the kdmcinfo weblog

URL Shorteners: Handle with Care

Nearly a decade ago, was an occasionally useful internet curiosity, with its seemingly magical ability to compress arbitrarily long URLs, such as:

down to:

At the time, the main use for tinyurl was for sharing long links via email, since many email clients would insert line breaks into long lines of text, blindly breaking links as they did (most email clients are smarter about this now).

A few years ago, along came Twitter with its 140-character message length limit. Suddenly, URL shortening became a necessity, rather than a convenience. Twitter opened the door to a whole cottage industry of companies trying to find ways to commoditize the niche. To minimize URL lengths, URL shortening companies all had short, clever-looking names like,,,,,, and most recently, Google's own entrant to the fray,

Many shorteners work as tools embedded in other clients -- as browser bar bookmarklets, or command keys in Twitter applications, for example.

For news organizations, shorteners provide a great way to provide links to readers in non-web formats, such as in print or on TV. Shorteners also work great in slideshow presentations, so the audience can write down just a few characters instead of a long string.

All shortening services do basically the same two things:

  1. Make it easy to shorten long URLs quickly
  2. Provide an easy to way to count how many times links have been clicked

Bitly stats

The Shady Side of URL Shorteners

Unfortunately, all shorteners also have downsides, which any user of these services should be aware of.

Trust: When clicked, the shortening service is contacted, the shortened string is looked up in their database, and the user is redirected to the intended destination. In other words, all traffic has to go through the shortening service before the user is taken to the destination. If they go down, your links go down. Note also the trust requirement here - since we've put an intermediary in the process, we need reasonable assurance that the shortening service is honest and won't try to hijack or change the link, present commercial offers to readers before they get to your site, or otherwise try to "skim" a bit off the top of the relationship.

Security Security: A standard URL gives the reader some sense of the destination - they can tell at a glance that the link, when clicked, will take them to some domain they know and trust, and that there's no malicious code stuffed into the URL. Once shortened, however, there's no way to tell where the link points until it's too late and the user arrives at the destination site, which may be a malware site that could harm the user's computer. Of course this won't happen if you shorten only your own publication's URLs, and use a reputable service to do so. But be aware that some security-minded users are wary of shortened URLs because they mask the destination. Some sites that read or process shortened URLs, such as Twitter and Google, are starting to build in "preview" features that will mitigate this problem.

Reliability: If you're familiar with the Domain Name System, you know that it works as a "lookup" service, translating domain names into IP addresses so you don't have to type crazy numbers into your browser all the time. When shorteners are used, we're injecting a second layer of lookup services into the internet -- shorteners are almost like a second layer of DNS. Except that, unlike the crucial DNS system, which is an open specification owned by no one, shortening services are owned by companies who may not be around tomorrow. What happens if a shortening service goes out of business? All of those links you've entrusted them with go kaput. Sound far-fetched? Just a year ago, one of the top shortening services,, publicly announced that they couldn't find a way to effectively monetize, and was closing its doors (and the resolution of millions of URLs). The service was rescued from the brink, but you get the picture - be careful whose baskets you put your eggs in.

Libya map Non-U.S. Namespaces Ever wonder about that ".ly" top-level domain in some of the shorteners (like or That's the top-level domain (like .com or .us) for the country of Libya. That doesn't mean the companies are based in Libya -- the domains were simply registered there. As you know, Libya doesn't exactly have the best human rights record. Some people worry that by "doing business with Libya," we are implicitly supporting them. has a pretty solid response to this objection, but it's worth noting that the Libyan government did recently exercise its control to shut down another .ly domain.

Roll Your Own

None of these objections are show-stoppers. Millions of links are shortened by these services every day, and the web doesn't come crashing down. But if these issues are a concern to your organization, one excellent option is set up your own shortening service on your own domain. There are many free/open source string shortening packages available. Just buy the shortest version of your domain you can think of, have your web techs install a package on it to handle the shortening, and instruct your staff to start creating all shortened URLs through your own service, rather than using someone else's. Many of the problems above will simply go away. The better open source packages should even provide some kind of click tracking, similar to what you'd get with commercial shorteners.

Another big advantage to running your own shortening service is that if your web engineers are clever, they can integrate it directly into your content management system, so you won't have to do the copy/paste dance between sites.

Use in Moderation

Whether you decide to run your own shortening service or not, our advice is this: Use shorteners where they make sense to: On Twitter, in print, on TV, in slideshow presentations, or in plain text emails. Don't, however, use shortened URLs as links in your regular web pages, or in HTML emails. They don't benefit the user in those contexts, and only add another layer of redirection the open web doesn't need.

QR Code Tip:

If you use Google's new shortener, try appending ".qr" to the end of the shortened URLs it creates for you - you'll get a visual QR code that can be scanned by mobile phones, so users can visit your page without typing! 

For example, the shortened version of this post is But if you enter into a browser, you get this image:

Try pointing a QR code reader at that image with your smartphone - you should be taken directly to this page!