Optimize Your Life: Remove URL Tracking

April 27, 2026 at 13:21

Last updated: 20260510 # Changelog at bottom

Welcome to another post in the Optimize Your Life series, where I cover problems most of us run into and the solutions I’ve put in place. Hopefully you walk away with something useful, or at the very least, copy the source code and do exactly what I do.

Squeak App
The Squeak homepage

The previous Remove URL Tracking post broke down what’s inside those long URLs and how to strip them clean in the browser with uBlock Origin. That approach covers most of your browsing. The browser sees the link, the filter runs, and the tracking is gone before the page even loads.

But uBlock only cleans links as you navigate to them. It has no effect on links you copy and share somewhere else.

For example, my wife typically sends me Signal messages that look like this:

https://slickdeals.net/click?trd=Get+Deal+at+Amazon&sdtid=19371291&pno=1263516&prop=diavail-false%7Cdincp-0%7Cdinpd-0%7Cdipgavail-false&pv=f822d56a40ee11f1aee0926680cc915d&au=5037221f90e943f2919a60fac2aeffd3&peid=44004949-c99d-4439-8187-9ffa8321aca2&adobeRef=e03bada0ccf1491eaa01c3bb8cb958a60001"

When those links should only look like this:

https://www.amazon.com/gp/product/B0CTL2QFN7

When someone clicks that first link, it doesn’t go directly to Amazon. It hits a tracking server first. That server logs the click, records the device, the browser, the IP address, approximate location of whoever clicked it, and any other information these people can get their hands on. All of that feeds into building a personal profile. The parameters in the URL are instructions to the tracking server, telling it exactly which campaign this link came from, who shared it, and how to attribute the click. uBlock strips those parameters when your browser navigates to a page. It can’t do anything about a link you copied from a chat message and forwarded to someone else or used on a device not setup with URL stripping. Your mobile browser will just parse the raw link.

There’s also a second problem that the browser approach doesn’t cover at all.

The broken affiliate system

Affiliate marketing sounds simple. A creator shares a link, a reader buys something, the creator gets a small cut. It works that way sometimes, but the system is fundamentally broken.

The clearest example is Honey. It’s a browser extension owned by PayPal that promises to find you coupon codes at checkout. In December 2024, an investigation told us what it was actually doing. When a user clicked an influencer’s affiliate link and went to check out, Honey replaced the affiliate tag with its own. The creator who sent you there got nothing and Honey collected the commission. On top of that, Honey was accused of hiding better coupon codes to protect deals it had with its own retail partners, showing you a lesser discount so a preferred merchant looked more competitive.

A class action lawsuit followed, filed by YouTuber LegalEagle on behalf of affected creators. PayPal defended Honey’s practices as standard behavior. Case is still pending.

The point is not that Honey is uniquely bad. The point is that the affiliate system has flawed and that this was happening at scale for years before anyone noticed. Every long URL you click, share, or paste is a small piece of that system. The tracking isn’t there for your benefit and has the potential to be abused.

update 20260527: Found this gem today that further proves my point. Apparently Motorola phones use the app “Smart Feed” to hijack shopping apps to steal affiliate revenue - and this is from a major phone corporation like Motorola!

Redirects are a security problem

A lot of links don’t go where they say they go. Affiliate links especially. You see something like https://go.skimresources.com?id=12345X&url=https://... and you have no idea what’s at the end of that chain.

This isn’t just annoying af. It’s a potential security issue.

When you click a t.co, bit.ly, or any other shortened or redirected link, you are trusting a chain you cannot see. It might be two hops. It might be five. At any hop in that chain, you could land on a page designed to steal your login credentials through a phishing form, run cryptocurrency mining code in the background, or install malware through a browser exploit. Shortened links exist specifically to obscure the destination. Sometimes that’s harmless. Sometimes it isn’t, and you have no way to tell before you click.

The redirect chain itself is also a data collection opportunity. Every service in the hop sees your IP address, your browser, and your timestamp. By the time you reach the destination, several different servers may have already logged your visit.

Some affiliate networks make inspection harder on purpose. They block server-side requests, so if a tool tries to follow the redirect chain by connecting to their network, it resolves to nothing. The goal is to prevent anyone from peeking at the destination before the click is recorded.

redirect_chain_diagram
Example redirect chain - you click once and your browser goes on an adventure

wheregoes.com

Before I built anything, I used wheregoes.com for years. Paste a URL into their link-checking box and it shows you every hop in the redirect chain and then the final destination. It has a clean interface, with zero setup, and it works immediately. It’s genuinely useful. If you just want to know where a link goes before you click it, this is the fastest way to find out.

This system has a few limitations though. Your URLs go through their server, and it doesn’t strip tracking params from the result. You see where the chain ends, but the destination still has all the garbage attached. For quick checks that’s fine, but for a security-minded or sharing workflow, it’s an extra step that doesn’t fully solve our problem.

Where Goes
Where Goes rusults page

Squeak

So this week I made Squeak. Squeak is a small self-hosted web app that solves both. It resolves the full redirect chain and strips tracking parameters from the result. It runs on your local machine or your home server.

You paste this:

https://go.skimresources.com?id=12345X&url=https://www.amazon.com/dp/B0CX1234/ref=nosim?tag=affiliate-20&utm_source=newsletter&fbclid=abc123&monster=666rawr&list=fbimostwanted

You get back this:

https://www.amazon.com/dp/B0CX1234

It’s only the one step. The redirect resolved through to the end, tracking parameters are stripped, and a clean link is ready to copy or open from the UI. For Amazon specifically, pretty much every query parameter is removed. Everything after the ? is rarely needed to reach the product.

The entire Squeak app is ~11kb. That includes the interface and the logic. There’s no framework, no build, and no extra horseshit. It’s a single HTML file and a single Python file.

Screenshot from 2026-04-25 11-30-48
Squak - An Amazon link cleaned from some long, obscure tracking URL

How it works

Pasting a URL into the field runs it automatically. Clicking the “Squeak” submit button isn’t required. The result shows the clean URL and a row of chips for every parameter that was removed.

Squeak Chips
Squeak - A sanitized URL and the chips showing which parameters were removed

Both the stripping parameters and follow redirects options are toggleable. Redirect resolution follows the full chain through to the end before stripping. The parameter list isn’t exhaustive across every URL on the internet, but I update it as new tracking patterns come up.

The affiliate pass-through handling is the most important part. Networks like Impact Radius (*.pxf.io, *.sjv.io), CJ Affiliate (*.dpbolvw.net, *.kqzyfj.com), and Rakuten (click.linksynergy.com) block server IPs. Squeak detects these domains by pattern and extracts the destination from the query string instead of connecting to them. It handles four redirect types in total: HTTP 3xx, meta refresh tags, JavaScript window.location assignments, and custom response headers. That’s the only nerd talk I’ll use until we get into the setup.

The tracking list covers UTM tags, Google and Meta click IDs, HubSpot, Mailchimp, eBay affiliate params, Awin, Slickdeals, AliExpress, and a handful of generic referral params. It runs almost exclusively on Python. If you find a parameter it doesn’t cover, add it to the list and restart the app.

The copy button works over a local network, which matters if you’re running this on a Pi and accessing it from a different device like your phone.

Get it

Download Squeak and run it with two commands:

pip3 install requests bottle
python3 sanitizer.py

It binds to http://127.0.0.1:5055 by default. To put it on your network:

python3 sanitizer.py --host 0.0.0.0

A squeak.service systemd unit is included in the zip file if you want it running automatically. You can also toss it in a Screen session if you just want to keep it simple. Full instructions are in the README.

Download Squeak and try it out. If it mostly works for you but something’s missing, the source is there. Change it or add additional features as you wish. Next I plan to add an API for other services to call it.

Firefox extension and API - updated 20260510

So today, I wrote my first successful browser extension! It’s cool af and it’s exciting to have one of those things actually work for once. Developing extensions are a pain in the ass, but this one actually works!

Download it here, and install it via about:addons. If it doesn’t work, you’ll need to disable xpinstall.signatures.required in about:config. You’ll now have a right click menu option for “Squeak this link”.

Squeak Extension
Right click context menu

Squeak Extension2
Squeak extension results page

 

  • 20260510
    • Added Squeak Firefox extension
    • Added API to Squeak
    • Updated Squeak version to 20250510

Tags

Questions or comments?

Previous: Optimize Your Life: Note-taking Next: How to Download Twitter Videos