The external people treating these lists as absolute truths and automatically taking domains down are the ones at fault here. Google didn't grab power, Radix gave it to them without asking.
What Radix does has no impact on Google, and I don't see how Google would be incentivized to pressure Radix. So I don't see how to make the leap blaming Google for Radix's incompetence. Yes, Google should recognize the risk of this happening, but they'd have to balance that against the rewards (or at least what they consider rewards).
I had my main family domain put on Google's safe browsing block list and it has a massive impact. No one can visit the site. I think apps using system browser runtimes (i.e., mobile) may stop working. I've seen reports that it can impact email deliverability. And, now, we see that it can get your domain put on serverHold so the problem becomes impossible to rectify.
Google should have to pay for the damage. In my case, it was about 4h of work to figure out what was going on and how to fix it, so not much, but I've seen small businesses that rely on their primary domain to drive most of their sales via web and email. In those cases, having your domain placed on server hold because of Google's false statements can have a serious, detrimental financial effect.
But my point is that any knock-on effects like domain suspension, email deliverability, etc. stem from 3rd parties misusing the safe browsing list outside the scope of safe browsing.
I don't see how Google can be blamed for other companies erroneously treating the safe browsing list as a source of truth for generally malicious domains.
That's fair and I agree. My opinion is that both should be liable in a case like this. If I had to attribute it, my starting point would be that Google is liable for the loss of website traffic and the registry is liable for the loss of email and all other lost services due to the domain suspension.
It spirals though because, like you pointed out, no one forced (ex:) Mozilla or Apple to adopt the blacklist. They did that voluntarily, so they should be responsible for their share. That's why nothing ever gets fixed. It's broken, but there's so much potential for finger pointing that no one gets pinned down and held responsible.
The answer is always the same IMO. Break up big tech companies into a million little pieces.
Google should not have known that someone would misuse their block list to block domains. But now that someone is misusing their block list to block domains, if someone brings it to their attention, the next time this happens, they will have known it.
I am not a lawyer, I am not your lawyer, and this is not legal advice.
And Google has the right to publish a list, there should be more lists not less. But Google was at fault for not correcting their blacklist. Until the article appeared on Hacker News, this was not 0% on Google. A small, correctable mistake, but they deserved a tiny bit of blame.
If all it takes to be taken off the blacklist was to temporarily delete the NS record, the list would be useless against malware.
What is to stop everyone from doing this blacklisting?
Spyware filters used to boast about how many domains they filter out because they wanted you to buy their filters instead of someone else's. By the time they hit a false positive, they've already sold a year's subscription to that customer.
The incentives are different.
Step 2: Alter filters to mark newly-registered domains and low-traffic websites as "potentially harmful".
Step 3: Charge a lot of money for "business verification" - which gives them a fancy badge somewhere and incidentally makes their website trustworthy in the eyes of your filter.
Step 4: Profit!
The Big Tech cartel has been doing this pretty successfully with email (see the weekly "Don't self-host your email" posts), why should we assume they are doing anything different with browser-based website blocking?
Indeed. I was going to register an account somewhere the other day, and the signup form had a list of acceptable email domains. Gmail, Protonmail, Outlook, Yahoo, iCloud... a few others. It's not the first time that's happened to me. Sad.
EDIT: Didn't even include Fastmail, who is pretty big after all. They host MX for my domain, so I could have "circumvented" it that way with their disposable address feature, but nope.
- They make almost all their money on advertising
- They have deep ties to the US intelligence agencies (To the point that a Google employee managed the appointment calendar for our Secretary of State a few years ago!)
So, how would these incentives apply to their Internet blacklist?
- If you are parking lots of Google ad spam, they are taking a cut of your revenue, so they have an incentive to take you off the list (evidence and testimony from the antitrust trial documented ongoing fraud in every layer of Google's vertical ad monopoly)
- If you are hosting something the intelligence agencies dislike / are neutral to / like, that'll impact your presence on the list.
There is also the headache of PR issues when they get a false NEGATIVE. “Google didn’t protect grandma from this scam website!”
There is no incentive for adding false positives to lists of malicious websites.
Chrome is big enough that a website owner can't afford a false positive on their malware list, just like they can't afford to have all their email end up in spam for all Gmail users.
Due to their near-monopoly Google also has no incentive to avoid adding false positives to their blocklist - provided they don't accidentally block high-profile targets. And if a CxO is screaming over your shoulder that your website has been blocked, arguments about "false positives" aren't very compelling: they'll just demand you move off the "shitty basement provider" and switch to "proper hosting, like the Google Cloud"...
That whiny bullshit about somebody else's website? You don't have to rely on a website or app. Either you need their monopoly because you can't do it yourself, or you have options.... In both cases the whining is not needed.
It doesn't really matter that it's Google. It could have been Microsoft, or PAN, or McAfee or some fly-by-night vendor. The problem was Radix taking the list as iron-clad truth and disabling the domain without any notification or way to resolve the issue.
Libel suits can be financially catastrophic, so even a tiny false positive rate could present risk that disincentivizes producing such software at all.
And a threat detection mechanism that has a 0.0% false positive rate is conservative to the point of being nearly useless.
In other words, if you can't deal with the false positives in a timely manner, you SHOULD be liable for the damages.
I can't build a budget car put together in an unsafe manner, then complain I can't compete due to all the people's cars crashing and blowing up and suing me.
Scalable systems need to use heuristics to catch threats. Needing concrete evidence in every case means that an enormously higher amount of malicious resources will not be flagged.
There is a policy argument as to the right balance of concerns here. But there is a clear trade-off to make.
"Your Honor, we banned this person's website because his web page contained the word 'bitcoin' more than 5 times" will not hold up.
"Your Honor, we banned this person's website because it contains a bitcoin miner script. See, here is the script, and it matches the hash value found in these other attacks" hopefully holds up.
Giving everyone a fair trial just doesn't scale. It costs too much.
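One way to encode the distinction the comment above draws, as an added example (not code from the thread or from any vendor): a two-tier check where only a concrete hash match on an inline script yields a block, while the keyword heuristic only queues the site for human review, and every verdict carries the evidence an appeal would need. The script text, its hash and the sample pages are all constructed here; the hash is a stand-in for an entry in a shared indicator feed, not a real IoC.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample of a "known" miner loader; its hash stands in for an
# entry in a shared indicator feed. Hypothetical text, not a real script.
KNOWN_MINER_SCRIPT = 'var m=new CoinMiner("WALLET-PLACEHOLDER");m.start();'
KNOWN_MALICIOUS_SHA256 = {hashlib.sha256(KNOWN_MINER_SCRIPT.encode()).hexdigest()}

KEYWORD_THRESHOLD = 5  # the "word 'bitcoin' more than 5 times" heuristic


@dataclass
class Verdict:
    action: str          # "block", "review" or "allow"
    evidence: list[str]  # what a reviewer (or an appeal) is shown


def inline_scripts(html: str) -> list[str]:
    """Return the bodies of inline <script> elements in the page."""
    return [s.strip() for s in re.findall(r"<script[^>]*>(.*?)</script>", html, re.I | re.S)]


def assess(html: str) -> Verdict:
    # Tier 1: concrete, falsifiable evidence. A script whose hash matches a
    # documented attack is something a reviewer can re-check from the record.
    matched = []
    for script in inline_scripts(html):
        digest = hashlib.sha256(script.encode()).hexdigest()
        if digest in KNOWN_MALICIOUS_SHA256:
            matched.append(f"inline script sha256={digest} matches known miner")
    if matched:
        return Verdict("block", matched)
    # Tier 2: keyword heuristic. Cheap and scalable, but not proof of anything,
    # so it only queues the site for review instead of blocking it.
    mentions = len(re.findall(r"\bbitcoin\b", html, re.I))
    if mentions > KEYWORD_THRESHOLD:
        return Verdict("review", [f"heuristic: 'bitcoin' occurs {mentions} times"])
    return Verdict("allow", [])


# Constructed sample pages: a page carrying the miner, an innocent blog that
# uses the keyword a lot, and a bare login page like the one described below.
MINER_PAGE = f"<html><body><h1>News</h1><script>{KNOWN_MINER_SCRIPT}</script></body></html>"
BLOG_PAGE = "<html><body>" + " ".join(["Bitcoin price analysis."] * 8) + "</body></html>"
LOGIN_PAGE = "<html><body><form><input name='user'><input name='pass'></form></body></html>"

if __name__ == "__main__":
    for name, page in [("miner", MINER_PAGE), ("blog", BLOG_PAGE), ("login", LOGIN_PAGE)]:
        v = assess(page)
        print(f"{name}: {v.action} {v.evidence}")
```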
It’s not libel. Defamation requires a false statement of fact. Marking a website as “unsafe” is an opinion.
No, it's not.
You're welcome to cite case law if you want to insist. Otherwise, unsafe (in the context of infosec) has a definition of likely or able to cause harm or malfunction. Something that is provable or falsifiable with evidence.
I reported a falsely flagged site repeatedly for weeks with absolutely no action from them.
Mozilla and Microsoft both did actually remove the warnings after the reports (Edge and Firefox stopped displaying the warning). Google did not. Google strong armed me into registering for google products, like a fucking bastard of a company.
This was the moment I went from "I don't love google anymore" to "Google can get fucked".
I wish them bankruptcy and every damn legal consequence that is possible to enforce.
For clarity I'm not agreeing or disagreeing, but what makes sense to the layperson (including experts in a particular field) is sometimes at odds with what the law says.
If the opinion is meant to be just another opinion, then it shouldn't cause any blacklisting of any sorts anywhere.
I agree with this! The registrar should not have triggered a suspension because of this. They're not obligated to, and the two processes should be decoupled.
No.
The source should be more careful. It's the equivalent of a renowned newspaper printing a warning that a restaurant is unsafe to visit. Should the customers' willingness to visit be magically decoupled from this opinion?
I'm not saying they should "ignore" reports of abuse but treat them as they are -- reports. They can then perform their own independent investigation.
That may well have happened here. I suspect the author isn't telling us something.
“unsafe” is a term that is both broader and more vague, so I would consider it opinion unless backed up by appropriate facts (like “contains CSAM”, “contains malware”, and so forth).
Except when it isn't. CSAM may be easier to define and identify than pornography, but there still exists material that treads a moral grey area.
Fuck Google.
This is absolutely libel. They put a big fucking red banner on top of my site, telling the world that it's unsafe, using all the authority they have as one of the largest tech companies in the world.
In my case - it was a Jellyfin instance I'd stood up to host family videos of my kids for my parents.
It was not compromised, and showed only a login page. I reported it as a false flag repeatedly, for weeks, with Google doing jack fucking shit.
Only after signing up in their search console and registering the site did the warning disappear.
They are abusively forcing people into their products. Fuck Google.
In case it wasn't entirely clear - Google can get fucked. Fuck Google.
What you can't do is imply non-public knowledge, aka "I heard from my cousin who works in law enforcement that Kyle murdered a hobo when he was 12 but the records were sealed", or state specific facts that can be proven true or false: "Kyle murdered a hobo on September 11, 2018 out back of the 7-11 in Gainesville, FL"
The standard for libel/slander is much, much higher than people think. It's extremely difficult to meet them, and for public figures, it's almost impossible.
That's ... not quite true. I wouldn't go that far.
1A rights are construed really broadly. The courts don't do the 'he wasn't legally convicted therefore it's illegal to call him one' thing.
The First Amendment doesn't protect the speaker against all forms of defamation (though it does put some barriers up that make it harder to win in some circumstances). If it did, defamation as a cause of action wouldn't exist at all.
As a practical matter, though, this is largely theoretical. Once you've been through the rigamarole of arrest, prosecution, and trial, even if you're found not guilty of the crimes committed, the reputational damage is just too widespread. You're not going to go after the defamers: there are just too many, and if you tried, there would be a fair question as to whether you have any positive reputation left to injure. Your life is pretty much ruined. It's a pretty terrible situation for the wrongly accused.
In other countries local TLDs are of course normal (e.g. .it for Italy, .za for South Africa, .cn for China...) and not only used for scam links.
I don't care if their pre-LLM AI says "thingy bad". They are responsible for the scripts or black boxes they control. I don't care if they don't give a reason.
Claiming bad/malicious/etc site is 100% libel. And doubly so, anybody who has been forced to agree to a ToS with binding arbitration should have it removed for libel.
No it isn't. https://www.law.cornell.edu/wex/defamation
Please, use words correctly.
> a plaintiff must show four things: 1) a false statement purporting to be fact; 2) publication or communication of that statement to a third person; 3) fault amounting to at least negligence; and 4) damages, or some harm caused to the reputation of the person or entity who is the subject of the statement.
They falsely marked the site unsafe[1] on a published list[2], the results weren't checked and couldn't be appealed[3] and OPs site was taken down[4].
Opinions and facts in a legal context usually come down to who is saying what. Someone personally says "this soup is bad" on a review site = opinion. A news site plastering it on their front page = fact.
A person saying something as an individual is usually considered an opinion. A company doesn't have that same protection.
Whom are you quoting here? A court opinion?
In the US, it really doesn't matter who says it, the only thing that matters is who it's being said about.
If you are a "public figure" -- which is a much broader category in 1A law than you think -- then in order to prove defamation, you have to prove the thing was false _and_ that the person saying it knew it was false at the time. Not that they were mistaken, not that they were careless, not that they knew later, they deliberately lied and knew they lied as they said it.
If your next question is "how do you prove what someone was thinking", then yes. That is the reason it's nearly impossible.
Opinions (Protected) vs Facts (Not Protected)
Defamation cases where individuals say something are usually considered opinions and companies are usually considered facts in the eyes of the courts. I say "usually".
Defamation also DOES NOT require intent, but it requires a minimum level of fault (negligence)
Google saying something is unsafe in the web search or browser would not be considered an opinion because of their position of authority. It would not even be a debate since Google has already said they make decisions based on facts and data presented to them.
The only question is whether they are negligent in their assessment or response to a false report, and what the damages would be. In the case of a phishing report that is false, courts would already consider it defamation per se (damages presumed).
Everything the Supreme Court rules is an "opinion." And they're the ultimate arbiter of legal questions in the U.S.
Whether a statement is a fact and whether the person who said it is considered an "authority" or not are independent concerns.
And we are also 100% talking about public figures. "Public figures" include companies and it's a critical part of 1A since Times v Sullivan.
Google is a US company and has 1A rights. That's how it works. The rest of what you said is nonsense and is your idea of how it should work, but has nothing to do with how it actually works.
Same with if they become aware of defamation and fail to retract and make a statement. But newspapers will generally also thoroughly investigate themselves to make sure what they are publishing is true.
It’s not libel. Defamation requires a false statement of fact. Marking a website as “unsafe” is an opinion.
The problem is that these gatekeepers of the internet respond to false statements of facts/opinions by so called professionals.
I had Cloudflare mark a worker as phishing because an AI "security company" thought my 301 redirect to their client's website was somehow malicious. (URL redirects are normal affiliate things.)
If the professionals don't understand the difference and Cloudflare and Google blindly block things, this is scary.
That is more than an opinion. Chrome has a monopoly and should act accordingly. Blocking entry to a website should be a last resort, not just because someone didn't add their website to the whitelist.
I use Ubiquiti as an example for an update they pushed to their UniFi systems a long time ago (5+ years). Some people were configuring their devices to use an https URL to connect to a management console when it was supposed to be http. Before the update, the console accepted http on the https port. After it didn't. That caused devices to disconnect from the management portal and remain offline.
When people complained, Ubiquiti said they realized it would happen, but it "would only affect a tiny percentage of customers." However, most customers that were affected had a 100% rate of failure. One person had something like 600-700 devices that got disconnected and required manual reconfiguration.
A 1% failure rate might be ok for the company, but it shouldn't be if the 1% of people affected suffer 100% failure. The distribution of the failures needs to be considered.
I had my primary domain that my entire family has used for 25 years put on that blacklist. If I hadn't been able to get it removed it would have had a massive negative impact on my life. Had it been suspended by the registry the way the OP of this article describes, I'm not sure how it would have worked out.
So it may be a false positive rate of 0.0000000001%, but it would have ruined my life. I have 900 entries in my password manager and probably half of them are tied to that domain. Is my entire digital life acceptable collateral damage? Is yours?
I get that's mostly what corporate lawyers argue about, but it's functionally dishonest in this case.
On the flip side of the coin I cannot get a site removed that is a blatant rip off of one of our websites being actively used for invoice redirection fraud.
Considering that getting a domain is a normal part of business these days, this kind of thing should be illegal. Not to mention, why does Google have any say in this?
Because keeping Google happy, or at least not bothered, is an existential priority for registrars.
Which is likely slow without a poke; it's reasonable to base the decision on what's available.
That's just how reputation works.