71 comments

[ 3.8 ms ] story [ 151 ms ] thread
This bot's behaviour made me drop all Google products.

A few years ago it marked my company's entire domain as unsafe without any reason. Any human would have been able to tell the flag was incorrect, but "algorithm says no".

There is no team in Google to escalate to, no team managing this service, and no way to get an incorrect flag lifted in anything like an acceptable timeframe.

In the meantime, Gmail just silently decided to drop any email I either sent or received that mentioned my own domain name. I didn't know my customers were notifying us of the problem, and they weren't getting any of my updates. It was horrific. Our production service was down for ~ 3 days whilst Google just sat on their hands and refused to do anything about it. We were running a highly visible citizen-facing service for the UK Government and Google didn't care they'd broken it for everyone.

This runaway bot is a menace to the web and I refuse to give Google any more money until they've demonstrated they can run this responsibly.

This is the thing that needs to be regulated. It will force these companies to spend actual money on stuff. they’ll be still insanely profitable but not able to run quasi monopolies on infrastructure and extract all profits while externalising all the damage.
I agree in principle, and this is a shitty situation for the GP, but Google's "contract" with the public doesn't even comprise a gentlemen's agreement. They don't owe anybody anything, they're just the cool kid at school who won't acknowledge your existence. You can't (and shouldn't be able to) force them to be your friend. You can't claim harm because someone stopped being friends with you either.

There is a question to be asked of where does one draw the line about policing stuff that happens in virtual reality. Are we to start prosecuting people for espionage and insider trading in Eve Online too? Can we punish the church because God isn't answering my prayers in a timely manner?

(I don't think regulation is the answer. They had their 15 minutes of fame; it's time for everybody to form a new clique and cut Google out of it-- just like the Twitter exodus.)

In practice Google is more like the security guard at the school entrance, who decides you can't come in and won't tell you why. Not just a popular kid who ignores you.
It doesn’t matter, the EU already has definitions for companies that are big enough to be of public interest.

The majority of economic value creation over the long run happens on the internet, it’s high time to adjust the laws to match physical reality.

You can’t just randomly discriminate against people in the physical worlds too.

Regulation absolutely is a solution that should be pursued. Companies are responsible for what their automated services do. Your two examples are absurd red harrings and not at all comparable to this situation.
Well, it seems like Google / Alphabet ran a bunch of their services at a loss for years, until their practical competitors had been extinguished.

Youtube and Gmail spring to mind, though there seems to be a resurgence of people moving away from Gmail these days (my perception anyway).

Since Google wanted to be a monopoly in various markets so badly, they should be required to serve those markets properly.

Like, with customer service / support, and similar. "You won! Here are the consequences..."

It's a shame the push a while ago for them to be regulated like a utility didn't succeed.

Google is effectively the gatekeeper to the internet for most people. That did not happen by accident, but through deliberate actions on their part.

They owe it to society to manage what they've built in a fair and attentive fashion, or to give it up to someone who will, for the public good.

If there's one thing that Google couldn't care less about, it's "the public good".
Which is why we need regulations to make holders of effectively public commons responsible.
> no way to get an incorrect flag lifted in anything like an acceptable timeframe

Define "acceptable timeframe"

Surely you'd agree that breaking a government service for 3 entire days is unacceptable!?

Ideally they'd have an SLA measured in hours, the lower the better. Like 1. Because the consequences of their bot flagging a domain are so severe, both in terms of availability and in reputational damage.

If you're about to submit commercially sensitive information to a company providing a service on behalf of your government and instead you see a massive red screen that screams of dire consequences of using that site, how likely would you go back and try again later? They need to be damned sure they're right, and to provide a quick way to resolve false flags.

Instead the only answer I got from Google was "lol, no".

1 picosecond is the acceptable time frame for google to block my connections to someone's server. I don't need their permission to visit. It is why I turned off the feature the first time I got a red screen in 2010 or thereabouts.
Yet there are many more users that actually get protected from actual phishing thanks to Safe Browsing. A microscopic false positive rate does not a bad tool make.
yet there are nonetheless many people harmed by the service, an issue unresolved by any amount of unrelated goodness

>A [low] false positive rate does not a bad tool make.

It does, if your tool fails to address the issue of false positives to the satisfaction of the people you harm with them, and especially if it fails to provide a quick, easy, direct line to humans, to deal with false positives

obviously it's not acceptable to screw people over and justify it by saying "we're not screwing over everybody, and look, we're doing good stuff, too!”

if you can't resolve the negative externalities of your service to the satisfaction of the people you're harming with them, don't roll out the service

> obviously it's not acceptable to screw people over and justify it by saying "we're not screwing over everybody, and look, we're doing good stuff, too!”

That's the thing, the benefits immensely outweigh the small negatives. Small inconvenience from even tens of thousands of false positives out of tens of billions site visits is such a small cost.

You do understand that the alternative would be most phishing sites remaining active for days, if not months, if this service didn't exist? That means a significantly higher amount of people getting significantly more inconvenienced than some false positives cause.

> if you can't resolve the negative externalities of your service to the satisfaction of the people you're harming with them, don't roll out the service

Case study of letting the perfect become the enemy of the good.

> That's the thing, the benefits immensely outweigh the small negatives

that's the thing: they don't. both co-exist, and you must address the negative externalities individually, vs. saying "well we think we do more good so suck it, too bad" to the people you harm.

> You do understand that the alternative would be most phishing sites remaining active for days, if not months, if this service didn't exist?

the alternative could be a meteor hitting the planet, that doesn't justify your creating new negative externalities and unleashing them on the world with no reasonable recourse for the people you harm

indeed, your stated excuse for wrongdoing is a case study in letting the ends justify the means

you also neglect the many other alternatives, one of which is properly staffing and funding enough humans to deal with the harm you're inflicting on other people, and providing easy access to them from the people you've harmed, and scaling your service up only so long as you can support that proper level of staffing

> the alternative could be a meteor hitting the planet, that doesn't justify your creating new negative externalities and unleashing them on the world with no reasonable recourse for the people you harm

Either you have no clue how much phish there really is or you know exactly. In both cases it sucks to be you.

> you also neglect the many other alternatives, one of which is properly staffing and funding enough humans to deal with the harm you're inflicting on other people, and providing easy access to them from the people you've harmed, and scaling your service up only so long as you can support that proper level of staffing

Sure, you're free to pay for an antivirus product that does the same and you can contact them.

It's thankfully not up to you to decide if people want to be inconvenienced or protected by what Google offers for free.

> Sure, you're free to pay for an antivirus product that does the same and you can contact them.

this is disingenuous: sure, you could, but no amount of antivirus can stop google from blocking customers or potential customers from seeing you without either of your informed, affirmative consent

in any case, thankfully your opinions that the ends justify the means (and also justify easily avoidable negative externalities), and that the lack of recourse available to the people you harm is somehow justified (unspecified how), seems to be the exception among people, rather than the norm

one wishes google actually cared what people thought, rather than professing to know better than them what's best, and directing them through the service without their informed, affirmative consent

> this is disingenuous: sure, you could, but no amount of antivirus can stop google from blocking customers or potential customers from seeing you without either of your informed, affirmative consent

No amount of Google will stop an antivirus from doing the same without your consent. What's your point? Anti-phish solutions must have the site owners' consent? Don't be ridiculous.

based on your non-response to them, it sounds like you're conceding the following points:

- google could harm people less by providing recourse to the people they harm, but instead chooses not to;

- your suggestion that those harmed by google "just use another antivirus software" is irrelevant and doesn't apply here;

- market forces would not, in fact, be involved here;

- disabling Google's opt-out-only service is more than trivial for the average user; and

- google exploits this non-triviality by making the service opt-out, vs opt-in with informed consent.

> No amount of Google will stop an antivirus from doing the same without your consent.

I wish this didn't need to be explicitly specified, but "someone else could harm people" isn't a defense for google actively harming people

if that happened, and the antivirus company was in google's place, and they also failed to provide recourse to the people they were harming with their negative externalities, that would also be bad, just like it is now bad that google is actually doing it

so, what exactly is your point here in trying to justify google harming people via negative externalities while at the same time totally failing to offer proper recourse to them, when google has the option of harming people less, and chooses to avoid that option?

> I wish this didn't need to be explicitly specified, but "someone else could harm people" isn't a defense for you actively harming people

A statistical inevitability is a defense for something. The world doesn't have perfect things.

Stop trying to frame something bad just because it isn't perfect. If you manage to stop that, then it would be possible to have a constructive discussion.

> A statistical inevitability is a defense for something

no it isn't, and also being screwed over by the leading search provider isn't a statistical inevitably anyways

> Stop trying to frame something bad just because it isn't perfect. If you manage to stop that, then it would be possible to have a constructive discussion.

stop trying to justify the means with the ends, more specifically trying to justify google actively harming people (sorry to break the news to you, but harming people IS bad), just because they also happened to do a good thing, when they have the non-mutually-exclusive option to harm people less, and instead choose to avoid that option

if you manage to stop that, then it would be possible to have a constructive discussion about how google can harm people less, since currently it seems like you're okay with google actively harming people any amount less than or equal to the amount of "good" they claim to do (with the determination made by you personally, natch), even when they could choose not to

> no it isn't

If you think it's possible to be 100% accurate detecting phish then I've got a bridge to sell you.

if you think it's a statistical inevitability that every single website will eventually be screwed over by google, well, that's just weird given how much you've been defending google

even if that were true, it simply isn't a defense for google choosing to actively harm people: "google was going to screw over this site sooner or later, so you can't get mad at them for doing it now."

like, is that supposed to make google look better? It really doesn't.

If a weapons manufacturer made a gun that 1 in every billion times shot you in the head instead of your target, we wouldn't say, "well, sometimes accidents happen" and brush it off.

There would be a full investigation as to how and why this happened and someone somewhere would be held accountable.

Google in its current form is immune to the consequences of the decisions of its robots, and that is not acceptable.

> If a weapons manufacturer made a gun that 1 in every billion times shot you in the head instead of your target, we wouldn't say, "well, sometimes accidents happen" and brush it off.

A more apt comparison would be with seatbelts or airbags.

> Google in its current form is immune to the consequences of the decisions of its robots, and that is not acceptable.

The market forces are sufficient. If the FP rate climbs too high more people will disable the feature, easy.

>The market forces are sufficient

Try explaining that to people who lost tens of thousands of dollars or more in missed transactions due to Google's fuckups. I'm sure they will be consoled that one day if the right fairy farts in the right direction google will stop screwing people over in this particular way.

That's a business risk alright. Some other AV vendor or RBL might list you as well.

Inevitably anti-phish solutions end up with false positives, but it's utterly out of the question and silly to ask everyone to stand down defenceless.

I get that you're deadset on defending googoo no matter what, but surely you have to agree that the fact that they made browsers block access to your site AND that you have no ability to do anything about it short of filing a lawsuit or waiting for them to get around to fixing it if they ever do is unconscionable, right?

I get that it's a service.

I don't get how not having human intervention available to fix it when it goes wrong is defendable business practices.

> that they made browsers block access to your site AND that you have no ability to do anything about it short of filing a lawsuit or waiting for them to get around to fixing it if they ever do is unconscionable, right?

So do AV vendors. What specifically makes it not okay for Google? Have you tried delisting a website from other vendors' products? Microsoft SafeScreen?

If you want to hate on Google doing (or not doing) something, do it based on criteria that can actually be fulfilled.

considering the topic is google's wrongdoing, discussing google's wrongdoing seems appropriate

your repeated attempts to deflect to literally anything except google's wrongdoing makes it seem like you think google should receive special treatment versus the others you're deflecting to

if not, then take your issues with others up with others, or perhaps in a discussion about others, rather than in a discussion about google's wrongdoing, which we can discuss here

You're trying to discuss Google's inability to be perfect, I'm trying to give you a chance to ground this discussion in reality. So far you've dead-stuck on hating Google just for the sake of it, even if they'd deserve it, you're making the discussion ridiculous and useless.
you're refusing to discuss anything google has done which is imperfect

I'm trying to give you a chance to ground this discussion in unbiased reality

so far you're dead-stuck on defending google's decisions to harm people, but you've still failed to articulate a valid defense for it ("they also did good thing" is not a valid defense)

you're making the discussion (which, remember: is about google's wrongdoing) ridiculous and useless by refusing to discuss the topic and instead attacking people who do for "hating on google" or whatever other paranoid persecution fantasies you dream up

if you don't like people discussing the harms google is doing to people, why even join a discussion which is literally about that, and why attack people for discussing it? why not just move onto the next topic whose very existence doesn't personally offend you, and leave everyone here alone?

They're probably either a GOOGOO employee, a massive fanboy, a troll, or a paid shill.

If they're not one of those 4, then they are lamentably pathetic wasting their time like this.

> The market forces are sufficient. If the FP rate climbs too high more people will disable the feature, easy

do you have any evidence this is true? it seems like a hypothesis that you totally made up just now

it's hard to even imagine the feedback loop that would convince the average user to enter their browser settings and change one of them just to view a website for a product they're interested in but google wrongly blocked them from seeing

indeed, if it were so easy to convince a user to do so, google could make the feature opt-in, with informed consent that the feature might wrongly block them from seeing sites they want to see, letting the user decide for themselves if they want to enable it

no, it seems common sense that they'd just move onto another website/product, and market forces would never actually come into play

I mean, most weapons probably have a 1 in a billion chance (or much higher) to misfire
In this case, a bullet would be fired hundreds of thousands of times a second every second always though, and the gun would never heat up or suffer mechanical damage, and the supply of bullets would never run out.
It's beside the point, but is it just me that finds this reply really quite rude? You wouldn't jump in to someone's conversation with such a demand, especially in response to them recounting an experience that was stressful to them and had consequences for the fledgeling company they'd founded at great personal expense?
Not a lawyer and not legal advice, but isn't labelling something malware -- that isn't malware -- libel? I'm wondering if you could sue them for defamation.
Yea, the remedy for this isn't an email to support. It's a letter to their legal from your legal.
Many big tech companies also have government relations teams who I suspect have the internal power to get issues like this fixed.
No. This all got hashed out in the early 2000s when spammers tried to sue organizations that blacklisted them using everything from libel to contract interference.

One of too many to list: https://archive.is/jvJhl

The spammers were actually spammers though.
I'm not saying this is acceptable in any way... But there IS something you can try to get resolved fairly quickly if it ever happens again.

Be sure to claim domain ownership in the Google search console. If there is a flag of some sort, it will show up there. And you can address it there.

I worked for a financial services company where this happened. The public-facing .com domain was set up first, before I got there. Later, I added the .net domain behind zero trust to serve as our entry point for internal apps. Google marked the .net as a phishing domain. Verifying ownership of both under the same google search console account and then contesting the flag got it removed.

This evidently doesn't work for all flags. Your own experience != all other peoples' experience.

My domain ownership was already registered even before it was flagged. I _think_ it was the search console I used to request a review of the flag. But it still took that long to resolve.

This wasn't an issue of not realising what had happened for 3 days, it was 3 days after letting Google know they'd got it wrong. And spending hours on the phone to anyone I could get hold of to try to escalate etc.

You want the Postmaster Console for delivery and abuse issues, not the Search Console which is probably why you couldn't find anything.

If you've already verified your domains in the search console it is one click to add them. https://postmaster.google.com/

I think you misunderstand. I did challenge the flag in the correct place in Google's byzantine UIs. I just don't remember today exactly which UI that was.

The flag was raised against web content on our domain - it claimed our online demo was a phishing site - not on use or content of our email.

what number do you call to speak to a human at Google to help when this doesn't work "fairly quickly"?

obviously the biggest issue described in the above post is the lack of humans in the loop

If you can afford it, the fastest and easiest technique I've found is just showing up at HQ. The front desk is kind and helpful and knows the right person to route you to.
This tool has completely destroyed my opinion of Google. As a developer in my 30s, Google was a huge part of tech in my formative years - in a positive way.

Today... Google flags my domains as "unsafe" at least 3 times a year (For deceptive login forms - apparently having the gall to host tooling like bookstack/jellyfin/mealie is "deceptive" because they... ask for my login info? I don't fucking know, google won't tell me why they flag it)

They are about as locked down as you can get - 100% A scores on securityheaders.com - traffic monitoring so I know nothing untowards is happening. I don't see any particular or unusual traffic before they flag me.

But just hosting the login is enough - apparently I'm unsafe in Google's eyes. I spam the misdetected link, and 2 months later the unsafe warning pops off.

...only to show up again 6 to 8 weeks later. Rinse and repeat.

My opinion of Google today? Google can get fucked. I want the company to die. I want them out of browsers, I want them out of phones, I want this fucking ad company to get the fuck off my internet.

Your internet? It’s my internet.
I think we can both agree that it shouldn't just be "Google's internet" and leave it there...
Even Firefox blocks it for me, they're using Google Safe Browsing too apparently
> Firefox blocked this page...

> Advisory provided by Google Safe Browsing.

Firefox clearly says it is using Google.

Yes, I said in my comment that “they're using Google Safe Browsing too apparently”
You can turn "safe browsing" off in your user.js file. Replacing the urls with "" is unnecessary if the booleans are respected. But, nuking the urls provides an extra layer if Mozilla decides to add a new boolean that defaults to true (they do this with their telemetry settings all the time).

   // dont send urs to whoever to decide if they are "safe"
   user_pref("browser.safebrowsing.malware.enabled", false);
   user_pref("browser.safebrowsing.enabled", false);
   user_pref("browser.safebrowsing.malware.enabled", false);
   user_pref("browser.safebrowsing.phishing.enabled", false);
   user_pref("browser.safebrowsing.downloads.enabled", false);
   user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
   user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false);
   user_pref("browser.safebrowsing.downloads.remote.block_dangerous", false);
   user_pref("browser.safebrowsing.downloads.remote.block_dangerous_host", false);
   
   // disable binaries NOT in local lists being checked by Google (real-time checking)
   user_pref("browser.safebrowsing.downloads.remote.enabled", false);
   user_pref("browser.safebrowsing.downloads.remote.url", "");
   
   // disable reporting URLs/
   user_pref("browser.safebrowsing.provider.google.reportURL", "");
   user_pref("browser.safebrowsing.reportPhishURL", "");
   user_pref("browser.safebrowsing.provider.google4.reportURL", ""); // (FF50+)
   user_pref("browser.safebrowsing.provider.google.reportMalwareMistakeURL", ""); // (FF54+)
   user_pref("browser.safebrowsing.provider.google.reportPhishMistakeURL", ""); // (FF54+)
   user_pref("browser.safebrowsing.provider.google4.reportMalwareMistakeURL", ""); // (FF54+)
   user_pref("browser.safebrowsing.provider.google4.reportPhishMistakeURL", ""); // (FF54+)
   // disable Mozilla's blocklist for known Flash tracking/fingerprinting
   user_pref("browser.safebrowsing.blockedURIs.enabled", false);
   user_pref("browser.download.manager.scanWhenDone", false);
   
   // may only affect windows, but disable mircosoft family safety MiTM
   user_pref("security.family_safety.mode", 0);
When you consider that Google is optimizing its experience for the idiot-consumer everything they’re doing makes sense. Google isn’t for us so this shouldn’t be too much of a surprise or insult.
old.r... isn't a thing.

https://www.reddit.com/r/programming/comments/15pxt76/why_ha...

works great, with the old look. Just set preferences!

> old.r... isn't a thing.

... yes it is. It's still up and running at the moment.

no, point is, you don't need it. www. works with preference settings, old UI in all its glory.
That's different from "isn't a thing", because the thing definitely still exists. Plenty of people, myself included, don't have an account and absolutely find old.r useful whenever we feel the need to use Reddit. I'd be careful to assume that everyone uses something the exact same way that you use that thing.
Guess which method doesn’t require an account.
Back when I still used Reddit, it conveniently kept forgetting this setting. old.reddit.com on the other hand never failed.
I’ve experienced old.* misbehaving with TLS before, where the cert was either not the right name or wasn’t yet valid (12mo ago perhaps) - I’m wondering if it may be related to an earlier crawl where that has happened