[ImPostingOnHN]

> The problem is that the divide of alignment of interests there is between new, small companies and users. New companies want to put up a website without tripping over one of the thousand unwritten rules of "How to not look like a phishing site or malware depot" (many of which are unwritten because protecting users and exploiting users is a cat-and-mouse game)... And users don't want to get owned

Some candidate language:

- Monopolistic companies may not actively impose restrictions which harm others (includes businesses)

or

- Some restrictions are allowed, but the company must respond to an appeal of restrictions within X minutes; Appeals to the company can themselves be appealed to a governmental independent board which binds the company with no further review permitted; All delays and unreasonable responses incur punitive penalties as judged by the board; All penalties must be paid immediately

or

- If an action taken unilaterally by a company 1) harms someone AND 2) is automated: Then, that automation must be immediately, totally, and unconditionally reversed upon the unilateral request of the victim. The company may reinstate the action upon the sworn statement of an employee that they have made the decision as a human, and agree to be accountable for the decision. The decision must then follow the above appeals process.

or

- No monopolies allowed

[shadowgovt]

> Monopolistic companies may not actively impose restrictions which harm others (includes businesses)

That's not generally how monopoly is interpreted in the US (although jurisprudence on this may be shifting). In general, the litmus test is consumer harm. A company is allowed to control 99% of the market if they do it by providing a better experience to consumers than other companies can; that's just "being successful." Microsoft ran afoul of antitrust because their browser sucked and embedding it in the OS made the OS suck too; if they hadn't tried to parlay one product into the other they would be unlikely to have run afoul of US antitrust law, and they haven't run afoul of it over the fact that 70-90% of x86 architecture PCs run Windows.

> Some restrictions are allowed, but the company must respond to an appeal of restrictions within X minutes; Appeals to the company can themselves be appealed to a governmental independent board which binds the company with no further review permitted; All delays and unreasonable responses incur punitive penalties as judged by the board; All penalties must be paid immediately

There may be meat on those bones (a general law restricting how browsers may operate in terms of rendering user content). Risky because it would codify into law a lot of ideas that are merely technical specifications (you can look to other industries to see the consequences of that, like how "five-over-ones" are cropping up in cities all over the US because they satisfy a pretty uniform fire and structural safety building code to the letter). But this could be done without invoking monopoly protection.

> If an action taken unilaterally by a company 1) harms someone AND 2) is automated: Then, that automation must be immediately, totally, and unconditionally reversed upon the unilateral request of the victim.

Too broad. It harms me when Google blocks my malware distribution service because I'm interested in getting malware on your machine; I really want your Bitcoin wallet passwords, you see. ;)

Most importantly: this whole topic is independent of monopolies. We could cut Chrome out of Google tomorrow and the exact same issues with safe browsing impeding new sites with malware-ish shapes would exist (with the only change probably being the false positive rate would go up, since a Chrome cut off from Google would have to build out its detection and reporting logic from scratch without relying on the search crawler DB). More importantly, a user can install another browser that doesn't have site protection today (or, if I understand correctly, switch it off). The reason this is an issue is that users like Chrome and are free to use it and tend to find site protection useful (or at least "not a burden to them") and that's not something Google imposed on the industry, it's a consequence of free user choice.

[ImPostingOnHN]

> Too broad. It harms me when Google blocks my malware distribution service because I'm interested in getting malware on your machine; I really want your Bitcoin wallet passwords, you see. ;)

That's okay, a random company failing to protect users from harm is still better than harming an innocent person by accident. They already fail in many cases, obviously we accept a failure rate above 0%. You also skipped over the rest of that paragraph.

> users like Chrome and are free to use it and tend to find site protection useful (or at least "not a burden to them")

That's okay, Google can abide by the proposal I set forth avoiding automated mistaken harms to people. If they want to build this system that can do great harms to people, they need to first and foremost build in safety nets to address those harms they cause, and only then focus on reducing false negatives.

[shadowgovt]

I think there's an unevaluated tension in goals between keeping users safe from malware here and making it easy for new sites to reach people, regardless of whether those sites display patterns consistent with malware distributors.

I don't think we can easily discard the first in favor of the second. Not nearly as categorically as is done here. Those "false negatives" mean users lose things (bank accounts, privacy, access to their computer) through no fault of their own. We should pause and consider that before weeping and rending our garments that yet another hosting provider solution had a bad day.

You've stopped considering monopoly and correctly considered that the real issue is safe browsing, as a feature, is useful to users and disruptive to new business models. But that's independent of Google; that's the nature of sharing a network between actors that want to provide useful services to people and actors that want to cause harm. If I build a browser today, from scratch, that included safe browsing we'd be in the same place and there'd be no Google in the story.

[ImPostingOnHN]

> I think there's an unevaluated tension in goals between keeping users safe from malware here and making it easy for new sites to reach people

To be fair, I evaluated that trade off before replying. It's also not just "new sites", but literally any site or person which could be victimized by "safe browsing".

> Those "false negatives" mean users lose things (bank accounts, privacy, access to their computer) through no fault of their own.

That was already happening, and will continue to happen, no matter what. The only thing that the false negative caused is, a stranger didn't swoop in to save a 2nd stranger from a 3rd stranger. That's ok: superheros are bad government. The government should be the one protecting citizens.

[shadowgovt]

> no matter what

Well, no... That's the thing about false negatives vs. true negatives. The more effective the safe browsing protection is, the fewer false negatives. I think we can agree to disagree on where one should tune the knob between minimizing false negatives and minimizing false positives, especially since

a) you have to be doing something pretty unusual to trigger a false positive (such as "setting up an elaborate mechanism to let user-generated content be hosted off of a subdomain you own")

b) there is a workaround once a publisher is aware of the issue.

> The government should be the one protecting citizens.

This seems to be a claim "Safe browsing should be a government institution." I don't immediately disagree, but we must ask ourselves "Which government do we trust with that responsibility?" In America, that's a near-vertical cliff to scale (and it was even before the current government proved a willingness to weaponize its enforcement capacity against speech that should by rights be protected).

If I don't like Chrome safe browsing protection, I can turn it off or change browsers. What do I do if I don't like my government's safe browsing protection? Is it as opt-out as a corporate-provided one is?

[ImPostingOnHN]

> Well, no... That's the thing about false negatives vs. true negatives. The more effective the safe browsing protection is, the fewer false negatives.

That reiterates what I said: the harms happened before, and will continue happening, no matter what. No action will reduce them to 0.

> a) you have to be doing something pretty unusual to trigger a false positive

I don't think that's true here. Many people have been harmed due to trivial, common actions. Other victims, their charges are secret, and they are not afforded due process, an impartial judge, or even the right to face their accusers. Very tyrannic and kafka-esque. Without transparency into the precise rules and process, we categorically cannot make the above claim, and evidence seems to belie it.

> This seems to be a claim "Safe browsing should be a government institution."... What do I do if I don't like my government's safe browsing protection? Is it as opt-out as a corporate-provided one is?

Good news! It isn't. Who says the government needs to provide safe browsing protection? There are other levers governments can take, like investigating and prosecuting criminals, and making victims whole. "Safe browsing" exists because the government has so far failed at that. Law enforcement is more focused on rounding up & perpetrating violence upon people with different skin color than them, I guess.

All that said, I feel like I articulated a pretty good alternative if google really wants to keep safe browsing going: just provide due process to their victims, which includes: a presumption of innocence (one even weaker than in public policy); the right to face their accusers; the right to a speedy, public trial; the right to defend themselves; and the right to an impartial judge/jury.