557 comments

[ 5.0 ms ] story [ 328 ms ] thread
Why can't companies like google just have a warning and review period before taking actions like this?
They don't even validate that blacklist entries actually contain an offending URL in the report. That's how much they care.
Reviews would have to be done by humans and humans doing things themselves is bad for the bottom line.
Google doesn’t need to do it, so they won’t spend the effort to do it.
“We don’t care, we don’t have to.”
I have no extra knowledge on the subject, but if the flagged website was indeed serving malicious content, the brakes would have to come down pretty hard. If you have a review period you can end up serving malware to hundreds/thousands of people. Don't know how often this happens, though, and what the false positive rate is, it'd be interesting to see.
That would probably cut a lot into their profits. Automating these tasks even if some people get cancelled wrongly is way cheaper than hiring people for reviews. Hey are so big that losing a few customers doesn’t mean much to them.

I am waiting for the day when this happens to a large company. My company has more and more stuff on AWS. If Amazon cuts us off by accident the damage will quickly go into the billions.

1) Google doesn't want any humans in the loop. Humans are expensive. Would sending a warning first result in more humans involved or less? More. So not gonna happen.

2) Google claims any information given to exploiters of its rules and systems aids the next attempt. So they don't like to give out any information about what AI rule you tripped to get banned.

It's absurd. This thing happens on the play store. I've seen it happen multiple times due to pure mistakes. It takes an appeal and time to resolve the issue, in the meantime you are stuck.

Their appeals form only lets you submit 1,000 characters, no images or attachments. So in many cases, it's hard to even provide proof of the mistake. For example, if they falsely takedown your app for trademark infringement, but you have priority rights in a country or a registered mark, how are you supposed to effectively prove that in 1,000 characters with no images? In one case, we had a decision from the trademark office in our favor, but we were unable to attach it in any way and had to try and summarize it in like 300 characters.

There is no reason in most cases to not provide a warning period and the opportunity to provide evidence and exhibits.

They act so much like a monopoly in this case that they are stupidly making things harder for themselves. Sundar and Google's legal team should take all the PMs aside and tell them they are going to start losing antitrust cases left and right if they can't provide more due process for decisions.

Because malware sites are practically ephemeral, pop up and disappear on short time frames. A review period wouldn’t do much except let them game the system even better.
Maybe there should be a law that any business that has over ten billion dollars in annual revenues has to answer the phone when you call them and have a reasonable resolution process for complaints.

If that ruins your business model, cool. Just spin off parts of the business until each one is back under ten billion in revenue and do whatever you want.

That’s not a bad idea. In general I am believing more and more that businesses that exceed a certain size are harmful for the overall economy. They may be more efficient and generate lower customer prices but they also harm innovation and prevent smaller companies from succeeding.
Ideally, we would be able to choose the best company, such as the one that does answer their phones. In this case we can't, which is the real problem.
I’ve being increasingly wary of Google’s offerings altogether. Their ban hammer seems to be driven by Mr Magoo, who looks at everything and sees threats, and makes judgements.
As a person why suffers from myopia, I find this analogy offensive.
Yes, but an inverted magoo. Mr. Magoo assumed the best intentions of everything he bumped into (and misunderstood).
Eventually, Google will get to the point when regulators will come to gut it and the crowd will be cheering
But, left with fewer resources, Google's security might become like the security of smaller companies, and the crowd will be crying.
Is there any reason that Google couldn't, or wouldn't, repurpose Google Safe Browsing to blacklist sites that are "unsafe" due to under- or poorly moderated content? E.g. doing this to Parler after they find hosting again? I can't think of a reliable one.
There's a very obvious reason not to do that: if you apparently maliciously cry wolf a few times, people won't trust your cries any more, and, for example, other browsers might choose to stop using the Google Safe Browsing list.
So what would they use instead? It's not like there are any other free, real-time and mostly accurate malicious-URL databases around for people to plug into their browsers and products.
Perhaps “comes the hour, comes the man” would apply? It's a difficult problem, but if there was an urgent need for a solution, I'm sure one could be found.
Nothing at all. Many people survive exposure to the internet without being protected by corporate firewalls, think-of-the-children filters and antivirus.

Or do we expect UK citizens to curl up in fetal position and start screaming as soon as they leave their country because they're no longer protected by their ISP filters?

As someone who tracks phishing pages I would disagree. The amount of really high-quality fast flux phishing put out every day on completely legitimate-looking domains is astonishing. I know plenty of people who would immediately fall for it, and I wouldn't blame them one bit.
I don't doubt that phishing exists, but it's still a tail risk, it's not like the majority of the internet population got scammed 24/7 before google stepped in. So if google were to abuse that power then we could choose living with an increased risk instead of trusting them. At least until another solution is found.
What other browsers? Almost all users of SB are using Chrome.
Firefox and Safari. I know, Chrome is huge these days and it's a problem, but it's not like anything can be done about Chrome.
As @gomox alludes in his article, Firefox uses Google Safe Browsing API.
I would agree, but "apparently maliciously" is too subjective.

According to US conservatives this is what Twitter, Facebook, Amazon, Google, Apple, Twilio, Snapchat, etc all did to Parler for political reasons.

According to US progressives/liberals it was absolutely not malicious, but rather the polar opposite: protecting people.

These days there is no common agreement on that stuff, and given the recent events I see no reason to believe that they wouldn't do as GP asked.

Sounds like a full inversion of terms "conservative" and "progressive/liberal" has happened?
Indeed, although I suspect it's just because of the politics here. If Parler had been a progressive/liberal haven conservatives would support censoring while progressives would be outraged at the violation of free speech.

The reason I think this is that's what happened with "private companies can do what they want." Giant corporations imposing their values on individuals is not a problem for progressives when it's big tech. Likewise Conservatives don't seem to support private property rights and no regulation anymore.

Author here. I think it's too late in the cycle for that. This list is too widespread and anyone that is banned from it needs to immediately work around the issue somehow, therefore reducing the visibility of the problems.
No, I don't think that's how it would play out.

1. Google bans parler.com on Jan. 8th by adding it as an "unsafe URL" to their blacklist.

2. Mozilla issues statement: "While we don't believe it was prudent to use the Safe Browsing blacklist for this purpose, given recent events, we will not be unblocking parler.com, and do not currently deem it necessary to maintain a separate safe browsing list."

3. Something similar happens a few months from now, and this time there's no statement from Mozilla or Microsoft. It has now become accepted that blacklisting less-moderated social media, which can cause real-world harm, is a normal use for the Safe Browsing list.

The problem is, if a mainstream browser goes against the flow, it becomes "The Nazi Browser." Its market share was already less than Chrome's, and now it's getting all these new users who are outcasts. This is a Hard Problem of moderation in a small market. You can't be the one out of three players who moderates less, lest you be overwhelmed by undesirables and less-desirables.

I can't tell if this is true or not - was parler.com actually blocked with this mechanism?
No, they were taken down by their cloud provider and by the two mobile app stores. My story was hypothetical, though disturbingly the companies involved don't entirely change when you talk about a take down from a different layer.
I guess just entirely inventing the slope and start points as well as a predicted trajectory is a new achievement in "slippery slope" arguments. Congratulations.

More seriously, maybe invent imaginary third parties rather than arbitrarily assigning your imagined bad motives and awful consequences to real people who did none of what you've suggested?

Google could, if they wanted, just add a new category to Safe Browsing. They could call it "Arbitrary censorship" or "Nazis are bad" or whatever you want. There are already several categories which even use slightly different parameters for the core technology so this wouldn't substantially change the system and yet would add much more flexibility if you wanted (as you might well) to protect against Phishing whether from Nazis or not, while still visiting a popular web site organising the overthrow of American democracy.

How is talking about mechanisms for taking parler.com offline "entirely inventing the slope"? It was taken offline by its cloud provider and its apps were removed. Google was even involved in the takedown. Nothing outlandish is being discussed here.

As for "bad motives and awful consequences", what are you talking about? Is wanting to take parler.com offline an objectively "bad motive"? Is succeeding in that endeavor an "awful consequence"? This is the heart of the problem: Weighing consequences is hard when faced with real threats. So when the two consequences are "parler.com becomes inaccessible" and "the integrity of the Google Safe Browsing URL list is slightly compromised", I think it's at least possible that executives would decide to compromise the list.

The problem is, if a mainstream browser goes against the flow, it becomes "The Nazi Browser." Its market share was already less than Chrome's, and now it's getting all these new users who are outcasts.

This whole problem only started because browsers stopped being neutral to the content and basically adopted the harmful "if you're not with us, you're against us" stance that seems to be propagating through everything these days. None of the "smaller" browsers (and I mean smaller than Firefox - the Dillos, Netsurfs, and Lynxes) do anything like this.

Users would start to ignore the warnings and proceed anyway, or even turn safe browsing off.
I think another take away from this article is “don’t allow users to upload malicious files that you then host from your domain”

This seems easier to do than jumping domains.

Author here.

That is definitely a good idea, and I recommend it. But that should not be the main takeaway.

In our particular case, that was not found to be the problem (we think it was some sort of false positive), and there are valid reasons for users to do that anyway (upload a phishing email attachment onto an IT support ticket, for example).

Pretty sure the main point was a private company can effectively delist you from the internet without any rhyme or reason. Most of us have heard Google horror stories when you use their products the fact you can be free of them and have any new customers bounce from your sight in terror is uh, terrifying.

I would like to emphasize of course they have good stated reasons for warning users before accessing websites. The issue is that they are a private company whose behavior affects all major browsers and (for kicks) they have an extremely opaque review process.

If you ran a "divest from Big Tech" website which started gaining steam they could delist like this and the only real force stopping them is public backlash. If you think you can effectively sue Google to stop them I have a bridge to sell you.

> I think another take away from this article is “don’t allow users to upload malicious files to your domain”

I disagree, at which point did we all accept Google's role as defacto regulator and arbiter of the Internet? Why should we tacitly accept the constraints they deem as appropriate and modify the way we build the web?

In other words, those are our domains, our apps, our systems and we'll do as we please; that includes worrying about content moderation, or not.

When and why did we accept google as the Internet's babysitter?

Apologies if this sounds aggressive, but your takeaway reflects an appalling and quite fatalistic mindset; one which I sadly believe is increasingly common: big corporations knows best, big corporations say and we do, big corporations lead the way.

On the other hand, probably I'm just biased and tired considering how tiresome it's been to explain to my friends and family why Signal is the better alternative after the WhatsApp/Facebook fiasco.

/EndRant

Sorry, but you don't get to tell me I am obligated to browse your site without being notified if you have malware.
Might have, judging from this story.
Assuming that this site "serving malware" isn't doing it purposely.

What if someone made a site that inspected malware and went in depth on how it worked and allowed you to download the malware to inspect yourself so you desire. Google would flag this site as bad and blacklist it, but in reality it's a research site.

There are standardized ways to share malware downloads. Google likely respects them.
What is that standardized way?

Encrypted zip files with the password listed on the website is the easiest one that comes to mind. I wonder if googlebot will some day decrypt those files because a lot of pirated software is distributed in encrypted zip files. Scanning those files for viruses would be pretty useful for the average user.

I guess captchas are the only bulletproof solution

Usually people use a zip file with the password "malware".
You are not obligated to browse anything. In fact, you as a human is obligated to very little. Perhaps keeping yourself alive (which somebody might even oppose as an obligation).

If you enter at site that hosts articles on malware and it allows you to download the malware assets to play with for yourself, you should be a fool for not understanding that the site hosts malware and is not adversarial.

When you installed their browser.
I didn’t install their browser.
Your users did decide to use it, though - and this particular feature is one of the reasons why that particular browser if popular. It was one of the major differentiators of the "better" browsers in the sad old IE days.

For all you "use Firefox [etc], don't use Chrome" pundits: it also uses Google Safe Browsing [0], and for that matter so does Safari, which may compound it by using Tencent version instead if you happen to be in China [1]

[0] https://wiki.mozilla.org/Security/Safe_Browsing [1] https://support.apple.com/en-us/HT210675

This is a weak take. Are we saying that any feature built into a web browser is desirable by virtue of the products popularity? 99% of chrome users use it because they recognize the interface from school laptops. Do you really want to live in this world where massive corporations can put whatever they want in their products and the justification is “yeah well people still downloaded it?”
> 99% of chrome users use it because they recognize the interface from school laptops.

The implication that less than 1% of Chrome users are old enough that Chrome didn't exist when they were in school is laughable.

Also, if that kind of familiarity rendered feature comparison irrelevant, Mosaic would still have a healthy share of the browser market.

No, we are saying that a site owner should not get to choose which features of the browser the users decide to use. It's the same reason why HN is dogpiling on any site that announces "Only works in Google Chrome", "Best viewed in Safari" or, for older users, "Designed for IE".

One of the reasons why users decided to jump ship to browsers implemneting more advanced security features (which invariably including some sort of malware/phishing actors filter) was the realisation that even a site that has been safe to visit before may serve you malicious content. PHP.net, for instance, was compromised in a way that is eerily similar to what the author here describes - JS files were variably serving malware depending on certain conditions [0], and the first warning anyone got was GSB blocking it. You can read and compare the outrage that 'it can't be true' that particular blocking has caused at your own convenience [1].

Whilst you can convince the users to jump ship to some fringe browser that does not use the technology (and I do invite you to try to find one which does not use either Google, Microsoft or Tencent filters and has at least 0.1% of global usage!), it is a losing proposition from the start. The take is: the vast majority of users is actually comfortable and happy to get this message, as long as they can trust that it is warranted.

Should filters be hosted and adjusted by a major technology company like Google? Probably not, and some indepdendent non-profit hosting them (for the sake of the argument, even StopBadware that kick-started the whole mess [2]) would be welcome to try to take that responsibility. But the filters are here to stay until we come up with something better as a solution.

[0] https://news.ycombinator.com/item?id=6604251 [1] https://support.google.com/webmasters/forum/AAAA2Jdx3sUpuLmv... [2] https://www.stopbadware.org/

The problem is that the process is opaque so you aren't even given a hint as to why the site is blacklisted. Security filters, fine, but at least tell the developers what the violation is so that it can be fixed. It's the same in the play store controversies, the developers aren't told what's wrong, the app is just taken down. This lack of transparency is the real issue.
I think the author highlights the main issue at the end of the article. This is where pressure needs to be applied. I get it, Google’s process probably protects a lot of end users from malicious sites. Getting a real business added to this blocklist by a bot though is not cool. Perhaps a process to whitelist your own domains if this power can’t be wrangled from Google.

> Google literally controls who can access your website, no matter where and how you operate it. With Chrome having around 70% market share, and both Firefox and Safari using the GSB database to some extent, Google can with a flick of a bit singlehandedly make any site virtually inaccessible on the Internet.

> This is an extraordinary amount of power, and one that is not suitable for Google's "an AI will review your problem when and if it finds it convenient to do so" approach.

> Getting a real business added to this blocklist by a bot though is not cool.

Real businesses can (and often do) host malware too. There was a notable event where php.net was hacked and hosting malware, which Google flagged. The owner of php.net was pretty mad at first and claimed it was a false positive. It wasn't.

Right, I’m not saying they aren’t a risk. I’m suggesting that if a real business is whitelisted that a automated process shouldn’t be allowed to blacklist it without some type of human interaction.
Not to mention thousands and thousands of unsecured Wordpress and other similar systems which were turned into malware delivering botnets.

At my local faculty there were at some point not less than 6 different malware serving sites (Wordpress, Drupal and some similar unpatched sofware), which were happily delivering all that data from a university domain.

Easier?

What's the easy way to distinguish between "malicious" and "non-malicious" files?

The section about ants and Google shifting on its planetary chair is perhaps the best part of this article. A sobering way to look at it.
Are there any no win, no fee law firms that specialize in these cases? What if for every hour offline, your SAAS loses X money? For this particular case, what if due to the service disruption, some customers decide to move their business elsewhere? Enforce an SLA?
Author here. That was exactly our situation with the impacted systems. We got lucky with the fast "review" and it happened late enough in the day that only PST customers were impacted meaningully.

But still, quite frightening, hence the post. It's not a failure mode we had in mind when we established the SLAs.

We seriously need to break up Google. This is a chokepoint for innovation, should not be controlled by one company, and has serious downstream consequences on economic growth as a nation.
(comment deleted)
Imagine a future where multiple big tech companies share “blacklists” of individuals and applications that should be banned across their networks. Your entire business and digital life could be snuffed out in an instant. Already seen it happen, now it just has to scale.
After years of seeing developments like this, getting worse and worse, it fills me with rage to think about how clearly nobody in power at Google cares.

I naively used to think, "they probably don't realize what's happening and will fix it." I always try to give benefit of the doubt, especially having been on the other side so many times and seeing how 9 times out of 10 it's not malice, just incompetence, apathy, or hard priority choices based on economic constraints (the latter not likely a problem Google has though).

At this point however, I still don't think it's outright malice, but the doubling down on these horrific practices (algorithmically and opaquely destroying people) is so egregious that it doesn't really matter. As far as I'm concerned, Google is to be considered a hostile actor. It's not possible to do business on the internet in any way without running into them, so "de-Googling" isn't an option. Instead, I am going to personally (and advise my clients as well) to:

Consider Google as a malicious actor/threat in the InfoSec threat modeling that you do. Actively have a mitigation strategy in place to minimize damage to your company should you become the target of their attack.

As with most security planning/analyzing/mitigation, you have to balance the concerns of the CIA Triad. You can't just refuse Google altogether these days, but do NOT treat them as a friend or ally of your business, because they are most assuredly NOT.

I'm also considering AWS and Digital Ocean more in the same vein, although that's off topic on this thread. (I use Linode now as their support is great and they don't just drop ban hammers and leave you scrambling to figure out what happened).

Edit: Just to clarify (based on confusion in comments below), I am not saying Google is acting with malice (I don't believe they are personally). I am just suggesting you treat it as such for purposes of threat modeling your business/application.

Author here. I don't think it's malice on their part, but their hammer is too big to be wielded so carelessly.
Yes I agree with you (and thank you for your medium post by the way. Our only chance of ever improving the situation is to call attention to it. I fully believe Google leadership has to be aware of it at this point, but it clearly won't be a priority to them to fix until the public backlash/pressure is great enough that they have to).

Just to avoid any misreading, I didn't say I thought it was malice on Google's part. My opinion (as mentioned above, is):

> I still don't think it's outright malice, but the doubling down on these horrific practices (algorithmically and opaquely destroying people) is so egregious that it doesn't really matter.

So they are not (at least in my opinion without seeing evidence to the contrary) outright malicious. But from the perspective of a site owner, I think they should be considered as such and therefore mitigations and defense should be a part of your planning (disaster recovery, etc).

I do not trust management folks, whose paychecks and promotions are dependent on how successful such hostile actions are, to take the right decisions. I also do not think that they are deliberately ignorant/indifferent or that calling attention to it will do any good. These types of individuals got to where they are largely by knowing fully well that their actions are malicious and legal. I used to work under such people, and currently interact with and work with such people on a very regular basis (you could even consider me as part of them tbh). It is very much possible that the management level folks at Google don't have an ounce of goodness in them, and will always see such decisions from a zero-sum perspective.

To make it relatable, do you care so much for a mosquito if it's buzzing around you, disrupting your work and taking a toll on your patience? Because your SaaS is a mosquito to Google. After a certain point, you will want to kill the mosquito, and that's exactly what Google execs think so as to get to their next paycheck.

Great article. It’s not malice, it’s indifference.

Googles execs and veeps don’t care about small businesses, because most are career ladder climbers who went straight from elite colleges to big companies. Conformists who won’t ever know what it’s like to be a startup. As a group, empathy isn’t a thing for them.

Don't a lot of startup founders go to elite colleges and come from big companies?
The funded ones with the 2 year timelines generally are. But most startups are more bootstrap/angel investor with a bright owner who has a fatal flaw.
Is this an excerpt from your woefully unpublished startup culture fanfic novella? You can't just leave us hanging.
Agree, we can only vote with our clicks.

Sadly gmail and google docs are top notch products :(

No, we can't vote with our clicks. That's what it means when a handful of companies dominate most of the web and the web playing a dominant role in global economy.

We have very little real choice.

Occasionally people will pretend this is not so. In particular those who can't escape the iron grasp these companies have on the industry. Whose success depends on being in good standing with these companies. Or those whose financial interests strongly align with the fortunes of these dominant players.

I own stock in several of these companies. You could call it hypocrisy, or you could even view it as cynicism. I choose to see it as realism. I have zero influence over what the giants do, and I do have to manage my modest investments in the way that makes the most financial sense. These companies have happened to be very good investments over the last decade.

And I guess I am not alone in this.

I guess what most of us are waiting for is the regulatory bodies to take action. So we don't have to make hard choices. Governments can make a real difference. That they so far haven't made any material difference with their insubstantial mosquito bites doesn't mean we don't hold out some hope they might. One day. Even though the chances are indeed very nearly zero.

What's the worst that can happen to these companies? Losing an antitrust lawsuit? Oh please. There are a million ways to circumvent this even if the law were to come down hard on them. They can appeal, delay, confuse and wear down entire governments. If they are patient enough they can even wait until the next election - either hoping, or greasing the skids, for a more "friendly" government.

They do have the power to curate the reality perceived by the masses. Let's not forget that.

Eventually, like any powerful industry they will have lobbyists write the laws they want, and their bought and paid for politicians drip them into legislation as innocent little riders.

We can't vote with our clicks. We really can't in any way that matters.

That being said, I also would like regulatory bodies to step in and do something about it. To level the playing field. If nothing else, to create more investment opportunities.

Do you think the 1982 breakup of AT&T would have been possible in today's political reality?
Stock picking is not realism.
If by that you mean that valuations are not the result of a rational process, you are correct.

But investment strategy isn't so much about any underlying reality as it is about the psychology of market participants. You don't invest based on what you hope will happen, but what you believe will happen.

They have the option of not wielding the hammer. I for one never appointed them the guardian of the walled internet.
This. Why is there an implicit agreement that okay Google is the gatekeeper. It shouldn't be. The internet did not appoint Google as the gatekeeper.
>The internet did not appoint Google as the gatekeeper.

Uh, it kind of did, when internet-savvy early adopters (and developers) convinced all their friends, then family, then acquaintances, to switch to Chrome a decade ago.

I know there's probably a very large number of FOSS-only types on this site who would disagree with that assessment, and claim that they've always been in the Firefox camp, but the sheer market share of chrome clearly shows that they are the minority.

Everyone switched to chrome because they were tired of IE having too much power and not conforming to standards. Nowadays web devs often build chrome-first, using chromium-only features, and the shoe has almost migrated to the other foot.

> Why is there an implicit agreement that okay Google is the gatekeeper.

Because they run a popular browser and don't want their users getting scammed?

For each tech savvy person mad about this, there's 10 non-tech-savvy people completely oblivious that could get scammed by phishing sites we'd consider obvious.

Sure, they should do a better job, but that blacklist is probably millions of websites big at this point. It's the kind of thing where a perfect job is essentially impossible, and the scale means that even doing a decent job is going to be extremely difficult.

> I for one never appointed them the guardian of the walled internet.

On the other hand, lots of chrome users most likely do trust google to protect them from phishing sites. For those ~3 billion users a false positive on some SaaS they've never heard of is a small price to pay.

It's a tricky moral question as to what level of harm to businesses is an acceptable trade off for the security of those users.

I actually don't think this is that hard to fix though.

I'm a fan of google doing their best to protect people from scammers. The real issue here is no way to submit an escalated help request when they accidentally mess up. eg they could build a service where -- and I doubt scammers would play -- $100 (or even $1k) would escalate a help request with a 15 minute SLA. I run a business; we would have no problem paying an escalation fee.

I can already see the headlines on HN:

"How Google Runs a Pay-to-Play Protection Racket"

I mean, that's their whole business anyway, so...

Format your site to suit google, or they don't index it.

Add headers to your emails or google reduces deliverability.

Pay for clicks on your own company's name or google sells ads against the name of your company! They monetize navigation queries.

Run your site through amp and let google steal your traffic or google pushes your search rank down the page.

Let google steal answers to questions contained on your site and display them as answers w/o sending people to your site, or they deindex you (see tons of examples, but also genius).

Let google steal your carefully curated and expensive photographs for google shopping and use them for the item from other vendors or you can't list items in google shopping.

etc etc etc... it's nothing new. So we may as well encourage them to do a more helpful job of what they were going to do anyway.

This was the old Microsoft support model: opening a case cost $99(IIRC), but if the case was actually a MS bug/issue they’d waive the fee.
It might have started at $99 but it's much higher now. I think the last time I used it it was $299 but that was at least 2 decades ago. Fortunately it was their bug.
The trade-off isn't between increased phishing vs. increased false positives. It's being able to get a human on the phone vs Google's profit margins. Break them up already.
So browsers should just let users go to obvious phishing sites?

It's easy to take this position when you're very tech savvy. Imagine how many billions of less tech savvy people these kinds of blocklists are protecting.

It's very easy to imagine a different kind of article being written: "How Google and Mozilla let their users get scammed".

I mean, it was barely a decade ago when my parents computers regularly got filled with malware and popups and scams. They regularly fell for bullshit online. Maybe they have gotten more savvy, but I feel like this has overall greatly decreased, in a world where there's actually increasingly more bad actors.
IMHO, it sounds like it worked. The things you changed sound like it's made your site more secure. In the future, Googles hammer can be a bit more precise since you've segregated data.

And you don't know what triggered it. It's possible that one of your clients was compromised or one of their customers was trying to use the system to distribute malware.

It's only more secure from Google's blacklist hammer.

No significant security is introduced by splitting our company's properties into a myriad of separate domains.

This type of incident can be a deadly blow to a B2B SaaS company since you are essentially taking out an uptime sensitive service that a lot of times has downtime penalties written down in a contract. Whether this is downtime will depend on how exactly the availability definition is written.

To add to this - by splitting and moving domains you've hurt your search rank, eliminated the chance to share cookies (auth, eg) between these domains, and are now subject to new cross-domain security dings in other tooling. Lose-lose.
We're talking about user uploads into a ticket system. They should not be publicly available at all. It won't hurt search rank.
If you split up your user uploaded material into per client subdomains you will know which one is uploading the malicious files. And your clients can block other subdomains limiting their exposure as well. Is it a huge improvement? No, but at least it's something
It's not clear from other commenters that had similar issues that GSB would not outright ban the entire domain instead of specific subdomains.

In this case, the subdomain they banned was xxx.cloudfront.net, and we know they would not block that whole domain.

We might consider that approach in the future, but I foresee complications in the setup.

Is this list only maintained by Google? Do Firefox and Bing use the same list, is their process better/different? Is there any sharing happening?
SmartScreen is a different list. (And has a "This website isn't malicious!" button.)
That is malice.

Accidentally unleashing a process that harms people is negligence. Not caring that you are being negligent is malice.

Have you considered not using a 3rd party for hosting your JavaScript? There is always going to be some risk if the code isn’t under your control.
"never attribute to malice that which is adequately explained by stupidity" and all that, but after the events and the almost perfectly orchestrated behavior we've seen in the past and last couple of weeks it's becoming increasingly difficult, at least to me, to not attribute this to malice. Probably deliberate negligence is a better term. They know their systems can make mistakes, of course they do, and yet they build many of their ban-hammers and enforce them as if hat wasn't the case.

This approach to system's engineering is the technological equivalent of the personality trait I most abhor: the tendency to jump quickly to conclusions and not be skeptical of one's own world-view.

[1] https://en.m.wikipedia.org/wiki/Hanlon%27s_razor#cite_note-m...

Thanks, I totally agree. Just to be clear I'm not saying it's malice as I don't believe that. I'm just saying the end result is the same so one should consider them a hostile actor for purposes of threat modeling.

Given you're the second person who I think took away that I was accusing them of malice, I probably need to reword my post a bit to reduce confusion.

Accusing them of malice is irresponsible without evidence, and if I were doing that it would undermine my credibility (which is why I'm pointing this out).

> Thanks, I totally agree. Just to be clear I'm not saying it's malice as I don't believe that. I'm just saying the end result is the same so one should consider them a hostile actor for purposes of threat modeling.

No worries at all! I interpreted your post the way you intended; and I agree fully being also in InfoSec.

Going by how you phrased your original post, you're probably more patient and/or well-intentioned than me as I'm farther along the path of attributing mistakes by big, powerful corporations to malice right away.

They probably aren't malicious, but they are definitely antagonists.
>”never attribute to malice that which is adequately explained by stupidity"

I keep reading this on the internet as if it’s some sort of truism, but every situation in life is not a court where a prosecutor is trying to prove intent.

There is insufficient time and resources to evaluate each and every circumstance to determine each and every causative factor, so we have to use heuristics to get by and make the best guesses. And sometimes, even many times, people do act with malice to get what they want. But they’re obviously not going to leave a paper trail for you to be able to prove it.

> I keep reading this on the internet as if it’s some sort of truism

I don’t believe this statement was initially intended to be axiomatic, rather, to serve as a reminder that the injury one is currently suffering is perhaps more likely than not, the result of human frailty.

I would agree. It's not useful in the context of remediation or defense, but on a human emotional level it's extremely helpful.

When Google kills your business it doesn't help your business to assume no malice, but it may help you not feel as personally insulted, which ultimately is worth a lot to the human experience.

Humans can be totally happy living in poverty if they feel loved and validated, or totally miserable living as Kings if they feel they are surrounded by backstabbers and plotters. Intent doesn't matter to outcome, but it sure does to the way we feel about it.

I'm not sure it's even attributable to stupidity (necessarily) as attributable to automation or, more long-windedly, attributable to the fact that automation at scale will sometimes scale in wacky ways and said scale also makes it nearly impossible--or at least unprofitable--to insert meaningful human intervention into the loop.

Not Google, but a few months back I suddenly couldn't post on Twitter. Why? Who knows. I don't really do politics on Twitter and certainly don't post borderline content in general. I opened a support ticket and a follow-up one and it got cleared about a week later. Never found out a reason. I could probably have pulled strings if I had to but fortunately didn't need to. But, yeah, you can just randomly lose access to things because some algorithm woke up on the wrong side of the bed.

>said scale also makes it nearly impossible--or at least unprofitable--to insert meaningful human intervention into the loop.

Retail and hotels and restaurants can insert meaningful human intervention with less than 5% profit margins, but a company with consistent $400k+ profit per employee per quarter can not?

https://csimarket.com/stocks/singleEfficiencyeit.php?code=GO...

This is what I'm talking about in my original comment about the malice and stupidity aphorism.

Someone or some team of people is making the conscious decision that the extra profit from not having human intervention is worth more than avoiding the harm caused to innocent parties.

This is not a retail establishment barely surviving due to intense competition that may have false positives every now and then because it's not feasible to catch 100% of the errors.

This is an organization that has consistently shown they value higher profits due to higher efficiencies from automation more than giving up even an ounce of that to prevent destroying some people's livelihoods. And they're not going to state that on their "About Us" page on their website. But we can reasonably deduce it from their consistent actions over 10+ years.

Fair enough. Scale does make things harder but my $FINANCIAL_INSTITUTION has a lot of scale too and, if I have an issue with my account, I'll have someone on the phone sooner rather than later.
You're saying that as if it contradicts (“but”) what lotsofpulp said, but that was exactly their point: If your bank can do it, then so could Google. That they choose not to is a conscious choice, and not a beneficious one.

Conrad's corollary to Hanlon's razor: Said razor having been over-spread and under-understood on the Internet for a long while now, it's time to stop routinely attributing lots of things only to stupidity, when allowing that stupidity to continue unchecked and unabated actually is a form of malice.

(Hm, yeah, might need a bit of polishing, but I hope the gist is clear.)

Meta: I’ve vouched for this comment. You have been shadowbanned.
I thought I was agreeing. "Fair enough."
I'd go with: "Sufficient stupidity[1] is indistinguishable from malice"

[1]: Where stupidity is further defined as "willful ignorance"

I was just paying a bill online.

I had loading images turned off in my browser.

So I get the checkbox captcha thing, and checking it is not enough, so I have to click on taxis, etc. Which didn't initially show because of images being off.

I eventually did turn on images for the site and reload it. But at first, I was like "wait a minute, why should I have to have images on to pay a bill?" and I clicked a bunch of things I'd never tried before to see if there was an alternative. It appears that you have to be able to do either the image captcha or some sort of auditory thing. I guess accessibility doesn't include Helen Keller, or to someone who has both images and speaker turned off (which I have done at some times).

Maybe this is hard for someone younger to understand, but when I was first using computers, many had neither high quality graphics nor audio - that was a special advanced thing called "multimedia". It feels like something is severely wrong with the world if that is now a requirement to interact and do basic stuff online.

Genuinely-handicapped users should certainly have accommodations that allow them to pay bills using the necessary accessibility tools. It's always tricky to keep those tools from being leveraged by spammers and phishers, though, as witnessed by how TDD services for the deaf were misused in the past. Hard problem to solve in general, either through legislation or technology.

But if you're an ordinary user without special challenges, why would you expect anything to work after turning images off in your browser? If you're that much of a Luddite, maybe computers and technology aren't appropriate areas of interest for you to pursue.

Once upon a time, it was not only easy to find the option to disable image loading, but you could easily load them a la carte, by right clicking on any placeholder.

With the browser I use now, it seems to only let you reenable images per-site and then you have to dig in settings to delete the exception.

There IS a Load Image menu item when I right click...but it does nothing! Neither does "Open image in new tab".

I think it's unfortunate if there is a "long tail" of features in a typical application these days that are not expected to work.

What frustrates me personally is that there used to be a Firefox extension to suppress displaying a particular image, which is no longer available. I can't see the utility of disabling all images, but that extension was nice because you could use it to remove things you were tired of seeing like obnoxious backgrounds, avatar photos, and even some ads. Once you right-clicked on an image and told it to remove it, you'd never see it again, even in subsequent browsing sessions.

This extension died during one of Firefox's periodic Purges of Useful Functionality(tm), and I've been looking for another one ever since. So to some extent I see where you're coming from, but a general jihad against sound and images in the browser seems pretty radical.

I think you have a point, and it's important to not be naive as people out there will steamroll those around them if given the opportunity. Personally I try to not immediately assume malice because I've found it leads to conspiracy-minded thinking, where everything bad is due to some evil "them" pulling the strings. While I'm sure there are some real "Mr. Burns" types out there, I can't help but feel most people (including groups of them as corporations) are just acting in self-interest, often stumbling while they do it.
The saying is for your own sanity. If you go around assuming every mistake is malicious, it’s going to fuck up your interactions with the world.

Everyone I know who approaches the world with a me vs. them mentality appears to be constantly fraught with the latest pile of actors “trying to fuck them”.

It’s an angry, depressing life when you think that the teller at the grocery store is literally trying to steal from you when they accidentally double scan something.

One does not have to choose between assuming everything is malice or everything is stupid. Situations in the real world are more nuanced, and hence the saying is inane.
It’s not though. Assuming malice is incorrect 99.9% of the time and correctly identifying that other fraction offers so little upside. What good does it do to realize earlier that the person is malicious and not incompetent?
It's a truism not because people are never malicious, but because we tend to see agency where there is none. Accidents are seen as intentional. This tendency leads to conspiracy theories, superstitions, magical thinking, etc. We're strongly biased towards interpreting hurtful actions as malice.
Well, I think the stupidity and laziness is exacerbated by their ill will towards customers and users. This is also what prevents them from reforming. The general good will and sense of common purpose was necessary in Google's early days when they portrayed themselves as shepherds of the growth of the web. Now they are more like feudal tax collectors and census takers. Sure they are mostly interested in extracting their click-tolls, but sometimes they just do sadistic stuff because it feels good to hurt people and to be powerful. Any pseudo-religious sense of moral obligation to encourage 'virtuous' web practices has ossified, decayed, been forgotten, or been discarded.
I was thinking about this this week in the context of online shopping with in store delivery. My wife recently waited nearly half an hour for a “drive up” delivery where she had to check in with an app. Apparently the message didn’t make it to the store, and when she called half way into her wait she wasn’t greeted with consolation, but derision for not understanding the failure points in this workflow.

It seems that the inflexible workflows of data processing have crept into meatspace, eliminating autonomy from workers job function. This has come at the huge expense of perceived customer service. As an engineer who has long worked with IT teams creating workflows for creators and business people, I see the same non-empathetic, user-hostile interactions well known in internal tools become the standard way to interact with businesses of all sizes. Broken interactions that previously would be worked around now leave customer service reps stumped and with no recourse except the most blunt choices.

This may be best for the bottom line, but we’ve lost some humanity in the process. I fear that the margins to return to some previously organic interaction would be so high that it would be impossible to scale and compete. Boutique shops still offer this service, but often charge accordingly and without the ability to maintain in person interactions at the moment, I worry there won’t be many left when pandemic subsides.

Very poignant observation. I have run into this as well in situations in meat-space everywhere from the DMV queue to grocery pickup.

Empathy and understanding for fellow humans is at an all time low, no doubt exacerbated by technologies dehumanizing us into data points and JSON objects in a queue waiting for the algorithm to service.

As wonderful as tech has made our lives, it is not fully in the category of "better" by any stretch. You're totally right about margins being too high, but I do hope it opens up possibilities that someone is clever enough to hack.

One of the things I hate the most is people I'm transacting with telling me something has to be done in a certain way because that's how "their system" works.

A recent example, I forgot to pay my phone bill on time and network access got turned off. I came to pay it on Friday, and they tell me the notice will appear in their systems only on Monday and then it takes 2 days for the system to automatically reactivate my access. No, they can't make a simple phone call to someone in the company, yes I will be charged full monthly price for the next month even though I didn't have access for a few days, nothing we can do - ciao

Systems (normally) model organizational processes, so companies with garbage processes usually have garbage systems in place too. This highly specific case reeks of fraud, and you should be able to report them to some kind of ombudsman so you could get your couple days' worth of fees back.
I would bet they have some terms & conditions the person agreed to that leaves them legally SOL.
I would also bet that the right kind of escalation leads directly to the desk of someone who will give them a refund.
Yes, the terms probably were written when it took two days for a check to clear.

No, the ombudsman probably can’t get legal to update the T&Cs

Contracts by definition cannot bind people into illegal conditions, and there's degrees of neglect that can be considered illegal. The entire point of an ombudsman is to keep actors within "this is not illegal" lines; I'm guessing you could do this on small claims court too, but with the plague and everything it can take a lot longer
I have not been noticing that.

I am finding the poorly paid workers who provide service to me polite and helpful.

Perhaps this is geography? Different in different places?

I'd add to this that willfully refusing to remedy stupid can be an act of malice.
That's a very good point. Actually, I just thought about something in the context of this conversation: one's absolute top priority, both in life and tech, should be to stop the bleeding[1] that emerges from problematic circumstances.

Whether those problematic circumstances, harm, arise due to happenstance, ignorance, negligence, malice, mischievousness, ill intentions or any other possible reason is ancillary to the initial objective and top priority of stopping the bleeding. Intent should be of no interest to first respondents, rather customers or decision makers in our case, when harm has materialized.

Establishing intent might be useful or even crucial for the purposes of attribution, negotiation, legislation, punishment, etc. All those, however, are only of interest, in this context, when the company in question hasn't completely damaged their brand and the public, us, hasn't become unable to trust them.

All this to say, yes, this is a terrible situation to be in, how are we going to solve it?

Do I care if Google is doing harm to the web due to being wilfully ignorant, negligent, ill-intentioned, etc? no, not an iota, I care about solving the problem. Whether they do harm deliberately or for other reasons should be of no interest to me in the interest of stopping the bleeding.

[1] https://isc.sans.edu/diary/Making+Intelligence+Actionable/41...

I agree with your sentiment. Modeling intent is useful in two cases: (1) predicting the future, and (2) in court. When modeling intent has no predictive power, it’s generally irrelevant, as you said.
I would argue that a consistent behave defeats the benefit of the doubt or involuntary stupidity. Also I believe most of good sounding quotes may be easy to remember but not backed by many truths.
I think mistakes just happen and are possibly just as helpful as they are harmful to Google. If they find something they particularly hate or damaging they can just "oops" their way to the problem being gone. Take Firefox[1], each time a service went "oops" on Firefox they gained marketshare on Chrome.

I have no doubt they'd use similar "oops" for crushing a new competitor in the ad space. Or perhaps quashing a nascent unionizing effort. It's all tinfoil of course because we don't have any public oversight bodies with enough power to look into it.

[1] https://www.techspot.com/news/79672-google-accused-sabotagin...

That's the nature of a dominant position. It gives you the power to engineer "heads I win, tails you lose" dynamics.
"Consciously malicious" is not a good rule of thumb standard to measure threats to yourself or your business; it only accounts for a tiny bit of all possible threats. GP isn't claiming that Google is consciously malicious, they are claiming that you should prepare as if they were. These are not the same thing.

A lion may not be malicious when it's hunting you, it's just hungry; look out for it anyway. A drunk driver is unlikely targeting you specifically; drive carefully anyways. Nobody at Google is specifically thinking "hehehe now this will ruin jdsalareo's business!" but their decisions are arbitrary, generally impossible to appeal, and may ruin you regardless; prepare accordingly.

Yes, exactly what I meant, thank you.

And very well said I might add. I don't mean to leave a vapid "I agree with you" comment, but your analogies are fantastic. They are accurate, vivid, and easily understandable.

"The decisions are arbitrary, impossible to appeal, and may ruin you."

This is a monopoly.

Google may be a monopoly, but this quote has nothing to do with monopoly status. It has to do with power.

As a local businessman I can ruin someone’s life by applying the right legal pressure. Likewise, if one of my customers is reliant on my product to run their own business, and I drop them suddenly (akin to what google sometimes does), that could ruin them. But it’s not because I’m a monopoly, only because people rely on me. Monopoly implies there’s no choice, and while that IS true with google and search. It is not implied by “arbitrary, impossible to appeal, and may ruin you”. The two are distinct (though often related) problems that are both exemplified in Google.

I personally find Hanlon's Razor to be gratuitously misapplied. Corporate strategy is often better described as weaponized willful ignorance. You set up a list of problems that shall not be solved or worked on, and that sets the tone of interaction with the world.

Plus financial incentive creates oh so many opportunities for things to go wrong or be outright miscommunicated it is not even funny.

Your comment made me think that they have the same attitude with support as they do with hiring, they are ok with a non fine-tuned model as long as the false positives / negatives impact individuals rather than Google’s corporate goals.
Employees and managers at Google get promoted by launching features and products. They're constitutionally incapable of fixing problems caused by over-active features for the same reason they've launched seven different chat apps.
We are all living at the whim of Google’s technical debt.
They're never gonna care. They aren't incentivized to care. The only thing that can change the situation is the power of the American federal government, which needs to break Alphabet into 20-50 different companies.
> nobody in power at Google cares

My assessment might be “nobody in power has time to prevent the myriad of problems happening all of the time, even though they handle the majority, with help from businesses, government agencies, etc., and given the huge impact of some problems to society as a whole, they may feel as though they’re rising in the front seat of a roller coaster, unaware of your single voice among billions from the ground down below.”

I'm with you on the rest, but what has DO done to not have the benefit of doubt?

Also, to your point, an organization becomes something else than the sum of its parts, especially the bigger it gets.

Google can be a malicious actor without necessarily having individuals make act maliciously.

Yeah that's a fair question. I had a bad personal experience with them, but I've also seen plenty of issues too. There was a big one a little while ago about how Digital Ocean destroyed somebody's entire company by banning them with AI: https://news.ycombinator.com/item?id=20064169 Original Twitter thread: https://twitter.com/w3Nicolas/status/1134529316904153089

In their defense they acknowledged it and some changes. I can't find the blog post now so going from memory. But that only happened because he got lucky and it blew up on HN/twitter and got the attention of leadership at DO. How many people have beenh destroyed in silence?

In my case, Digital Ocean only allows one payment card at a time and my customer (for whom the services were running) provided me with a card that was charged directly.

A couple months later my customer forgot that he had provided the card. He didn't recognizer "Digital Ocean" and thought he had been hacked (which has happened to him before) and called the bank and placed a chargeback.

When DO got the charge back they emailed me and also completely locked my account so I was totally unable to access the UI or API. I didn't find out about the locked account until the next day. I responded to the email immediately, and called my customer, who apologized and called the bank to reverse the chargeback. I was as responsive as they could have asked for.

The next day I needed to open a port in the firewall for a developer to do some work. I was greeted with the dreaded "account logged" screen. I emailed them begging and pleading with them to unblock my account. They responded that they would not unlock the account until the chargeback reversal had cleared. Research showed that it can take weeks for that to happen.

I emailed again explaining that this was totally unacceptable. It is not ok to have to tell your client "yeah sorry I can't open that firewall port for your developer because my account is locked. Might be a couple of weeks." After a day or so, they finally responded and unlocked my account. Fortunately they didn't terminate my droplets, but I wonder what would have happened if I had already started using object storage as I had been planning. This was all over about $30 by the way.

After that terrifying experience, I decided staying on DO was just too risky. Linode's pricing is nearly identical and they have mostly the same features. Prior to launching my new infrastructure I emailed their support asking about their policy. They do not lock accounts unless the person is long-term unresponsive or has a history of abuse.

I've talked with Linode support several times and they've always been great. They're my go to now.

I see where you're coming from. I've also had a bad experience with DO (CC arbitrarily blocked them which ended up with my droplets getting terminated and all data and backups wiped). That was at least as much an error on my part, though.

It does seem that they're unfortunately borrowing the playbook from AWS/Azure/GCP wrt over-automization as they scale. More old-school support could have been their differentiator, but it seems they're going for growth. They're getting close to the razor's edge.

Jon Williams, circa 1987, wrote a story of a far-flung humanity's future in "Dinosaurs," in which humans had been engineered into a variety of specialized forms to better serve humanity. After nine million years of tweaking, most of them are not too bright but they are perfect at what they do. Ambassador Drill is trying to prevent a newly discovered species, the Shar, from treading on the toes of humanity, because if the Shar do have even a slight accidental conflict as the result of human terraforming ships wiping out Shar colonies because they just didn't notice them, the rather terrifyingly adapted military subspecies branches of humanity will utterly wipe out the Shar, as they have efficiently done with so many others, just as a reflex. Ambassador Drill fears that negotations, despite his desire for peace, may not go well, because the terraforming ships will take a long time to receive information that the Shar are in fact sentient and billions of them ought not to be wiped out ...

Google, somehow, strikes me as this vision of humanity, but without an Ambassador Drill. It simply lumbers forward, doing its thing. It is to be modeled as a threat not because it is malign, but because it doesn't notice you exist as it takes another step forward. Threat modeling Lovecraft-style: entities that are alien and unlikely to single you out in particular, it's just what they do is a problem.

Google's desire for scale, scale, scale, meant that interactions must be handled through The Algorithms. I can imagine it still muttering "The algorithms said ..." as anti-trust measures reverse-Frankenstein it into hopefully more manageable pieces.

Sounds like a non-aligned AI.
It essentially is a non-aligned AI. AIs don't need to be implemented in silico. Bureaucracy is by itself a computing medium too.
That makes me wonder if someone has ever written a scientific paper proving that the bureaucratic processes in place at their company are Turing Complete. You can imagine some sort of Rule 110 cellular automaton being implemented in TPS reports.
A cellular automaton over office documents would be a nice thing to try! That said, a proof of turing-completeness of bureaucracy is relatively trivial:

  FROBNICATION QUERY      ID [#1234]

  1. Requester data
     [bunch of boxes]
  1a. (*) Details on stuffs
     [bunch of boxes]
  1b. (*) Details on different stuffs
     [bunch of boxes]
  (...)
  4. Additional documents
    - [Frobnication Registration #432]
    - [Frobnication Query #1111]

  --
  (*) - Fill section a) if $something. Fill section b) if $somethingelse.
With sections 1a/1b implementing conditional branching, and section 4 implementing storage.
> proving that the bureaucratic processes... are Turing Complete

It's called COBOL

> Google's desire for scale, scale, scale, meant that interactions must be handled through The Algorithms

That's fine when you're a plucky growth startup. Less fine when you run half the internet.

If Google doesn't want to admit it's a mature business and pivot into margin-eating, but risk-reducing support staffing, then okay: break it back up into enough startup-sized chunks that the response failure of one isn't an existential threat to everyone.

I agree. Google is such a large behemoth who actively tries to avoid customer support if they can. Splitting it to smaller business with a bit of autonomy and not having to rely on ad money fueling everything else means those smaller businesses have to give a shit about customers and compete on even ground.

Same applies to Facebook and other tech companies. The root issue is taking huge profits from area of business into other avenues which compete with the market on unfair ground (or out right buying out competition)

However anti-trust in US has eroded significantly.

> However anti-trust in US has eroded significantly.

Perhaps compared to the 40s-70s, but certainly not compared to the Reagan era. Starting with the Obama administration, there's been a strong rebirth of the anti-trust movement and it's only gaining momentum (see many recent examples of blocked mergers)[1].

[1] https://hbr.org/2017/12/the-rise-fall-and-rebirth-of-the-u-s...

The Obama admin used it only to attack enemies.

Renata Hesse was part of that effort, and has since worked for Google and Amazon, and is now expected to be in charge of anti-trust at Biden's DOJ.

And as long as the internet giants are on the correct side of the culture war there will be scant appetite for breaking them up or reigning them in. As long as you need 5 phone calls to silence someone and erase them from the online, there is no chance in hell that the government will try to break them up.
This is probably a big part of why Google is invested in (limited) AI, because a good enough "artificial support person" means having their cake and eating it too.
The issue with (limited) AI is that it's seductive. It allows executives to avoid spending actual money on problems, while chalking failures up to technical issues.

The responsible thing would be to (1) staff up a support org to ensure reasonable SLAs & (2) cut that support org when (and if) AI has proven itself capable of the task.

This lack of staffing is something that really annoys me. It's all over the big tech companies, and is often cited as the reason why (for example) YouTube, Twitter, Facebook, etc cannot possibly proactively police (before publishing) all their user content due to the huge volume.

Of course they can; Google and the rest earn enough to throw people at the problems they cause/enable. If they can't, then they should stop. If you cannot scale responsibly, then you should not scale at all as your business has simply externalised your costs onto everyone else you impact.

There is a limit to which problems you can throw people at, though. Facebook’s and Youtube’s human moderators suffer from the trauma of watching millions of awful videos every day. Policing provocative posts that are dogwhistling while still allowing satire and legitimate free expression is incredibly challenging and requires lots of context in very different fields. It’s not as simple as setting up a side office in the Philippines and hiring a thousand locals for moderation.
Yes: skilled labor. This is not a novel problem. Other companies create internal training pipelines and pay higher wages to attract those sorts of employees, when they're critical to business success.
> That's fine when you're a plucky growth startup. Less fine when you run half the internet.

It's never fine.

The abdication of responsibility and, more importantly, liability to algorithms is everything that's wrong with the internet and the economy. The reason these tech conglomerates are able to get so big when companies before them couldn't is because it's impossible to scale the way they have without employing thousands of humans to do the jobs that are being poorly done by their algorithms. Nothing they're doing is really a new idea, they just cut costs and made the business more profitable. The promise is that the algorithms/AI can do just as good of a job as humans but that was always a lie and, by the time everyone caught on, they were "too big to fail".

> It's never fine.

It kind of is, though.

The idea is that the full algorithm is "automation plus some guy". Automation takes care of 99.9% of it, and some guy handles the 0.01% that's exceptional, falls through the cracks, and so on.

The problem is when you scale from 100,000 events per day to half a trillion, and your fallback is still basically "some guy". At ten failures a day, contacting The Guy means sending an email, and maybe sometimes it takes two. At a million failures a day, your only prayer of reaching The Guy is to get to the top of HN, or write a viral Twitter thread.

There are some things which are important enough that they can't be left up to this formula, and maybe you're thinking of those. I'm not, and I doubt the person you're replying to is either.

> It simply lumbers forward, doing its thing. It is to be modeled as a threat not because it is malign, but because it doesn't notice you exist as it takes another step forward.

This is a concept that I think deserves more popular currency. Every so often, you step on a snail. People actually hate doing this, because it's gross, and they will actively seek to avoid it. But that doesn't always work, and the fact that the human (1) would have preferred not to step on it; and (2) could, hypothetically, easily have avoided doing so, doesn't make things any better for the snail.

This is also what bothers me about people who swim with whales. Whales are very big. They are so big that just being near them can easily kill you, even though the whales generally harbor no ill intent.

I'm curious if whales more dangerous on an hour-by-hour basis than driving?

That's generally my rubric for whether a safety concern is possibly worth avoiding an activity over.

> I'm curious if whales more dangerous on an hour-by-hour basis than driving?

It depends on how many passengers you pack in a whale.

My understanding is that a Chrysler as big as a whale can seat about 20. (Love Shack, 1989)
Your making another perfect case of why Google should be broken up. It’s important that we can choose again.
Thanks for the story recommendation!
Modern large corporations are just an more inefficient, less effective paperclip maximizer, with humans gumming up the works.

Google is striving hard to remove the "human" part of the problem.

After finished reading the parent comment,

> Google's desire for scale, scale, scale, meant that interactions must be handled through The Algorithms. I can imagine it still muttering "The algorithms said ..." as anti-trust measures reverse-Frankenstein it into hopefully more manageable pieces.

I immediately pressed C-f to search the string "paperclip maximizer", and was not disappointed. Thanks for mentioning it.

> “You will have killed us,” Gram said, “destroyed the culture that we have built for thousands of years, and you won’t even give it any thought. Your species doesn’t think about what it does any more. It just acts, like a single-celled animal, engulfing everything it can reach. You say that you are a conscious species, but that isn’t true. Your every action is... instinct. Or reflex.

Good story. I can imagine what the specialized humans did to the generalist humans eons ago.

Except in our case, Google's terraforming ships couldn't care less. It's just not part of their programming that there might be some intelligent life out there worth caring about that might be hurt by their actions, so there's no way for them to receive this information. It's not that it's hard to explain, there's nobody to explain it to.
Thanks for mentioning this story; I just finished it and it's a great read.
Of course they care. They've taken over everything they've been able to take over and they're still going strong. This is not by mistake. They just care about different things than you do. This is why Google needs to be broken up.
Your clients will hate you for this as you are creating false positives. Sure, Google is sometimes unethical, but calling them a malicious actor? Really?
Massive bureaucratic nightmares never act with malice, but the people get crushed all the same.
Worms on the sidewalk.
> I am not saying Google is acting with malice (I don't believe they are personally)

I'd agree. The problem is there is no financial or regulatory incentive to do the right thing here.

It has zero immediate impact on their bottom line to have things work in the current fashion, and the longer term damage to their reputation etc. is much harder to quantify.

There's no incentive for them to fix this, so why would they?

Following "Consider Google as a malicious actor/threat" with "I am not saying Google is acting with malice" is probably a strong indicator that you should have thought it through before posting it.
"Consider as" does not mean "is". Your lack of reading comprehension is not the fault of the poster.
They care, but the dominant policy in Google's calculus about what features should be released is "Don't let the exceptional case drown the average case." A legitimate SaaS providing business to customers might get caught by this. But the average case is it's catching intentional bad actors (or even unintentional bad actors that could harm the Chrome user), and Google isn't going to refrain from releasing the entire product because some businesses could get hit by false positives. They'd much rather release the service and then tune to minimize the false positives.

To my mind, one of the big questions about mega corporations in the internet service space is whether this criterion for determining what can be launched is sufficient. It's certainly not the only criterion possible---contrast the standard for us criminal trial, which attempts to evaluate "beyond a reasonable doubt" (i.e. tuned to be tolerant of false negatives in the hope of minimizing false positives). But Google's criterion is unlikely to change without outside influence, because on average, companies that use this criterion will get product to market faster than companies that play more conservatively.

Nah-- I think you've got it all wrong. The problem isn't the false positive/false negative ratio chosen.

The problem is that there's false positives with substantial harm caused to others and with little path left open to them by Google to fix them / add exceptions-- in the name of minimizing overhead.

Google gets all of the benefit of the feature in their product, and the cost of the negatives is an externality borne by someone else that they shrug off and do nothing to mitigate.

One solution, perhaps, could be to have some kind of turnaround requirement---a "habeas corpus" for customer service.

By itself, it won't solve the problem... The immediate reaction could be to address the requirement by resolving issues rapidly to "issue closed: no change." But it could be a piece of a bigger solution.

> they probably don't realize what's happening and will fix it

“If only the czar knew!”

Google Safe Search is only half the story. Another huge problem is Google's opaque and rash decisions about what sites throw up warnings in Chrome.

I once created a location-based file-transfer service called quack.space [0] very similar to Snapdrop, except several years before they existed. Unfortunately the idiot algorithms at Chrome blocked it, throwing up a big message that the site might contain malware. That was the end of it.

I had several thousand users at one point, thought that one day I might be able to monetize it with e.g. location based ads or some other such, but Google wiped that out in a heartbeat with a goddamn Chrome update.

People worry about AI getting smart enough to take over humans. I worry about the opposite. AI is too stupid today and is being put in charge of things that humans should be in charge of.

[0] https://www.producthunt.com/posts/quack-space

[1] https://snapdrop.net/

(comment deleted)
I'd go a step further and claim that most tech companies are ultimately a threat to people's freedom and happiness. Not the tech itself, but the people that wield and profit from it.
It's probably "scale thinking" that makes google seem like they don't care: Everything is huge when you're "at scale"; the impact of a small blunder can take down companies or black out nation states. It's part of the game of being "at scale". They probably believe that it's untenable to build the necessary infrastructure to where everything (website, startup, person, etc.) matters.

This will sound crass, but it reminds me of Soviets cutting off the food supply to millions of people over the winter, due to industrial restructuring, and they brushed it off as "collateral damage".

Google has a lot of control of the Web.

Much less control of the Internet.

One lesson is use IP and not the Web.

(Googler)

You are only focusing on the negatives while completely ignoring the positives here.

Here are a few questions to consider that may give you better perspective:

1) Do you know the magnitude of financial and psychological damage caused by malware, phishing, etc on the web?

2) Do you believe that it is possible to have a human review every piece of automation generated malware on the internet?

3) Do you believe it is possible to build an automated system that provides value with zero false positives?

4) Do you think an open standards body or government bureau would perform any better at implementing protections from the threats described here?

2*) Do you believe that it is possible to have a human review every FALSE POSITIVE result from automated malware detection on the internet, when reported by those adverse affected by the false positive result?

Yes, yes I do. Banks do it for their customers today at scale.

So what happens when the fraudsters automate clicking the "request review" button? They can spin up as many phishing sites as they want, and request as many human hours in review as they want.

With banks, they only have to do that for their customers, whom they've at least had a chance of getting money from. But Google would need to provide it to every site which gets blocked, (as malware sites pretend to be legitimate). Which

There are plenty of mechanisms to tackle this problem. But you have to want to care.
Author here - I don't underestimate the complexity of the task that Google Safe Browsing tries to accomplish.

But: Do you believe there is no room for improvement in an automated, opaque system with clear evidence of malfunction, that quite succinctly decides if hundreds of people go unemployed when their company tanks for nothing other than an incorrectly set threshold on some algorithm?

That is the real question to ask. Google is nowhere near its limits in terms of capability, as is made abundantly clear by its extremely comfortable financial position.

I do agree that there's room for improvement. There's always room for improvement, but there are also limits to the transparency one should provide for an anti-abuse system. It's difficult for anybody except for an expert in this area to say what would be a safe and satisfactory way to expose appeal and remediation for false positives. In the example from the story it looks like the turn around time was just an hour for your case, which seems rather good. The fact that not all consumers of this data were as responsive looks out of Google's control, and should be taken up with those companies.

I don't agree with the premise of your last question. It's not Google's responsibility to protect the internet and provide a free anti-abuse database for other browser vendors, and yet Google does do this at significant cost. The fact that they don't do it perfectly is not a rationale for killing it or providing it with infinite resources.

> It's not Google's responsibility to protect the internet and provide a free anti-abuse database for other browser vendors, and yet Google does do this at significant cost. The fact that they don't do it perfectly is not a rationale for killing it or providing it with infinite resources.

I think that's a naive perspective. Google did not create the database to be nice to other vendors, and it also did not make it available to them for that purpose.

An Internet-wide blacklist represents strategic leverage over competitors (or maybe even dissonant voices, should the need arise) and an massive source of data collection probe points. These facts were certainly brought up internally and deemed worth the risk when the massive legal liability of this product was assessed.

Therefore, because of the pervasiveness of this system, it needs to be handled responsibly. They are not doing anyone a favor by making sure it functions correctly. Google is well aware of this, because they don't need regulators and lawmakers gaining yet another excuse to try and dismantle them.

> I use Linode now as their support is great and they don't just drop ban hammers and leave you scrambling to figure out what happened.

Linode once gave me 48 hours to respond (with threats to take down the site) because a URL was falsely flagged by netcraft based on what looked like an automated security scan of software I was hosting. Granted, they did not take any action and dropped the report once I pointed out that it was bullshit, but I do not consider this great service. If there is no real evidence of wrongdoing I should not be receiving ultimatums.

This is not new; such things happened many times in the past (25 years ago Microsoft was the behemoth trampling small companies) and will happen again. I do not think Google is doing it consciously -- this is probably just collateral damage from some bot or rule.

The way to handle it is to reduce dependencies on the cloud. This does not mean cutting cloud services altogether, but once the company is big enough (and the author talks about 1000s SMEs and millions of users), plan for graceful degradation with a fallback to a different provider and another fallback to owned servers.

This takes work and reduces capability during the crunch, but it is often a lot easier and cheaper than people think if planned properly and not in a shotgun style of crisis engineering. My 2c.

Author here. The scary bit is that the blacklist is enforced client side in Chrome and other programs. Our servers and systems were running just fine when this happened, but if Google Chrome refuses to open your website, you're still down.

The closest parallel I can think of are expired SSL certificates, but the level of transparency and decentralization of that system vs. this opaque blacklist is not really on the same league.

Some derisking solution may be wrapping your web app as native client. E.g. Electron app is Chrome technically but you get more control over its settings. I know Microsoft (SmartScreen) and Apple may block apps for many reasons too but at least you get more baskets for your eggs.
Yeah i read stories that Yahoo in 1990s called itself a media company and it's product managers "producers" out of fear that once you call yourself a software company - Microsoft will crush you...

As for using clouds - there is absolutely no point in the world to use them for anything above staging level, or very very low level launches. People should switch away from cloud as soon as they see even tentative signs of a product-market fit.

You will save so, so much money switching away from clouds too.

No, you don't need to use a hundred different AWS/GCP/whatever services, and yes, managing your own infrastructure is a lot easier than you think (and sometimes easier/faster than AWS).

The Stack Exchange network, at least around 2018 or so, was hosted on 12 servers they own!

Completely agree. The clouds are still very comfortable for development though, and i use them a lot. But i'd never even think of using cloud in production.
> this is probably just collateral damage from some bot or rule

The point is, collateral damage and/or false positives are not acceptable for a service with an impact like this. In the real world, we consider them war crimes, etc. Bots and rules are implementations of policies and policies come with responsibility.

> I do not think Google is doing it consciously -- this is probably just collateral damage from some bot or rule.

"Collateral damage" from some bot or rule just means that Google doesn't care enough about the edge cases (which, at Google scale, are particularly harmful): Google consciously decided this when implementing their algorithms.

Being completely blacklisted is very bad, but u know at least that something needs fixing. Imagine if google partially punishes u and downrank you in the search for no reason. This is harder to figure out. It took us several months to discover such a problem until finally we registered to google websmaster tool.
what was the problem?
What are you talking about? The article said that they didn't change anything, because they found nothing wrong with the site. The ban from google was totally random without any explanation. And it went away without any changes or explanations about what was wrong.
Can anyone "in the know" objectively comment if Google Safe Browsing (GSB) has had a net positive result or outcome for the Internet, at large?

Has GSB helped users, more than it has hurt them?

The anti-Google rhetoric [on HN] is becoming more tiresome as of late. Personally, I welcome the notifications in my browsers that a domain is unsafe. I can't possibly be the only one.

I think GSB is great because there is no other product like it, it is very fast to respond to most threats and it can be used for free. The only thing about it that's not great is, in typical fashion, the lack of transparency about some of the processes. Not about how phishing verdicts are created, this should remain a closely guarded secret, but about what actually happens when you send a report or send a review request.
Author here. It's not really rhetoric, I wrote the post because it's downright scary that your business of over 10 years can vanish in a puff of smoke because Google didn't bother to require an offending URL field in an internet-wide blacklist. At the level they operate, there needs to be a semblance of due process.
Updated my post to make it more clear I was referring to HN and not your post specifically.
What about false positives?

From the fine article: one Google system was detecting emails coming from another Google system as phishing. This is ridiculous.

It's needed to make sure you can not claim bias. For example Google blocking competitors, or unfavourable information.
The problem, from HN's perspective, is that false positives on GSB hurt businesses a lot more than they hurt users or the internet at large.

If I'm a random person browsing the internet at large, and a website I try to visit gets flagged as "possibly malicious", well, I probably didn't need the information or services on that particular website that badly anyway. I can find another website that offers the same information and services easily enough. Meanwhile, if my computer or browser is infected with malware, that's pretty bad for me personally. I could lose money, time and personal data and security. The potential consequences are bad enough that I really shouldn't risk it.

On the other hand, if my business is blocked by GSB, that is very bad for my business. The customers I don't lose are going to lose confidence in me. Meanwhile, the cost to me if I am accidentally hosting malware is pretty minimal. Even if a large number of my users are harmed by the malware, they're unlikely to be so harmed they stop paying me, and it's pretty hard for to know where you picked up malware, so it's unlikely to be traced back to me. I've never actually heard of a lawsuit from an end-user against the website they downloaded malware from.

A false negative from GSB is a lot worse for internet users than a false positive; an internet business, on the other hand, would prefer a false negative to a true positive, let alone a false positive.

Add in that internet business owners (or people highly invested in internet businesses through their jobs) are over-represented on HN, and it's no surprise that HN is not a fan of Google Safe Browsing.

> an internet business, on the other hand, would prefer a false negative to a true positive, let alone a false positive.

[Emphasis mine]

This is crucial and it's why the sub-threads imagining suing Google aren't going anywhere. Google will very easily convince a judge that what they're doing is beneficial to the general public, because it is, even though some HN contributors hate it because they'd prefer to meet a much lower standard.

What I'm seeing a lot of in this thread is people saying OK, maybe a burger we sold did have rat droppings in it, but I feel like our kitchen ought to be allowed to stay open unless they buy at least a few hundred burgers and find rat droppings in a statistically significant sample and even then shouldn't I get a few weeks to hire an exterminator? Isn't that fairer to me?

It seems similar to the move from client side spam filters to the server side.

Spam filtering really didn’t get better with the change (for me), but now it’s orders of magnitude harder to run an email server.

Taking the article at face value, GSB makes it much harder to run a reliable web site. Has centralization of email into surveillance organizations hurt more than the benefit from saving bandwidth to download spams, and automatically deleting them at the client?

How much damage will (further) centralization of web hosting onto social network sites (Facebook, Twitter, GitHub, Stack Exchange, etc, etc.) hurt the internet?

It’s arguably already done more harm than good. I can’t even find a decent recipe that a high end laptop can efficiently display. I used to be able to download cookbooks worth of recipes, and my 386 could load them instantly.

It's hard to argue against "safe". If they would name it "filtered browsing" it might be something arguable, but "safe browsing" who wouldn't want that?
If Safe Browsing were offered by some neutral internet organization (e.g., similar to IANA) I wouldn't mind. But it's offered by a private company: so it's naive to think that GSB benefits anyone other than Google itself.
I'd guess a large net positive among the general population but maybe neutral for the tech literate like HN readers. Most tech-literate people are careful enough to recognize tactics used by phishing sites and won't click on phishing links, or would click and immediately figure out it's phishing. That cannot be said for the general population.
Yes, the power of something like Google Safe Browsing is scary, especially if you consider the many many downstream consumers who might have an even worse update / response time. Responsiveness by Google is not great, as expected, we recently contacted Google to get access to the paid WebRisk API and haven't heard anything in a few months...

However, phishing detection and blocking is not a fun game to be in. You can't work with warning periods or anything like that, phishing websites are stood up and immediately active, so you have to act within minutes to block them for your users. Legitimate websites are often compromised to serve phishing / malicious content in subdirectories, including very high-level domains like governments. Reliable phishing detection is hard, automatically detecting when something has been cleaned up is even harder.

Having said all that, a company like Google with all of its user telemetry should have a better chance at semi-automatically preventing high-profile false positives by creating an internal review feed of things that were recently blocked but warrant a second look (like in this case). It should be possible while still allowing the automated blocking verdicts to be propagated immediately. Google Safe Browsing is an opaque product / team, and its importance to Google was perhaps represented by the fact that Safe Browsing was inactive on Android for more than a year and nobody at Google noticed: https://www.zdnet.com/article/mobile-chrome-safari-and-firef...

Lastly, as a business owner, it comes down to this: Always have a plan B and C. Register as many domains of your brandname as you can (for web, email, whatever other purpose), split things up to limit blast radius (e.g. employee emails not on your corporate domain maybe, API on subdomain, user-generated content on a completely separate domain) and don't use external services (CDN) so you can stay in control.

(comment deleted)
The story he links to, about the "Online Slang Dictionary" being removed from google search because the founder of Urban Dictionary was friends with googlers (true) and (allegedly) used his influence is fascinating:

http://onlineslangdictionary.com/pages/google-panda-penalty/

My plans to trickle out details of my conversation with the Google employee were put on hold due to a massive change in my life responsibilities due to the novel coronavirus, but it’s my intention to resume soon.

As I say on the website, this will culminate in my releasing the MBOX formatted file of the conversation, with full headers.

> I received an automated email confirming that the review had been successful around 2 hours after that fact. No clarification was given about what caused the problem in the first place. ... We never properly established the cause of the issue, but we chalked it up to some AI tripping on acid at Google's HQ.

I expect more of this Kafkaesque experience to come in the future.

This is no longer a technical problem, but a social one. It can only be solved through legislation.

Author here. The second time around, the review confirmation email took around 12 hours to get to us.
Thank you for posting all the info here. And I’m glad that you managed to fix the problem. I think it must have caused you a lot of stress.
Yes, this was a massive headache and we got very lucky with the timing of the incident and the blast radius of the system in question. I can't really say the issue is fixed so much as it is mitigated, hence the writeup to gain some awareness. Some of the other comments have valuable anecdotes too.
Great, so legitimate businesses need to implement tactics commonly used by c2c and malware to operate successfully
I wonder if a blockchain/bittorrent decentralized option could exist to replace google.

most people don't have billions lying around to compete, but you could reward people who rented out space for the indexing data, and have advertisements baked in that could maybe still use some retargeting but without tracking any personally identifiable data about a person.

Nodes could double as ai/cpu processing for algorithms related to search and storage. Computation and storage amounts could have their own payout per action, or per time on storage.

Most people have their computers on all the time anyways, so if they're working in the background for them to earn some side income, while helping create a better internet.

Would need some centralization I'd imagine though, I think the problem with de-centralization is the goal is ALL or nothing.

Like one or two big servers that maybe tie everything to the rest, and push 'updates' on algorithms, contracts,etc... to end users. Maybe a segregation index, knowing all airplane related searches are indexed on cluster c which has nodes 1-8, so you know where to go to get the info being searched.

I'm a mainly full-stack but 'dumb' developer, not an algorithms wiz, mostly focused on crud apps. But this would be fun to build.

Wait until this is also applied to a list of domains from the SPLC and other groups to further censor “hate speech” on the internet.
I wonder if it would be faster to deal with this through legal. I’m not a lawyer, but I wonder if you could send a C&D to Google legal or something because this seems like an actual case of slander and reputation damage.
If your systems have any number of nines in their SLA, drafting a letter to Google's legal department is not a viable strategy.
To any lawyers or even well-read armchair legal analysts, could this be a case of libel?
Once you enter litigation with Google, good luck accessing your Android.

You may believe this is extreme, but many people have had their Gmail account suspended without known reason. So if they also have a reason...

So de-google first, then sue.

Otherwise you might as well give up and conclude that google not just controls the internet but is also above the law.

If you are a big enough company your lawyers could have a stern but relatively friendly chat with Google’s lawyers.

I can neither confirm or deny this myself...

Yeah my thought behind this was you are a large enough or wealthy enough company that you can afford lawyers. If you are an individual or mom and pop business whose blog or small e-commerce shop are blocked then you are probably SOL.
Our company [0] was also hit by this too.

We receive email for our customers and a portion of that is spam (given the nature of email). Google decided out of the blue to mark our attachment S3 bucket as dangerous, because of one malicious file.

What's most interesting is that the bucket is private, so the only way they could identify that there is something malicious at a URL is if someone downloads it using Chrome. I'm assuming they make this decision based on some database of checksums.

To mitigate, we now operate a number of proxies in front of the bucket, so we can quickly replace any that get marked as dangerous. We also now programmatically monitor presence of our domains in Google's "dangerous site" database (they have APIs for this).

0: https://www.enchant.com - software for better customer service

Author here. I'm not sure exactly how they actually decide to flag. Alternatively, Amazon might somehow be reporting files in S3 onto the Google blacklist.

It would seem surprising, but it's the other possibility.

> What's most interesting is that the bucket is private, so the only way they could identify that there is something malicious at a URL is if someone downloads it using Chrome. I'm assuming they make this decision based on some database of checksums.

Doesn't Chrome upload everything downloaded to VirusTotal (a Google product)?

(comment deleted)
The hashes of all things that match a "probably evil" bloom filter, yes.

Hosting a virus on a domain and then downloading it a few times with different chrome installations sounds like a good way to get the whole domain blacklisted...

That's why user uploads are worth some thought and consideration. File uploads normally gets treated as a nuisance by developers because it can become kind of fiddly even when it works and you are getting file upload bugs from support.

It normally isn't that much of a challenge to mitigate the issues, but other things get priorities. Companies end up leaving pivots to XSS attacks and similar bugs too.

Google has a great service for this called Checksum. You upload a file checksum and it validates it against the database of all known bad checksums that might flag your website as unsafe. The pricing is pretty reasonable too and you can proxy file uploads through their service directly.

I'm actually not telling the truth but at what point did you realize that? And what would be the implications if Google actually did release a service like this? It feels a bit like racketeering.

Ha! You got me. I was like, wow, that sounds really useful. I'd love to sign up for that, and built my app to use it, if that were the case.

But then, I realized: 1). I'd be integrating further into Google because of a problem they created (racketeering), and 2). They seem to really dislike having paying customers (even if they made it, they'd kill it before long).

And 3), they would later update their evil-bloom-filter and all of the sudden the file you paid to get verified is now an Evil File, and they blacklist you anyway.

They actually blacklist you even faster, because of course they have in their database that you have the now-evil-file.

Real shame if this domain got blocked because of a contraband file, eh? Just pay us and we'll make sure you don't have any problems.
Why isn't Dropbox blacklisted? Too big?
Dropbox actually provides an unique domain for each and every user - and separates the UGC from the web front code and Dropbox own assets that way - that's where the files you preview/download are actually coming from. I have no doubt a fair number of those is blacklisted.
unique TLD? that should be very costly?

or does GSB not ban the entire TLD when a subdomain has malicious content?

Would be great if our overlords at least publish the overzealous rules we need to abide by.

Dropbox DL and Preview urls take a form of https://uc[26 character hex string].dl.dropboxusercontent.com/... and https://uc[26 character hex string].preview.dropboxusercontent.com/... - it does not have to be a separate TLD to avoid being blocked, but it has to be differentiated.

This is the same reason why the block of the TFA company did not cause an outage of everyone using CloudFront - GSB does not block full TLDs if it can be shown content is distinct. Same for anyone using S3, Azure equivalents and so on.

I wonder if there's a threshold here.. When I researched this issue (while we were figuring out how to mitigate it), I did encounter some people who had their entire domains blocked because 1 subdomain had bad content. In fact, this thread itself has mention of that happening to neocities
Author here. It's really not clear what criteria GSB uses to decide at which level the ban should apply.
Probably when the ratio of bad sites to good sites at a particular subdomain level passes a threshold.
Or when a significant litigation risk is perceived, if the domain level block review is human
My Google-fu is failing me right now, but there is a list of domains like dropboxusercontent.com that are treated as pseudo second-level domains for purposes like this.

e.g. u1234.dropboxusercontent.com is treated as a unique domain just like u1234-dropboxusercontent.com would be.

Edit: here we go, from another comment - the Public Suffix List: https://publicsuffix.org/

I wonder if that could be triggered even when the certificate chain is not validated... you could MITM yourself (for example, using Fiddler) and make Chrome think it's downloading files from the real origin. In that case, an attacker could do that from multiple IPs and force Google to flag your whole domain.
Sounds rather too resource-intensive? I've just tried with current Chrome on Windows and a 32MB zip on my personal domain, Wireshark says the file has not been sent anywhere.
Wouldnt it be more efficient to grab it in parallel to your download?
That only shifts the bandwidth cost between the original server and the user, Google's resources are unaffected. And it's not what GP claimed.

I just checked the nginx access logs - both the 32MB and the 8MB zip files have been accessed only once (both were created only for this experiment).

> Doesn't Chrome upload everything downloaded to VirusTotal (a Google product)?

It doesn't, unless you opt for SafeSearch "Enhanced Protection" or enable "Help improve security on the web for everyone" in "Standard Protection". Both are off by default, IIRC. Without it, it periodically downloads what amounts to bloom filter of "potentially unsafe" URLs/domains.

On the other hand, GMail and GDrive do run the checks via VirusTotal, as far as we know - which means that OP case may have been caused by having some of the recipients having their incoming mail automatically scanned. It's similar for Microsoft version (FOPE users provide input for Defender Smart Screen), at least last time I checked.

What happens if it is a hit against the bloom filter / checksum? Would it transmit the URL so that it can be blocklisted?
https://developers.google.com/safe-browsing/v4/update-api#ch...

TL;DR is you download a chunk of SHA-256 hashes and check if the hash for your URL is there. There is of course the chance of collision but that is minuscule.

Oh I know that's how that works, I meant, does Google transmit back the URLs once it does get a hit, to protect others from downloading that file?
Why would it need to do that? To protect others from the same url, the same hash checking method should work.
The blacklisted URL in this case is found in a downloaded file from a S3 bucket.

Other people downloading the same file would get the same "protection", but in this case this goes a step further:

The S3 bucket itself gets then blacklisted. As it was a private bucket, one of the ways this could happen is that once chrome found the blacklisted URL, it sent back to Google the url (s3 bucket) where the file with the blacklisted URL was found.

Or you could screen your attachments for malware?
We do, but it's not good enough for Google.
(comment deleted)
One corporation must not have so much power over billions of citizens of many countries. A power like that must only come from a transparent non-profit organization with a publicly elected management board.

We will get to that point sooner or later. But the road there will be long and painful.

Said NPO will be captured and subverted when the need arises and it is cost effective to do so.
> We will get to that point sooner or later.

Is there anything in particular that makes you believe that it'll eventually happen?

Because personally my outlook on things is a bit more pessimistic - oftentimes the main concerns of individuals and organizations alike are financially-oriented and few share the enthusiasm for transparency and openness like Richard Stallman does.

The trend of SaaSS ( https://www.gnu.org/philosophy/who-does-that-server-really-s... ) because of companies not wanting to invest time in engineering their own solutions or even using FOSS, alongside with how many of them are handling GDPR and even cookie compliance, with the use of UX "dark paths" (e.g. it being easier to accept advertising cookies rather than deny them) doesn't let me keep a positive outlook on things.

It feels like we'll all be reliant on the "tech giants" for a variety of things for the decades to come, even "de-Googling" oneself not always being feasible.

>Is there anything in particular that makes you believe that it'll eventually happen?

Humans have demonstrated the ability to eventually improve social systems to make them account for the needs and demands of the majority of stakeholders. In the offline world it has evolved into what is known as democracy. It started several centuries ago and eventually evolved into modern governments as we know it - publicly elected management boards.

Recently, there was an excellent article [1] on HN. It rightfully compared the current state of internet to the feudal times and warlords common in the offline world many centuries ago. From that point through a long and painful process we've come to elected governments as the most sustainable form of governing a large number of humans. All other forms of government turned out to be unsustainable (no matter how attractive they were to certain individuals or organizations) and inevitably led to all kinds of social catastrophes.

I believe, the same will eventually happen to the internet, our new brave world we used to love, but now seem to become increasingly disenchanted with.

[1] https://locusmag.com/2021/01/cory-doctorow-neofeudalism-and-...

If their claim is false, then is it, in any jurisdiction, libelous?

Maybe, legislation to bring consequences for false claims will help ensure algorithms, and the support teams that monitor them, do a better job. In an internet focused world, especially one with lock downs, wiping sites off of the internet with false claims is a heinously bad act.

As of today there are no legal protection framework for digital services.

Banking is heavily regulated , you are protected by hundreds if not thousands of laws.

For digital services ? Twitter and Google can legitimately suspend ALL your accounts because you liked a Trump video on YouTube or Tweeted something « Hateful » to Biden.

You can try to go court. You will loose 100% of the time. They are private businesses operating within their own terms, there is not « false » flag or wrong « ban »

They’re private businesses offering a free service, they can cease to offer that at any moment that they want.

In this case they do not provide a service to the OP. There is no agreement between OP and Google.

This is happening on browsers of their customers. And I'm quite sure that if Google hits a company that competes with Google services there must be a law that they will be breaking.

There was a big case in Poland where Google blocked a SaaS web shop provider using the same exact mechanism [0]. Polish courts decided that Google claims displayed on block page were untrue. Unfortunately, the suing company did not receive compensation, because Google Poland does not operate Chrome browser. The court indicated that the right party to sue is Google incorporated in USA...

[0] https://www.silesiasem.pl/iai-przegralo-proces-sadowy-z-goog...

Aside from abusive dominent position there is no law they would break.

When you download and use chrome you ACCEPT the Terms and Conditions of Google.

There is no law that prevents a web browser from blocking access to a website or modifying the page . If the TOS stipulate « pages may differ from the original or be subject to third party software » , they are in within their rights and the customer accepted it when he started using the product.

Don’t get me wrong. I’m on OP sides and everything , but we have let big tech become too big by giving us free stuff for decades.

Now they they decide what’s good for us or not with side effects that often damage small business.

But I insist that in 99% , they operate within the law.

I'm not a US citizen, but just 5 min of scanning US laws makes me think that there are basis for a lawsuit.

Essential facilities doctrine seems to be appropriate: https://en.wikipedia.org/wiki/Essential_facilities_doctrine

Google has already been condemned by UE for this type of issue for 150M. That's literally nothing , at least not enough to hit their wallet.

This type of battle take months if not years in court and cost millions of dollars.

Google products can be shipped and removed in a few weeks , far beyond the reach of operation of the current judiciary system.

Today the problem is GHS , tomorrow it'll be "GSuite Safe Account" or "Youtube Safe Video" etc...

There is no point in taking Google to court just for a "one time" condemnation, it's a systematic issue that is tied to Google itself.

EU is working on addressing these issues. They specifically want to label companies like Google as "gatekeepers" in The Digital Markets Act.

From: https://www.pinsentmasons.com/out-law/news/gatekeepers-face-...

> In case of violations, the new law would provide for fines of up to 10% of a gatekeeper's total global turnover. Lasseur said: "The fines are high, but they correspond to the usual sanction regime for violations of European competition law."

> In the event of a repeated offence, following a detailed market investigation by the Commission, the company could even be broken if the Commission finds that there is no effective alternative to ensure that the gatekeeper obligations are complied with.

The fines will no longer be just a cost of doing business, but an existential threat. It may take 10 or 15 years in courts but EU will break down likes of Google for repeated offenses even if the relevant products will no longer exist.

You ignored the issue of libel, though. Do you have a reason it's not?
There may be a number of civil causes of action available...

But litigate against a multi-billion dollar tech company? good luck.

These companies are borderline immune to prosecution by the government, much less a small business.

I'm unsure whether it would be ruled libel, but I lean towards yes it would. There are two ways of seeing it:

1) It is a false statement by google themselves (so no §230 protection) that caused material damage and is thus libelous 2) It is an opinion protected under free speech, and the free behavior of a private company, and the words like "may have" show it is not a statement of fact, and "deceptive" is just an opinion.

Yet it feels very wrong and definately Google's fault, and Google should be responsible for the damages, morally speaking.

It's more than just a false statement, the pop-up is keeping users from visiting the website. However, Google doesn't intend to harm these companies in order to gain competitive advantage, it just harms them accidently, so the monopoly argument also has problems.

It seems to me that we need a new law, or that current jurisprudence has let this one slip through and perhaps there will (in America) never be a proper crime for this situation due to divergent jurisprudence in this space that left open this gap.

I would like to know whether it has been tested in court, or if anyone is in process of doing so.

This seems like something the FTC should be looking into, abuse of market position.
Of particular note:

"Don't host any customer generated data in your main domains. A lot of the cases of blacklisting that I found while researching this issue were caused by SaaS customers unknowingly uploading malicious files onto servers. Those files are harmless to the systems themselves, but their very existence can cause the whole domain to be blacklisted. Anything that your users upload onto your apps should be hosted outside your main domains. For example: use companyusercontent.com to store files uploaded by customers."

Pardon my ignorance as I have few years of web dev experience. What exactly does it mean to store data on a domain? Does he mean serve data via a domain URL? And if so, how does Google have discovery of that data?
Author here. Yes, "serve" is the correct interpretation. It is not clear how Google gets ahold of offending URLs within blacklisted domains (like the article says, there were no offending URLs provided to us).

Theories:

* Obtained from users of Google Chrome that load specific URLs in their browsers

* Obtained from scanning GMail emails that contain links to URLs

* Obtained from third parties that report these URLs

The main way is via the Googlebot crawler.

They also use user reports from Chrome, and links in "mark phishing" emails from Gmail. Those latter two cases the URL is considered private data, so won't be reported in webmaster tools.

We’ve seen internal firewalled URLs in the webmaster tools, so I’m not sure the private data works as intended.
Maybe there is some kind of "if multiple users see the same URL, it isn't private" logic going on.
I've seen some bot of Google's in the server logs on my in-construction not-publicly-available page, a minute after I opened the page in Chrome. That was about five of six years ago, shortly before I stopped using Chrome.
How would you even “store” data on a domain?
Look up how DoH and ECH store public keys in the DNS system :)

Not what the author intended but DNS as a Database is a thing.

Ah yes, customer generated data sounds just like public keys
We’re pretty sure they get reports from Chrome. A security researcher at my workplace was running an exploit against a dev instance as part of their secops role and got the domain flagged, despite the site being an isolated and firewalled instance not accessible to the internet.
Yes, I have noticed that creating a brand new dev domain with crawler blocking norobots file, it is not found on any search on Google, until I open the dev url in Chrome, then bam! watch as their crawler starts trying to search through the site just from opening the url in Chrome.

This is why I never use Chrome. They scrape the Google Safe Browsing sent from chrome browsers and just do not care about privacy.

Maybe it's from search suggestion API? Anyway, I turn that off as soon as I create a new browser profile, along with the safe browsing list and automatic search when I type unrecognized URL. When I want to search I use search input of the browser. (ctrl+k) URL bar is for URLs only.
You realize that robots.txt is an "on your honor" system and that any one can write a script that doesn't look at robots.txt and post anything they find to the internet and that therefore other sites could find your site via 3rd party data.

Chrome does not do what you claim it does

I have trialed this several times, not using chrome and everytime I then use it, the site can be found on google. Remember, these sites are completely unlinked and fresh URLs. So, yeah it really does..
But that means they can't verify it, right? Couldn't a malicious actor use this to attack their competitors?

Add an internal DNS entry for your competitor's domain, spin up an internal server hosting some malware and open it from chrome.

We use a fair number of google products, and you can turn on a lot of enhanced protection, and many businesses do. This means even password protected / private URLs may generate scans from what I've seen. I'm not sure how they actually fingerprint files (maybe locally) but it seems pretty broad

This seems to work across a lot of google products (gmail, drive, chome etc) so it scoops up a ton.

More here:

https://security.googleblog.com/2020/05/enhanced-safe-browsi...

Not sure if this is related to safe browsing. We also can turn on more scanning and other features of all email users.

The key though, if you allow users to PUT files onto your S3 (even private / signed in) then google may scan them. That means if your user uploads a suspicious file to a trouble ticket system, if there IS a virus in there and google sees it, wham. Obviously most folks will segregate those uploads off into their own s3 bucket by user/account to avoid contamination, but you really have to be careful not to hose viruses AT ALL on your key domains.

I imagine your service still won't have a great time when Google blacklists companyusercontent.com

A proper mitigation would be to serve user data from one domain per user, no?