If you use Bit.ly for your URL shortener, or you are clicking on a Bit.ly link, you should be aware that those shortened links are now a vehicle to drop Viglink affiliate cookies on the unsuspecting , and most people likely won’t even notice it is happening.

The change seems to have happened in February or March of this year. They announced it with a knowledge base entry, although it is undated and it seems to be unannounced on their blog. And when you shorten a link, there is no mention that Bit.ly could be appending their own Viglinks link to the URL being shortened.

At the end of March, Carolyn Kmet raised concerns about the change and how sales are being credited to Bit.ly and Viglink through cookie dropping.

Here’s how it works. Say that you find a sweater you like on Amazon. You want to see what your friends think about that sweater. So, you post a link to that sweater on your various social networks. However, to stay within the character limit constraints of the social media platforms, you use Bitly to shorten the URL. Since Bitly has partnered with Viglink, when your friends click on that link, Viglink’s affiliate cookie is dropped onto their computers. This means that Viglink, and subsequently Bitly, could earn a commission on any purchase your friends make on Amazon, provided those purchases were made within the cookie duration window.

Obviously this has more implications than someone simply clicking a link with an affiliate code appended to it. Bit.ly originally stated it was a test of only “a small portion of free user activity where we are affiliating some links” but they have not updated further.

Apparently Viglink said they would not be overwriting other affiliate links, however in the comments at Practical Ecommerce, it seems to indicate that it is happening in practice, and affiliates driving the links are not getting credit for doing so.

If you are using a URL shortener, it is probably worth the time to either create your own URL shortener (and probably not use Bit.ly to manage it) or use another one that is not essentially hijacking links for their personal gain.

H/T to Dan Barker who pointed it out on Twitter.

Added: Here is how merchants can opt out, but be warned, it isn’t always successful.