Adware Report: Google: Killing the Internet One Site At A Time
Update: this article has received tens of thousands of visitors in the past 24 hours, resulting in a lot of healthy debate. I am not able to respond to all of it, but I have included my response to some objections raised on the StopBadware usenet group at the end of this article.
Update 2: I took down the ads from this page because I didn't want to offend all of the digg users visiting us. However, the bandwidth you guys are consuming is out of control, so I had to put them back up. I have to do something to pay the bills around here.
| Are Google and StopBadware unfairly punishing innocent website owners? Let your voice be heard by digging this article (click the icon to the left). |
StopBadware and Google have been getting a lot of bad press from both bloggers and mainstream media outlets (such as CIO magazine) lately for flagging sites as containing malicious software when in fact these sites are harmless. The people at StopBadware are unsympathetic and various posts in their forum illustrate the fact that they do not consider themselves responsible for their actions. Hopefully this article will reach someone at Google and spark a change for the better.
For those of you who are here for the first time, AdwareReport provides independent testing and reviews of many anti-spyware products and have been helping people solve their spyware-related problems since early 2004. We've broken a number of stories about spyware and rogue software scams, and most recently, we were the first site to educate people about the flooder.ake bug saving many many Grisoft AVG users from having to reformat their computers.
Sometimes we've lost a lot of money in the process of helping people (breaking the flooder.ake problem ran up several thousands dollars in advertising costs), but overall the site makes a small profit, allowing me to work from home. This is really important for my family, as my young son is a heart transplant recipient and requires his mother or I to be around at all times, in case of a sudden rejection or other medical problem. StopBadware's "false positive" has put us in serious financial distress. This site is expensive to run, and I am now forced to consider the possibility of shutting it down.
How StopBadware Is Screwing the Internet
In late November, StopBadware flagged our site as one that "hosts or distributes badware". This resulted in the following:
- Our website traffic has dropped by over over 70%
- In late November, we were ranking in the top 10 for over 50 terms on Google ... today we rank for only 4.
- We lost our DMOZ listing, which is a serious blow to our future on the web.
If you do happen to find us through Google, you are greeted with a page that looks like this:
Screenshot showing how Google has blacklisted us based on StopBadware.org's recommendation
If you click on the link, you will be presented with an ominous page that warns the user that our site "may harm your computer!" There is no way to continue on to our site unless you manually copy the link into your address bar:
This is happening to hundreds of great sites all across the internet.
Why We Were Blacklisted
We can't say exactly why StopBadware blacklisted us, because they haven't bothered to share this data with us. However, the guys at Siteadvisor did help us pin down an old archived page that contained an iframe redirect. This is an encrypted javascript snippet that embeds a hidden iframe on a page. This frame redirected visitors to a Russian malware site. I won't put the code here - if you are really interested, look up "adwarereport.com" on SiteAdvisor and you can see it there. The important thing to know about this is that we didn't put it there - it was injected by someone else through a server vulnerability that we've since closed. Furthermore, only a handful of people ever visited this page (fewer than 20).
It might have been fair if Google issued the warning only for this page, but they didn't. They issued the warning for every page on our site. We used to get thousands of visitors daily from Google. Today we average 30.
In other words, if you, the webmaster of your site happen to get victimized by a hacker, then you will also be severely punished by Google/StopBadware on top of it. Fair?
StopBadware is Broken
In another post, we compared the way that StopBadware is run today with McCarthyism. Joe McCarthy was a senator of Wisconsin from the late '40s to late 50's who was responsible for what became known as the "Second Red Scare". If you didn't hear about him in history class or missed the recent movie, "Good Night and Good Luck", Joe McCarthy accused thousands of Americans of being Communists or communist sympathizers. Many of these people suffered loss of employment, lost their careers, or were even thrown in jail. It turned out in the end that Senator McCarthy's witch hunts were little more than an abuse of power, a way to scare others for his own benefit.
Maybe this is a little extreme, maybe not. But the lessons I learned from history class was that character assassinations by those in power could happen anytime, anywhere. And those in power will deny it and find all sorts of rationalizations to defend their actions, even when those actions are clearly wrong. In their minds, the ends justify the means. Re-read that last sentence, because it's about to come up again really quickly.
Not Only Are They Broken, They Don't Care What You Think
This attitude is demonstrated in post after post at the StopBadware forums. They make some good points over there, such as this one made by Michael Buckley:
Next, I'd like to go through a few of the arguments point-by-point:
1. StopBadware/Google are not differentiating between the good guys and the bad guys.
Unfortunately, intent doesn't come into play here. Whether or not you intended your site to infect customer machines is irrelevant to the end result. (emphasis mine)
Applying this logic to StopBadware, we can conclude that while StopBadware may have good intentions, it simply doesn't matter ... the end result does. To them, they are fighting the spread of malicious software on the net. But to us innocent website owners who have been victimized by them, the end result is that they are taking away our livelihood and harming our families.
Another favorite argument of theirs is that website owners are responsible for ensuring the safety of their site. A reasonable enough statement, but consider for a second that a site such as this one has hundreds of pages and thousands of links, many of which I haven't visited in years. StopBadware expects me to check every page and every link daily to ensure that they haven't been hacked and that they don't lead to possibly dangerous sites. Guys, I would love to - but I'm trying to stay focused on fighting the spyware problem. I can't do that if you expect me to constantly monitor every nook and cranny of my website, most of which are never visited (except by your spiders).
I won't go into picking apart the rest of the erroneous arguments that are put forth on their forum, as it would be boring for our readers. I will simply describe the situation as it is:
- StopBadware flags whatever websites it wants as being potentially harmful and reports these findings to Google, resulting in a nearly complete shut-off of all internet traffic. Those of us who run good sites depend on this traffic for their livelihood - it's usually impossible to run a quality site simply as a hobby, especially if that site runs up expensive hardware and software bills like this one does.
- They do not inform the website owner that they have been flagged. For instance, they flagged us two months ago ... we just found out a few days ago.
- They do not work with website owners in any way to help them identify or fix any problems. The StopBadware Clearinghouse is meant to do this, but it's a joke ... they don't provide any useful data at all.
- If a flagged website wants to resolve the problems brought about by all this, they have to first figure out what the problem areas are (which is like finding a needle in a haystack), and then send in an appeal to a blind email address. Appeals are supposed to be answered within 10 days, but there are reports of people waiting two months or longer to hear back (we've been waiting 5 days so far).
A Wake-Up Call To Google: "Don't Be Evil"
Those in power have the responsibility to wield it properly. Any organization running a blacklist has a duty to inform those they put on the list of their actions, the reasons why they were blacklisted, and to provide acceptable feedback mechanisms, including a grace period within which to correct the problems. There must be sufficient steps taken to ensure a 100% transparency into this process.
You took it upon yourselves to become the internet policeman. I did not appoint you. Nobody held a gun to your head and made you do this, therefore you have a moral obligation to do it properly.
This is what you must do to fix this:
- Inform websites of their inclusion on the blacklist. This should be done via WHOIS email or through contact information on the website (this can be easily found through the same automated agents that StopBadware uses today).
- Provide sufficient information to webmasters of any problems identified by StopBadware's automated agents.
- Allow sufficient grace period for webmasters to fix any problems that have been identified on their sites.
Other Innocent Sites Screwed By Google Has your site been blacklisted? Post a comment and we'll add you to the list. We also welcome comments from StopBadware and Google.
Update: My response to objections raised on the StopBadware forum
CometCom1,
I am the owner of AdwareReport and I wrote the article. It seems that you've put some serious thought into this, and I felt this was worth replying to.
1. You mention that I blame StopBadware and not Google, and then make the claim that this was an instance of social engineering.
Actually I placed the blame squarely on StopBadware *and* Google in several places, and I've done so on other articles on my site as well. Someone pointed out that it was Google who flagged the site and then submitted it to StopBadware. I have no reason not to believe them, but take into account this quote from Google's Webmaster Help Center (http://www.google.com/support/webmasters/bin/answer.py?answer=45432):
"All appeals and reviews are handled by StopBadware.org. Please send an email to appeals@stopbadware.org explaining why you think your site was mistakenly identified or how you have modified your site. They will investigate and contact you with their findings. If they determine that your site does not spread malicious software, they will inform Google, who will remove the identification from the search results."
Let's be clear - both parties share the responsibility. Google is responsible for flagging the site, placing an ominous warning on my search results, removing the direct link to my site, and not informing me nor giving me any grace period. StopBadware is responsible for listing my site in their clearinghouse, not providing any helpful data to resolve the problem, not informing me that they've put me in the clearinghouse, and not responding to my appeals email in a timely manner.
Corporations often use policies and buck-passing to avoid taking responsibility for their actions. This is not conjecture. I have an MBA from Kellogg with a concentration in management psychology, but it doesn't take an masters degree to recognize that these two organizations are hurting people through their neglect and inefficiency.
2. You criticize the fact that I mention my family's medical problems in this post:
>This is really important for my family, as my young son is a heart
>transplant recipient and requires his mother or I to be around at all
>times, in case of a sudden rejection or other medical problem.
Ah ok, if you have a prescription from your doctor, it's ok?
I am exercising considerable restraint in replying to this, but I'm going to assume that you didn't mean to come off as callous as you did.
I mentioned this fact in the article as a direct response to the laissez-faire attitude that most of those who defend StopBadware's and Google's actions to date. They want you to think that it's just a bunch of bits-and-bytes, or perhaps a little money that is at stake. It's way more than that - many people depend on the internet to support their families, and Google/StopBadware is vicitimizing them through their lack of attention and carelessness.
3. "McCarthyism also does not cover quite, as 1. It has nothing to do with the government, 2. there is proof. "
To answer your first point, the use of the term McCarthyism is no longer limited to government activities. From wikipedia (http://en.wikipedia.org/wiki/Mccarthyism#Current_use_of_the_term):
Current use of the term
Since the time of McCarthy, the word "McCarthyism" has entered American speech as a general term for a variety of distasteful practices: aggressively questioning a person's patriotism, making poorly supported accusations, using accusations of disloyalty to pressure a person to adhere to conformist politics or to discredit an opponent, subverting civil rights in the name of national security and the use of demagoguery are all often referred to as McCarthyism.
In regards to your second, neither StopBadware nor Google has come up with any proof. They have not responded to my appeals email, they have not listed any helpful data in their Clearinghouse. There is nothing but a vague description that says we "host or distribute badware" and a URL to a directory listing on our site. We've searched that directory and there is absolutely nothing in it that would constitute "badware". Wouldn't you agree that this is an unfounded accusation?
If you are referring to the iframe redirect that we found on our site, the URL of that code is not listed in the clearinghouse, and this problem was identified by SiteAdvisor. And to their credit, they contacted me via email several weeks before the problem report was uploaded to their site.
4. You critique my suggestion to get in touch with the webmaster of a site to inform them of inclusion on the blacklist:
Fact - There doesnt exists provisions on the internet to get in contact with a webmaster.
This is not fact. Any programmer can write code in a matter of minutes to mine all of the email addresses found on a website. Then it's a simple matter to match the URL. In our case, In our case, there is a spider-friendly link in our top navigation bar with our email address ("Everything Else" -> "Contact Us"). Most reputable sites have contact information. Most unreputable websites (ie: those with malicious intent), do not. Implementing this procedure would actually reward the good guys and punish the villains.
Not only is this easy to do, it is likely that Google already has this information in their search index. For instance, it is widely conjectured that Google has technology that looks for common indicators of trust, such as privacy policies and "contact us" links, and uses the presence of these factors in calculating their search rankings.
5. Your parting guesses about why I wrote about this:
I do expect Richard to follow up on this, and work with stopbadware to improve this - otherwise why all the fuzz - a damage control and free advertising campaign ?
Actually, it was to fight back against this injustice being pushed upon innocent webmasters all over the internet. It was a response to the condescension and antipathy shown towards webmasters by certain posters in this group. Or to be less abstract about it, the attitude some of you have of "fuck you, so what if this process is broken, you have no right to complain because you are a guilty badware distributing motherfucker. Now shut up and comply."
Why should I work with StopBadware any more than I have? I didn't appoint them to be the internet's policeman. They took this on themselves, so they can fix their own damn problems. I've given them a crystal-clear checklist of improvements, fixed all known problems, and filed my appeal, so now they can stop penalizing my site and let me get back to what I like doing - helping people fight spyware.
Tells the story about how StopBadware.org libels innocent websites by falsely accusing them of distributing badware.
All articles and reviews are copyright 2004, Gooroo, Inc. All Rights Reserved.
Adware Report (http://www.AdwareReport.com) delivers objective news and reviews about the best and the worst spyware removal products.