Twitter Marks Clean Sites As Harmful, Breaks Links

starglider29a writes "Yesterday, a website I maintain that has a Twitter presence encountered an 'unsafe' warning when clicking on the tweets. 'This link has been flagged as potentially harmful.' After scanning the site and its database, then checking with Google and third-party site scanners, I found no evidence of harm. At noon, The Atlantic posted an article which describes the same issue with the Philadelphia City Paper. 'Perhaps most frustrating of all is that Twitter has not been particularly responsive to the paper's plight.' If the warnings are incorrect, how does Twitter justify this libel?"

Re:

[Anonymous Coward]

Probably just marking sites without a 'Follow us on Twitter' link as potentially harmful (to Twitter).

Re:

[iamhassi]

"It's our service, and the word 'potentially' covers our asses just fine thank you, deal with it."

That's like saying someone potentially does sexual things to goats. Pretty sure that's still libel unless they have proof.

Are they really safe?

[keltor]

People talk about so and so site being safe when Google marks them unsafe, but time and time again it's shown that those sites WERE in fact infected - usually from a third-party ad network.

Re:

[i kan reed]

It's worse than that, I've seen people assume a site was safe because it was a blog that validated their personal biases.

Re:

[i kan reed]

Actually, I've found not being stupid is a good way to get modded down. You gotta be careful to be utterly inane if you want karma.

Re:

[hazah]

I must be really stupid then. More often then not I get modded up, and all I've ever done is share a personal opinion/thought. That is to say I speak for the discussion, not the mod -- sigh.

Re:

[i kan reed]

It was a joke at the expense of our poor community. I don't really think there's any connection between actual insight and mod score though.

Re:

[hazah]

I was playing along :).

Re:

[gl4ss]

why not mark the 3rd party ad network as unsafe?

Re:

[Anonymous Coward]

because they have no control over what loads on the site that loads ads from the 3rd party ad network, but can warn people before browsing the site that loads the ads from the 3rd party ad network that jack built.

Re:

[Skapare]

Then why not say specifically what is wrong "This site is potentially unsafe because ads on the site may link to malware, or to pages that load malware, specifically with domains like ... (and list the domains involved)"?

Re:

[sjames]

Because it adds complexity to determine the exact reason the bad thing ended up loading.

Re:

[Skapare]

If they didn't determine the exact reason, they didn't do it right. They should not be blocking sites based on a bad process. Fix it.

Re:

[sjames]

And sites shouldn't be including content from untrustworthy 3rd parties. They need to fix it.

Re:

[DaveV1.0]

The ad network is displaying as a part of the site marked as unsafe. Marking the ad network unsafe doesn't protect anyone who might go to a site serving the ads.

Re:

[GIL_Dude]

Sure, but it wouldn't be so hard to just block the content from the ad network until it was verified as cleaned up. An added benefit is that - the first time this happened - the ad networks would start to take security more seriously.

Re:

[Anonymous Coward]

It would be very hard, Twitter of course have no control what the browser proceeds to load after the user has followed the link.

Re:

[Skapare]

But that is NOT what Twitter is saying. Twitter needs to come clean on this and explain what they found. These kinds of problems will NOT be solved by Twitter's coy attitude of not providing appropriate details (a link from the alert to a page that explains what their system found).

Re:

[DaveV1.0]

What exactly do they know? Do you know what they found? They are not alerting the website. They are warning the users of Twitter. That is all they need to do. It is the responsibility of the site to investigate, not Twitter.

Re:

[Darinbob]

But how do you respond if you find no evidence of problems? With no evidence given from Twitter about why a site is marked unsafe, and no evidence of anything unsafe occuring, and no method of fixing the "problem", it's not irrational conclude that Twitter is actively discouraging traffic to certain sites or performing a shakedown.

Re:

[DaveV1.0]

No, it is pretty irrational to conclude that. Specifically, it is paranoid.

Re:

[Skapare]

The site did investigate. Twitter did investigate. They came to different conclusions. If the site brings it to court (they should, IMHO), then in court Twitter defends themselves with information they SHOULD have provided in the first place (or provided to settle the case) and the court throws it out because the site now knows what they wanted to know. Or Twitter fails to defend and loses. The lawsuit is to get the information.

Re:Are they really safe?

[Savage-Rabbit]

People talk about so and so site being safe when Google marks them unsafe, but time and time again it's shown that those sites WERE in fact infected - usually from a third-party ad network.

There are two sides to that coin. A friend of mine operates a small aviation website that was flagged as infected by Google for over a year and they steadfastly refused to fix the situation even though he got his site certified clean and uninfected by multiple security companies. Google finally relented when he blogged about his experience and it started topping the search results on their own search engine. I suppose they figured that a headline starting with the words "Why I hate Google..." wasn't doing their image any good. His site did not carry ads, it's a pretty basic HTML based site.

Re:

[phantomfive]

a headline starting with the words "Why I hate Google..." wasn't doing their image any good.

Wow, I could write a long story under that headline.........

Re:

[Darinbob]

A site not carrying ads is being actively hostile towards Google's business model, thus they have an incentive to harm that site. It should be up to Google to provide the evidence of harm, otherwise everyone should conclude that Google is acting in bad faith and gaming the system. The same applies to Twitter. How is this any different from someone claiming that the restaurant down the street has rats as a means of hurting a business?

Re:

[Savage-Rabbit]

A site not carrying ads is being actively hostile towards Google's business model, thus they have an incentive to harm that site. It should be up to Google to provide the evidence of harm, otherwise everyone should conclude that Google is acting in bad faith and gaming the system. The same applies to Twitter. How is this any different from someone claiming that the restaurant down the street has rats as a means of hurting a business?

I put it down to bureaucratic incompetence rather than malice. It stills shows how powerful Google has become. If they wrongly flag your side as harmful and nobody at Google support gives enough of a shit to help you sort it out, your site is pretty much dead because of Google's dominant market share. The only traffic you will get is from Bing/Yahoo users. Other than that you will get some traffic from places like Russia (Yandex) and China (Baidu) where Google has not managed to monopolize the market but t

Re:

[Hentes]

How about letting people take responsibility for their own actions? Marking third-party pages is stupid.

Re:

[Miseph]

Perhaps Twitter is concerned that their own actions are causing users to be infected with malware by following links on a first party website.

Re:

[RogueyWon]

Yes, I've noted the same thing.

The nasty suspicious part of my mind can't help but wonder whether the submitter isn't somehow releated to our "friend" Bennett Haselton. It's not a huge leap of logic from "an email can't be spam if I sent it" to "a website can't be infected if I manage it" after all.

Re:

[seebs]

Uh-huh.

I did actually get one of those warnings popping up once, and... it was right. Hole in blog software was being exploited. Fixed hole, cleaned up, warning went away.

Re:

[robmv]

I have seen malware compromised sites with code that hides from GoogleBot User Agent and Google ips, so being flagged as safe from Google is not a sign your site is safe for your visitors

Re:

[Darinbob]

If it's on the internet, it's not really safe.

News item: Piece of software flawed

[i kan reed]

If we report it every time any website doesn't work right, like Obamacare or Twitter, we'll be here all day constantly reading about bug on random website X.

Software breaks, it's only really newsworthy if it breaks in novel or spectacular ways.

Re:

[Skapare]

It's more about Twitter not being willing to explain what is wrong. It might be a bad ad network being used on the paper site. Twitter needs to, at the very least, explain to that site which ad network, and how that ad network is doing things wrong (it might be one bad advertiser). Without this info from Twitter, everyone is not served well. People end up having to work around Twitter, defeating the advantage.

News item #2

[Lendrick]

When a large, unresponsive company leaves an annoying bug in place without any response or explanation and it's impossible to reach their technical support about getting it fixed, often times the best way to get someone at the company to acknowledge it is to report it on tech news.

Re:

[Skapare]

Another way is to sue them and get it in the discovery process.

libel..

[Anonymous Coward]

Is it really libel if you say something has been flagged as "potentially" harmful?

Re:

[Desler]

Just saying potentially doesn't have anything to do with whether it's libel not. What determines if it's libel is if it's malicious defamation which this clearly isn't.

Re:

[HiThere]

Clearly? No. Probably? Yes.

I don't think they could win a libel suit, because I think the perponderence of the evidence is not on the side of intentional malice. But that's a guess, and IANAL. But I really doubt that you are either.

Re:

[Darinbob]

How do we know it's not malicious? There is no evidence from Twitter to prove it is not malicious. Site gets marked "unsafe" and there is no further information to validate this assertion. It's either intentional malice or else they are utterly clueless and are covering their asses rather than admit to a mistake. If they made a mistake that harms a third party site then it is indeed intentional malice when they refuse to admit to the mistake.

Re:

[Skapare]

It's defamation if you cannot defend your position. Twitter is not defending their position.

Re:

[Darinbob]

Why not? It is libel if a newspaper reports that a restaurant has rats when it has provided no evidence of it. This is true even if you say "Bob's Bistro Potentially Has Rats, News At 11!"

Welcome to the future

[koan]

Of the "safe web", all content not making "me" money gets blocked.

time to sue

[slashmydots]

Yep, sue the shit out of them. Everyone says it's so hard to prove damages. Um, look at the web stats for inbound links from each place and the drop in ad revenue. Those are real numbers that they really will cut you a check for after a very short court case.

Re:time to sue

[Scutter]

Really? You jump immediately to "sue them!"? Even the submitter calls it "libel" right out of the gate. What the hell is wrong with people anymore? Twitter is under no obligation to link you to anything at all. When sites like Twitter start getting sued every time there's a broken link (or a warning that a link may be to an infected site), they'll just stop parsing links altogether to avoid liability. Enjoy your cut-n-paste web browsing experience from then on.

Re:time to sue

[slashmydots]

They can link or not link all day but guess what, it's illegal for me to stand outside a restaurant and tell people that they're doing something illegal and harmful inside and that they shouldn't go inside when that isn't actually true. It's the same on the internet.

Re:

[Scutter]

Twitter is doing nothing of the sort. Not even by your fevered stretch of the imagination.

Re:

[Skapare]

Yes, Twitter most certainly is. They are saying the site is unsafe ... AND not allowing the site to correct this problem by detailing exactly what the problem is (presumably a bad advertiser at some ad site). If Twitter's system found it, they may well have a better system. But it's still a terrible attitude by Twitter (their executives, probably) to act in a way that does not allow such things to be corrected. So I'm all for Twitter being sued for this because such a lawsuit has the potential to benefi

Re:

[fatphil]

> Twitter is under no obligation to link you to anything at all.

You seem to be confusing not being obliged to link you to anything, and being obliged not to link you to things that would be considered libelous.

For example, I am under no obligation to post this correct list of slashdotters who do not perform regular goat rape:

Slashdotters who do not perform regular goat rape:
FatPhil (ID: 181876)

But I am under an obligation to not post an inaccurate list of slashdotters who do regularly perform goat rape:

S

Re:

[Darinbob]

Twitter is intentionally harming another business. It should be up to Twitter to prove their allegations.

(Besides, I always cut-and-paste, doesn't everyone? Who is dumb enough to click a link?)

Probably the content

[Anonymous Coward]

Over the years I've noticed a trend with sites and services that offer "safe" lists. Websense, for example, filter software that many companies and governments use, has a tendancy to flag or block sites, not because they are unsafe, but instead, based on people reporting the site, for their own reasons.

A site talking about the situation in Gaza, for example, was flagged through websense and blocked. When I checked from home, the site was safe, no scripts, no tracking, and of course, violated no rules. But, because it wasn't as critical of Gaza (read racist) a group using "megaphone" (google it) had flagged the site with repeated complaints and websense blocked it. I contacted them and had it unblocked.

I've seen various sites flagged through google as "unsafe" that are infact completely safe. It's just a matter of a group of people, with too much time, not agreeing with the content of the site. Usually opinion pieces.

It wouldn't surprise me at all if this was the case here as well. Youtube is horrible for it, I had songs I wrote and recorded flagged various times, because some people from some sites saw that I had a youtube channel and decided to go after me, every video.

Stupid bastards, serves them right.

[fuzzyfuzzyfungus]

Anybody who uses a link-shortening service especially for the purposes of complying with a totally arbitrary character limit, deserves what they get.

Seriously. What is a 'link shortening service' except a way to add another layer of quasi-DNS (except under the control of, probable analytics surveillance of, and subject to any uptime failures, retention limits, etc. of, a single entity) to the process of accessing something on the internet? Even better, since it isn't real DNS, it lacks all of the relatively mature, implementation-agnostic, tools for dealing with DNS and its issues, its behavior can vary nontrivially between providers (so if you aren't handling the shortened link exclusively with a common web browser, it may not work as expected, unlike DNS resolution), and it's a fantastic way to hide phishing and malware from the casual.

You can't really do without one layer of DNS; because remembering IPs is a pain (and tricks like round-robin load balancing are crazy useful); but what kind of sick masochist voluntarily adds additional layers of crippled-semi-DNS?

Re:Stupid bastards, serves them right.

[Ksevio]

People with only 140 characters to post their message and link?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Vegan Cyclist]

There really ought to be a way to disable/opt out of the t.co shortening..that's part of the problem. And i was fine with shortening URLs myself when needed... (Or able to choose who to use for this service..) Same thing when they disabled this for image sites....it's really frustrating and unfair; we should have a choice.

Re:

[heypete]

Twitter's article about their shortener [twitter.com] lists 3 reasons for why they do it:

1. Shortened links allow you to share long URLs in a Tweet while maintaining the maximum number of characters for your message.

That's reasonable. Still, if that was the only reason why it existed then one should have the ability not to use it or use a different one.

2. Our link service measures information such as how many times a link has been clicked, which is an important quality signal in determining how relevant and interesting each Tweet is when compared to similar Tweets.

That information is valuable, I get that. Still, not really enough to justify requiring all links go through their shortener.

3. Having a link shortener protects users from malicious sites that engage in spreading malware, phishing attacks, and other harmful activity. A link converted by Twitter’s link service is checked against a list of potentially dangerous sites. Users are warned with the error message below when clicking on potentially harmful URLs.

In my view, this is what makes the mandatory use of t.co worthwhile -- malicious links can spread really quickly on Twitter and having a mechanism to help minimize the damag

Re:

[HiThere]

I see you trust them, even under the heading of an article about how they are untrustworthy. And you don't even seem to experience any cognitive dissonance.

Re:

[Darinbob]

I guess you could opt out of Twitter.

Re:

[fuzzyfuzzyfungus]

I avoid it like the plague, and your post provides a couple of the reasons why.

While it might occasionally inspire a pithy line, Twitter's artificial limitations turn interaction with, oh, other parts of the internet that you might want to make pithy comments about, into a totally unnecessary clusterfuck, one that isn't even voluntary anymore (for reasons that, no doubt, have everything to do with Twitter's desire to protect users from scammy 3rd party redirect services, rather than their attempt to find

Re:

[DeVilla]

I don't use twitter. Knowing this I believe twitter should be help liable for every mistake. Every unsafe site a user is sent to. Every false positive and every false negative they report. If they want to obscure every link posted so the user can't asses if they trust the site being linked to prior to clicking it, then they assume the responsibility for what's on the other side. In exchange for that liability they get the data from snooping on every link that gets clicked provided that voyeurism isn't

Re:

[account_deleted]

Comment removed based on user account deletion

Maybe it would really help if they cleaned up

[ArsenneLupin]

their site.

When I want to move the mouse to an item in one of their menues, the menu just closes.

Maybe somebody at twitter got annoyed at this, tried to complain to the paper, but got no response, at so gave them some of their own medicine?

O, and what's up with the cookie that they try to foist on you first thing? If your site is in such a sorry state, you are really in no position to complain.

Hash Collision?

[stewsters]

I believe these [google.com] things use lists of hashes of the domains to increase the speed of lookup. It's possible that you have a hash collision with a malware site. They are super rare, but possible. Not sure what you can do about that. It's also possible that there is something that reads as an infected file hosted on your site. A pdf or something that looks like a virus.

Re:

[HiThere]

None of those seem useful speculations for him to entertain. Yes, they might be true, but without further information even if you knew they were true, it wouldn't be helpful

I mean: "Some file on your site hashs the same as a piece of malware does" isn't really something you can act on. Perhaps if you identified the particular file, depending on what it was, it might be something that could be handled, but "some file"? And it's really "perhaps some file, but we aren't going to tell you even that". That's

Re:

[Desler]

It's actually more nuanced than that. It has to be a defamatory statement made with malicious intent.

Re:

[HiThere]

And again, this depends on what country you are in. I'm informed that in Britain something being true is no defense against libel charges.

Libel?

[93 Escort Wagon]

It's not enough to claim the statements are wrong - by claiming libel, the submitter is stating that Twitter knows the statements are wrong and is deliberately making them anyway. That seems a rather high bar to clear.

Maybe Twitter thinks the sites are dead. After all, you can't libel the dead...

Re:

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

Censorship?

[s.petry]

Before you go on a tangent and claim it's only big brother tinfoil hat censorship, let me give a list of reasons to consider it possible. Without answers from Twitter and other sites that block, claiming "whoops" is no more and nor less valid than the subject (censorship). Even with answers, it's not beyond many of these companies to outright lie, so we should be scrutinizing their answers.

1. Money. Google/Twitter may not have pay links on the site and see no revenue from click ads. While this may not be the only cause of a block, it sure could impact how fast they respond to fixing a site blocked.

2. Group Pressure. We have seen this with numerous groups, they have a couple people flooding complaints against a site, broadcast, or print article that they don't like. We have also seen this from groups that are not Religious, so don't just blame those idiots from Westboro Baptist Church.

3. Appeasing Big Brother. The NYT, CNN, and others have had numerous whistle blowers telling you that these companies censor works that the Government does not find favorable. It would be safe to assume that they also censor on their own prior to receiving a stop order from the administration.

4. Big Brother. This comes in so many forms today with our massive and intrusive Government that it can not be discounted. Many of these people share resources, so it's not going to be hard to use this network to block content people don't want out. Yes there big ole maps that shows how all of these massive companies and governments are tied together. Since there are bunches of these covering various categories I'll let you search and look at them all.

Disclaimer: I'm not saying that all 4 of these things happened here, or that even 1 of them happened. I'm claiming that to not consider it possible is rather idiotic given everything know. Anyone that blindly trusts one of these large technical companies or a Government agency today is a fool. The only way to start breaking up the corruption is to question everything, scrutinize everything, and of course report when bad things happen on every available channel in order to avoid some of the blocking.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[david_thornley]

Not allowing a link is one thing. Claiming the link is unsafe is another. Twitter's TOS cannot make illegal actions legal.

Grain of truth

[jdavidb]

If the warnings are incorrect, how does Twitter justify this libel?

Probably the same way you justify your hyperbole: with the basic fact that people are entitled to their own opinions, even if others disagree. Using big dramatic legal sounding words to try to bludgeon others over their opinions is actually harmful to society, in my opinion.

Re:

[Jeff Flanagan]

You accidentally called someone else an idiot when you have no idea what you're talking about, so all you've conveyed is your own shortcoming. Sorry life is going so poorly for you.

Re:

[Man On Pink Corner]

If that's not libel, then the law has a bug, and needs to be fixed.

Regardless of the obscure legal technicalities, the facts are as follows: (1) Twitter is drawing a distinction between "safe" and "dangerous" sites; (2) Twitter is suggesting that the site in question is "dangerous," and (3) Twitter is causing the victim to suffer demonstrable losses as a direct result.

Twitter's act of drawing a distinction between "safe" and "dangerous" links should be what incurs the liability. They should not be able to

Twitter is doing a lot wrong these days

[DougDot]

My company has a project that is funded by NIH, and as part of our project work we are collecting tweet data from the 1% API stream for use in epidemiological research. Up until last week, the python (tweetsream-based) application that was collecting the data was running on an AWS EC2 compute instance. Without any warning or comment from Twitter, we started getting the '401 Unauthorized' error, and our data collection requests were blacklisted.

Twitter's support system seems designed to prevent users from su

Darwin rules.

[Thor Ablestar]

I believe that it's the existence of insecure sites that promotes the creation of immune software. And [TINFOIL MODE ON] that the existence of services that mark sites as harmful allows the vulnerable software to exist and to give a profit.