Shortened URLs in email are evil

Shortened URLs in emails are bad for security, encourage tracking, and are completely unnecessary.

Huzzah, take that, URL shorteners!

A few days ago, a recruiter reached out to me. All of the links in the email were shortened URLs. The URLs redirected to the domain zen.sr. My initial reaction was "Ooh, definitely won't be clicking on those links!"

I've never seen a .sr domain, I hadn't heard of the company, and I'm pretty suspicious of clicking on any links in emails. Gmail does a pretty good job of filtering out the phishing emails that come my way, and the few that do manage to slip through tend to be blatant spam. I read over the recruiter's email again. It didn't seem very spammy. It was well-written and the content looked pretty standard for an email from a recruiter. I suppose that all blanket recruiter emails that are general enough that they could be sent to any engineer for any position are spam by definition, but I'll save that argument for a later time. Now I was curious: was this a real recruiting email, or was it some well-disguised spam?

First, I looked at the sender email. I figured that if they worked for the company they were hiring for, their email would have the same domain. One point for this being a real email: the email was joe@acme.com. I opened up a private Firefox window and did a search for acme.com. There was a hit and everything seemed pretty normal. I went to the website and clicked around. If this was a phishing scam, it was pretty elaborate. It looked like a real company to me. At this point, I decided that the company seemed real. But I was still bugged by the shortened URLs!

So, I decided to do some investigation into the shortening service behind zen.sr. The first search result was exactly what I was looking for: a help center article from gem.com. According to Gem's website, they are "The Platform For Modern Recruiting." Okay, the recruiting email almost certainly wasn't spam. The help center article is pretty funny. It says that they shorten URLs to zen.sr so they can track clicks. Yep, I had a feeling. The funny part is the last sentence of the article. It says, "As a best practice, we recommend turning it on, with the exception of a few roles that tend to care more about privacy (e.g. security engineers)." Ha! Security engineers?? So you should turn off tracking for people who know they are being tracked, but tough luck for everyone else? Ugh.

This sent me off on a little hunt to learn more about shortened URLs and their history. The first site I landed on had all of the info I wanted. The prose bugged me a bit (I wasn't in the best mood at this point), but it was a treasure trove of information on URL shorteners. The tl;dr is that they have been around since 2001. They were originally invented so a guy could post links on a unicycle forum (I love the web). Since then, shorteners have had a checkered history. At first, people were upset that they masked the true destination of links. A few years later, they started to show up in any plain-text context where long strings were an issue (e.g. Twitter); this is arguably the only place where URL shorteners are somewhat useful. In 2008, as so much of the web started to shift into a tracking and advertising machine, so too did URL shorteners, with bit.ly's launch of the first link analytics tracking service.

After the history lesson, I looped back to the recruiter's email. Why did they need to use the shortening service? The email was HTML and the link was in an <a> tag, so the shortening aspect of it was unnecessary: the visible link text can be anything, regardless of how long the href is. That leaves one reason for the shortened URL: tracking. This type of tracking is invasive. What metrics are gained by tracking? They already know how many people respond to their emails. Isn't that enough? You can run A/B experiments and the like just based on that. Also, are the metrics really that sound? Certain email clients will follow links automatically to assess whether they are safe. Likewise, when I held down on the link on my iPhone to copy it, it opened it in a little modal. I wouldn't count either of those as real clicks. Does Gem discount them too? I'm sure my imagination is letting me down here, but this tracking just seems unnecessary.
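The check above (what does the href actually point at, and does it match the sender and the visible text?) is easy to automate before clicking anything. The following is an added example, not code from the post or from Gem: it parses the `<a>` tags out of an HTML email body, flags links whose host is a known shortener, lies outside the sender's domain, or disagrees with a URL shown as the link text, and optionally peeks at a shortener's redirect target with a single HEAD request that is not followed. The shortener list contains only the two hosts the post names (zen.sr and bit.ly), the sample email body is constructed, and `acme.com` is the sender domain from the post.

```python
"""Audit the links in an HTML email body before clicking any of them."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import http.client

# Hosts to flag as shorteners / click trackers. Only the two named in the
# post are listed; extend with whatever shows up in your own mail.
KNOWN_SHORTENERS = {"zen.sr", "bit.ly"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")  # None for <a name="..."> anchors
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL, or None for mailto:/relative links."""
    return urlsplit(url).hostname or None  # urlsplit lowercases the host


def audit_links(html_body, sender_domain):
    """Return one finding per link: href, visible text, host and a list of flags."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        flags = []
        if host is not None:
            if host in KNOWN_SHORTENERS:
                flags.append("shortener")
            # A subdomain of the sender (careers.acme.com) is fine; anything else is not.
            if host != sender_domain and not host.endswith("." + sender_domain):
                flags.append("off-sender-domain")
            # Visible text that is itself a URL but points somewhere other than the href.
            text_host = host_of(text) if "://" in text else None
            if text_host and text_host != host:
                flags.append("text-href-mismatch")
        findings.append({"href": href, "text": text, "host": host, "flags": flags})
    return findings


def peek_redirect(url, timeout=5):
    """Send one HEAD request and return the Location header without following it.

    Network call, so it is not exercised by the offline sample below.
    Returns None when the server does not answer with a 3xx redirect.
    """
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()


# Constructed sample body, modelled on the recruiter email described in the post.
SAMPLE_EMAIL = """
<p>Hi, I'm hiring for <a href="https://zen.sr/abc123">Acme</a>.</p>
<p>Job description: <a href="https://zen.sr/def456">https://acme.com/jobs/42</a></p>
<p>Or reply to <a href="mailto:joe@acme.com">joe@acme.com</a></p>
<p>Our site: <a href="https://careers.acme.com/">careers</a></p>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL, "acme.com"):
        status = ", ".join(f["flags"]) or "ok"
        print(f"{status:40} {f['href']}  (text: {f['text']!r})")
```

Only links carrying a flag deserve a `peek_redirect` call, and even that sends one request to the shortener, which is itself a (single, client-less) click from the tracker's point of view; run it from a throwaway network context if that matters to you.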

At the very least, obscure links in emails are unsafe. Every publication under the sun has written about not trusting links in emails. Informed users have been trained not to click on links in email. They may even have tried to fight invasive email services like Superhuman. But with invasive email practices (as with so much else in tech) there is an asymmetry between the people building the tech and those who use it. Steve Jobs discouraged his kids from using iPads, the same ones he was trying to sell to schools. And most people don't have the time to dodge tracking at every turn. If we normalize obscure links in emails, then we'll never get the cat back in the bag (though perhaps the cat is already out of the bag with the prevalence of shortened URLs on Twitter).

Link shorteners in email are evil. At the very least, services like Gem should disable them by default. Their docs encourage users to disable them for "security engineers." If they are willing to disable them for the population in the know, then they should extend that decency to everyone. This email was from a recruiter who wrote me out of the blue. I'm not looking for a job and I don't advertise anywhere that I am. If someone is going to write to me, then they shouldn't track me while doing it. This is like a door-to-door salesman snapping your photo as soon as you open the door. There is an information asymmetry that means the sender gets to know more about me before I even know what their business is.

P.S. If you're thinking to yourself that it is annoying to read a post that bemoans tracking written by someone who has worked for the chief tracker (rhymes with "Schmoogle") and uses Gmail for their email, all I can say is that this isn't lost on me and you are certainly right. Happily, there are people hard at work trying to reduce harmful email practices, and I encourage you to check them out.

P.P.S. This website uses analytics. You can read more about them and get a link to the public dashboard by visiting my "about this site" page.