Bit.ly is Harmful to Your Reputation

[app103]

If you tweet links on Twitter, retweet links from other people, or have a website in which someone might tweet a link to it, you are going to want to read this, because this can potentially affect any or all of us and harm our reputations.

It started with me trying to promote DC a little, to a writer on TechCrunch, which lead to a discovery of how Bit.ly blacklists links shortened by other services, adding an interstitial page that calls the target site harmful, malware, a forgery, spam, and phishing.

When the writer retweeted my link I sent to him, DC was flagged as a bad site, just because I choose to use a competing URL shortener and his twitter client automatically shortens all links with bit.ly (whether they need it or not).

I contacted bit.ly about it, attempting to get the flag removed from the DC link, and their response and attitude were quite alarming.

For the full story, read my blog post about the whole thing;

http://cranialsoup.b...your-reputation.html

[Eóin]

Devils advocate: Outside of a constrained medium like twitter I would consider it right to warn user that they are clicking on masked or obfusticated URLs. It is a very dubious practice, personally I almost never click such hidden links.

But nonetheless you are correct here app, there is no excuse for one url shortening service to flag their competitors as malicious.

[edit] Just noticed that it's a nice ironic twist the the bit.ly link is longer than the original 

[mouser]

Kind of outrageous that they won't unflag it (or don't have the ability to do so) as harmful once notified.

Companies these days seem to pretty much have a careless and carefree attitude these days regarding telling people that other sites are "dangerous" and "harmful" based on almost no justification at all -- pretty outrageous really considering the damage it can do to a site's reputation.  Maybe a few lawsuits will change their mind.

ps. Also, seems like some blame should be laid at the feet of any twitter client that is re-shortening already short urls.

[40hz]

  I liked your idea about shortening a link to bit.ly with a competing service and then submitting it back to bit.ly to trigger a false positive.

Hoisting someone on their own petard is poetic justice at it's best.

(BTW - remind me never to get you mad at me. )

[app103]

Kind of outrageous that they won't unflag it (or don't have the ability to do so) as harmful once notified.

-mouser (April 18, 2010, 03:48 PM)

I would not have gone on the war path with this if they had the right attitude about it and done the right thing.

ps. Also, seems like some blame should be laid at the feet of any twitter client that is re-shortening already short urls.

-mouser (April 18, 2010, 03:48 PM)

I have attempted to contact the developers of TweetDeck about this, but so far there has been no response. I also don't know if this issue is limited to just TweetDeck or if it affects any of the million other Twitter clients.

Devils advocate: Outside of a constrained medium like twitter I would consider it right to warn user that they are clicking on masked or obfusticated URLs. It is a very dubious practice, personally I almost never click such hidden links.

-Eóin (April 18, 2010, 03:46 PM)

There is a big difference between warning the user of masked or obfusticated URLs, offering a preview of the target site, and flat out calling the target a bad site with reputation damaging terms like malware, phishing, forgery, and spam without any proof whatsoever.

(BTW - remind me never to get you mad at me. )

-40hz (April 18, 2010, 03:49 PM)

I thought everybody that knows me knew that by now. 

[40hz]

ps. Also, seems like some blame should be laid at the feet of any twitter client that is re-shortening already short urls.

-mouser (April 18, 2010, 03:48 PM)

Out of curiosity - why?

When did everybody get together and agree to bit.ly's arbitrary rule?

Guess I wasn't copied in that memo.  

[cthorpe]

I just emailed bitly support to request that they stop flagging sites as potentially harmful without cause.  I included the following link as an example of a false positive: http://bit.ly/dj7uk7

[app103]

Rex Dixon, the same guy at bit.ly that gave the lame advice in the email to me, replied to my blog post:

Nice blog post. Well written, but as I tried to explain to you - our policy is not out to harm anyone. In fact it is there to protect our community. There are too many times that a bit.ly url can be used as a cloak to hide a rogue shortened link.

While I tried to explain that our interstitial page was a bit vague, that page is currently under review. Again, our apologies for the inconvenience, but bit.ly is trying to protect the overall community from rogue short links. We understand the frustration, and hopefully after review, you will understand that we are not out to undermine you or your efforts in promotion.

-http://cranialsoup.blogspot.com/2010/04/bitly-is-harmful-to-your-reputation.html#comment-45436037

To which I replied:

That interstitial page is not vague at all. It clearly states the target site is believed to be a forgery, spam, malware, or phishing. All very damaging words to a site when you have no proof of such activities.

I ask again, why give an email address to report mistakes if you are unwilling to check the links and unflag them if they turn out to lead to safe sites? I gave you enough information to be able to decide if the link lead to a safe site or some rogue site, so why are you unwilling to remove flags from safe sites?

This post would never have been written if you were more cooperative and removed flags from safe sites that were mistakenly marked as bad sites. Instead you gave lame advice that was very unhelpful and apologized for your unwillingness to undo the harm you are doing to innocent people.

Change your ways and stop hurting people and I'll modify my post with an update to reflect the changes.

Reputation is a thing of great value that can take many years to build and only one small careless act to destroy. And in this case the careless act isn't my own, so the reputation damage isn't my fault.

It's yours.

[urlwolf]

I contacted them too, and got an equally non-caring answer:

Understand the concern, but our policy has been the same. The interstitial page is currently under review.
- Hide quoted text -

On Sun, Apr 18, 2010 at 4:03 PM <my email> wrote:
cranialsoup.blogspot.com/2010/04/bitly-is-harmful-to-your-reputation.html
this is simply unacceptable.

Will tell everybody I know.

Best,

when I tried to tweet about it, it said 'twitter may be experiencing problems'. Funny because any other tweet of mine not containing the url to the post didn't have any issues. I wonder if (this is a big accusation, so remember that this is only hypothetical) twitter was in bed with bit.ly and blocking the spread of news that harm bit.ly. It'd have major consequences. Worth keeping in mind.

[app103]

when I tried to tweet about it, it said 'twitter may be experiencing problems'. Funny because any other tweet of mine not containing the url to the post didn't have any issues. I wonder if (this is a big accusation, so remember that this is only hypothetical) twitter was in bed with bit.ly and blocking the spread of news that harm bit.ly. It'd have major consequences. Worth keeping in mind.

-urlwolf (April 19, 2010, 03:59 AM)

I have serious doubts about that, for quite a few reasons, this being at the top of the list.

[Carol Haynes]

Why can't bit.ly have a list of shortening services and simply stop bit.ly from reshortening them?

Failing that why not warn someone during the process that they cannot posted shortened links and refuse to accept them - at least then the correct link will be posted?

[Eóin]

I know this is all happening automatically without evil intent, but when you step back and look at it from again from the point of view a maliciously cloaked addresses then one that is doubly cloaked is very very suspicious.

A big part of me still thinks the blasé use of these services need to be highlighted and if you're using a client which is re-shortening already short links you should switch clients.

[nudone]

Why can't bit.ly have a list of shortening services and simply stop bit.ly from reshortening them?

Failing that why not warn someone during the process that they cannot posted shortened links and refuse to accept them - at least then the correct link will be posted?

-Carol Haynes (April 19, 2010, 05:39 AM)

sounds like a very reasonable thing to expect.

could we set up a service that did that - the others might follow afterwards...

[40hz]

I know this is all happening automatically without evil intent, but when you step back and look at it from again from the point of view a maliciously cloaked addresses then one that is doubly cloaked is very very suspicious.

-Eóin (April 19, 2010, 06:46 AM)

I don't think app103's issue is with the validity of how bit.ly might be interpreting a double-shortened link. (Double shortening?)

I think her issue is with bit.ly's refusal to accept responsibility or do a fix once their error has been brought to their attention.

I'm not sure where bit.ly is coming from, but I'd suspect they've been aware of this problem for some time and either: can't be bothered, are in denial, or scared silly.

Reputations are valuable. There are legal repercussions for those who  damage one. And that liability applies even if such harm was done "unintentionally."

Unintentional actions may be viewed as mitigating factors in a slander or defamation charge. But only if the party who did the harm responded in a timely fashion; did everything in their power to minimize the damage; and could show how steps had been taken to prevent it from happening again.

Saying something was done "automatically" may let you argue your intent wasn't malicious. But to just say "oh well" or "sorry, we're working on it" doesn't meet the requirement for acting in a timely and responsible manner. Nor does it remove the liability for any harm done.

Society doesn't expect all our actions to be error free. But it does expect us to accept responsibility for our mistakes.

And to make good on them.  

[Carol Haynes]

Why can't bit.ly have a list of shortening services and simply stop bit.ly from reshortening them?

Failing that why not warn someone during the process that they cannot posted shortened links and refuse to accept them - at least then the correct link will be posted?

-Carol Haynes (April 19, 2010, 05:39 AM)

sounds like a very reasonable thing to expect.

could we set up a service that did that - the others might follow afterwards...

-nudone (April 19, 2010, 07:17 AM)

Not a bad idea - I don't really like shortened links 'cos you never know where they will actually lead.

Another option for bit.ly (and other URL shortening services) is to build in a 'resolving' algorithm so that whatever the shortened form used the new shortened form automatically detects where it is heading and uses the full URL - that way you would never get contractions of contracted URLs.

By far the simplest solution though is to refuse to accept any submissions that use shortened links - then it is up to the poster to post the correct link.

[Eóin]

Saying something was done "automatically" may let you argue your intent wasn't malicious. But to just say "oh well" or "sorry, we're working on it" doesn't meet the requirement for acting in a timely and responsible manner. Nor does it remove the liability for any harm done.

-40hz (April 19, 2010, 07:38 AM)

Just to clarify to automatic aspect I was referring to is a twitter client auto shortening of URLs for you, not bit.ly's identifying of site's as malicious.

My point is that the user who re-tweeted apps link should not have re-shortened the link and that they are more responsible for the damage done than bit.ly in the sense that they created a very suspicious looking, doubly cloaked, link.

[Stoic Joker]

Problem seems to me to be mostly with the automation - because they're not automatically checking to see if the link is long enough to need shortening. (i.e. running www.wdc.com through bit.ly helps who?)

if(strlen(link) < Screen_Width_of_Typical_Cell_Phone) {
  Skip_it;
}

[wraith808]

Problem seems to me to be mostly with the automation - because they're not automatically checking to see if the link is long enough to need shortening. (i.e. running www.wdc.com through bit.ly helps who?)

if(strlen(link) < Screen_Width_of_Typical_Cell_Phone) {
  Skip_it;
}

-Stoic Joker (April 19, 2010, 10:06 AM)

One of the reasons that bit.ly is in such widespread use is that it gives you other information about the link, i.e. how many times it was clicked, how many times was your version of the URL clicked vs others that link to it, how many were from twitter and how many from other places.  Nothing identifiable, but some people might use that, I suppose...

[Stoic Joker]

One of the reasons that bit.ly is in such widespread use is

-wraith808 (April 19, 2010, 10:13 AM)

People are lazy, and deluded into thinking security is the other guys problem. Regardless of how chronically incredibly dangerous this practice is ~OMG~ it's Fun! - Because the whole point of the internet is FaceBook, marketing & vanity...

Yes, I'm a bit cranky today. 

[scancode]

I'm a fan of is.gd... when you try to shorten a shortened link you get this

Sorry, the URL you entered is either on our blacklist or is of a type not supported by is.gd. Often this means you tried to link to is.gd itself or another URL shortening site. Links to these sites are disabled to stop spammers hiding abusive links behind a chain of shortened URLs.

-http://is.gd/create.php

And if you use the api you get

Error: The URL you entered is on our blacklist or of a type not supported by is.gd (links to URL shortening sites or is.gd itself are disabled to prevent misuse)

-http://is.gd/api.php?longurl=http://bit.ly/dj7uk7

Tehy be teh smrat!

[wraith808]

One of the reasons that bit.ly is in such widespread use is

-wraith808 (April 19, 2010, 10:13 AM)

People are lazy, and deluded into thinking security is the other guys problem. Regardless of how chronically incredibly dangerous this practice is ~OMG~ it's Fun! - Because the whole point of the internet is FaceBook, marketing & vanity...

Yes, I'm a bit cranky today. 

-Stoic Joker (April 19, 2010, 10:40 AM)

Ever consider the limitation of twitter and what it does to URLs.  Isn't this 'twitter' craze partly to blame for that?  Or are they absolved because it has to be the lazy, deluded people's fault?

There's all sorts of dangers on the internet... shortening URLs I don't think falls too soundly in that category.  It's in the implementation (as ScanCode just pointed out above) not the practice.

[Eóin]

It would be interesting to see a survey of tweets with shortened URLs. I bet the vast majority would still fit within the 160 chars limit even with the long URL.

Of course I have no data to back that up, it's just a feeling

[wraith808]

It would be interesting to see a survey of tweets with shortened URLs. I bet the vast majority would still fit within the 160 chars limit even with the long URL.

Of course I have no data to back that up, it's just a feeling

-Eóin (April 19, 2010, 11:36 AM)

Of course, people don't just tweet the URL... or why do it using twitter?   As micro-blogging implies, it's commentary on the URL that adds value.  Fitting said commentary + the URL (and sometimes even the shortened URL) is at times a challenge.

frex - what I would consider a miniminalist tweet about this conversation -

An interesting discussion on URL shorteners on DonationCoder - Bit.ly is Harmful to Your Reputation - https://www.donation...ndex.php?topic=22478

Clocks in at over 160 by 22 characters.

[Lashiec]

An interesting discussion on URL shorteners on DonationCoder - Bit.ly is Harmful to Your Reputation - https://www.donation...ndex.php?topic=22478

Clocks in at over 160 by 22 characters.

-wraith808 (April 19, 2010, 01:16 PM)

2 characters, actually. Didn't see the ellipsis.

An interesting discussion on URL shorteners on DonationCoder: Bit.ly is Harmful to Your Reputation

And, hey, look, a mere 98 characters line (170 internally, including BBcode and HTTP link).

I wonder if all this paranoia comes because of the hack done to the Apache issue-tracking server (which used TinyURL to deliver the XSS attack that started everything), because last week a friend sent me a bit.ly URL that redirected to at least one other URL shortener before showing me the true URL, and worked perfectly, without any warning message. Considering how distasteful the content hosted at the site URL was, I wish it worked back then, it would have saved me one more terrible picture ingrained in my brain >_<

[wraith808]

An interesting discussion on URL shorteners on DonationCoder: Bit.ly is Harmful to Your Reputation

And, hey, look, a mere 98 characters line (170 internally, including BBcode and HTTP link).

-Lashiec (April 19, 2010, 02:15 PM)

Ummm... that's not twitterable, which is what my point was.  The arbitrary limit set by twitter at 160 characters is what made these url shorteners gain traction.  They were around before, but no where near as ubiquitous as they seem to have become since twitter.  I'm not advocating their use anywhere else in particular.  I personally never used them until I started using twitter, and it became easier to use the same URL in all mediums rather than switch up for one contact method.