"Share a link" for a post should not leak username


(Ralf Jung) #1

Currently, using the “Share a link” or copying the URL associated with a post’s timestamp results in a URL that contains the username of whoever does the copying, if that person happened to be logged in at the time. This poses some privacy concern: If the link gets shared around, possibly forwarded multiple times, it exposes who was the original person to create it – like a watermark. While it is possible to just remove the u=..., this is easily forgotten when just copy-pasting URLs around. After all, users do not typically expect a URL to leak information like this. I also tried hard to come up with a good reason for why the username is in the link, and failed – I suppose there is a reason, but I wonder if it is worth the cost?

So, please remove the u=... at the end of posts’ URLs.


(Vinoth Kannan) #2

It discussed already and having a solution below


(Jay Pfaffman) #3

Including the username is a feature that allows Discourse to track who has shared a link. One can easily copy the URL from the web browser. If you want to disable this feature see the discussion @vinothkannans linked to.


(Jide Ogunsanya) #4

I love the feature because it enables us to track the top referrers, who we do appreciate with gifts and freebies. It’s one of the ways we grow our community.


(Ralf Jung) #5

I am not an admin of the forums I frequent, so I it doesn’t seem like I can do the customization you are suggesting.

You are literally tracking people across the internet for the benefit of some cute badges…? :frowning:


(Jay Pfaffman) #6

Then rather than clicking the :link: icon, type control-L then control-c. If you really want to use the mouse, then you can click the location bar in your browser, and probably right-click and select “copy”.

Being able to give users credit for bringing new users to a community is literally a valuable benefit in the eyes of many community managers.


(Neil Lalonde) #7

Usernames are public and specific to the site, so I don’t think it’s a privacy issue.


(Ralf Jung) #8

I usually want to link to a particular post. When I see three posts on the screen, I do not know which one the link goes to.

I see. I personally don’t agree, but at least this explains why the name is added to the link. I still think it’s a very problematic default, but I realize that this kind of community building has higher priority here than privacy concerns.

I don’t follow. It’s not about leaking the fact that a user with that name exists on that forum – that’s indeed public information. It’s about the fact that this user is the one who originally shared this link. That’s definitely not public information.


(Mittineague) #9

Sorry, but I’m not following.

For me, the ?u=mittineague can easily be removed with an edit - if I wanted to not have it for a post I was referring to, and alternatively it could be removed by script - if I wanted to not have it for any posts referred to by anyone.

Personally, if I care enough to refer to a post, I really don’t care if others know that it was me that referred to it. That is, I don’t understand how this could be a source of a “privacy” problem. Please post an example of how this can be a problem.


(Jay Pfaffman) #10

I think that the logic is that If they shared the link publicly, e.g, on twitter, then it’d be public that they’d shared it anyway. But your logic is different.


(Ralf Jung) #11

Well this would first of all leak a connection between maybe otherwise uncorrelated usernames. I may not want to reveal who I am on that forum as I pass on links to a different group of people. I wouldn’t expect that to be revealed.
Also, the name sticks around as the link gets copy-pasted into more places, still pointing to who originally started the reference.

Technically savvy people will easily recognize that their username is in the URL and just remove it, but I wouldn’t expect non-technical people to know that they can modify a URL like that and still have it point to the same thing.


(Ralf Jung) #12

I tried this in another forum where I am admin, and it does not work. When I click on a post’s time and copy what I get, it still adds ?u=... to the URL.


(Vinoth Kannan) #13

That script will remove the username from “share a link to this post” button only. Not in the time link. If you like to remove that then you have to add some extra modifications.