"The question is at what point is the lock on the door overkill?"
That's an easy question: the lock on my door is overkill when it exceeds the amount of security that I am satisfied with.
What is "strong enough" is a call that only I can make. Nobody else has any business telling me what's too strong. Just as I have no business telling anyone else what their maximum security level should be.
I wonder how close they got to setting the record. Probably not very, because the cops were clearly slacking. They didn't even beat the guy up while shouting "stop resisting arrest!" before raping him.
I totally understand the convenience and utility of link shorteners! But I'm arguing that the benefit is generally not worth the cost.
As to using malware scanners, that would be better than nothing, but malware scanners are not anywhere near good enough to be an adequate solution by themselves.
Adding an attribute that tells you the real URL is a bit pointless because that means that the real URL has to be encoded, so you aren't saving any bytes -- you're actually increasing the number of bytes required because you have to include both the shortened link and the unshortened link. Also, it is a weak move because the URL you'd see would not be the one in use. You are effectively having to take the service's word for it, which means that it's a point of failure that when exploited would make everything even more dangerous by giving you a false sense of comfort.
Also, the problem of unnecessary data leakage remains unaffected by those proposed solutions.
The entire point of link shorteners is one of obfuscation: hide the real URL while presenting you with a shorter encoded one. In my opinion, this is an unacceptably risky proposition.
There is one situation where I'm completely comfortable with them, though: if I were the one running the shortening service, then I'd be much more comfortable with using it, because I retain control of my data and I can do security audits.
They aren't really in the same position as the others, though. Windows phones don't really count, since nobody really expects security from them anyway. Android phones are made by a variety of manufacturers -- and most of them aren't US companies -- and the US represents a significant, but relatively small, percentage of their sales. They are much better able to take steps to mitigate the damage, either by withdrawing from the US market or (more likely) by producing special US-only phones.
"Apple will have been spanked on this issue, and their encryption will be back doored or will be made in some way hackable by large scale brute force."
If Apple were to do this, and fail to keep it 100% secret, it would be the end of them as a major consumer product company. I'm not sure how much it would reduce US sales, but sales in the rest of the world would plummet.
I suspect that they'd be willing to spend a pretty sizable chunk of that $200+ billion cash reserve they have to fight that eventuality. Or perhaps withdraw from the US market.
They want to make as big and public a stink about this as they can, as often and for as long as they can, to try to shift the public view towards the idea that this is a big problem. The end goal is to backdoor (or something that achieves that effect) all communications.
Why do they want to do that? Who knows? I can only think of one reason: they want power.
I don't really see anybody crucifying him. People are complaining about a bad thing his campaign is doing. I'm sure that you're right -- this is the sort of detail that candidates don't personally sign off on in campaigns of this scale.
Nonetheless, it needs to be called out. As a bonus, how Sanders responds to this will tell us all something about his style.