The hidden cost of free URL shorteners

A free URL shortener feels like a small gift from the web — paste a link, get a shorter one, save 30 characters in a tweet. The trade is invisible at the moment of use. But there is a trade, and over a long enough timeline it shows up in places that matter.

This post is not an argument against URL shorteners. They solve a real problem. It is an argument for understanding what you are exchanging for the convenience, so you can make a conscious choice about which links you shorten and which you leave long.

The three things you actually pay with

Your readers' privacy

When someone clicks bit.ly/anything, three things happen before they reach the destination. The shortener resolves the code. It logs the click — IP address, user-agent, referrer, often device fingerprinting. And it issues a redirect.

That middle step is the one most people don't think about. It means that for every reader who follows your link, the shortener has a record of: what content they were reading (the destination URL), where they were when they read it (geolocated IP), what device they used, and what time they clicked. Multiplied across all the links a frequent user clicks, that is a substantial behavioral profile.

Some shorteners are explicit about using this data for advertising. Others sell aggregated reports to marketers. A few promise they don't, and you are trusting that promise. Either way, every short URL you share is a data point you have inserted between your reader and your content.

Your link's longevity

Short URLs only work as long as the shortener works. If the service shuts down, sells out, gets bought and gutted, or simply stops paying its hosting bill, every link pointing through it stops resolving.

This is not a hypothetical. Google retired goo.gl in 2025 after years of warnings. Independent estimates put the number of dead goo.gl links across the web in the billions — academic papers, news articles, Wikipedia citations, Stack Overflow answers, every link people copy-pasted from a Google product over fifteen years. They are now broken.

A 2014 study published in the Journal of the American Society for Information Science found that academic papers using URL shorteners had link failure rates roughly twice as high as papers using direct URLs over the same time window. The shortener was the additional point of failure.

If your link is meant to last — a citation, a piece of evidence, an archive reference, anything that will be looked up years later — a public shortener is the wrong tool.

Your control over the destination

Most shortener terms of service include a clause that lets the operator remove or redirect any link at their discretion. This is not necessarily malicious — they need it to take down phishing and malware — but it means your links exist at the operator's pleasure.

The implications are subtle. If you shorten a link to a competitor's article (to share critical commentary, say), the shortener's owner could in principle redirect that short URL. If a state actor pressures the service, links can be redirected silently. If the company pivots its business model, your links are along for the ride.

For a link you tweet on Tuesday and forget by Friday, none of this matters. For a link in a piece of writing you want to stand the test of time, all of it matters.

Why phishers love short URLs

Short URLs are a known and persistent vector for phishing because they hide the destination. A reader cannot tell whether bit.ly/3xY9pQ resolves to a legitimate page or to a credential-harvesting clone of their bank's login page until they click.

Most major shorteners run their destinations against blocklists and try to catch malicious campaigns, but the protection is reactive. New phishing pages get short URLs, the URLs spread for hours or days, and only then get caught. By the time the shortener blocklists them, the campaign has typically already harvested its quota.

This is not the shorteners' fault — it is an unavoidable consequence of their core feature, which is hiding the destination. But it is a reason to be skeptical of short URLs in unsolicited messages, and a reason to consider whether your trustworthy content is being damaged by association with the medium.

The real alternatives

Use your own domain. If you own yourbrand.com, you can run shortening on yourbrand.co/promo (a "branded short domain"). The links live as long as your domain does. The analytics, if any, belong to you. The destination is somewhat clear because the domain is yours. The tradeoff is the cost of the domain and the operational work to run a shortener (or use a service like Short.io that hosts on your domain).

Pay for a service. Bitly's paid tier and similar pay-for-it services have a clearer alignment of incentives. You are the customer, not the product. Your data is less likely to be sold because the company doesn't need to. If the company shuts down, you usually have at least notice and some kind of export. A subscription is a reasonable price for a link you want to last.

Don't shorten. Not all links need shortening. Twitter automatically wraps URLs in t.co regardless. SMS character limits matter less now that most carriers support concatenated messages. Print and packaging benefit from QR codes, which can encode arbitrarily long URLs without needing a shortener at all. (We have a QR generator that does exactly this — encode the long URL directly, skip the shortener.)

A reasonable policy

A pragmatic approach we use ourselves:

1. Do shorten for one-off social media posts, link tracking on a marketing campaign you'll review in 30 days, anything where vanity matters more than longevity.
2. Don't shorten for citations, documentation, articles meant to last, anything in print that won't be reprintable, anything you'd be sad to find broken in 2030.
3. Always use a branded domain for shortening tied to your brand. bit.ly/your-thing looks like every other random short URL; your.co/thing does not.
4. Encode the long URL directly into QR codes. It is almost always small enough to fit, and you cut out a point of failure.

The web works best when its links last. Free shorteners trade longevity for convenience and the trade is often a fair one — but only if you know the deal.

Further reading

The companion piece to this is How URL shorteners actually work, which describes the mechanism behind the service. And if you've come around to the QR-as-alternative argument, the Tryst Link QR generator will encode any URL — long or short — without sending it to a server.