
This is what happens when Google isn't sue-able by private entities.

In Germany, lieferando (subsidiary of takeaway.com) registers domains in the form of restaurantname-city.de, points them to their lieferando cloudflare account, and claims ownership for the google business entry where they set the phone number to their own call center.

Then they call the business owner and _force them_ to sign the contract with them, because effectively the owner knows they cannot be found anymore via google, and everyone that wants to order something will reach the call center hotline and leave a negative review after the hotline tells them wrong number, effectively destroying their business. And the people working for lieferando via Zeitarbeitsfirmen know this, and mention this in the call to pressure the restaurant owners to get their sales provision.

Crimeflare before it got taken down had around 130k domains that were pointing to the lieferando website using this kind of scheme, I helped provide the dataset for a couple of local business owners that were extorted this way and refused to abide by that scheme.

Guess what happened, nobody could be sued and the financial damages were too small to escalate it on the European court level. Sadly, class-action lawsuits don't work the same way as in the US, apparently.

Effectively Google does not abide by the laws and gets away with it due to their financial structures of their holding companies.

And they certainly know about this, they just don't give a single fvck.




> they just don't give a single fvck

Can we not do this on HN? We're not prudish about words like that, so if you're going to use the word, please just use it correctly.

We do have a guideline that asks not to fulminate, so please observe that, along with all the guidelines.

https://news.ycombinator.com/newsguidelines.html


This was a well-published tactic on BlackHatWorld about 15 years ago. I love that VC companies have finally capitalized on it…


VC knew this for just as long. Similar ideas brewed in the business model of TripAdvisor, and eventually crystalized in the form of GrubHub and Uber Eats.

I remember a growing amount of articles and on-line discussions about restaurants being extorted this way; then the pandemic came and removed the need for extortion by making delivery necessary for restaurants' survival. It's probably why the whole thing isn't talked about anymore these days.


This seems about not being able to sue the company doing extortion (in your words), not Google...


It would not be extortion if Google would verify their data sources and would have a working process to claim ownership of legal entities.


That sounds absolutely insane. Doesn't Google have any way to dispute the business ownership? Can I take over any business on the maps by just registering a domain that contains the business name?


> That sounds absolutely insane.

It is absolutely insane that organizations are weaponizing this.

> Doesn't Google have any way to dispute the business ownership?

I can only speak for the US and it’s been a few years since I’ve done it, but yes Google does have a way. You can report an issue, and “claim” a business. Google will literally send a postcard with a unique ID to the registered physical address, and whoever gets that postcard can take ownership.

> Can I take over any business on the maps by just registering a domain that contains the business name?

Absolutely not (at least legally I assume). It’s probably trademark infringement and potentially fraud to misrepresent that business, and also Google has other methods to verify ownership (see above).


> You can report an issue, and “claim” a business. Google will literally send a postcard with a unique ID to the registered physical address, and whoever gets that postcard can take ownership.

When you say "registered address", do you mean the actual business registered address (as in on Companies House in the UK, for example) or the address which was used to register the business with Google? Because if it's the latter, I think I see a problem ...


The "address" in question here is the location on Google Maps. I managed a few locations for a business and verified them this way. Google would frequently ignore our own posted opening/closing hours and phone numbers in favour of whatever some random user provided under "Suggest an Edit". Horrible system, and support requests just ended up at some Google contractor's inbox in India, where they request to have video calls at 3AM ET to verify our identity (again).


> Because if it's the latter, I think I see a problem ...

Believe it or not, someone spent at least a few hours thinking about this.

The address is the physical address that a customer would go to when they look up the business on the map. If it's a restaurant, it's the address that has the tables and food and drinks.


So then how can the scam work after the German restaurant gets the unique postcard?


It certainly sounds like they would be sending it to the address provided by the scammer. The issue is their system assumes the first person to interact with it is trustworthy: gives a real phone number and address. If that first contact with Google was MITM'd, they seem to have no way to develop an un-compromised relationship with the real entity.


In Germany, everybody and their siblings usually ask for a recent copy of the trade certificate of registration--it actually is quite annoying. Google could do the same.


I don't think it does. The postcard should go to the place where the customers go, so for a restaurant it's the place with the tables and the food and stuff.

If the address is different than the address of the shop-owner, then how would a user who uses google maps get to the shop? And why wouldn't the shop owner just create a new, correct listing?


> Can I take over any business on the maps by just registering a domain that contains the business name?

yes, as long as the business doesn't have that already. And that's the point - many small restaurants, takeaways etc simply don't have a website because they think they don't need one, until they're fucked by Lieferando.


But isn't that fraud? Lieferando is fraudulently pretending to be someone they aren't to profit from it.


They're following the usual VC pattern: it's more profitable to ask for forgiveness instead of approval.

Plus, many restaurant owners are immigrants, and undocumented/underpaid labor is blooming as well. The last thing they want is to attract the eyes of the government.


I googled the name as I was unfamiliar with it, but immediately recognized the orange logo in search results.

Their entire business model seems to be centered around extorting businesses. I stopped giving them money after they inaccurately posted that a certain restaurant delivers to my location and got a phonecall from the place that this was the case so I agreed to pay extra to fulfill the order anyway, because Lieferando certainly wouldn't take responsibility.

Nowadays I use them only for discovery, but call the place directly or use the webpage if the business provides online ordering.

It appears that their initial value proposition to businesses was substituting delivery services so that restaurants could scale that up without hiring more staff. Of course enshittification made that service worse than just walking/driving/taking public transport there.


A year or two ago when I was doing some searching in Maps for trails to hike in Hawaii, I noticed that if a trail didn't have an "official" website i.e. pointing to a local government page, in several cases a certain photographer had put his website into that spot. And later I discovered he had done this not only in Hawaii but several trails in Utah as well. It would not surprise me if he's hit up hundreds of trails for free advertising via Google's lack of vetting.

I reported it, of course, (as someone else mentioned, Suggest an Edit) and they got changed, but I haven't checked to see if he changed them back.


Geez. Has there been any good write-ups about this in the German press?


At the time we didn't know how large the scheme is, because you only find out effectively about those domains if you let your own root/resolver running and listen for the A/AAAA entries coming from cloudflare.

So the real number of those domains is likely to be much much larger if you would have the same dataset like crimeflare had. You can find articles about it with the keyword "Schattenwebsites lieferando" because that's what the press seems to have settled on. Different press teams counted different amount of websites because of that. Another team where I knew people from the CCC that helped them confirmed the 120k number though.

Our final number in Q4 of 2021 was 130k domains that we found out about, and we were trying to contact a bunch of other business owners to be able to escalate the lawsuit onto the Landsgerichtsebene (so that it can go into the Bundesgerichtshofsebene afterwards, and then to the EU court).

[1] https://www.stern.de/wirtschaft/lieferando-lockt-kundschaft-...

[2] https://notizlo.ch/wie-man-gegen-lieferando-domains-arbeitet...

[3] https://t3n.de/news/lieferando-restaurants-schattenwebsites-...

[4] https://www.trendingtopics.eu/lieferando-provisionszahlungen...

[5] https://www.deutschlandfunknova.de/beitrag/schattenwebseiten...


You could perhaps parse the CT logs to see who registered certificates for such domains, no?


CT logs usually don't identify the owner of a site in case of the usual domain validation (DV) certificates. Only OV or EV (organisation or extended validation) certificates provide some hint at the responsible party.


Yeah but you can visit the site and see if it's their usual landing page.
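Added example, not part of the thread: a sketch of the Certificate Transparency check discussed above, matching certificate names against a business name and city and separating DV certificates (no owner recorded, so the site itself has to be looked at) from OV/EV ones. The record layout, sample data and function names are assumptions constructed for illustration; a real monitor would feed in parsed CT entries.

```python
import re
import unicodedata

# Constructed records shaped like what a CT log monitor returns: the subject
# organization (absent on DV certificates) and the SAN DNS names. Not real data.
SAMPLE_CT_RECORDS = [
    {"subject_o": None, "san": ["pizzeria-napoli-musterstadt.de",
                                "www.pizzeria-napoli-musterstadt.de"]},
    {"subject_o": None, "san": ["pizzerianapoli.example"]},
    {"subject_o": "Example Catering GmbH",
     "san": ["napoli-pizzeria-musterstadt.example"]},
    {"subject_o": None, "san": ["*.unrelated-shop.example"]},
    {"subject_o": None, "san": ["baeckerei-mueller-musterstadt.de"]},
]

_GERMAN = str.maketrans({"ä": "ae", "ö": "oe", "ü": "ue", "ß": "ss"})


def tokens(text):
    """Lower-case ASCII tokens, transliterated the way German names appear in domains."""
    text = unicodedata.normalize("NFC", text).lower().translate(_GERMAN)
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.findall(r"[a-z0-9]+", text)


def registrable(hostname):
    """Return (label, domain), collapsing www./wildcard names onto one domain.

    Assumption: a single-label public suffix such as .de; multi-label suffixes
    (.co.uk) would need a public-suffix list.
    """
    labels = [l for l in hostname.lower().rstrip(".").split(".") if l != "*"]
    if len(labels) < 2:
        return "", ".".join(labels)
    return labels[-2], ".".join(labels[-2:])


def find_lookalikes(business, city, records, own_domains=()):
    """Flag certificate names that contain every token of the business name and city."""
    wanted = tokens(business) + tokens(city)
    own = {d.lower() for d in own_domains}
    hits = {}
    for rec in records:
        for name in rec["san"]:
            label, domain = registrable(name)
            if not wanted or domain in own or domain in hits:
                continue
            compact = label.replace("-", "")
            if all(t in compact for t in wanted):  # substring match: expect some noise
                org = rec.get("subject_o")
                hits[domain] = {
                    "domain": domain,
                    "validation": "OV/EV" if org else "DV",
                    "owner_hint": org,
                    # DV certificates carry no owner, so the site itself must be inspected.
                    "needs_manual_check": org is None,
                }
    return list(hits.values())
```
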


Terrifying how easy it is to weaponize Google's ecosystem against small businesses like that


Wasn't this Yelp's business strategy for a while? I'm unsure if that finally changed.


Yelp was pay to have bad reviews removed, even if the reviews were possibly put there by yelp to facilitate extortion.


What laws do Google (and Cloudflare) not abide by?

It seems like Lieferando is the problem here. How come that company is still in business? It seems like obvious identity theft to me, if anything Google is only guilty of trusting Lieferando too much.


There was a good comment on HN the other week about identity theft:

> There's no such thing as identity theft, it's all bank fraud or in this case student aid fraud. "Identity theft" is a term coined by banks to try to make it sound like random people should have to deal with the fallout of the banks' bad identity verification practices.

https://news.ycombinator.com/item?id=43923179

In this case, the “identity theft” happens because Google trusts someone they shouldn’t. If they didn’t, the scam wouldn’t be possible. Yes, the scammer is the problem, but Google are providing them the opportunity, and leave it to each victim to deal with the situation.


Came here to say this, thank you.

"Beware of scammers!!!111!". No, _you_ beware of scammers, that's what I pay you for.


Various rights to correct misinformation and misdirection exist that Google blatantly ignores. Google aids and abides identity theft, deception and fraud this way, also profiting from it. As soon as Google knows about a crime being committed and about information they spread being wrong or even fraudulent, they do have a duty to immediately take it down, otherwise they are an accomplice. As soon as a certain site like lieferando and cloudflare is known to provide mostly fraudulent information, Google also has the duty to implement more thorough checks for information from those parties and even stop trusting them.


Isn't trademark law designed to stop this?


Assuming you have registered the trademark. Most small businesses don’t think to do this.


IANAL and this probably differs a lot per country. But typically you do not need to register a trademark, you only lose it if you do not actively defend it. So a small business could still sue Lieferando when they take your name. However, I think most small companies with thin margins would find the idea too daunting.


For the usual case of "Ristorante Napoli #239878", "Bangkok Asia Imbiss #9999" and "Taverna Rhodos #4711" you cannot register a trademark because those names are usually not unique and often reference generic place names or stuff like that.


Why is google not sue-able?


Here I'd rather ask, why Lieferando is not sue-able? What they did is not just unethical, it's plain illegal.


IANAL, but they are probably violating the UWG (https://de.wikipedia.org/wiki/Gesetz_gegen_den_unlauteren_We...), law against unfair competition, and there are possibly also trade mark violations (one does not need to register a trade mark for it to be protected, if the restaurant has an established presence in the area, it might be enough, but that's up to a court to decide of course).


I do not use lieferando because of this, and I think what they're doing is highly immoral and wrong. But I don't see where this is plain illegal. Can you elaborate?


"And the people working for lieferando via Zeitarbeitsfirmen know this, and mention this in the call to pressure the restaurant owners to get their sales provision."

Extortion.


Isn’t this business model (as described above) literally the definition of racketeering?

I guess there might not be an equivalent in Germany.


It may constitute an infringement on common law trademark rules [0], but not sure what the German legislation around that is.

[0]: https://en.wikipedia.org/wiki/Unregistered_trademark


The part where they claim their phone number is the restaurant's borders on wire fraud, plus the extortive bit pointed out by other users.


Wire-fraud is a United States legal concept. It's probably not applicable to Germany (although Germany might have its own laws which cover this issue).


https://www.gesetze-im-internet.de/stgb/__263a.html

> Strafgesetzbuch (StGB)

> § 263 Betrug

> (1) Wer in der Absicht, sich oder einem Dritten einen rechtswidrigen Vermögensvorteil zu verschaffen, das Vermögen eines anderen dadurch beschädigt, daß er durch Vorspiegelung falscher oder durch Entstellung oder Unterdrückung wahrer Tatsachen einen Irrtum erregt oder unterhält, wird mit Freiheitsstrafe bis zu fünf Jahren oder mit Geldstrafe bestraft.

> (2) Der Versuch ist strafbar.

> [...]

> (5) Mit Freiheitsstrafe von einem Jahr bis zu zehn Jahren, in minder schweren Fällen mit Freiheitsstrafe von sechs Monaten bis zu fünf Jahren wird bestraft, wer den Betrug als Mitglied einer Bande, die sich zur fortgesetzten Begehung von Straftaten nach den §§ 263 bis 264 oder 267 bis 269 verbunden hat, gewerbsmäßig begeht.

> § 263a Computerbetrug

> (1) Wer in der Absicht, sich oder einem Dritten einen rechtswidrigen Vermögensvorteil zu verschaffen, das Vermögen eines anderen dadurch beschädigt, daß er das Ergebnis eines Datenverarbeitungsvorgangs durch unrichtige Gestaltung des Programms, durch Verwendung unrichtiger oder unvollständiger Daten, durch unbefugte Verwendung von Daten oder sonst durch unbefugte Einwirkung auf den Ablauf beeinflußt, wird mit Freiheitsstrafe bis zu fünf Jahren oder mit Geldstrafe bestraft.

> [...]

My rough translations:

> Book of criminal law

> § 263 Fraud

> (1) Everyone who, with the intent to create an illegal estate gain for himself or a third party, diminishes the estate of another through the presentation of untrue facts, or the misrepresentation or suppression of true facts to create or sustain an error, shall be punished by incarceration up to 5 years or monetary penalty.

> (2) The attempt is punishable.

> [...]

> (5) With incarceration from one to ten years, in cases of minor severity from six months to five years, shall be punished whoever commits the fraud as the member of a gang, which has banded together to continuously commit crimes as in §263-264 and 267-269, in a business-like fashion.

> § 263a Computer Fraud

> (1) Everyone who, with the intent to create an illegal estate gain for himself or a third party, diminishes the estate of another by influencing the result of a data processing operation through incorrect design of the program, use of incorrect or incomplete data, through unauthorized use of data or through other unauthorized influence upon the operation, shall be punished by incarceration up to five years or monetary penalty.


lieferando has an identical logo to just-eat.co.uk. I already don't use the UK one: I often get their drivers coming to my house with other people's food so I don't trust them to get the basics of delivery right (they should capture the GPS where the successful handover takes place and learn from that for future orders).


Well that is simply because Lieferando is just the subsidiary of Just Eat that operates in German-speaking countries.


Justeat (and flipdish) does the same thing in Ireland with bespoke looking domain names for each restaurant. Just eat is strictly an ordering platform though, despite their branding on insulated bags the delivery is handled by someone else.


Because it's Google. Do you have a couple million dollars to spare?

This is a government-level issue. It's a clear breach of gdpr, but I get the feeling this guy is in America.


Post author here. Nope, I'm in the UK, and therefore covered by the DPA2018 (which is basically the copy-paste version of the GDPR that the UK government made post-Brexit).


It was post the leave vote but still during EU membership, and still on the statute books.


Wow that scheme sounds exactly like mafia activities in the Sopranos or other movies.



I'm not familiar with German laws, but are you saying that there is some law that prevents individuals from suing Google and Lieferando? That seems insane, in the US, you could absolutely sue both of these businesses.


Why are you framing this as being primarily about Google being un-sueable? There's clearly a problem with Google being difficult to work with to re-claim ownership of a business profile (no customer support, as always) and Google obviously has deep pockets that would be tempting to get access to, but isn't Lieferando the one engaged in the extortionate business practices?

Under US law I can see a few different things that would make the Lieferando behavior you describe illegal, whereas all Google is doing is being the unwitting vector for their illegal activity.

It's always more difficult to pin fault for a crime on unwitting enablers even when their negligence arguably rises to the level of a crime. The big question here is why businesses haven't successfully fought back against the ones doing the actual crime?



