You’ve seen them before: the cryptic shortened URLs. Generally speaking, these are short links to sites with long names. Services such as bit.ly, tinyurl.com, and (mostly defunct) goo.gl will take the long URL and create a shortened version. The result is something that looks like this: https://bit.ly/2HSe5in.
Why Did We Invent Shortened URLs?
The justification for the rise of these URLs is simple and innocuous. Primarily, it is because Twitter historically restricted tweets to 140 characters, which made including a long URL with any kind of meaningful message quite difficult. Another reason is simple aesthetics; a long URL can be visually unappealing. Nowadays, Twitter allows longer messages and will automatically shorten your URLs using its built-in shortener.
The Risks of Shortened URLs
Just as most of the people you meet are good, honest, and trustworthy, most shortened URLs are safe. However, if that were true 100% of the time, this would not be a very interesting article, would it?
Where are you going?
I’m sure that you’ve heard the common admonition to avoid clicking on suspicious links. But if the link is obscured by a rewritten URL, how do you know whether it is suspicious? Well, you probably don’t want to just click on it, unless you can be reasonably certain that it’s safe before you do so.
I recently had a friend send me a shortened URL over Skype, without any preamble. Although I trusted him, the behaviour was atypical of him. As a result, I did not click the link and texted him back. As it turned out, I was correct, and his Skype account had been compromised. The bad actors were using his account to send out phishing links. In fact, that event was the inspiration for this article.
The alternative is to use a URL unshortener to convert the short URL back into its original long form so that you can examine it before deciding to go to the web site. These are usually “free” services, which means the cost is hidden. They recoup the cost of providing the service by running advertising and tracking user activity.
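What an unshortener does can also be done locally, as in this added example (not part of the original article): it sends a HEAD request to the short link, reads the Location header instead of following it, and stops at the first address that is not a shortener, so the destination is shown but never contacted. It assumes the shortener answers HEAD with an HTTP redirect; the function names and the demo links are made up for illustration, and the shortener itself still sees and can log the request.

```python
import http.client
from urllib.parse import urljoin, urlsplit

# Shorteners named in the article; extend as needed.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl"}

def head_location(url):
    """Send one HEAD request and return (status, Location header or None).
    http.client never follows redirects, so nothing else is fetched."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, head=head_location, max_hops=5):
    """Return the chain of URLs from the short link to the first
    non-shortener address. That address is reported but never contacted."""
    chain = [url]
    for _ in range(max_hops):
        host = (urlsplit(chain[-1]).hostname or "").lower()
        if host not in SHORTENERS:
            return chain            # destination revealed; stop here
        status, location = head(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            raise ValueError(f"{chain[-1]} did not redirect (HTTP {status})")
        chain.append(urljoin(chain[-1], location))
    raise ValueError("too many shortener hops")

if __name__ == "__main__":
    # Constructed redirect table standing in for the network (not real links).
    fake = {"https://tinyurl.com/demo1": (301, "https://bit.ly/demo2"),
            "https://bit.ly/demo2": (301, "http://login.example.test/verify?id=7")}
    for hop in expand("https://tinyurl.com/demo1", head=lambda u: fake[u]):
        print(hop)
```

Reading the printed chain shows every hop, including a short link that points at another short link, before any browser opens the final address.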
Services that provide URL shortening, like the unshorteners, are also free. Since their users don’t ever see their site (they go directly to the destination link), those services do not have an opportunity to display ads and are 100% paid for by user tracking. That includes the Twitter built-in URL shortener. Twitter uses that analytics data to sell advertising to its business accounts.
The most common use of a QR code is encoding a URL into printed media so that people can visit your website without needing to type in the address. You don’t need to worry about user tracking with a QR code, since there is no service that looks up the address: the message is encoded in the image and your phone can decode it automatically. However, the risk is similar to that of a shortened URL. Assuming you can’t decode it in your head, you need to scan the code to know where it wants to take you. So just make sure you use a QR code reader that will tell you the website and prompt you before taking you there.
Although most shortened URLs and QR codes are safe, treat them like a suspicious link. In other words, we should treat links as guilty until proven innocent.