09.30.09

Twitter's Gangster Spam Trap

Twitter’s innocuous-looking mobster game has turned the micro-messaging service into an unstoppable spam service. And just like the real Mafia, once you join, you can never get out.

Spam schemes are everywhere, and now they’ve hit Twitter. Early Monday morning, I received a rare email from a woman I respect tremendously, Marina Gorbis, executive director of the Institute for the Future. She's the kind of person whose emails you open first. Turns out this wasn't an email at all, but a "direct message" from her Twitter account to mine. All it said was:

mgorbis: Hey, I just added you to my Mafia family. You should accept my invitation! :)

And it was followed by a link.

Wow, I thought. Marina Gorbis is playing some new game on Twitter, and asking me to take part? She's not the kind of person to do this on a whim, so I assumed it must be something significant. I followed the link and got to this screen:

[Image: Mobster World screen]

A Twitter-based Mafia game? I don't really have time, but I didn't want to insult Marina by rejecting her invitation. Plus I figured if she really thinks this is so cool, there must be something to it... But wait. What's that little gray bit? Terms of service?

I never bother reading those Terms of Service contracts, but anything that might get me out of having to play an Internet game—on Twitter no less—was worth a shot. Sure enough, it turns out that clicking on the big red button grants Mobster World access to your Twitter account, and gives the game the ability to send invitations automatically to all your followers and everyone you follow. Which it goes ahead and does instantaneously, before you even get to the next page.

In other words, clicking on that button turns you into a spambot. And if, like Marina, you have any social standing with the community following your tweets, your reputation is now in service of a company, using your account and your name. With your permission. Then your friends see the big red button, click on it, and so on. A classic pyramid scheme.

Mobster World isn’t controlled by Twitter, which is, at its core, a platform. It’s one of the thousands of applications out there created by people or companies, ostensibly to make the service more useful. There's no information about the company running the game on the Web site, and a domain search only reveals that its operators are hiding their identity through an anonymous proxy service. That sure inspires confidence.

Worst of all, once users realize they have been scammed and attempt to cancel, there is no way out. They can click the "cancel" button and read through a big warning about how the step is irrevocable. But, once clicked, the cancel button doesn't actually do anything. The account remains active, and the permission given to the Mobster people to spam the account's followers and followees remains intact. Like the real Mafia, once you join, you can never leave. Not alive, anyway. The only way to reliably end its hold on you and your people is to close your Twitter account altogether. Virtual suicide. Talk about a killer app.

"We're always happy to see people experimenting with Twitter and building off the platform," my friend Evan Williams, Twitter’s CEO and co-founder, told me when I emailed him about it. "Mobster World is pretty creative from what I've seen."

Problem is, it's much less creative at entertaining people than it is at commandeering their accounts. It's an alarmingly simple but dastardly concept that may ultimately challenge the openness of Twitter.

"If apps are tricking people or not making it clear what they're going to do with the auth credentials users give them, we're very against that," Williams said. But putting up technological roadblocks comes at a price. The only way for the company to forcibly prevent such abuse of the service would be to limit the ease with which people engage in legitimate activities. Every closed portal or feature is one less way for Iranian dissidents to message one another in a crisis, one less nook or cranny through which a creative hacker can devise a genuinely useful new app.

The answer, for Williams, is education. "In general, users are advised to use a lot of caution before authorizing apps. I also think we could do a better job of helping people know when to trust apps and what authorizing them means."

So far, that does appear to be working. Had a majority of people receiving the Mobster email actually pressed the red button, all our inboxes would be filled with their invitations by now. The smarter we get, the better it is for Twitter and the Internet as a whole.

By staying independent and as open as possible, Williams hopes to avoid the mistake he feels he made back when he sold Blogger to Google in 2003, before the application had discovered its true potential. He's famous for wanting to give Twitter the time to grow and develop, unpressured by the need to find profitability or an exit strategy.

But this time, the pressure may come not from above but from below. You can only fight off corporate partnerships for so long before an even more distasteful syndicate comes calling. If the spam mob really does infiltrate Twitter, making the service more trouble than it's worth, the company won't have to worry about a legitimate takeover anytime soon.

Douglas Rushkoff, a professor of media studies at The New School University and producer and correspondent for the PBS Frontline Digital Nation project, is the author of numerous books, including Cyberia, ScreenAgers, Media Virus, and, most recently, Life Inc., released this month by Random House.