Earlier today I came across a Reddit comment with a link to an Instagram post. The link had ?igsh= at the end.
When I clicked on the link, I got this popup. It had a name and profile photo that was different from that of the post being shared.
Join Firstname Lastname on Instagram
See photos, videos, and more from Firstname Lastname.
[ Open Instagram ]
not now
I avoid link trackers. However, I did not realize it was this bad.
To my knowledge, TikTok does the same thing and lists the name of the person that shared the link. Assuming this increases engagement, any website could enable such a feature, even on old links that you shared in the past.
You should manually remove any trackers before sharing, or use an app for it.
For anyone who wants to take this seriously but doesn’t know what to do:
TL;DR: Chop off everything after the question mark.
Usually these trackers are at the end of the URL, after a ?. That’s called the “query string parameters” of the URL, and it’s where developers will attach extra information for the server or page. Often, those are benign and useful: It’s a token that identifies you to the server, or it’s context about what you’re trying to do. Sometimes you can eyeball the query string params and guess what they do, e.g.:
coolvideos.com/videos/5432?fullscreen=true&autoplay=true&time=12021
or
cheapshoes.com/search?query=adidas+tennis&category=womens&filter=discounted
or
https://m.youtube.com/watch?v=dQw4w9WgXcQ
If you chopped off everything after the question mark, the URL should still work, it’d just give you a default version of that page. In these examples, there would be no privacy risk to sharing the URLs somewhere.
But query string params are also where a lot of marketing/tracking bullshit goes. When you see URLs with UTM params like “utm_medium” and “utm_campaign”, that’s marketing bullshit. They can also contain info about who you are, like what OP is describing: If it’s some kind of referral link for example, then it might look like pyramidscheme.com/special-offer?associate_id=455&source=facebook. It might be esoteric too, like the “igsh” param in OP’s post (which I assume is short for “Instagram share” or something?). That WOULD be a privacy concern.
So yeah… Often you can eyeball it and figure out what (if anything) to remove… And if in doubt, try chopping off the question mark and everything following it, and see if the URL still works.
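The advice in this thread as a small URL cleaner, added here as an example and not code from any poster. The function names, the `extra` argument and the `fbclid`/`gclid` entries are assumptions of this example; `igsh` and the `utm_` prefix come from the thread, and the sample URLs in the comments and tests are constructed.

```python
from urllib.parse import urlsplit, urlunsplit, unquote_plus

# Names from the thread (igsh, utm_*) plus two widely seen click
# identifiers (fbclid, gclid). Illustrative only, not an exhaustive list.
TRACKING_NAMES = {"igsh", "fbclid", "gclid"}
TRACKING_PREFIXES = ("utm_",)


def is_tracker(name, extra=()):
    """True if a (decoded) parameter name looks like a tracker."""
    lowered = name.lower()
    return (lowered in TRACKING_NAMES
            or lowered in {e.lower() for e in extra}
            or lowered.startswith(TRACKING_PREFIXES))


def strip_trackers(url, extra=()):
    """Remove tracking parameters and keep functional ones such as v=.

    The query is filtered pair by pair on the raw string, so the values
    that are kept retain their original encoding. Keys are decoded first,
    so a percent-encoded name like utm%5Fmedium is still caught.
    `extra` takes site-specific names spotted by eye (e.g. associate_id).
    """
    parts = urlsplit(url)
    kept = []
    for pair in parts.query.split("&"):
        if not pair:
            continue
        key = unquote_plus(pair.split("=", 1)[0])
        if not is_tracker(key, extra):
            kept.append(pair)
    return urlunsplit(parts._replace(query="&".join(kept)))


def chop_query(url):
    """The TL;DR approach: drop the question mark and everything after it."""
    return url.split("?", 1)[0]


if __name__ == "__main__":
    # Constructed sample: a share link with a functional and a tracking param.
    print(strip_trackers("https://m.youtube.com/watch?v=dQw4w9WgXcQ&utm_medium=social"))
    print(chop_query("https://www.instagram.com/p/EXAMPLE/?igsh=CONSTRUCTED"))
```

`strip_trackers` is the "eyeball it" path and leaves the page working when a parameter such as `v=` is required; `chop_query` is the fallback when in doubt, and the result still has to be opened once to confirm the page loads.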