YSK sharing a YouTube video could be revealing your identity
When you share a YouTube video using the share button it adds “si=some_unique_code” to the URL. If you don’t remove that it shows your personal account to anyone who receives it so that they can chat directly with you. For a lot of people this is their real name.
I’ve seen it all over Lemmy so I figured I’d mention it here! You only need the stuff before the question mark in the URL to let others see the video.
This can also be turned off in your YouTube settings under the privacy section. The setting is “channel visibility for shared links”. It will still add the si code for tracking though.
95 replies
Done. Thank you.
I use this on Android to sanitise links I sent out as well as clean incoming links before viewing them.
https://play.google.com/store/apps/details?id=com.svenjacobs.app.leon
Since 4 March 2026 I am seeing "is=" in some YouTube links instead of "si=", also with the 16 character ID.
The frequency with which I've seen the
siattribute included in youtube links has made me painfully aware of just how many people are not using the internet the same way I do; they're experiencing the internet through a handful of mobile apps, not through a web browser on the desktop.even some IT pros are leaving it in, knowing well what it does. some people just couldn't care less.
yup. I don't use the google apps for ANYTHING. Even on my tab/phone, I use a browser (orion, with ublock origin installed) to watch youtube. It's really annoying, but it's better than using their spyware app.
This is why I use YouTube revanced. The features for it are great.
Even then.. what proportion of people do you think know the parts of a URL? Or know what a URL even is...
You may be in a bubble, friend
I know all this stuff and even I don't look at the technical stuff in the URL. I just make sure it doesn't have dQw4w9WgXcQ in there.
I refuse to search for that user, but dammit am I curious.
Iykyk
A problem I've had is people using those Google share links. I keep yelling them that I'm not clicking that link no matter how funny or interesting it may be.
Traffic is roughly 70-80% mobile on most websites I know.
til people don't reflexively strip out everything after the ? unless you know exactly what it's doing
most people don't even know what an URL is, and how it's structured. if their browser does not remove the tracking parameters, they won't get removed.
yup. all you need is the v=vkjlhaswlikuj3hg4 thing. that is the only thing you need, as it identifies the video. Strip everything else.
tbf, it's intentionally designed to be malicious and deceiving
Not sure if my anxiety is justified here, but I am not tech savvy whatsoever. And I worry about all the things I’m doing that’s probably completely giving myself away that I’m just unaware of. I didn’t know about this at all.
It is . But now you know . Don't freak - and you might even learn how to install a privacy based browser, vpn, or operating system. Keep the tinfoil har dude and best of luck
I do use a VPN, but tha'ts about it.
pretty much everything that has a "share" button does this. it's not to help you share the link more easily than copying from the address bar - it's to harvest your data
Even voyager gives a link to vger.to when you hit share instead of a direct link to the thing you want to share. No idea what they are doing with it (other than trying to redirect it to the app). Maybe it's set up to just use the localhost and that's all it does, but I usually strip that part out because I have no idea either way.
vger.to solely exists so i can text dumb memes to my non tech inclined friends, and they open in voyager on their device instead of the web.
It’s a dumb service and has zero analytics other than cpu disk bandwidth use lol
On my forum, youtube links get stripped of any extra url parameters. Every site should have to do that.
That's a great extra layer of protection, but people shouldn't rely on it and get/stay in the habit of always removing the tracking code themselves.
Yeah, it's easily possible to set it up to save the original link somewhere hidden. Same reason why you shouldn't reuse passwords because it's trivial to set up a site to look like it's doing it right from the outside but actually saves all passwords in plaintext for owners, admins, or disgruntled staff to look at later and see if it logs in to your email.
If it helps, for Androids share YT link to something like Untracker to remove unwanted nonsense from the url which you can then pass on safely (also works for things such as Amazon links).
For images, share to something such as Imagepipe first to remove location data. Other apps such as Aves Libre gallery or image Toolbox also strip this data but Imagepipe is simple - share image to it & it passes the image directly to your messaging app after stripping the data
Along similar lines be careful of the images you post if you location tag your photos. A lot of the larger websites will strip the location data by default but some do not. I’ve saved a handful of photos from reviews off the internet and now have people’s home addresses where the photo is of the product in their living room or whatever.
If you go to the ‘map’ section of your photos app it arranges them by location.
You can turn location tagging off globally when photos are taken or usually when you go to share a photo there is an option buried in a menu to strip location data(on mobile).
I have an iOS shortcut that remove exit meta data.
That's one of the first things I did when configuring my kids phones.
It would be great if link cleaning and auto-mirroring was part of the lemmy UI itself.
The problem is that there is an almost infinite way to design these kinds of URLs, so maintaining a database of what should be stripped out isn't trivial.
Yeah, would be best within particular client implementations. Not core Lemmy tho. Too many ways to do this and high maintenance.
I think that would probably be a client implemented feature, not a Lemmy one. I also don't design social medias, so I don't really know.
Yeah "lemmy-ui" is the official web app for lemmy. There might be other web frontends or clients that already do this.
I remember telling this to people on reddit and getting downvoted to oblivion while redditors squawked "who tf cares bro"
We set up a bot on r/asmr to reply to anyone posting a YouTube link containing the "si=" parameter, warning that it was likely a tracking ID that Google could potentially use to tie their YouTube account to their Reddit account with some degree of probability and suggesting that they delete their post and re-post without the si= parameter. Many were grateful for the warning and info but some didn't care. We decided to disable the warning after a few weeks.
fitting
I first heard about it on reddit but it was before the API exodus, so...
YSK PieFed automatically strips that out.
Like if you post a YouTube link, the platform detects it and automatically edits the link?
Yeah
Is that so?
Edit: I posted this from PieFed, and it preserved the "?si=" part of the URL, which I have since edited out by hand.
This one I loaded from a private-browsing tab. The URL includes the tracking ID but it may not be connected to me.
It doesn't do it in comments, just when you make a post.
They might be talking about the default web interface.
That's what I use!
Pretty cool!
Thats great!
Thank you for that.
I just share the URL from the browser.
Even on mobile: I don't use the YouTube app. On Android, this is a no-brainer, since you can run Firefox and uBlock Origin and bypass all the ads. On iOS it is a bit more dicey, but still advantageous to forego the app. Currently DuckDuckGo can bypass the ads for free. If you don't mind paying, Wipr2 can also do it, in Safari. Then you just put a web shortcut to YouTube and bam, ad-free YouTube. Shitty icon though (it's the regular icon in a white squircle). Either way, share from the browser, not YouTube.
Also, of course you can remove all the extra shit from the URL if you know how. That wisdom is lost on younger generations, but innate to older ones (who grew up around tech, like Millennials; or younger Gen X who adopted it at a young age — not like these iPad babies you have now).
I don't see how it's a generational thing. I remember when every link included the page type at the end, meaning there was nothing that could be truncated. If you don't know what si stands for or don't know that anything after a ? Is tracking bullshit, then you simply don't know. It's a "knowledgeable person" thing that can be learned at any time. I've pointed it out and many people I know still don't care
People who grew up when smartphones were already a thing might never have needed to learn how the Internet and URLs actually work. To a lot of everyday users nowadays, the Internet is just a series of smartphone or tablet apps you switch between. I used to think that the spread of the Internet into more segments of society would create a society of computer nerds, ha ha ha ha ha nope.
Sample the people around you in real life. They don't know any better, regardless of age. The group that experienced it has already largely forgotten it because the link purpose got obfuscated and the need became obsolete in everyday use
As a web developer, everything after the ? is actually parameters for the request. Anything could be in there, even important stuff (though hopefully nothing identifying, since that is extremely unsecure). You will likely break functionality if you delete everything without knowing what it is.
if it's obfuscated, then it's assumed to be malicious
Usually parameters are easy to understand. Like the time parameter in yt URLs, which is t=180 (meaning 180 seconds from the beginning of the video). Usually, parameters that are a string of seemingly random letters are UIDs or tracking parameters. Whenever I see a URL with one or multiple of those, I start deleting them and seeing if the URL still works. In 90% of the cases, it still does. Amazon is one of the worst offenders, with usually 4 or 5 random looking parameters that can be deleted without affecting the functionality of the URL.
t= is the only useful parameter in YouTube URLs (that I know of). If not for that we could just strip all of the parameters out.
People can't even unanimously agree on when each generation starts and ends (see terms like "zillenial" or "xillenial") so I'd even go so far as to say it's a completely redundant concept in the colloquial sense. Obviously most people care more about continuing to use the "kids these days" rhetoric so it hardly matters regardless, but it doesn't make it any less ridiculous.
Blurry deliberations are typical. As time goes on, "millennial" will become more accurate as the differences between xennial and zillennial become smaller and smaller in comparison to differences between _ennial and alpha or beta or delta. I just take issue with acting like direct url interface was the experience of a generation, and not a short-lived blip for the gen pop that has already been forgotten, especially as full url purpose has shifted to something arguably evil.
Yes, though my point that I wanted to add is that people seem to treat generational terms as if they’re a fact of reality instead of a very shaky conceptualization of cultural differences between birth groups that are already influenced by a lot more factors than just when people are born. It’s much more of a spectrum than a strict range of demographics inherent to humanity.
Always remove those search parameters before pasting links, even to my friends. F—k these big tech platforms, I'm not giving you any sharing data!
Same here, the awful thing is if they click on it, they cannot see the comments under the video and can only "reply" to you. Not sure what that should do, since the link has already been shared.
It can't share my personal account if I'm never signed in.
Pipepipe does not include this tracking, by default.
Same with freetube (which can be used for both mobile and desktop)
Same with LibreTube.
Revanced strips it when copying or sharing the video url
Grayjay does too.
Hopefully NewPipe does the same,
as PipePipe's successor.I'm preeeeety sure PipePipe is the successor. Or atleast a different fork with more updates.
You are correct. Or, rather, not the successor but an independent fork (doesn't necessarily adopt upstream changes).
I don't know what the hell I saw just the other day. I am 100% certain that I read that some GitHub project I was looking at said it was a fork of PipePipe, or in reverse, that "you should use NewPipe as it supersedes this repo".
🤨 I need to dive into my browser history...
Edit: ah! It was PipePipe! I just misinterpreted this line:
I took this to mean:
🤦♂️💁♂️ D'oh.
Newpipe and Tubular also share videos without the tracking, by default.
Nice!
On android, urlcheck is a great app to modify URLs before sharing or opening. For this problem, you can use the json editor, and add the following two entries with small a regex I wrote:
A button to shorten the link appears in urkcheck when the pattern matches. You can all auto shorten them by replacing "enabled": true
With
"automatic": true
Wow. This is awesome. Thank you! I will have to see if the dev has a donate button.
FWIW I had to noodle with the spacing of your json after copying from Lemmy (Voyager android app) but I got it to work. Thanks for sharing!
Here's another. If the video you want to share is on youtube, it's also on invidious. Without ads, downloadable and just generally none of youtube's bullshit. It even uses the same video vURL address.
tbh I would still prefer receiving the raw youtube link so everybody can redirect it to their preferred way of watching e.g. Morphee. Invidious instances can go down or stop working.
I haven't had a positive experience with an invidious instance in years. They are usually either down or horribly slow for me.
Facebook and Instagram do the same btw. Just FYI.
TikTok too, actually. They’re just more clever about it by generating a slug when you share a video, so you can’t just lop off the end.
Additional PSA: TikTok does the same. Also Instagram, but in my experience it doesn't reveal the sharing user (yet).
Insta does. if you open it on web and you didn't log in, the popup that beg you to log in will also include the user who shared it.
What the fuck
Instagram absolutely does reveal the sharing user
Holy moly, better pay attention
Might not solve everything, but a good link cleaner utility is helpful too. I personally use this one: Trackless Links
I use Leon:
https://f-droid.org/packages/com.svenjacobs.app.leon
Is
I've seen YT links with both
siandis.Yeah I’ve only seen si but that’s good to know
I never knew users could get the profile from it, I always thought that was a youtube internal thing. thats not cool
It's a very recent change
i would be surprised if it is true that "If you don’t remove that it shows your personal account to anyone who receives it so that they can chat directly with you", and a search just now didn't find anything to substantiate that.is it though? if so, how do you actually find out the profile name from thesiparameter?obviously tracking parameters from URLs should be removed in any case, but afaict only google can use this to find which user generated the link.after some more reading i found conflicting reports but i think this might actually be happening; apparently it is only visible in the app?
I’ve seen it when opening shared links in the browser but it’s possible that you need to be logged in for it to show
Get YouTube Sharing URL sans Sharing / Tracking Code (for iOS users)