Beware Reddit's New Tracking URLs


Reddit recently implemented a new feature for tracking the activity of its users and site visitors, even those who are not logged in. This is a privacy concern for everyone, even if you've never used Reddit.


If a user using the official app shares a link, they will be given a special tracking URL that links their account to the post being shared. These tracking links look like this: https://reddit.com/r/subredditname/s/tracking_token where the tracking_token is a bunch of gibberish.


Opening this link resolves to a normal Reddit URL with a tracking parameter: https://www.reddit.com/r/subredditname/comments/post_id/post_title/?share_id=more_gibberish


Take note of the share_id parameter. This is a unique identifier that reports to Reddit who shared the link that is being opened.


The most nefarious part is that the only way to get the true link is to go through the tracking link. If the shared link carried the share_id parameter directly, we could strip it out before loading the page with a browser add-on such as ClearURLs.


https://addons.mozilla.org/en-US/firefox/addon/clearurls/


This way, we are forced to resolve the tracking link, whose tracking token is tied to the user who shared it, in order to reveal the true URL.


Reddit could use this information to build a social graph of who a user is sharing things with. They can map how the information is moving through that graph. If you have a Reddit account, they have your IP address and can use that to connect you opening the link to your account even if you are not logged in. If you don't have an account, they can start building a shadow account based off of information they scrape from you like this and use that to track you.


This is an over-reaching, creepy level of corporate surveillance. There is no good justification for this. Digital stalking has gone too far. Do what you can to avoid it. Let Reddit know this is not okay. Practice Surveillance Self-Defense.


https://www.eff.org/pages/surveillance-self-defense


Further, these links break privacy-respecting third-party options such as RedReader and LibReddit. RedReader is working on a fix, but it sadly will not be able to work around the privacy invasion, as the URL information is hidden server-side.


https://github.com/QuantumBadger/RedReader/pull/1123


For now, it appears that the links are only generated by users who share links from the official Reddit app. If you can, use a 3rd party app that generates real URLs.


If you have to share from the official app, first open the link in your web browser so it resolves, trim off the ?share_id=more_gibberish part, then share the clean URL.


Let this be a warning. Beware any Reddit links that have /s/ in the middle. Do not reshare them. If you see someone sharing one, tell them to resolve it in their browser first and share the real URL. Refuse to open them yourself.
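An added example, not from the original post, that applies the two checks above in Python: spot a /s/ tracking link by the shape of its path, and strip the share_id parameter from the resolved URL before resharing. The sample links and tokens are constructed, and the resolver (the "open it in your browser" step) is supplied by the caller, so the code itself never touches the network.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample inputs; the tokens are made up for this example.
SHARE_LINK = "https://reddit.com/r/subredditname/s/abc123XYZ"
RESOLVED = ("https://www.reddit.com/r/subredditname/comments/1a2b3c/"
            "post_title/?share_id=q9r8s7t6")


def is_reddit_share_link(url: str) -> bool:
    """True if url has the reddit.com /r/<subreddit>/s/<token> tracking shape."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if host != "reddit.com" and not host.endswith(".reddit.com"):
        return False
    segments = [s for s in parts.path.split("/") if s]
    # Expected path segments: ["r", "<subreddit>", "s", "<token>"]
    return len(segments) == 4 and segments[0] == "r" and segments[2] == "s"


def strip_share_tracking(url: str) -> str:
    """Drop the share_id query parameter from a resolved Reddit URL, keeping the rest."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != "share_id"]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


def clean_for_resharing(url: str, resolver) -> str:
    """Resolve a /s/ link through the caller-supplied resolver (e.g. a browser or
    an HTTP client following redirects), then strip the tracking parameter.
    Plain URLs skip the resolve step and are only stripped."""
    final = resolver(url) if is_reddit_share_link(url) else url
    return strip_share_tracking(final)


if __name__ == "__main__":
    # Stand-in resolver for the demo: pretends the share link resolved to RESOLVED.
    print(clean_for_resharing(SHARE_LINK, lambda u: RESOLVED))
```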


If you haven't already, please consider to stop using Reddit. It's only going to get worse.


