This Christmas, a family member sent me a URL to a family Zoom call. However, they didn’t send me a direct link to Zoom. Instead, they sent me a

January 2, 2021
writing
This Christmas, a family member sent me a URL to a family Zoom call. However, they didnt send me a direct link to Zoom. Instead, they sent me atinyurl.com link.
When I clicked on the link, my URL bar flashed an intermediate domain that was neither Zoom nor TinyURL. Later, I used cURL to see where this URL was really going.
$ curl -v https://tinyurl.com/examplezoom

> GET /examplezoom HTTP/2
> Host: tinyurl.com

< location: https://redirect.viglink.com?key=a7e37b5f6ff1de9cb410158b1013e54a&u=https%3A%2F%2Fzoom.us%2Fj%2F123456789&prodOvrd=RAC
(all HTTP responses abridged for clarity)
Sure enough, the redirect wasnt clean at all. TinyURL was first sending me to VigLink1. VigLink is an advertising tracking company that specializes in affiliate marketing.
Following the redirect in cURL reveals another unsavory fact. VigLink sets cookies before they send me to the intended destination on Zoom.
$ curl -v ‘https://redirect.viglink.com?key=a7e37b5f6ff1de9cb410158b1013e54a&u=https%3A%2F%2Fzoom.us%2Fj%2F123456789&prodOvrd=RAC’
> GET /?key=a7e37b5f6ff1de9cb410158b1013e54a&u=https%3A%2F%2Fzoom.us%2Fj%2F123456789&prodOvrd=RAC HTTP/1.1
> Host: redirect.viglink.com

< Set-Cookie: vglnk.PartnerRfsh.p=; Domain=.viglink.com; Path=/; SameSite=None; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure
< Set-Cookie: vglnk.Agent.p=v-c935c520ecc561fe60a9418874e023b7; Domain=.viglink.com; Path=/; SameSite=None; Expires=Mon, 01 Feb 2021 16:52:34 GMT; Secure
These cookies give them the ability2 to track me across every other site that uses their advertising tech. Who knows what VigLink is doing with my data, but I personally wouldnt trust an advertising company to keep my browsing history to themselves.
Furthermore, they didnt give me a chance to opt-out of this tracking. Im currently based in Europe and I would expect to see at least an interstitial asking for consent to be tracked. TinyURLs privacy policy, last updated in 2012, has no mention of either third party data-sharing nor the cookies they share from affiliates.
This isnt a phenomenon limited to TinyURL. More common URL shorteners like t.co (Twitter) and bit.ly set cookies when you click on a link. While neither redirect you to an advertising company like TinyURL, Twitters primary business model is advertising, and bit.lys privacy policy says they share data with third parties toprovide advertising products and services
Dont use URL shorteners. And if you click on a link from a URL shortener, I recommend using tools like the Temporary Containers Firefox extension to limit the scope of ad tracking. Personally, I took the time to send Sovrn (VigLinks parent company) a GDPR request, and made sure to give them my tracking cookie. Ill update this blog and my newsletter if I actually get anything substantive back.

  1. Their main website was initially blocked by my ad-blocking software. I figured Id just link to Wikipedia here.
  2. Browsers like Safari and Firefox are getting better at catching these drive-by attempts to set cookies. I applaud those efforts, but since this type of tracking works in many cases and is explicitly limited by privacy law, I think its still noteworthy.