
Bit.ly is Harmful to Your Reputation - barrkel
http://cranialsoup.blogspot.com/2010/04/bitly-is-harmful-to-your-reputation.html
======
tdavis
Firstly, the hypocrisy of a URL shortener blocking another URL shortener's
links because they can't be verified is hilarious. Secondly, if a person goes
as far as to shorten every link they copy from their browser _and_ use a
Twitter client that shortens all links regardless of length, I hardly think
they have much room to complain about the system they're fully backing.

What did she expect to happen? That Bitly would concern themselves with her
reputation? If you want a URL shortener who cares, your only option is to run
your own. Bitly's only concern is for their business, nothing more.

~~~
Confusion
The blogger reports that bit.ly updated their page, to explain why a link may
be disallowed. He doesn't accept their explanation, but it does make a lot of
sense:

    
    
      - Some URL-shorteners re-use their links, so bit.ly can't
        guarantee the validity of this link.
      - Some URL-shorteners allow their links to be edited, 
        so bit.ly can't tell where this link will lead you.
      - Spam and malware is very often propagated by exploiting
        these loopholes, neither of which bit.ly allows for

~~~
dasil003
It makes some shallow sense, but on deeper investigation it's anti-competitive
bullshit that is not much better than the scams they claim to be protecting
you against.

Think about it, since when is bit.ly the arbiter of link safety? Does bit.ly
provide you a guarantee that they will not ever link to malware? Of course
not! They could not afford the liability on that. Anyone could post a
malicious link anywhere. Any page can set up a 301 redirect any time. People
can post malware links anywhere any time.

What's going on here is that bit.ly is breaking links arbitrarily, and doing
it to third parties without their consent or even knowledge. It might be
possible that a credible legal case could be mounted against bit.ly on this
basis. Quite simply, it is neither their right nor their responsibility to be
the link police of the internet, and it also is far from within their power.
These guys are overstepping in a major way.

------
MWinther
How about putting some of the blame on Tweetdeck? Shouldn't "short enough"
links be allowed to stay intact?

~~~
jackowayed
Yes, they should. But what's worse? Software that people don't even pay for
being stupid in a fairly minor way, or bit.ly being anticompetitive and
severely hurting its users in the process? He was focusing on the major issue.

~~~
MWinther
I agree that bit.ly aren't being cool about this, clearly they should fix it.

On the other hand, you could say that Tweetdeck is actually being stupid in a
pretty major way. I have a hard time imagining this scenario occurring without
the help of Tweetdeck, or other lazily written convenience shortener
functions.

~~~
bobbyi
In Tweetdeck, when you paste in the URL, you can see it turn into a bitly URL.
It's not as if you don't know that's what's going to be posted.

There is a checkbox next to where you compose your tweet for "Auto Shorten
URLs" that you can uncheck to disable this behavior. It's right there in plain
sight, not buried inside preference dialogs.

~~~
jrockway
I think most people want long URLs to be shortened, but don't want short URLs
to be re-shortened. But there's no checkbox for that.

~~~
furyg3
Do people want long URLs to be shortened if they fit in the tweet? I don't
know if that's true...

~~~
jrockway
I would be happy with shortening any time when the short URL is not longer
than the original...

------
tkaemming
While the author has a right to be upset, her attitude toward the support
staff — who likely have no control over the situation — is disgusting. ("Your
apology is worthless", "Your refusal to check the link", etc. from the email
conversation, and the ensuing comments on the blog post.)

~~~
markbao
Seriously. I've found it's easier to make someone do something when you don't
have your teeth clenched at first, looking to attack. If she approached that
with a "Could you help me figure out..." or "I think you should probably
fix..." attitude, instead of a "screw you" one, she probably would have
received a similarly gracious response.

~~~
blahedo
Did you read the email exchange she posted? Her original email was polite, her
first response was a little clipped but not yet angry, and it wasn't until
bit.ly had blown her off _twice_ that she started with the attacky language.

~~~
markbao
Re-read. You're right.

------
DenisM
_What do you think happens when you click it and report a mistake? Do they
check the link and remove the flag if the site is ok?

No, they don't. They told me to make a new bit.ly link and give it out to
people, as if that would undo the damage that was done_

Uhm. Reminds me of Yelp.

------
qeorge
I have to agree with the author, this is ridiculous. They even do this to
tinyurl:

<http://bit.ly/cGLU0o>

Tinyurl was without a doubt bit.ly's #1 competitor, especially when their
service launched, and they know you can't edit a tinyurl. Seems like a pretty
convenient time for an URL shortener to suddenly get preachy about the dangers
of URL shorteners.

------
toddml
Todd from bit.ly here.

From day one, we've prized security, transparency, reliability, and openness
at bit.ly. Along the way, we've made a number of product decisions based on
those tenets. Among those are link permanence (link destinations don't change
once created), the avoidance of anything that interferes with user experience
(we've never framed, nor will we), and a dedicated focus on spam and malware
detection, so that our users can click on bit.ly links with a high degree of
confidence.

We take our responsibility as internet citizens seriously, and you'll see this
exhibited even in the small details of the ways in which we manage flagged
links (you'll notice we never actually disable a redirect, and at most simply
insert an interstitial which retains the end destination link).

In the course of analyzing content for spam, malware, and phishing attacks, we
rely on a number of systems, both internal and external. Over the course of
the past year, a number of spammers have attempted to use various levels of
indirection through redirectors (some of which are reconfigurable), in order
to obfuscate and cloak their efforts. In fact, the bulk of shortens to bit.ly
coming through other URL shorteners have tended to be attempts to spam the
system. While our crawlers do of course follow links through redirections, the
inclusion of modifiable redirects in the stream, and our analysis of the
preponderance of spam attempts via these vectors have made it necessary and
appropriate in some cases to block the URL shorteners.

Just to reiterate, the only goal is and always has been to protect the end
user clicking on bit.ly links, regardless of the link source. Given that
multiple layer wrapping of URL redirectors tends to be an edge case based on
inappropriate API usage, confused users, or in the preponderance of cases,
attempts to spam, we think this has been a fair approach. As such, you'll note
that we did in fact update our interstitial warning pages with language better
reflecting the reasoning behind the status. We're happy to see a healthy,
vibrant, shortening ecosystem, and have no intention whatsoever to put a
damper on other sites in the space.

Some have suggested we simply not shorten URLs already pointing to 3rd party
short URLs. While this is a potential possibility, our API responses and the
innumerable clients and scripts that use these methods aren't currently
designed with this state in mind. Consequently, any changes would have to be
carefully considered.

As with any product, bit.ly is a work in progress, and we're always interested
in finding ways to best serve our users, while maintaining the integrity and
openness of the product.

~~~
dasil003
That's well-written PR Todd, but the bottom line is this: your false positives
are doing potentially severe damage to third parties. These are people who
aren't even using your service.

When these things happen you need a way to fix them quickly, or you will find
yourselves in legal hot water sooner or later.

Also, I might suggest to you that you have neither the power nor the authority
to be the link police on the internet. What you're doing is engaging in an
arms race that A) is impossible to win, and B) has numerous innocent
bystanders.

I've never really been one to decry the dangers of link shorteners, but this
is a great example of how a link shortener—even with a team of stand-up
ethical guys behind it—can be bad for the internet.

We've been thinking about signing up for bit.ly pro, and I have to say this
throws a wet blanket over the whole thing.

~~~
DenisM
_We've been thinking about signing up for bit.ly pro, and I have to say this
throws a wet blanket over the whole thing._

whitelabel shouldn't be nearly as bad - as long as you control the domain name
you can always take your ball and go home.

~~~
dasil003
Yes, definitely whitelabel was already a requirement for us.

My comment was more about the moral aspect though.

------
Osmose
I'm having a really hard time believing the scenario where a user follows a
shortened link in a re-tweet, sees the bit.ly warning page, assumes that the
original author is trying to spread malicious stuff (and that the re-tweeter,
whom this user is following and supposedly trusts, is supporting this
malicious stuff), and starts telling other people about how untrustworthy the
original poster is.

In reality, they'd probably close the page, maybe make a reply tweet confused
about the warning, and _go on with their life._

------
bcl
Gee, how about we stop acting like we need to limit things to 140 characters?
This isn't SMS you know. We do have the bandwidth to actually exchange useful
information and real URLs. Twitter, bit.ly, et al. are all pretty damn silly.

Even back in the days of 300bd modems and BBS's we weren't this dumb.

~~~
vsync
Twitter is still fully usable via SMS and that's both useful and unique.

~~~
carussell
Are there any handsets in use out there that support SMS and don't support
Concatenated SMS? This is a serious question.

------
jrockway
What Twitter needs is to remove the 140 character limitation. Nobody uses SMS
anymore, especially when the content contains URLs to non-mobile-friendly
sites.

~~~
markbao
I think that would completely go against the concept of Twitter: short-form
communication.

~~~
alextgordon
They could detect URLs and not count them towards the total message length.

~~~
romland
This is the immediate thought one gets, I can guarantee you that Twitter
considered this. It surprises me that parent was deemed insightful.

Should what parent suggests be announced I expect it would be in place for
about six minutes (+/- 5) before we'd see the first Tweet with the actual
message in the form of a URL.

    
    
      http://example.com/Hi_this_is_a_tweet ...
    

And as someone else stated, long messages are clearly against Twitter's
concept/principles/idea/whatever.

The interesting part about this is that instead of URL shorteners we'd end up
with domains that would just act as decoders of the link you clicked on. Good
or bad, who knows.

And while we're at it, let's think of the next step: It wouldn't be long
before someone implemented a packer/cruncher on these messages to be able to
squeeze them into a 140 character limit so that it can fit into an SMS. Then
we'd realize that this is a remarkably stupid thing to do and start sending
un-shortened links to blog posts again. Profit!

~~~
carussell
_It surprises me that parent was deemed insightful._

This isn't Slashdot. There is no "Insightful". Only upvotes.

_<http://example.com/Hi_this_is_a_tweet>_

Everyone's not going to do that on a regular basis, and Twitter can cap
messages at ~1000 characters to prevent egregious abuse and maintain
accessibility to SMS users.

_It wouldn't be long before someone implemented a packer/cruncher on these
messages to be able to squeeze them into a 140 character limit so that it can
fit into an SMS._

Nobody gives a shit about SMS outside of SMS. What _might_ result is that type
of service as part of the SMS gateway, which is exactly what Twitter should
have done to begin with.

------
nhebb
Does SMS have to display the href? Could Twitter just replace all URL's with
the word 'link' and show the real URL on hover, thereby doing away with URL
shorteners altogether?

~~~
MWinther
Hover doesn't work well with touch based interaction, which is all the rave
these days, I hear. I like the idea of showing them separately somehow,
though.

~~~
pyre
It only has to display 'link' in SMS. I don't necessarily think that it _has_
to still say 'link' outside of SMS. It makes more sense to just strip the
links when going through the SMS gateway, and count all URLs as 4 characters
in the '140 characters' limit.

------
caffo
I've contacted bit.ly about this issue 4 months ago. Got the same answer -
"Page is under review". Maybe it's an indirect attack to the competitors?

~~~
malnourish
Unfortunately, offering itself as the best alternative to protecting links
when setting a warning page for already shortened links doesn't seem very
"indirect".

------
moultano
So their spam detection system isn't as good as it should be. Give them a
break. People spreading malware use url shorteners all the time, and I'd bet
some automated system just got tripped up here.

(malice -> incompetence etc.)

I'm happy bitly is at least working on spam.

------
Hume62
Isn't the problem bigger than a small number of people not paying attention to
their Twitter client re-shortening links when it's not necessary? Aren't
people intentionally re-shortening links they get from others, so that they
can track their own reach/influence? If I have a big following and I
re-shorten your link, I can then go to Bit.ly or (anywhere else I have an
account) and exactly measure how that link was spread across the net,
regardless of whether any RTs mention me. "I'll take your short link and raise
you my own..."

------
ericz
That seems rather stupid. How is url-shortening an already url-shortened url a
security threat?

~~~
whughes
Extra cloaking for malicious links? Bit.ly can't exactly check the original
site to see if it's OK if it's hidden behind a funky redirection layer. I
think that bit.ly was reasonable to have an interstitial, although maybe they
should be more open about why and how to remove it.

~~~
sjs
It's a standard http 301 redirect, not a "funky redirection layer".

    
    
        /Users/sjs % curl -i http://xrl.in/33qj
        HTTP/1.1 301 Permanent Redirect
        Date: Sun, 09 May 2010 00:38:19 GMT
        Server: Apache
        Location: http://www.donationcoder.com/CodingSnacks/index.php
        Content-Length: 0
        Content-Type: text/html

~~~
thenduks
Right, but the problem is this scenario:

Bit.ly sees your xrl.in and does a request. They find 301 and the location at
donationcoder.com. They conclude "this site is ok". Later, the xrl.in url is
changed to <malware link>.

They aren't going to do a request to every url they're linking to on every
click, obviously. So they'd only get the one chance.

Now, I'm not actually sure that xrl.in lets you change links after shortening.
The point is that bit.ly doesn't know either.

~~~
jbm
Bit.ly could check a link to no_malware_here.com, which thereafter adds a 301
that redirects to your_computer_now_has_aids.com.

I think it is misleading to display that message based on the possibility of a
redirection. Any page can do that, not just xrl.in.

~~~
thenduks
I think that's the point. They check for a redirection and show an
interstitial. They've white-listed a few other shortener services (the ones
they know are redirecting to actual sites and presumably do their own
redirection checks on)... but as far as I understand it any url that you try
to shorten that does an immediate 301 gets the interstitial first.

If they let urls with redirects on them they can inadvertently bit.ly link
directly to a malware site. They don't want to do that at all and take
measures to prevent it. Checking urls against malware lists and not allowing
redirects are just a couple, I'm sure there are more.

As for being misleading in the interstitial itself... I don't think so.
They've updated it to be more clear about the issues with this link:

* Some URL-shorteners re-use their links, so bit.ly can't guarantee the validity of this link.

* Some URL-shorteners allow their links to be edited, so bit.ly can't tell where this link will lead you.

* Spam and malware is very often propagated by exploiting these loopholes, neither of which bit.ly allows for.
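
The check-once scenario described in the comments above, as an added example that is not part of the thread and not bit.ly's code: it parses a redirect response like the one sjs posted, follows the chain with loop and hop limits, and re-resolves at click time to detect that the destination vetted at shorten time has changed. The in-memory redirect table, the `changed.example` placeholder and all function names are constructed for illustration.

```python
# Added example: time-of-check vs time-of-use for a redirect chain.
# All responses are constructed in memory; nothing touches the network.
REDIRECT_CODES = (301, 302, 303, 307, 308)

def parse_redirect(raw):
    """Return (status, location) from a raw HTTP response head."""
    lines = raw.replace("\r\n", "\n").split("\n")
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location

def resolve(url, fetch, max_hops=5):
    """Follow redirects via fetch(url) -> raw response; return every URL visited."""
    chain = [url]
    while True:
        status, location = parse_redirect(fetch(chain[-1]))
        if status not in REDIRECT_CODES or location is None:
            return chain
        if location in chain or len(chain) > max_hops:
            raise ValueError("redirect loop or chain too long: %r" % chain)
        chain.append(location)

def audit(url, fetch, vetted_final):
    """Re-resolve at click time and compare with the destination vetted earlier."""
    chain = resolve(url, fetch)
    return {"final": chain[-1], "drifted": chain[-1] != vetted_final,
            "hops": len(chain) - 1}

def make_fetch(table):
    """Constructed stand-in for HTTP: table maps a URL to its redirect target."""
    def fetch(url):
        if url not in table:
            return "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        return ("HTTP/1.1 301 Permanent Redirect\r\n"
                "Location: %s\r\nContent-Length: 0\r\n\r\n" % table[url])
    return fetch

SHORT = "http://xrl.in/33qj"  # from the curl output in the thread
ORIGINAL = "http://www.donationcoder.com/CodingSnacks/index.php"
CHANGED = "http://changed.example/"  # placeholder for an edited destination

def demo():
    table = {SHORT: ORIGINAL}
    fetch = make_fetch(table)
    vetted = resolve(SHORT, fetch)[-1]   # what a one-time check records
    before = audit(SHORT, fetch, vetted)
    table[SHORT] = CHANGED               # the redirector's owner edits the link
    after = audit(SHORT, fetch, vetted)
    return vetted, before["drifted"], after["drifted"], after["final"]
```

A 301 status alone says nothing about whether the redirector is editable, so the drift only shows up when the chain is resolved again and compared with the recorded destination.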

------
wyclif
She forgot #3: Just use one of the whitelisted shorteners she mentioned
further up in the article, e.g. goo.gl.

~~~
vaporstun
<http://goo.gl/>

"Google URL Shortener is currently available for Google products and not for
broader consumer use."

~~~
DanielRibeiro
It is interesting to note that common users can easily use goo.gl by using
google toolbar's share function.

------
nostrademons
I solve this problem by not clicking on shortened URLs. At all. If you want me
to click on something, send me the full link. If it's too long for Twitter,
find me on GChat or send me an email.

------
ck2
So? Run your own blog with your own rss feeds and stop using twitter.

~~~
malnourish
Not very feasible for the most part. I don't use twitter, but it does have a
large following. This is somewhat along the lines of saying "So? Stop using
facebook", although I understand where you're coming from.

------
gsiener
My takeaway is to make sure I'm using the most popular shortener (aka bit.ly)

