So, clearly Google has too much power over the internet, it's arbitrary and opaque, etc. I agree. However, I think it is worth pointing out that:
1) malware is often very aggressive and fast-spreading, and once it's on a user's computer it's hard to get off, therefore...
2) the system to detect it and stop access to the site has to be automated, not a human-in-the-loop system that might take hours or days to shut off access to a site which is infecting many users per minute, and...
3) the more clarity there is on how exactly that automated system works, the more certain we can be that malware will be able to evade it; it's much like how spam detection or search page rankings are opaque, because the incentives to game the system are very great
I'm not saying Google's system is perfect, but I am saying it's a very hard problem to solve in a way that doesn't give us an even worse time stopping malware spread than we already have. So while it is hard to feel sorry for a company as wealthy and powerful as Google, I think the issue is not as clear-cut as some comments on this thread seem to suggest.
I absolutely agree, and the same applies to things like moderating YouTube and such. The scale is mind-boggling, and people will do anything to get past any measures you put in place. It's a hard problem to solve, and I feel people are too quick to jump to the "Google bad" bandwagon.
But that being said, by far the biggest problem is just the lack of recourse and communication. Compare this to email spam prevention and the like, which solves a very similar problem but if you accidentally get blacklisted you can just talk to the SpamHaus people or whatnot and get the problem sorted.
It's not hard to imagine how Google could improve here: send better notifications when something is blacklisted, provide a reason why, and offer a better procedure to get your problem fixed.
Yes, this will cost time and money due to the large scale of things. But if you have the ability to block parts of the internet for much of the population then you also have some responsibility here; you can quite literally kill companies with this. Email spam prevention services usually step up to this responsibility. Google ... not so much.
Mistakes will still happen, and that's okay. I appreciate the hard job they're doing, which does provide a lot of value. It's how you deal with those mistakes that matters, and Google deals with them terribly across all of their products.
I think if Google is going to decide to police the web like this, they need to alert people more proactively. The first the OP heard of this should have been Google emailing them through uploader.win's Contact Us email address. It's easy and obvious to find on the site; it seems like that should be part of the automated process.
Locating contact info for websites is not something that can be automated. Some sites provide an email address, some a form, some point people at twitter or facebook and some don't provide any contact information at all. None of this is arranged in any sort of standard way. Contact info may be under a link marked "contact" or "about" or "bio" or appear at the bottom of every page.
Legally, every web domain must have a registrant contact point on file when you register it. They shouldn't have to webcrawl for the contact info. Then again, they are already the kings of webcrawling....
Yeah; that was my original thought, but not sure how readily available that is without reaching out to the registrar. Certainly, the registrar could be reached out to.
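For what it's worth, the lookup itself is trivial to automate. A minimal sketch in Python: the WHOIS protocol (RFC 3912) is just a single line of text sent to TCP port 43. The server below is the .com registry's WHOIS host; note that since GDPR, registrant contact fields often come back redacted, which is the "not sure how readily available" caveat above.

```python
# Sketch: registrant contact data lives in WHOIS, and the WHOIS protocol
# (RFC 3912) is just a single text line sent to TCP port 43.
# Caveat: many registrars now redact the registrant contact fields.
import socket

def build_query(domain):
    """A WHOIS query is just the domain name followed by CRLF."""
    return domain.encode("ascii") + b"\r\n"

def whois_lookup(domain, server="whois.verisign-grs.com", timeout=10.0):
    """Send a raw WHOIS query and return the plain-text response."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(build_query(domain))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

# Usage (requires network access):
# print(whois_lookup("example.com"))
```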
Of course it can. There have always been well-known contact addresses: hostmaster, postmaster, webmaster, security, abuse, etc. (standardized in RFC 2142). In addition, there is now the .well-known URI prefix, which has its own RFC.
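The conventions above are mechanical enough that a crawler could check them without any heuristics. A small sketch (the domain is illustrative; whether a given site actually publishes a security.txt under RFC 9116 is of course not guaranteed):

```python
# Sketch: derive the RFC 2142 role addresses for a domain, and fetch its
# RFC 9116 security.txt from the .well-known path (RFC 8615) if one exists.
import urllib.request

RFC2142_MAILBOXES = ["hostmaster", "postmaster", "webmaster", "security", "abuse"]

def candidate_contacts(domain):
    """Return the well-known role addresses defined by RFC 2142."""
    return ["{}@{}".format(mailbox, domain) for mailbox in RFC2142_MAILBOXES]

def security_txt_url(domain):
    """RFC 9116 says security.txt lives under /.well-known/ over HTTPS."""
    return "https://{}/.well-known/security.txt".format(domain)

def fetch_security_contact(domain, timeout=5.0):
    """Return the first Contact: line from security.txt, or None."""
    try:
        with urllib.request.urlopen(security_txt_url(domain), timeout=timeout) as resp:
            for line in resp.read().decode("utf-8", errors="replace").splitlines():
                if line.lower().startswith("contact:"):
                    return line.split(":", 1)[1].strip()
    except OSError:
        pass  # no security.txt published, or the host is unreachable
    return None

# Usage (the fetch requires network access):
# print(candidate_contacts("example.com"))
# print(fetch_security_contact("example.com"))
```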
Surely there is a better way to address malicious content than blocking the entire domain.
It also doesn't seem like sites like Facebook, Reddit, YouTube, Google Photos, etc. run into this problem, even though they allow user-uploaded content, so there is some kind of bias against smaller companies.
You won't get away with uploading malware to your Google drive without Google noticing. The no-no here is that this guy is operating a demo site that allows anonymous file uploads without policing the content that goes there. That's just mind blowingly dumb and ripe for abuse.
> So you need a google quality malware detection filter to allow user content upload on your site? That's a pretty big barrier to entry.
No, but IF you allow people to anonymously upload malware to your site, Google-quality malware detection filters will absolutely do what they were designed to do and detect the malware on your site.
I just don't understand the people insisting on arguing that somehow this was a false positive. Google was right! This site was hosting malware! It's true it wasn't "intentionally" hosting malware, and that it was designed for benign purposes.
Which is to say, you are demanding that Google forgive this site automatically based on intent and not evidence. And sadly, while Google may have Google-quality malware detection filters, they haven't yet cracked the nut of thought crime detection.
My problem isn't that it flagged some user-uploaded malware; my problem is that the entire site is blocked without warning.
I am genuinely curious how you would prevent your site from being blocked like this. Sure, in this case it was a demo, but what if it was an actual image hosting service that required login? What's to stop a bad actor from creating an account and uploading malicious content? Maybe you even have some filter that does image recognition on the images and tries to detect if it is phishing. But unless your filter catches the exact same content that Google's malware detector flags, there's still a chance that you'll miss something that Google finds, and it starts blocking your site.
Strictly that's not correct. The whole experience here was a "warning", though it was given to users of the site and not the owners directly. Chrome will allow access through that warning page via an override, and of course they have the option of using other browsers.
But even interpreting you narrowly: How much warning do you think Google should be expected to give before flagging sites with known malicious content? Would you apply that same logic to the sites you visit as a user?
I just don't see how the principle you want is going to work in concert with a world with rampant malware. Most of us very much want the trigger-happy filters, because they keep the problem manageable at the cost of some inconvenience and increased vigilance on the part of the content providers, which is IMHO exactly where it should be.
It would be individual users' job to police what sites they go to. It would be hosting providers' job to police the content of their customers.
The person who makes the search engine, and the browser, and the blacklist should not be one and the same.
Do you know how many sites would be absolute minefields without Google? They incentivise websites to commit to some clean standard so that the 'individual user' doesn't have to run a script every time they visit a website to make sure it's clean. And guess what: whatever script they run will just end up becoming a different google anyway.
We have enough history to know users can't self-police. This doesn't scale. Most users don't understand the internet nearly well enough to shoulder that burden.
At least in the Bay the police can't even stay in the confines of the laws they're sworn to uphold (stop signs, speed limits, not drunkenly swerving into the bike lane I'm inhabiting, ...). What reason do we have to believe they'd handle an unfamiliar problem domain with any better proficiency?
Police take reports from victims, and then what? How do police protect you from a site hosted outside their jurisdiction?
I think tech companies deciding what people can access is the most likely endgame no matter what. People will demand protection. Whether it's a great firewall, a whitelist-only internet, ...or just automated filtering like this, which may be the most liberal option we can realistically expect.
The police go and arrest them. This is true even for other jurisdictions. It's not as if there are no police in France or Australia.
What you're left with is things hosted out of uncooperative countries like Russia or China. But then shouldn't the block list consist entirely of things hosted out of uncooperative countries like Russia or China? How did this US-hosted business fall victim?
It's not just Google; Microsoft, Twitter, and Facebook too. Our website was recently flagged by Facebook's ML [1], and the only way to "unban" it was to find ways to contact a human being inside.
PS. Twitter still does not allow me to share links to OP's website.
What this situation, as posed in the article, illuminates is that proper government oversight and distribution of concerns are a necessary part of balancing power. The tensions designed into a system help it address its edge cases, to varying degrees. And the article points out how to manage one of these situations generally; it's an excellent list of insights. Automation should be balanced with humans in the loop: automated systems are imperfect, and humans are too. Balanced systems with separation of concerns yield good results. Discretion can be exercised and applied appropriately, and the parties, with their respective concerns, can sort out these edge cases and share that information when and where it furthers the common interest.