That curse is URL shortening. And yes, it did exist before Twitter, but Twitter both limits how much its users can post and depends on those users sharing content with each other, often in links–and those URLs can take up a lot of space. The growth of URL shortening has brought with it the growth of URL shortening services, which apparently hope to monetize it.

Leaving aside the issue of how monetizing such a thing can be done, URL shortening is bad from a user’s perspective for the simple reason that if someone shares a link with me, I have no clue where it’s going. If someone just posts “OMG this is awesome”, the shortened URL they post it with could just as easily be a rickroll attempt as it could be an evildoer hijacking their account and sending me to malware. And while I may be running Ubuntu, there’s no way of knowing that there isn’t some kind of zero-day exploit already being used on it (I have no illusions about Ubuntu being perfectly secure, after all).

This isn’t just a security problem–it’s also a usability one. What if I’m playing music and I don’t want to see a Youtube video? What if I’m working and only want to click on a link if I know it’ll be something quick? What if it’s a link to an inflammatory Reddit post that’ll just get me angry and ruin my mood?

Clever users may respond that there are browser extensions and Twitter clients that can solve this problem by showing a preview of the destination. Maybe, but if they don’t show you the URL, do you really think it would be hard for a malware writer to put up a fake display of the site at the destination? If they’re willing to meticulously fake the appearance of a Windows security warning or antivirus program, would it really be hard to put up a fake image of a Youtube page and then switch it out with Javascript if an actual browser is detected? Admittedly, this would likely have to target specific previewers to fake them out, but it’s a real possibility, and not one that an informed user can ignore.

In order to avoid subjecting people to this danger, I’ve installed YOURLS (Your Own URL Shortener… clever!) on my hosting to try to avoid putting people through that. I don’t intend to let anyone else use it for URL shortening, just me–so you can be reasonably certain that if you see a short URL beginning with perpetualstudent.net/, it came from me and not someone who hijacked my account. Yes, my domain isn’t especially short, but it’s probably short enough for my purposes. YOURLS is a great project, if only because it shows just how little work it takes to make a URL shortener beyond thinking of a clever short domain name. All it takes is a cleverly-written .htaccess file, a bit of PHP code and a MySQL database. YOURLS even gives you all the same URL tracking features that the likes of bit.ly do.

So please–if you’re going to use a URL shortening service like bit.ly or u.nu, have the decency to explain in context where those links go and what I’ll get if I click on them. The occasional rickroll won’t kill me, but the last thing I want is to feel paranoid when clicking on links my friends share.

This most recent change consists of a revamp for Facebook’s already-substantial privacy settings. This change didn’t actually affect anyone’s settings who didn’t tell it to; users were greeted with an unavoidable menu asking them if they wanted to keep their old settings or switch them to new, simplified privacy categories–the default of which in a number of them was “Everyone”.

This is, to be perfectly fair, not something I really have a problem with. While “Everyone” was preselected for some users (UPDATE: apparently not all, since for some at least, it was set to Original Settings), they gave you all the information you need to decide whether that was actually a good thing. Plus, I get why they’re doing it; they want all the data they have on their users to be available to search engines and marketers so they can monetize it, and so they can position themselves as the search result that people might want to come up on Google searches for their users’ names. Monetizing profile data without incurring the wrath of privacy advocates is something they’ve been doing for years through, among other things, their own targeted advertising network (the one that’s known for selling sex to men and weight loss to women), the ill-conceived and ill-fated Beacon, Facebook Connect, and the notorious ads that use friend connections to make it appear as though a user’s friends endorse a product.

Many of Facebook’s users tend to forget that Facebook is neither free nor intended as a public service. They’re in the game to make money, and the data they’ve amassed on their users is worth a fortune to the right people. With that in mind, I don’t really blame them for encouraging their users to make their profile data public. (As long as, y’know, they’re not doing anything shady on the side in complete violation of their privacy policy.)

On the other hand, I imagine many of their users neither take the time to learn about how far their profile data can go nor care about the issue, and might very well absently click their way through the menu without thinking about what “Everyone” actually means. Frankly, I have little sympathy for those users, but the EFF disagrees. I would be quite interested in statistics on how many users actually changed their settings to Everyone as a result of this menu–those would presumably be the ones who just didn’t want to be bothered and thought “yeah, whatever”.

It just goes to show: as always, there is no replacement for a smart user. Internet companies will monetize however they can. It’s up to users to decide where they want their data to go, or if they even care.

Edited: Fixed a minor typo. Also, I’ve received reports that Everyone wasn’t always preselected, which is quite significant for the “yeah, whatever” cases.

No matter how secure your system is, there’s never a replacement for a well-educated user who knows to at least be wary of untrusted software packages. While a smart security framework can make a user pause before making a mistake, it’s ultimately still at the user’s mercy. (Though having such a system in place is certainly much better than not having one, or providing a false sense of security.) A Linux user who joyfully installs every package offered is really in no safer a position than… well, the majority of Windows users.