As some of you may have noticed, this site was shut down for 2 days last week, along with a variety of sites we host on this same server for local charities and friends. This happened as a result of a short line of code inserted in a comment to a post on the Typesmith.com site, which is a mirror of this site in a different presentation format. The comment was from a spammer and the code it included was a redirect to another site which is accused of hosting malware.
Very bad stuff. We don’t want anyone going to any of our sites and getting involuntarily redirected or being exposed to malware in any way. Google also doesn’t like it, and they responded by effectively blacklisting our site, which caused all of the visitors for about 48 hours to receive this ominous malware warning instead of being able to access this site or any others we host:
That’s a pretty alarming message to see in your browser. Possibly more alarming for us than it was for any customers who came to the site during that period. But on reflection what seems most alarming about this is the fact that Google has somehow acquired the power to do this.
Put aside the fact that our page was not hosting any actual malware, just a redirect to a site which Google had already interdicted and which was ultimately shut down by its ISP for spamming and distributing malware, so no one redirected would ever have actually been affected. Put aside the fact that Google blocked our entire server, not just the offending site itself. What is really troubling about this is that Google has put itself in a position to essentially be the policeman of the internet entirely on its own authority. Through deals with browser manufacturers they have been given this ability to shut down websites – effectively entire businesses – with no legal authority, no oversight, no accountability and no legally recognized process of appeal, adjudication or remedy. Google just decides there’s a problem with your site and they shut it down. My elected representatives in Congress didn’t give them this authority. The FCC didn’t give them this authority. They just took it.
There are good things about the “wild west” character of the largely unregulated internet, but the ability of a single powerful company to shut down websites like this is not one of them. Google’s influential search engine already makes them enormously powerful. That it has given them the leverage to set up this internet policing system is truly disturbing. Big Brother turns out not to be the government, but to be a well intentioned internet business with too much power and no constraints on its actions.
We would never knowingly host malware or a redirect to a questionable site, and we appreciate anyone who will help us keep our site clean and safe. Had Google just sent us a warning email about the potential problem, we would have fixed it as a top priority. But their unilateral actions and their practice of interdicting our whole server rather than warning us directly made it look very much like we were the source of the malware and that all of our sites were infected, when in reality neither was the case. No one was ever exposed to the redirect in question and since the site it referenced – the proper target for any action – was already shut down there was never any real risk to anyone.
On the web you live and die by the reputation of your company. We’ve been working for years to establish a reputation as a stable and trustworthy supplier of the very specialized fonts and graphic arts products we deal in. We would never want that reputation tarnished by being involved in distributing malware, but we also don’t much appreciate it being tarnished by the actions of Google which we never asked to provide this service and which has never been given the power to regulate the internet by any legitimate authority. Though hard to estimate exactly, the damage done by their actions has to be substantial. Every time they drove away one of the thousands of users turned away in this period who may never return to the site, Google did us direct and irreparable harm.
Of course, we immediately followed through on Google’s suggestions for how to address this problem. We found and removed the offending line of code. We installed clean and updated versions of WordPress on our various pages. We changed our admin passwords. We protected key directories from any kind of outside access. We even took several pages offline completely in the short term just to be safe. Then we requested a “reconsideration” of our situation from Google. We did all that within a couple of hours and it still took Google almost two days to remove us from their blacklist.
All of this could have been avoided if they had just sent us a simple warning email. This is the first time we’ve ever had a problem in 15 years online, and as a company which is not involved in scams or distributing questionable software we deserve to be treated better. It’s important to protect consumers, but it’s also important to give people a chance to solve their problems voluntarily and not treat everyone like criminals when your malware bot flags them. It’s not like they don’t know how to get hold of us. We’re signed up for their site analytics, so they have our email. Had they just contacted us we would have fixed the problem. They would have helped us and our customers out and built good will all around. They’d be heroes. But instead, their arrogant and dictatorial approach to this problem has made them villains as much as the authors of the original malware — more so, as that malware did no real harm despite its potential, while Google knowingly and unnecessarily harmed an innocent party, because we were the actual target of the exploitative script.
So take this as a warning. Make sure your websites are kept clean and that any web software you’re running is up to date. Reduce your vulnerability to exploitative scripts as much as you can, because that is your responsibility if you run a website. But be warned. If you ever have a problem like we did, there are mindless malware bots out there and Google has given itself the power to shut you down and ruin your reputation because they’re big enough to do it and no one is willing to challenge them.
And, of course, we apologize for any inconvenience this caused any of our customers, both on our own behalf and on behalf of Google, because they don’t have to apologize to anyone.