Anyone can add arbitrary user ID OpenPGP packets to any public key, and the sks web app will display them, even if they don't have valid signatures.
This has happened with my key: https://pgp.mit.edu/pks/lookup?search=0x403C2657CD994F73&op=index
The display of my key shows three user IDs which I did not create (and therefore they don't have valid signatures):
trolldwot <firstname.lastname@example.org> Dontuseee <email@example.com> Hacim Lee <firstname.lastname@example.org>
If I import the key locally, it only shows the ones that have valid signatures:
pub rsa4096/CD994F73 2015-08-14 [SC] [expires: 2016-08-13] Key fingerprint = 927F 419D 7EC8 2C2F 149C 1BD1 403C 2657 CD99 4F73 uid [ unknown] Micah Lee <email@example.com> uid [ unknown] Micah Lee <firstname.lastname@example.org> uid [ unknown] Micah Lee <email@example.com> uid [ unknown] Micah Lee <firstname.lastname@example.org> sub rsa4096/5D5F1356 2015-08-14 [E] [expires: 2016-08-13]
I've had multiple people tell me that they searched for the OpenPGP fingerprint they found on my Twitter profile but it says "don't use" so they're not sure if they should trust it.
This is a user interface issue with sks.
I think that either the web app should only display uids that have valid signatures, or the web app should explicitly show that uids with invalid signatures are invalid (for example, by making them red and crossed out).
But the former is probably cleaner UI, and if people really wish to see the invalid uids they can always download them and use pgpdump, just like they must to see all sorts of other information stored in a public key block.