Bluesky already doing enshittification

This is for publishers. They announced this openly.

As predicted.... And people piled on me here when I question why they were falling head over heels over bluesky when it was yet another techo bro platform
- I thought about it but lemmy seems more genuine.
  No karma. No nothing. Just info.
  
  This was more a Twitter vs BlueSky comparison... not against Lemmy, not sure I understand your comment
- I noped out the second I heard Dorsey was involved. Don't care he isn't anymore, it got the Techbro ick! Eurgh 🤢
- Fucking same! It baffles me how dumb people can be over and over again

This has absolutely nothing to do with enshittification. Bluesky doesn't need that redirect to know what you're clicking on. You're already on their platform, they can already track every single click that you do while on Bluesky including navigating to outbound links. I'm a bit shocked that nobody here is calling that out to be honest
- FUD is the name of the rage bait game.
- A centralized platform did something? Must be bad. The post title primes that reaction.
- I don't know much about how any of this stuff works, so these are honest questions in good faith. But how did Bluesky know, before this change, that I clicked a link? Am I not just telling my browser to visit a website? I don't really understand how it's different from me copy-pasting the URL manually.
  
  Am I not just telling my browser to visit a website?
  Well yes, but actually no. You are clicking on a link, which, by default, will make the browser visit the website behind the link. But the website that shows you the link can have Javascript code in it, which runs in your browser and can, among other things, "intercept" clicks on anything and change what the clicks are doing.
  This is how this redirect is happening in the first place. The links on Bluesky still point to the correct target site, but when you click one of them, JavaScript jumps in and changes the target of the navigation to the redirect domain. This is not necessarily to deceive you, it's actually a good thing that you can still check the website you'll end up at before you click, and you can still do things like right-click to copy the link manually this way.
  That means that even without the redirect, JavaScript could for example not change the navigation target at all, and just send a tracking event to their servers in the background to let them know you clicked the link. This is how it works for most websites that use analytics. For the normal user this is totally invisible, and this is why I'm saying that bsky doesn't need the redirect to track you. They could do that in a much less obvious way already. And for all we know, they probably are already doing that, as their privacy policy explicitly states that they can collect usage data like what links you click on.
  All of this is pretty standard for any commercial service on the web, btw - knowing what your visitors/users are doing makes it much easier to see where your app might be having issues, what features need to be focused on to be improved, etc. It only gets shady if that data is also used for marketing or sold to third parties. And, to be fair, bsky's privacy policy doesn't really prevent them from doing that as far as I can tell. It's just that all of this was already the case before the redirect, so it's very unlikely that this specifically is suddenly a sign of oncoming enshittification.
  
  The same way that they know that you clicked on literally anything on their website.
  It's foundational to how the modern internet works (more specifically JavaScript)
  For a more visual example, let's say there is a button that makes an animation or changes color when you hover over it.
  That is happening because of code running in your browser that was written by the website that served it to you, in order for the button to know to change, the code must know where your mouse is and if the mouse is hovering over the button.
  Your browser, emits 'events' which the JavaScript code is able to interact with, these are things like keystrokes and mouse actions. The JavaScript running on the page can very trivially record these actions.
  Every single way you interact with a website can be tracked, here is a commercial product that specializes in complete session recording (in theory to see how your users interact with your pages to make improvements: https://mouseflow.com/platform/session-replay-tool/
- Indeed. I have no doubt that BlueSky will eventually enshittify given that they are not truly non-commercial, but this is not an example of such a thing.
- So why?
  Facebook does the same, even in their own in-app browser to keep tracking you.
- I don't think that is true, iirc you can't track simple clicks on HTML a elements.
  
  With JavaScript you can track your precise mouse cursor movements. Many analytics products even offer that as an "session replay" feature to check how a user moved their mouse, or to see heatmaps of where people are pointing to.
  Tracking actual clicks is obviously much more trivial.
  
  Apart from using JavaScript, there’s also a way to track links in HTML
  https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#ping
  
  Yes, you absolutely can, and it's super simple. Click listeners are one of the most basic things you can do with JavaScript, and there's nothing special about a elements that would make them not work. The only way to stop it from the user's side is to disable JavaScript in their browser, but that comes with the downside of the majority of websites and apps just plain not working anymore.
- Just because they have other means of doing link tracking doesn't mean they aren't using this link proxying to track stuff.
  
  I mean... Sure? They might, or they might not. My point is that pointing to this change as a sign of enshittification doesn't make any sense, because it's not changing anything about how they can track and exploit you. There's nothing there to suggest that this is related to a change for the worse regarding enshittification.
  If you want something to point to, take their privacy policy that allows them to collect your usage data and possibly use it for marketing purposes, not a random feature that likely has nothing to do with this.

I've given up trying to save people from obvious traps. They refuse to listen and they refuse all data.

Glad to be a citizen of the chadiverse.

This is not enshittification. Many other knowledgeable users who actually know what they're talking about have explained why.
- they're in this very thread cmon man
  https://programming.dev/comment/15916128
  
  "check the link before you click" and these man in the middle forwarding systems make that impossible.
  generally not true… the link href (the thing the browser shows to the user) would be the original link… bsky hijacks the link with an onclick (or similar) handler so you can see where you’ll be taken before clicking
- It's not exactly enshittification yet. The service still mostly works. But it is an attempt to build a wall around the garden.
  Fuck walled gardens. That shit got old years ago. At least with FB you could pretend you didn't expect it. Maybe. If you're oblivious, at least.
- Funny how people keep saying it's not enshittification right up until the point where they choke to death on shit.

What is wrong wth a fucking discount code to show where you hot the referral.
I refuse all cookies everywhere and the internet works just fine.

There is a legitimate reason for this: it’s the only way to provide content creators with evidence of how many people actually clicked on the link.
The downside is that there is so many ways that a feature like this can be abused by BlueSky in ways that can hurt users.
- No, it's not the only way. You could track the click with JavaScript.
  
  The user can also block your tracking scripts. Besides, the user can share the link with friends, and you won't be able to track them this way. I'm sure there are many other reasons why having a middleware is de-facto the industry standard.
- Why do content creators need to see how many clicks they get?
  
  It's how a number of them get paid.
- There is no way it isn't already being abused, there are zero guard rails on it
  Fucking typical, a move that hurts the platform long-term is being cheered for by ignorant idealists while the makers of its demise are already salivating and cartoonishly rubbing their hands in glee
- Yeah, it's literally the second step of enshittification, where platforms stop allocating value to users and start allocating them to publishers. This is still Bluesky expanding out its surveillance apparatus, something it will have every incentive to abuse later on like other platforms before it.
- The content creators themselves could use a link that goes through a counter if they really need it, no?
- it’s the only way
  lol. Citations needed. Pretty sure this is JavaScript 101.
- That's incorrect.
  BlueSky relies on JavaScript to run (try turning it off and loading their site, it won't even render). Click-through traffic is almost exclusively measured by JavaScript (e.g. Google ad "events"). This is the same as measuring other stats, like whether you lingered on a post before scrolling past it, or whether you opened another tab, or whatever.
  Proxy links are absolutely a method of measuring traffic, and they're a method that works even when the site has JavaScript disabled - but since that's not how Bsky works, it's not relevant.
  
  Yeah that's what I was thinking. There's a bunch of ways to track what users are doing without needing to use referral links.
  Seems to me the referral links are there to prevent honey cookie shenanigans.
- Trust me bro, we are not tracking you. Please trust me bro!
  
  If the purpose of this feature was tracking, they could just use a JavaScript onclick handler.

So much for the claims I read that it would be a more open platform. I can’t see how this possibly benefits the users.
The product is ~~not open source and it~~ is mainly controlled by a company through its servers and proprietary components. They own it. Even if they use some open protocols. They are about as open as OpenAI — they are not.
- This is technically incorrect (the best kind of incorrect?). Bluesky is open source, with the exception of the discover feed algorithm, which they claim must remain secret to prevent it being manipulated. There are open-source replacements for that feed available, so it's open enough that it is theoretically possible to spin up a Bluesky replacement, albeit impossibly expensive.
  Coming at it from another angle though, the product in any commercial social media product is you, so in that sense you're right: the product is not open source. Either way, open source code is not some panacea that erases all risk of commodifying its users. Bluesky is a great example because while it is open source, that in absolutely no way prevents them from tracking their users.
  
  Additionally, it looks like you can host your own instance too.
  PDS Self-hosting
  
  There’s nothing to prevent someone from spinning up a lemmy or mastodon instance and tracking users either.
- you’re right that this is likely to be used for tracking crap, but i wouldn’t write off the concept as only for that
  for example, home assistant has https://my.home-assistant.io/ where you can set your home assistant URL and doc links (etc) link there, and then that site in turn automatically redirects to the correct place on your local home assistant
  this could be used similarly by the fediverse: imagine my.join-lemmy.org where lemmy instances you’re not logged into redirected you to, which then in turn redirects to your home instance… that way, links across the web to lemmy would automatically redirect to your home instance
  perhaps it’s not something that’s worth the trade off - centralising in some ways - but in federated platforms on the web it’s far from a write-off
  
  They don't need to redirect to click track. They could very easily do that on the front end and you wouldn't even know it was being done.
- So much for the claims I read that it would be a more open platform.
  There's no profit in an open platform. You only build these things to mine data.
  
  Exactly.
  It's a for-profit company.
  They care about your privacy like McDonald's cares about your health: if you have any left then they're not squeezing cash from you hard enough.
  Talk to friends on Signal, invite your favorite The Atlantic reporter, use self-hosted or federated social networks.
  Expecting privacy on corporate owned social media is like expecting to become a royal because you went to Disney World.
  Don't confuse the facade (social space for you and your friends/magical kingdom) with the reality (privacy stealing monetization factory/tourist juicer).
  
  This is further supported by the fact that story that they made more money selling their "fuck zuck" shirts or whatever, than they did in their actual money making strategies of selling unique domains.
  No VC investor is going to be okay with a merchandise company growth curve.

This doesn't even make sense.
If you are on their domain they can see the things you click on, this is how websites and cookies work.
This isn't nefarious, it's the raving delusions of a tech illiterate idiot.
- No.
  You can see a link was loaded in the page. Link tracking is still needed to know if the link was clicked.
  It can be an "on click" JavaScript event, or a redirect to a tracking site.
  
  No, if you click a link that brings you to or from a site your IP is logged
  Navigating the internet requires having and disclosing your IP address.
  Sorry
- So why are they hiding it by changing the link with client-side code? Might not be nefarious, but why?
  
  Most probably so that people don't hover over the link and see that it doesn't match, which might confuse them if they don't know how redirects work.
  
  Because that would break the “copy link” functionality.
- Whatever gets them to see the truth

For reference you can disable this with unlock origin https://github.com/uBlockOrigin/uAssets/pull/27500

Yeah, this is why BlueSky's openness is always only to a point. I will say it's probably not as bad as some are making it out to be, but it's definitely not something you want to see from a platform purporting to be open. Fortunately this is only a BlueSky thing and not the entire AT Protocol... but at this point, the AT Protocol and BlueSky are inseperable. I mean, are there even any other AT Protocol sites?

They already know your IP address, you're using their website/app.
It's either to track outbound clicks (And potentially block them if they're harmful, YouTube and Steam do that), or a much more unlikely option is to hide the referrer from the target site (Since browsers have better ways to handle that now, but old ones don't)
- Wouldn’t it be easier to just scan the original post for harmful links?
  
  Then you have to scan every single existing known post every time a new link is blocked, if you redirect it through a bouncer it's a single endpoint to block any link, regardless of the source of the post (since bluesky is in theory decentralized)
  
  Websites can change
- So either they are solving problems the most common browsers are solving or they are tracking clicks to sell user data. Somehow the latter sounds more likely, especially since they have no reliable source of income yet.
  
  True, but at the same time it's their app. They already know what profiles you're looking at, what posts you're viewing, and the images you view, knowing what links you're clicking on is just another event handler.
- track outbound clicks (And potentially block them if they're harmful, YouTube and Steam do that)
  Google & Meta & Discord doing the same?

Bluesky has been doing enshitification since it didn’t mind having that transphobic man on their platform, as far as I’m concerned.
- which one?
  
  Guessing we're talking about Jesse Singal. The man who was banned and then allowed back in after negotiating directly with bsky staff.
  
  Jesse Singal. The other person that replied reminded me. When I left his being allowed to be on the platform was a bit of thing.

Anything under direct corporate control will enshittify. It has nothing to do with mission, values, direction, purpose, or any other bullshit in the charter of a service. If it is controlled by an entity with shareholders turning a profit, it will enshittify, because those shareholders will demand ever increasing profit for their investments. It is a one-way process.
- The direct counter to enshittification is interoperability: the ability to pack up your content (likes, followers, messages, uploads) and import it into another service provider.
  Since Signal is open source and mostly FOSS, you can theoretically create a Signal fork that can import Signal backups. I know because this program can read such backups and convert them into other formats. Ideally, the Atlantic reporter could have exported a Signal backup with the offending group chat messages before they expired.
- so Signal too?
  
  Yes indeed.
- The only thing I want from companies is just a little transparency and a paid option to opt out.
  "Facebook is free, but we will mine the balls off your data, monitor everything you do, we will control your feed and you cant customise anything. Or for $20 a month, we wont mine or track you, your feed and how it works is totally customisable"
  Just put a number to it and let me decide if my privacy and experience is worth the money.
  
  20$ is ridiculous. 1-2 would be reasonable.

fuck it's almost like the world runs on capitalism
- Yeah, we need to do something about that.
  
  state funded internet service and social media?

Didn't take long for the expected to happen.

Even if it didn't go to bluesky.app first before the actual link, clicks on it can still be made to be tracked. It's trivial to do it much more discreetly.
It is definitely tracked, but I would guess that turning it into a bluesky link has other uses, not all nefarious, such as: link previews, caching, dealing with dead links.

Never follow social media to a second location.
- sometimes follow social media to a second location.
  
  always follow social media to a second location
  perhaps even a third or fourth location
- Unless that location is a really old website like zombo.com or maybe tane.us

How is this enshittification? As far as an end user is aware nothing has changed right?
- Literally nothing. Sure, twitter used its similar t.co links to throttle sites, but bsky isn't doing this, and if they did, someone could fork the app and people could start using that instead.

I use duckduckgo. It shows the sites I’ve visited, and tracking attempts. And, yes, there are tracking attempts from bluesky. There are no tracking attempts from lemmy.ca
- https://www.howtogeek.com/118915/duckduckgo-isnt-as-private-as-you-thought/
  Just gonna leave this here.

I, for one, am shocked that moving from one corporate owned social media to another corporate owned social media didn't fundamentally change anything.
- Well for one, most of the nazis stayed behind.
  
  The current marketing strategy for Bluesky is to target disaffected left-of-center people.
  This isn't because Bluesky is the one moral company in all of capitalisim. Instead, it's because they see an opportunity to grow their userbase (and income) by messaging to people who are likely to leave Twitter. It's no different than the thousands of companies that put up Pride Month banners and then a month later they take them down and continue donating to right-wing politicians.
  Bluesky isn't your ally, they're just the current company that is pandering to you.

Oh, there is so much more you can do with this "functionality". Welp, anyone who trusts bluesky even an inch better prepare to be deeply disappointed.
- "It's better than the Nazi one" major selling point. The bar is so low, it's under Satan's foot.
- Oh, there is so much more you can do with this "functionality".
  Like what? What would this redirect be able to do that they couldn't already do just with their normal website/app?

Eh. Doesn't seem too bad, but then again, I haven't made an account there because of it not really being decentralized enough for my taste.
Seems kinda dumb to go from one centralized service like X to another. Bluesky's claims of being decentralized are highly exaggerated.
- But anyone with a few million bucks can federate!
  
  I have like $10.52 in my checking acc right now, but am still currently federating and have been for like 3 months, specifically the social-app and the PDS.
  
  A small loan from ones father, a garage and a dream, like how all billionaires started. ::: spoiler .. s :::
  
  Why is it so expensive to federate Bluesky?
  
  There's no guarantee that anything will use your shiny new relay anyway.

As someone who ran a popular link shortening platform let me tell you how difficult it is to curtail spam links.
This is likely a way to warn users before being forwarded to fraudulent websites that a link has been marked as spam.
There are many other use cases for this redirect as well but this is the most obvious for user safety.
- They announced it was for publishers
- Doesn't sound plausible to me—If they can detect spam links like you're suggesting, why not just mask those links as bsky short links?
  
  Its easier to do this, so they don't have to go through every post to check if it has a bad link, and if so, to edit it.

Anybody know what the real reason for this is?
All websites can track how often a link is clicked, and what the link is, and who clicked it (especially if you have an account).
- It's to get around a bug on some platforms where the Referer header isn't set properly. Basically when you click the link in the app (maybe other platforms too idk), it can't set the Referer, so website statistics can't know what came from bsky. This was in their changelog. It used to already work correctly on desktop, though.
  
  Yeah I saw it in some announcement from them, it’s this.
- Probably so bluesky can get affiliate money, either changing affiliate links with their own a'la honey or just tracking them to report to advertisers how much traffic is going through their platform to garner deals.
  In other words, money
  
  How would link hijacking help with that? They can just track/rewrite directly without going through an intermediate step. The other commenter’s explanation seems more plausible.
- Not sure why they have it go through a redirect like that; you can just trap click events and do whatever with them, including sending tracking info back before sending the user to the new page.
- So far no one seems to know what the real reason is. That is why there is a lot of guessing.
  
  They said themselves its for publishers to track outgoing clicks.
- I'm thinking they'd want to control misuse of the platform. Someone links malware and it is shared enough, they may want to be able to intercept that. At least, that's what I'd want to be able to do.
  
  i doubt it’d be for that: if it’s a malicious link, they can just remove the post/link from their platform and the same effect is achieved
  best case scenario it’s planning for when atproto has more PDSes, front-ends, etc: in that case, a central place where all platform links go so that you can set your “home” server so that all links into atproto redirect to your home server
  worst case it’s for tracking click through for advertising
- Most companies implement for malicious link control. They can actively scan as needed and they can prevent users from going to any links deemed malicious. It also adds tracking for amount of clicks on a specific URL. There are more nefarious uses that others have stated redirection for paid links to them and user profile building for ad targeting

They never needed to redirect to do that in the first place. It's probably just done for convenience. Websites quietly tracking outgoing links has been technically possible since the '90s.

I use an app called URLcheck that I've installed via F-Droid. Although it doesn't appear to give me the ability to skip the bluesky redirect action but at least I know it's there I guess.
- The best part is that if you inspect elements, it still shows as the original link. They only generate the go link after you clicked.
  
  That is so... gross!!! Ugh. Yuck!
  
  That's how Google always worked, btw. But there is one obvious benefit to showing the original URL before you click it, you can hover it to see where the link actually leads before they hijack the click.
  
  that’s also for accessibility, etc so i wouldn’t pin it all on being malicious
- You can use pattern checker to automatically replace the URL with the original one.
  json
  
  "bsky": { "regex": "https?:\/\/go.bsky.app\/redirect\\?u=(https?.*?)", "replacement": "$1", "decode": "true", "enabled": "true", "automatic": "true" }
  (it's possible they will add more parameters in future, in which case you may want to restrict the selection to not be essentially anything after u=)
- URL Checker is an awesome that many more should be using if they're not. It can also remove trackers, redirects and other shenanigans from links before committing to the click
  
  Right? I didn't even know all of the times I've clicked links that had trackers on it before using this app, or to remove amp links and such too. I'm not 100% sure what the "scan" function does however.
- FYI, you need to insert an additional Return ¿ or the text will align with your image's left-hand side and throw off the comment formatting. The extra line of space will either place the text above or below the image instead of on its hip.
  
  Ah okay thanks. Is that true, independent of the app I am using? Reason I ask is that I am currently using Sync, but I'm looking into other apps (Voyager specifically)
- samsung internet? why?
  
  Depends on what I'm doing, most of the time it's Firefox with noscript running, ad block, privacy badger, decentraleyes, etc. but if I need to log into, say like a bank website, I'll use Samsung Internet. I know it's underpinnings are chromium, but I dunno, feels better than using straight up chrome I guess.

Bluesky never felt quite right.
Wolves in sheep's clothing.
- lemmy too, it's shit everywhere

I mean, it was made by former Twitter execs... and that was marketed as an "advantage" over alternatives like Mastodon. This isn't surprising at all unless you literally don't pay any attention to anything.
- it was made by former Twitter execs...
  ...who left soon after? Or did I get my history wrong?
  
  No you're right. But do you remember why he said he left?
  Bluesky was "literally repeating all the mistakes [Twitter] made as a company."
  They recreated the exact same company, with the same structural issues.

This is for publishers to track outgoing links.

That was fast
- Dead internet theory ain't a theory anymore
- It was expected, or should have been.

Would the URLcheck app on android filter this out, or not because of the way it's being done?
https://f-droid.org/packages/com.trianguloy.urlchecker/
- The urlcheck app will just show the bluesvp link. Unshorting it will have the same result (because you need to fetch the url to find out where it redirects to), though might be slightly better wrt not capturing browser cookies and thus not identifying you. Maybe.

How is this technically possible? When I hover over a link, my browser informs me it takes me somewhere; then when I click it, it takes me to go.bluesky. Is the destination changing at the moment the click occurs? Why are they hiding this?
- Javascript could change the url on the click event.
  
  That's messed up. Javascript should never have been introduced T_T
- One line of Javascript
  
  e.preventDefault()

It's time to delete Bluesky and use Mastodon full time!

Doesn't this (at most) make it a bit easier for the destination site to track sources? It's been a couple decades since I did much web log analysis, but the referring URL is part of each log record I believe.
They wouldn't only want to know that a click came from Bluesky. They'd like to know all their referring sites, so the go.bsky.app redirect probably would be of little use unless it encoded something significant not present in the HTTP_REFERER header.

Absolutely shocked, no one could have predicted this

You mean the company that was created by the worst of pre-Musk Twitter leadership, that claims to be open source and federated but actually isn't, that uses AI to moderate itself, and that has a policy that lets AI scrapers use your posts is actually bad? I'm shocked. Shocked!
- It is open source though.
  
  its also federated. I have my own instance set up lol.

Mastodon is the preferred alternative.

decentralization is the way to go, loving it here.
I will never understand how people keep falling for the same scam over and over and over again... something has got to give at some point before I die

I'm shocked!
Well, not that shocked.

What else would happen. Lol

Isn't that what honey did in their app?
- Are you talking about coupons? Then no, very different things.
- It's a switcheroo, but not the same switcheroo

That didn't take long

I’m using duckduckgo. Yes, it shows bluesky has trackers. lemmy shows NO trackers...

Still a million times better than mastodon.
- Why?
  
  Mastodon is dead, unusable, and left a bad taste in the public's mouth. The fediverse is good for some things. But a miroblogging site where people need news fast? No.
  Bluesky has already become the replacement for Twitter, and it's off to a great start. I tried mastodon, I had 3 accounts, I used it as much as I could, but as soon as I got an invite for bluesky, I stopped using it. There is no content I wish to see on mastodon.
  
  You can make a service that interoperates with Bluesky, such as a firehose view, without getting harassed by thousands of users.

There's no way I'm joining. Give it a little time, it will be a festering boil.
Edit to add I've never used Twitter either. They just seem like they're designed to promote conflicts. I have enough of that in my life already. I'll stand by my prediction though.

Bluesky really streamlined the process.