Google Warns Users About "Unsafe Sites"

Dynamoo writes "The BBC is reporting that Google will start to warn users about unsafe websites, in particular those that host spyware or have privacy implications. The technology to do this has been developed in partnership with StopBadware, and appears to be an alternative to the popular McAfee SiteAdvisor application. Perhaps this will help curtail slimeware ridden sites from peddling their wares. But it will be interesting to see how Google rates some of its own products, including the potentially risky Google Desktop."

This will invite more unjust lawsuits

[etymxris]

If you thought Google had a lot of lawsuits when altering pageranks of linkfarms, wait until limewire et al start suing Google for "defamation".

Why not just stick them at the end of the search

[Snarfangel]

A "screensaver" site isn't going to get much traffic on page 1000.

flag javascript, flash, schlockwave

[Anonymous Coward]

You mean they will start flagging any site that uses javascript, flash, schlockwave etc, or is this too much to hope for?

Google Desktop

[corychristison]

But it will be interesting to see how Google rates some of its own products, including the potentially risky Google Desktop.

I still don't really see how potential problems are real problems unless they have already been exploited and proven.

In my opinion it's like saying I am a risk because I have arms. Potentially I could strangle someone with them. :-P

Many web sites are "unsafe" because

[portmapper]

their WWW browser and/or OS is unsafe in various ways. We know that IE and Windows is not the safest combination,
but looking at the recent string of security holes in Firefox/Thunderbird shows that this is not particulary
safe either.

Why not fix the software and/or its default configuration so that it is safe to use?

Google Dekstop isn't unsafe

[man_ls]

Google Desktop isn't unsafe in any way. Google fully discloses the fact that they'll be rooting around in your hard drive and mixing data from there, with data from their servers, for the purposes of providing a local Google search to you on your own machine.

There's nothing wrong with people who are willing to voluntarily give up some measure of their own privacy in exchange for a service provided on that data -- I use Gmail for all of my e-mail, even to the point of forwarding multiple accounts into my gmail inbox, and don't think twice about the fact that somewhere, Google is reading and storing it.

The problem arises when people aren't informed their privacy is being tampered with...malicious web toolbars and cursor packages, Gator, etc. No anti-spyware application I've seen to date has detected Google Desktop (granted, I've only seen 3 machines that actually used GD) but that says something to me.

Poop

[Known Nutter]

Google Desktop and crap-ware ridden screensavers have nothing to do with one another. Summary is a google-bashing troll, at best.

About Time

[Nom du Keyboard]

It's about time. I've been saying this to them, and about them, for a very long time. I can't think of a better value-added service that any search engine can provide in these days of dodgy web-sites. Would be nice if, like their Adult Content filter for images, you could simply set your Google to not even ask you if you wanted to continue, but block out these sites entirely (remember other people use your computer too).

Or even better still, read the Google cache of the site with all the bad stuff removed. That would be trick!

I'm sure my letter of commendation, along with Google stock options grant, is arriving any moment now.

Re:Google Dekstop isn't unsafe

[DamnStupidElf]

Nothing wrong with people installing Claria or spyware either, as long as they understand they're giving up their privacy. The difference is just in how much their privacy is worth to them. Some people's privacy is worth the ability to quickly search all their documents, other people's is worth a couple pretty screensavers. In that sense, it's good that Google will at least make people aware of any possible privacy/security issues.

Conflict of interest?

[tnk1]

Like Financial Services companies that used to advise their clients to buy their company's own investments, I can easily see how Google getting involved in this could be a quagmire. As the summary example pointed out, what happens when Google's own software is dangerous? Do they have to face down their own rating service to get it out there? Chances are... they won't. They will assume that all Google software is "Good" software.

Fair enough, since I guess you can assume that Google wouldn't be actually creating malware on purpose. If you just single out those sites with the 1000 porn banners that try and install virii and spyware on your computer, Google won't have a problem. However, I think, the real problem for most users is not sites like that which are obviously dodgy, its the sites that look clean and professional that seem to have a legitimate purpose for their software, and often those proprietors are quick to try and play up their legitimacy. When Google marks them as "bad", you can expect lawsuits.

While I find that this may be a big plus for a search engine that can be percieved as impartial to software makers, as Google becomes a notable software maker itself, it may be an issue. It certainly could leave them vulnerable to the charge of conflict of interest as time goes on.

Re:Many web sites are "unsafe" because

[ScentCone]

Why not fix the software and/or its default configuration so that it is safe to use?

That doesn't address sites that deliberately link people to executables that they delibrately download and run because they think they're about to see a 3D holographic movie of unicorns actually producing rainbows in the shape of guardian angel puppies protecting endangered species that are making jokes about the president.

The point is that if Google finds sites polluted by such malware - not just some plugin-abusing bit of blinking nonsense - then they're going to give you the heads up on the link. I think it's great - but it will just make the bad guys get involved in another hide-the-malware arms race.

Re:About Time

[Bryansix]

I agree that I love the service but I don't think they should block any sites entirely. If people want to ignore the warnings then they should be able to. The reason why is that it only takes one false-positive to make Google look dumb and get a bunch of bad PR for "censorship".

While they're at it ...

[cybermage]

Why not give users feedback about their browser or the browser compatibility of sites? I think it would be nice if Google would tell IE users with Active X on that a site they're about to visit contains Active X and may be a threat to their system.

Better yet, consider standards compliance and accessibility when ranking pages.

If Google wants to use their position to police the Internet, why stop with Spyware. Test whether people have a secure browser and tell them when they don't:

"FYI, your version of IE is 3 years out of date. Please go here [microsoft.com] to upgrade it, or go here [mozilla.com] to replace it."

They could fix a lot of the problem right there.

Re:Why not just stick them at the end of the searc

[bkgood]

Because google [claims it] doesn't alter search results. Flagging them doesn't technically alter them (it just displays a bit more information), but moving them to the bottom of the pile, so to speak, is.

But what if your site was somehow rated as "spyware-filled", when, in fact, it wasn't? Would you rather be flagged as dangerous, or would you rather be sent to the bottom? At least the flag can be ignored.

Re:This will invite more unjust lawsuits

[Jerf]

It would be a brief lawsuit.

The most important defense to an action for defamation is "truth", which is an absolute defense to an action for defamation. - Defamation: Libel and Slander Law [expertlaw.com] at ExpertLaw

To win this lawsuit, the malware providers are going to have to prove that they don't do exactly what Google says they do, which is going to be challenging.

Some borderline cases might slip through; I seem to recall Gatorsoft (maybe as Claria?) getting an exemption from some anti-spyware software/lists by claiming that the user installed their products for the features (like automated form-filling) and were 'clearly' notified about the other aspects of the software, but even catching the totally sleazy operators would be a major win. (And odds are Google would still find some verbiage to apply to even this edge case even if they were sued.)

Re:Conflict of interest?

[noidentity]

If you don't trust Google, then you won't trust their software or malware detection. If you do trust Google, then you will trust both. I don't get the problem.

Re:Pandora's Box

[Bryansix]

The original post never implied that searches for porn should turn up anything else but porn. It just said that if you search for kitty cat that you shouldn't get a bunch of beastiality websites. Now if you searched for "kitty cat porn" then fine.

Re:Dangerous Words

[AndreiK]

Google wouldn't profit by blocking 99% of the internet, including itself.

Re:Google Dekstop isn't unsafe

[Tweekster]

Google Desktop is a product in and of itself. No one WANTS claria. No one seeks out claria to install. People actively go get Google Desktop because they want Google Desktop for the features it provides. Find me one person that said "damn computer, I need that claria product to make it useful"

It piggy backs on other thigs that are useful..that is a significant difference

Re:flag javascript, flash, schlockwave

[Andrew Kismet]

What is it with the anti-javascript/flash attitude here? Properly managed use of Javascript is fine. Yes, it has more holes than swiss cheese, but it is so easy to disable and manage with firefox and the like; why claim that ANY site using Javascript is a "potential security risk"? The same goes for PHP, Flash, and every other web technology that has potential security holes; surely, nine outta ten times, the benefits outweigh the risks. Yes, AJAX is overhyped, but Javascript is in its name for a good reason.

They'll flag sites that deploy malware, spyware, and other junk. They'll flag sites that use unrestricted javascript and dangeous security workarounds. Not everything. Blanket labelling would only cause annoyance.

I'll tell you what a pandoras box really is

[deft]

People like you starting to censor things on the web for the rest of thw word..... how about a little self censorship for you and your family.

i'll keep your box closed for now.

Re:Many web sites are "unsafe" because

[GoodbyeBlueSky1]

I'm really getting sick of smartass comments like this.

Why not require users to pass a course on safe computing before they have a license to use the internet?
Why not format the hard drive of every user who picks up a virus from a website, to teach them a lesson?
etc...

How about: Why not stop spouting rhetoric and attempt to deal with the malware/trojan situation (which will NEVER fully be solved by OS/browser security) in a realistic manner without the high-and-mighty attitude?

Re:Here's the Link

[Suspended_Reality]

The grandparent wasn't trolling. It was satire. Note the non-link to a non-existent, yet parodied sub-pop culture reference for an article about harmful websites. I for one thought it was funny.

Re:This will invite more unjust lawsuits

[ackthpt]

And what about sites that sell malware as tangible goods, like anybody stocking Sony CDs?

I'm not terribly worried about these sites, for myself, as I'm pretty up on things. The real target would be the unsophisticated computer users (i.e. those who have several bots running on their computer and don't know it.)

What would be very useful is a Safe Mode button on browsers which turn off/on image viewing, flash, java, all plug-ins, etc. You'd need to reload, but if you are looking for text, the rest of that is so much dross anyway.

now lawsuits, just wait until they warn about FUD emitting sites. ha!

Re:Just Grow Up and Respect Women

[jellomizer]

Well there are other spots too. For example if you want Game Hints, (Many of those have Spyware), checking out some "Funny" stuff that a friend forwards you. or some other sites where the site owners don't ask to many questions about the add and revenu they get from it. Sure CNN and FOX News wont be filled with the crap. But the smaller web sites do. Also when you are searching for information on google sometimes they just bring you to the wrong spot because they found out how to get themselves ranked higher in google so you click on the link and bang you infected.

Re:This will invite more unjust lawsuits

[plover]

I think a big part of the problem lies in the precise definition of malware. What attributes, exactly, define malware? Some people suggest that malware is anything and everything that can't be 100% uninstalled. But many of Microsoft's OS packages fit that description (as does the "Windows Genuine Advantage" program.)

Is it software that reports individually identifiable tracking information? Any web page using Google Analytics, IMR Worldwide, Tacoda, or Overture is already doing that (as is the "Windows Genuine Advantage" program.)

Is it software that connects to a previously unrevealed external server? The "Help" button in many programs is nothing more than a link to a helpful web site, and sometimes that site isn't run by the company that wrote the original software. (So does the "Windows Genuine Advantage" program.)

I'm being somewhat facetious here, but there seems to be a lot more "I know it when I see it" attitude towards malware than there are actual definitions. Sure, there's a lot of crap I've scraped out of other peoples' computers that I'd call "malware", but I'd be hard-pressed to come up with a good definition that would withstand these sleazeballs' attempts to sue Google.

This Will Only Provide a False Sense of Security

[Jherek Carnelian]

This is one of those ideas that sounds good in theory, but isn't likely to help much in the long run.

The reason it won't work very well is that all the malware sites have to do is present a non-malware version of their pages to google's spiders. If they don't see the malware, they can't know it is there for everybody else.

So, at first we will see Google correctly identify malware sites, and that will be effective for just long enough that people will come to expect that sites without a malware warning are safe. By then, someone will have come up with an automated systems for giving google a "clean" version of the website and serving malware to everyone else. This automation will spread rapidly and then google will no longer be effective - but now some number of people will have started to rely on google's warnings (or rather lack of warning), thus making them more vulnerable than before.

I think another poster's idea is much better - include malware detection as part of the pagerank score. Don't advertise it, don't spell it out, just do it. Malware sites will sink to the end of the search results (where they belong anyway since they are rarely useful for anything but malware distribution). Eventually the malware distributors will figure it out and start feeding "good" pages to google's spyder - but at least no regular users will ever be lulled into a false sense of security by thinking that the lack of a warning is an indication of safety.

Re:Just Grow Up and Respect Women

[mikeswi]

You, sir, have swallowed someone's propaganda hook, line and sinker. Some sites do use porn to trick people into installing spyware, but they are just one of many types of sites that do this. I've gotten to know a number of porn site webmasters over the years and nearly all of them absolutely hate spyware.

I do spyware and antispyware testing all the time as part of my job. I go to sites with ActiveX installers or that exploit browser flaws and let a virtual machine become badly infected and then run various tests.

Not once have I ever had to go to a porn site to do this. Wrestling fan sites, yes. Serial number and warez sites, yes. Screensaver sites, yes. Certain "ad-supported free hosted" sites, yes. Porn, no, not once.

Re:This will invite more unjust lawsuits

[evil_Tak]

What attributes, exactly, define malware? Some people suggest that malware is anything and everything that can't be 100% uninstalled. But many of Microsoft's OS packages fit that description (as does the "Windows Genuine Advantage" program.)

This is not a coincidence.