome on Windows doesn't.

~~~
mschuster91
Here neither. But even then, for very long URLs (can easily happen with that
SEO crap), just hide your tracking byte so that when Chrome/FF truncates the
URL for display, the bytes will be inside the hidden area.

------
shared4you
Nitpick:

> The idea is to use zero-width and space characters of UTF-8 such as U+200B,
> U+200C, U+200D

That must be Unicode, not UTF-8.

~~~
konstruktors
Fixed it, thanks!

------
mrgriscom
Isn't this exploiting the same kind of Unicode ambiguity that allowed phishing
sites to impersonate trusted domains by substituting certain latin characters
with identical-looking cyrillic equivalents? I would expect this capability to
last long in the wild.

~~~
konstruktors
Interestingly, none of those "zero-width" characters are allowed in IDN domain
names [http://unicode.org/faq/idn.html#22](http://unicode.org/faq/idn.html#22)

------
imjustsaying
Anyone have a suggestion of how this would be used in practice for uniquely
identifying something?

So there are a certain number of non-width space characters. As far as I can
find in the links in the OP, U+FEFF, U+180E, U+200B, U+200C, U+200D would make
5.

So we have at least 5 values to work with, which would make... 120
combinations if they're ordered differently? Surely we would need more if we
want to uniquely identify something such as a referral, or are there more non-
width spaces?

I'm kind of dumb and bad at probability, also. You're encouraged to correct my
thoughts on this and show me the errors of my thinking.

~~~
aidos
Surely you could put as many of them in there as you wanted? So you have an
alphabet of 5 characters to make an infinite number of words from.

~~~
imjustsaying
Good point. 0-9 work the same way. Glad I asked :)

------
boscomutunga
i don't see any variables in the url when i run the inspector.

~~~
falcolas
Copy and paste the link into python, like so:

    
    
        >>> repr('http://kaspars.net/blog/web-development/invisible-click-tracking')
        "'http://kaspars.net/blog/web-development/invisible-click-tracking\\xe2\\x80\\x8b'"
    

EDIT: Yeah, they didn't show up anywhere in the Safari inspector for me
either.

~~~
rwmj
I'm not seeing this in Python either. Perhaps the URL on the article has been
"fixed"?

------
theunixbeard
So who would pay for a tool to make creating/handling/analyzing these links as
easy as using UTM parameters?

~~~
Mahn
It's not that big of a deal to have these fields visible in the first place.
The post is a nice trick, but I doubt it has a market for a startup.

------
jkot
There are only a few chars, so urls grow huge, once click count increases. JS
is probably better

------
cturhan
Post as many as character you want and it will work. Here:

[http://kaspars.net/blog/web-development/invisible-click-
trac...](http://kaspars.net/blog/web-development/invisible-click-
tracking?​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​)

------
belorn
Does this also work in mail readers?

~~~
_jomo
I tested this in Thunderbird by subscribing to the blog's feed. It didn't show
the characters when hovering although Firefox does.

------
andybak
I actually like this. Assuming you agree there are non-creepy reasons to track
clicks (not a given on HN) then this lets you keep your urls nice and clean
when people just want to copy and paste them.

I imagine it might break in some scenarios (the url ends up with junk in it
from bad unicode conversion) but it's up to you to be permissive in the urls
you accept.

~~~
matt_morgan
There are non-creepy reasons for click-tracking--e.g., you're a nonprofit
supporting a cause, trying to identify preferences of your supporters. But
caution: it might become creepy when you /appear/ to be hiding the tracking
from your supporters. Why not give them readable URLs and be totally upfront
about what you're doing?

~~~
x1798DE
I don't think creepy stuff is less creepy if you're not doing it for profit.

