Hacker News
by midenginedcoupe 1046 days ago
This bot's behaviour made me drop all Google products.

A few years ago it marked my company's entire domain as unsafe without any reason. Any human would have been able to tell the flag was incorrect, but "algorithm says no".

There is no team in Google to escalate to, no team managing this service, and no way to get an incorrect flag lifted in anything like an acceptable timeframe.

In the meantime, Gmail just silently decided to drop any email I either sent or received that mentioned my own domain name. I didn't know my customers were notifying us of the problem, and they weren't getting any of my updates. It was horrific. Our production service was down for ~ 3 days whilst Google just sat on their hands and refused to do anything about it. We were running a highly visible citizen-facing service for the UK Government and Google didn't care they'd broken it for everyone.

This runaway bot is a menace to the web and I refuse to give Google any more money until they've demonstrated they can run this responsibly.

5 comments

This is the thing that needs to be regulated. It will force these companies to spend actual money on stuff. They’ll still be insanely profitable but not able to run quasi monopolies on infrastructure and extract all profits while externalising all the damage.
I agree in principle, and this is a shitty situation for the GP, but Google's "contract" with the public doesn't even comprise a gentlemen's agreement. They don't owe anybody anything, they're just the cool kid at school who won't acknowledge your existence. You can't (and shouldn't be able to) force them to be your friend. You can't claim harm because someone stopped being friends with you either.

There is a question to be asked of where does one draw the line about policing stuff that happens in virtual reality. Are we to start prosecuting people for espionage and insider trading in Eve Online too? Can we punish the church because God isn't answering my prayers in a timely manner?

(I don't think regulation is the answer. They had their 15 minutes of fame; it's time for everybody to form a new clique and cut Google out of it-- just like the Twitter exodus.)

Well, it seems like Google / Alphabet ran a bunch of their services at a loss for years, until their practical competitors had been extinguished.

YouTube and Gmail spring to mind, though there seems to be a resurgence of people moving away from Gmail these days (my perception anyway).

Since Google wanted to be a monopoly in various markets so badly, they should be required to serve those markets properly.

Like, with customer service / support, and similar. "You won! Here are the consequences..."

It's a shame the push a while ago for them to be regulated like a utility didn't succeed.

It doesn’t matter, the EU already has definitions for companies that are big enough to be of public interest.

The majority of economic value creation over the long run happens on the internet, it’s high time to adjust the laws to match physical reality.

You can’t just randomly discriminate against people in the physical world too.

In practice Google is more like the security guard at the school entrance, who decides you can't come in and won't tell you why. Not just a popular kid who ignores you.
Regulation absolutely is a solution that should be pursued. Companies are responsible for what their automated services do. Your two examples are absurd red herrings and not at all comparable to this situation.
Google is effectively the gatekeeper to the internet for most people. That did not happen by accident, but through deliberate actions on their part.

They owe it to society to manage what they've built in a fair and attentive fashion, or to give it up to someone who will, for the public good.

If there's one thing that Google couldn't care less about, it's "the public good".
Which is why we need regulations to make holders of effectively public commons responsible.
I'm not saying this is acceptable in any way... But there IS something you can try to get resolved fairly quickly if it ever happens again.

Be sure to claim domain ownership in the Google search console. If there is a flag of some sort, it will show up there. And you can address it there.

I worked for a financial services company where this happened. The public-facing .com domain was set up first, before I got there. Later, I added the .net domain behind zero trust to serve as our entry point for internal apps. Google marked the .net as a phishing domain. Verifying ownership of both under the same google search console account and then contesting the flag got it removed.

This evidently doesn't work for all flags. Your own experience != all other people's experience.

My domain ownership was already registered even before it was flagged. I _think_ it was the search console I used to request a review of the flag. But it still took that long to resolve.

This wasn't an issue of not realising what had happened for 3 days, it was 3 days after letting Google know they'd got it wrong. And spending hours on the phone to anyone I could get hold of to try to escalate etc.

You want the Postmaster Console for delivery and abuse issues, not the Search Console, which is probably why you couldn't find anything.

If you've already verified your domains in the search console it is one click to add them. https://postmaster.google.com/

I think you misunderstand. I did challenge the flag in the correct place in Google's byzantine UIs. I just don't remember today exactly which UI that was.

The flag was raised against web content on our domain - it claimed our online demo was a phishing site - not on use or content of our email.

what number do you call to speak to a human at Google to help when this doesn't work "fairly quickly"?

obviously the biggest issue described in the above post is the lack of humans in the loop

If you can afford it, the fastest and easiest technique I've found is just showing up at HQ. The front desk is kind and helpful and knows the right person to route you to.
Not a lawyer and not legal advice, but isn't labelling something malware -- that isn't malware -- libel? I'm wondering if you could sue them for defamation.
No. This all got hashed out in the early 2000s when spammers tried to sue organizations that blacklisted them using everything from libel to contract interference.

One of too many to list: https://archive.is/jvJhl

The spammers were actually spammers though.
Yea, the remedy for this isn't an email to support. It's a letter to their legal from your legal.
Many big tech companies also have government relations teams who I suspect have the internal power to get issues like this fixed.
Something similar happened to Gnif. Google’s bot decided it hated his lookingglass project.

And since that was attached to his business domain, it fucked with his business website too.

https://forum.level1techs.com/t/google-now-considers-looking...

> no way to get an incorrect flag lifted in anything like an acceptable timeframe

Define "acceptable timeframe"

Surely you'd agree that breaking a government service for 3 entire days is unacceptable!?

Ideally they'd have an SLA measured in hours, the lower the better. Like 1. Because the consequences of their bot flagging a domain are so severe, both in terms of availability and in reputational damage.

If you're about to submit commercially sensitive information to a company providing a service on behalf of your government and instead you see a massive red screen that screams of dire consequences of using that site, how likely would you go back and try again later? They need to be damned sure they're right, and to provide a quick way to resolve false flags.

Instead the only answer I got from Google was "lol, no".

1 picosecond is the acceptable time frame for google to block my connections to someone's server. I don't need their permission to visit. It is why I turned off the feature the first time I got a red screen in 2010 or thereabouts.
Yet there are many more users that actually get protected from actual phishing thanks to Safe Browsing. A microscopic false positive rate does not a bad tool make.
yet there are nonetheless many people harmed by the service, an issue unresolved by any amount of unrelated goodness

>A [low] false positive rate does not a bad tool make.

It does, if your tool fails to address the issue of false positives to the satisfaction of the people you harm with them, and especially if it fails to provide a quick, easy, direct line to humans, to deal with false positives

obviously it's not acceptable to screw people over and justify it by saying "we're not screwing over everybody, and look, we're doing good stuff, too!"

if you can't resolve the negative externalities of your service to the satisfaction of the people you're harming with them, don't roll out the service

> obviously it's not acceptable to screw people over and justify it by saying "we're not screwing over everybody, and look, we're doing good stuff, too!"

That's the thing, the benefits immensely outweigh the small negatives. Small inconvenience from even tens of thousands of false positives out of tens of billions site visits is such a small cost.

You do understand that the alternative would be most phishing sites remaining active for days, if not months, if this service didn't exist? That means a significantly higher amount of people getting significantly more inconvenienced than some false positives cause.

> if you can't resolve the negative externalities of your service to the satisfaction of the people you're harming with them, don't roll out the service

Case study of letting the perfect become the enemy of the good.

> That's the thing, the benefits immensely outweigh the small negatives

that's the thing: they don't. both co-exist, and you must address the negative externalities individually, vs. saying "well we think we do more good so suck it, too bad" to the people you harm.

> You do understand that the alternative would be most phishing sites remaining active for days, if not months, if this service didn't exist?

the alternative could be a meteor hitting the planet, that doesn't justify your creating new negative externalities and unleashing them on the world with no reasonable recourse for the people you harm

indeed, your stated excuse for wrongdoing is a case study in letting the ends justify the means

you also neglect the many other alternatives, one of which is properly staffing and funding enough humans to deal with the harm you're inflicting on other people, and providing easy access to them from the people you've harmed, and scaling your service up only so long as you can support that proper level of staffing

If a weapons manufacturer made a gun that 1 in every billion times shot you in the head instead of your target, we wouldn't say, "well, sometimes accidents happen" and brush it off.

There would be a full investigation as to how and why this happened and someone somewhere would be held accountable.

Google in its current form is immune to the consequences of the decisions of its robots, and that is not acceptable.

It's beside the point, but is it just me that finds this reply really quite rude? You wouldn't jump in to someone's conversation with such a demand, especially in response to them recounting an experience that was stressful to them and had consequences for the fledgeling company they'd founded at great personal expense?