How secure is Bitly

URL shorteners and their privacy issues

25.06.2019

URL shorteners generate particularly short URLs, which are used, for example, on social networks, with a limited number of characters, or to analyze advertisements. However, the GDPR-compliant use of URL shorteners has a number of hurdles, as the providers of the short URLs collect and process user data. This applies to almost all major providers on the market such as bit.ly, tinyurl.com, ow.ly, redir.ec and goo.gl (the latter has now been discontinued).

Why are short URLs used?

Long target links seem out of place and very often go beyond the scope of certain publications. For this reason, companies and influencers like to use the URL shorteners to shorten the link and thus present it in an appealing way for the user. A short URL is certainly a good choice from an aesthetic point of view, but creates privacy issues. Because in addition to shortening the target link, the providers also use services for range measurement and for analyzing the interacting party (tracking). How exactly the tracking looks behind a shortened URL can be determined by adding the + Sign can be viewed at the shortened link.

Do shortened URLs fall under the GDPR?

The General Data Protection Regulation regulates the processing of personal data, which also includes dynamic IP addresses. The problem is that the large providers collect data such as the IP address, the location, the time, the date and the device information such as browser type, operating system or the language used and transmit it to third countries outside the European Union (USA), as well as to third parties disclose.

Bitly automatically collects personal information about the interaction (e.g. clicks or views) with each Bitly link created through the Services (any of our Bit.ly links or one of our branded domains) on a third-party website. This information includes, but is not limited to: (i) the IP address and the location derived from the IP address; (ii) the referring websites or services; (iii) the time and date of each access; (iv) device settings such as browser type, operating system and language; (v) Cookies, as described below, as well as mobile advertising identifiers and (vi) information about the common use of the Bitly link in services of third parties such as Twitter and Facebook (collectively “Bitly Link Metrics”). As described in this Policy, we use Bitly Link Metrics to provide the Services, to understand and analyze how our Services are being used, and to identify trends and detect malicious, fraudulent, or illegal activity from them and prevent them. For a description of how we may share information we collect when you create, view, or interact with Bitly links, see the “Information We May Share” section.

https://bitly.com/pages/privacy/german

Upon request from bitly, the reference to the IP address is completely anonymized after transmission, but the collection of the IP address means that use still falls under the scope of the GDPR.

Legal basis for the processing

If a company presents a link via URL shortener and thus offers it, the company is considered to be the person responsible within the meaning of the GDPR. One of the responsibilities of a responsible party is to determine the lawfulness of the processing in accordance with Article 6 of the GDPR. It would be possible to have a legitimate interest in accordance with Article 6 (1) (f) GDPR for an appealing display of the short URL or for range measurement. However, from our point of view, the balancing of interests should be in favor of the person concerned, as the interests of the person concerned outweigh the interests of the person concerned through tracking, disclosure to third parties and data transfer to third countries. A possible IP anonymization on the provider's servers should not change this. What remains is the informed consent of the interacting party for the processing and disclosure of their data in accordance with Article 6 (1) (a) GDPR. However, this will only be difficult to achieve in practice.

Information requirements according to Article 13 GDPR

The person responsible is also responsible for the information obligations under Articles 13 and 14 GDPR. Accordingly, the data subject must be informed about the scope of the processing when the data is collected. This proves to be difficult, for example, with consent, since the data has already been processed during the interaction and the information obligations can only be fulfilled later, if at all, and in a non-transparent manner. In principle, the use of URL shorteners in compliance with data protection regulations is a problem that only a few companies are even aware of. Because services and providers like Bit.ly are used by many companies in official communication or on social media without taking data protection and the GDPR into account.

URL shorteners and security risks for the user

In addition to the problems in the area of ​​data protection, short URLs can also bring other security risks with them. The interacting person in particular is at risk, as he cannot see which page he is being directed to by the link. Phishing and malware pages are often hidden behind the short URLs so that users visit them carelessly and are thus attacked or misled to act. In addition, researchers from Cornell University were able to prove in a study that cloud services in connection with short URLs pose a threat to data security. Due to their brevity, the various URLs could be scanned and privately shared documents could be revealed. It was also possible to copy malware into the folders of the open cloud accounts. This then synchronized to the end device of the cloud account. That was the case for seven percent of the accounts.

URL shortening, which looks like a relatively minor feature, turns out to have serious consequences for the security and privacy of modern cloud services. In this paper, we demonstrate that the token space of short URLs is so small as to be efficiently enumerable and scannable. Therefore, any short link to an online document or map shared by a user of a cloud service is effectively public.

http://www.cs.cornell.edu/~shmat/shmat_urls.pdf

Conclusion: URL shorteners and their services offer strong potential for problems

Even if the providers' services tempt you to shorten a URL, these are risky both in terms of the GDPR and in terms of data security. Compliance with data protection is only possible if the provider, as a URL shortener, does not collect personal data or if it is not passed on to third parties. One solution is the use of the German open source solution T1P.de, which says it does not collect personal data and checks the target URL for malware or the use of a self-hosted URL shortener.