I was interested last week to discover that, unknown to me, the link shortening service bit.ly was displaying a warning message when anyone clicked on one link I had shortened with them. The link was to a controversial but entirely valid political commentary and there had been no indication that this would happen when I shortened the link. I was even more concerned that the warning message implied I was attempting to hide spam or malware in the link. The message displayed looked like this:
The assertion in the second sentence is completely untrue. The link involved had not been shortened more than once, so the rest of the explanation given there is completely wrong. I got several worried comments from Twitter followers asking what was going on and why I was trying to double-obfuscate links, so I decided to investigate.
Clicking the link myself I started by looking for a way to report a false-positive. (The screenshot above was kindly supplied by bitly’s Chief Scientist, Hilary Mason, after she had quickly updated the last line in the yellow box – prior to that there was no mention anywhere of the possibility of a false positive). Looking through bitly’s site I found that indeed all the links and pages I could locate were purely for reporting abuse; clearly no-one had anticipated that a mistake might be made.
Buck Passing
I sent a message to their support e-mail address suggesting this was a false positive (possibly created maliciously by a critic of the page I was linking) and to their credit I got a response within a short time. It didn’t help much, though. It said:
Please contact Spamhaus and have the URL removed from their system. We currently have blocked it due to a Spamhaus report. Thanks for asking.
That wasn’t a terribly good answer, for two reasons. First, I checked Spamhaus and there was no indication that the URL in question had been blocked. Second, it’s hardly a job for a user to debug a company’s system like this. I replied asking for clarification and got the reply:
We are Bitly and Spamhaus has its own system of how to ask to be removed. They are a spam service that reports a blacklist. I don’t have much knowledge directly of how to get off their list, but I’m sure if you do some research, you can find out quite easily. Thank you.
By this stage I was getting concerned. They seemed to think that they were free to block any URL without question, and that it was entirely up to me both to detect they were blocking a URL, to diagnose the reason why and to independently go upstream of their filter system and resolve false positives. So I asked for an interview.
Within a few minutes, Hilary Mason called me. We had a good conversation about the spam blocking system she had designed and which bitly have implemented. It uses multiple upstream sources to identify potential abuse, as well as looking for usage patterns that might also be indicative. Unfortunately, despite the fact they have multiple triggers for deciding a link is suspect, they only use a single mechanism to react to the trigger, and it seemed to me that no-one had considered the system from the perspective of a link publisher.
Hilary was also unable to explain why the URL I’d used had been blocked. She did indicate that the URL involved had been on the Spamhaus list in April and that seemed to be the only reason it might have been blocked, but it clearly wasn’t on their list that day, so there’s obviously some engineering work that needs doing. I explained why the text on the alert screen was a problem and she has changed it to the following:
which is a bit less damning of users than the original. But it’s clear that they need to invest time in this to make it more accurate, more informative and to have an actual mechanism for handling false-positives. Hilary explained in e-mail that the original intent had been to have multiple screens depending on the issue that triggered the concern, but that hadn’t made it through to implementation.
Good Approach, Poor UI
All in all, this was a very unfortunate encounter with what looks like a well-considered approach to handling link-shortener abuse – thanks to Hilary for taking the time to discuss it with me. The fact the alert message includes the option to over-ride bitly’s concerns and just click through to the link is excellent, and an approach that is far preferable to a straightforward blacklist. There’s no doubt that link shorteners offer the potential for abuse and it’s good bitly is taking this seriously.
The fact the system is based on balancing and measuring multiple inputs is also a strength, although the lack of user feedback to explain the nature of concern is a shame. The fact they don’t alert me, the publisher, to the fact they are going to alert all my readers of a problem is really poor – Hilary assured me that a fix for this is about to be rolled out too. Overall it’s encouraging to see this approach being taken and regrettable the actual implementation doesn’t match the strength of the ideas behind it.
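As an added illustration (not bitly's code and not part of the original post), the example below shows one way a shortener could re-confirm an old blocklist verdict before warning readers, and pick the warning text from the trigger that actually fired. The `Verdict` fields, trigger names, `MAX_AGE` value, the `ExampleFeed` source and the `still_flagged` callback are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

MAX_AGE = 24 * 3600  # assumed: re-confirm any verdict older than one day

# One message per trigger, so the warning states the actual reason.
MESSAGES = {
    "blocklist": "The destination is currently listed by {source}.",
    "usage_pattern": "Clicks on this link match a pattern seen in abuse.",
    "nested_shortener": "This link points at another shortened link.",
}

@dataclass
class Verdict:
    url: str
    trigger: str       # key into MESSAGES (hypothetical trigger names)
    source: str        # upstream feed or internal detector that raised it
    checked_at: float  # epoch seconds when the trigger was last confirmed

def decide(verdict: Optional[Verdict], now: float,
           still_flagged: Callable[[Verdict], bool]) -> dict:
    """Return the action for one click on a shortened link."""
    if verdict is None:
        return {"action": "redirect"}
    if now - verdict.checked_at > MAX_AGE:
        # Stale verdict: ask the source again before warning anyone.
        if not still_flagged(verdict):
            return {"action": "redirect", "cleared": verdict.source}
        verdict.checked_at = now
    return {
        "action": "warn",
        "message": MESSAGES[verdict.trigger].format(source=verdict.source),
        "allow_click_through": True,    # the override the article praises
        "report_false_positive": True,  # the path the article found missing
        "notify_publisher": True,       # tell whoever shortened the link
    }

# Constructed sample: flagged in April, clicked months later after delisting.
APRIL = 1_302_000_000.0
stale = Verdict("https://example.org/commentary", "blocklist",
                "ExampleFeed", APRIL)

if __name__ == "__main__":
    print(decide(stale, APRIL + 90 * 86400, lambda v: False))
```
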
Just wanted to add that your URL was unblocked once we figured out it was a Spamhaus report and ok’d to be unblocked. We do apologize for any inconvenience, but wanted to make sure your readers know that we do take action upon reports of false reporting. We are sorry that it wasn’t up to your expectations, but hopefully we will improve the system going forward. Thanks again for the coverage and the feedback of how to improve the spam fighting that we do on a limited basis currently.
Rex (yeah, that Bitly guy who did respond to you directly)
Thanks Rex – yes, the URL was unblocked the same day. I avoided naming you since Hilary raised her hand as spokesperson. But do note it wasn’t and isn’t “my” URL, and that was part of the problem with your outlook and instructions, which all assumed I was the source of the problem and thus responsible for solving it.
Also, please can you explain why, despite the fact Spamhaus was no longer blocking the URL, bitly still was?
We also suffer a false positive by Bit.ly.
More info at http://www.phraseexpress.com/bitly_false_positive.htm
It seems that something is going horribly wrong at Bit.ly.
After sending an inquiry to Bit.ly support, the issue was quickly resolved.