How URL Tracking Works (And How to Stop It)
Every link you share carries invisible baggage. Here's what's hiding after the question mark — and why it matters more than you think.
Copy a product link from Amazon. Share a YouTube video with a friend. Click through a link in a marketing email. In each case, the URL you're handling is almost certainly longer than it needs to be — stuffed with parameters that identify you, record where you came from, and follow you across the web.
This isn't a bug. It's the business model.
The anatomy of a tracked URL
Let's look at a real-world example. You search for headphones on Amazon and copy the link. Here's what you get:
https://www.amazon.com/dp/B09V3KXJPB?tag=foo-20&ref=pd_rd_r&pd_rd_w=3Kf8g&content-id=amzn1.sym.eb926b83&utm_source=newsletter&utm_medium=email&fbclid=IwAR3xQz7
https://www.amazon.com/dp/B09V3KXJPB
Everything after the ? is a query parameter. The destination page loads identically without them. They exist solely to tell Amazon (and Facebook, and the email platform) that you, specifically, clicked this specific link from this specific source at this specific time.
The most common tracking parameters
Hundreds of companies append their own parameters, but a handful appear on almost every tracked link you'll encounter:
| Parameter | Source | Purpose |
|---|---|---|
| fbclid | Meta | Facebook Click ID — ties your click to your Facebook profile, even off-platform |
| gclid | Google | Google Click ID — connects your ad click to your Google account for conversion tracking |
| utm_* | Urchin / Google Analytics | Campaign tracking — records source, medium, campaign name, and content variant |
| ref | Amazon | Internal referral tracking — records which page or widget led you to the product |
| si | Spotify / YouTube | Share ID — identifies who shared the link, connecting the sharer to the recipient |
| igshid | Instagram | Instagram Share ID — tracks sharing activity and links it to your account |
| mc_eid | Mailchimp | Email ID — identifies your specific email address across all campaigns |
| li_fat_id | LinkedIn | LinkedIn First-party Ad Tracking — ties ad clicks to your LinkedIn identity |
This is just a sample. The ClearURLs project maintains a community database covering over 200 providers and thousands of individual parameters.
It's not just parameters: redirect chains
Tracking parameters are the visible part of the problem. The invisible part is redirect wrapping — when a company routes your click through their own server before sending you to the real destination.
You click a link on Facebook. The URL isn't example.com — it's l.facebook.com/l.php?u=https%3A%2F%2Fexample.com. Facebook's server logs your click before forwarding you.
A friend sends you a link in a tweet. It looks like t.co/Ab3xKz9. X/Twitter resolves the shortener on their end, recording the click.
You Google a recipe and click an AMP result. Google routes you through google.com/url?q= first, capturing the click before the redirect.
In each case, the company sees who clicked, when, and where they went. The destination site never needed to know any of that. And no amount of clearing your cookies will undo it — the tracking happened at the URL level.
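The function below applies both ideas from the sections above: it removes the parameters listed in the table and unwraps the l.facebook.com and google.com/url wrappers. It is an added example, not code from this page or from ClearURLs; the rule lists, host patterns and the names cleanUrl and unwrap are assumptions chosen for illustration.

```javascript
// Added example: rule lists come from the table and redirect examples on this page.
const GLOBAL = { names: ["fbclid", "gclid", "igshid", "mc_eid", "li_fat_id"], prefixes: ["utm_"] };
// Short names such as "ref" and "si" are removed only on the hosts the table names,
// because other sites may use them as functional parameters.
const HOST_RULES = [
  { host: /(^|\.)amazon\.com$/, names: ["ref", "tag", "content-id"], prefixes: ["pd_rd_"] },
  { host: /(^|\.)(spotify\.com|youtube\.com)$/, names: ["si"], prefixes: [] },
];
// Wrappers that carry the real destination in a query parameter. Opaque
// shorteners like t.co are not listed: resolving them requires a network request.
const WRAPPERS = [
  { host: /^l\.facebook\.com$/, path: "/l.php", param: "u" },
  { host: /^(www\.)?google\.com$/, path: "/url", param: "q" },
];

function unwrap(url) {
  const w = WRAPPERS.find((x) => x.host.test(url.hostname) && url.pathname === x.path);
  const target = w && url.searchParams.get(w.param);
  if (!target) return null;
  try {
    const inner = new URL(target);
    // The embedded target is untrusted input: accept only web schemes.
    return ["http:", "https:"].includes(inner.protocol) ? inner : null;
  } catch {
    return null; // not an absolute URL
  }
}

function cleanUrl(input, maxUnwraps = 3) {
  let url = new URL(input);
  for (let i = 0; i < maxUnwraps; i++) { // bounded depth for nested wrappers
    const inner = unwrap(url);
    if (!inner) break;
    url = inner;
  }
  const rules = [GLOBAL, ...HOST_RULES.filter((r) => r.host.test(url.hostname))];
  const names = new Set(rules.flatMap((r) => r.names));
  const prefixes = rules.flatMap((r) => r.prefixes);
  for (const key of [...url.searchParams.keys()]) {
    const k = key.toLowerCase();
    if (names.has(k) || prefixes.some((p) => k.startsWith(p))) url.searchParams.delete(key);
  }
  return url.toString();
}
```

Parameters that are not on a rule list are kept, so a functional value such as an article id survives cleaning.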
Doesn't Safari already handle this?
Partially. Since iOS 17, Safari has included Advanced Tracking and Fingerprinting Protection (ATFP), which strips certain tracking parameters. But there are important limits:
gclid, fbclid, and a handful of others). It doesn't follow redirect chains. It doesn't unwrap URL shorteners. And until iOS 26, it only runs by default in Private Browsing — not your everyday browsing sessions.
Most importantly, Safari only cleans URLs as you browse. It doesn't touch URLs you copy and share. When you paste a link into Messages, WhatsApp, Slack, or an email, you're passing along every tracker attached to it — and your recipient may not be using Safari at all.
Why sharing dirty links harms others
This is the part most people miss. When you share a tracked URL, you're not just exposing your own browsing habits — you're making the recipient trackable too.
That fbclid in the link you pasted? When your friend opens it, Facebook can now correlate their visit with your original click. The mc_eid from a Mailchimp campaign? It identifies your email address — and now it's sitting in your friend's browser history.
Clean links are a courtesy. They're the digital equivalent of not giving out someone else's phone number.
How to actually fix this
You have a few options, ranging from manual to automatic:
The manual way
Look at every URL before you share it. Find the ?, delete everything after it, test whether the page still loads. Do this dozens of times a day, every day. It works — but nobody actually does it consistently.
Browser extensions
Extensions like ClearURLs work well inside the browser. But they don't cover URLs you copy from emails, messages, documents, or other apps. They also don't exist on iOS.
System-level cleaning
This is the approach that actually works in practice: an app that intercepts URLs at the system level — the clipboard, the share sheet, everywhere — and strips tracking before you paste or share.
See the difference
The links work identically. The pages load the same. The only difference is that nobody gets to track who shared them or who clicked them.
Start sharing clean links.
One app. All your devices. No tracking — not even by us.