
Comment by heybrendan

5 years ago

Can anyone "in the know" objectively comment if Google Safe Browsing (GSB) has had a net positive result or outcome for the Internet, at large?

Has GSB helped users, more than it has hurt them?

The anti-Google rhetoric [on HN] is becoming more tiresome as of late. Personally, I welcome the notifications in my browsers that a domain is unsafe. I can't possibly be the only one.

The problem, from HN's perspective, is that false positives on GSB hurt businesses a lot more than they hurt users or the internet at large.

If I'm a random person browsing the internet at large, and a website I try to visit gets flagged as "possibly malicious", well, I probably didn't need the information or services on that particular website that badly anyway. I can find another website that offers the same information and services easily enough. Meanwhile, if my computer or browser is infected with malware, that's pretty bad for me personally. I could lose money, time and personal data and security. The potential consequences are bad enough that I really shouldn't risk it.

On the other hand, if my business is blocked by GSB, that is very bad for my business. The customers I don't lose are going to lose confidence in me. Meanwhile, the cost to me if I am accidentally hosting malware is pretty minimal. Even if a large number of my users are harmed by the malware, they're unlikely to be so harmed they stop paying me, and it's pretty hard to know where you picked up malware, so it's unlikely to be traced back to me. I've never actually heard of a lawsuit from an end-user against the website they downloaded malware from.

A false negative from GSB is a lot worse for internet users than a false positive; an internet business, on the other hand, would prefer a false negative to a true positive, let alone a false positive.

Add in that internet business owners (or people highly invested in internet businesses through their jobs) are over-represented on HN, and it's no surprise that HN is not a fan of Google Safe Browsing.

  • > an internet business, on the other hand, would prefer a false negative to a true positive, let alone a false positive.

    [Emphasis mine]

    This is crucial and it's why the sub-threads imagining suing Google aren't going anywhere. Google will very easily convince a judge that what they're doing is beneficial to the general public, because it is, even though some HN contributors hate it because they'd prefer to meet a much lower standard.

    What I'm seeing a lot of in this thread is people saying OK, maybe a burger we sold did have rat droppings in it, but I feel like our kitchen ought to be allowed to stay open unless they buy at least a few hundred burgers and find rat droppings in a statistically significant sample and even then shouldn't I get a few weeks to hire an exterminator? Isn't that fairer to me?

I think GSB is great because there is no other product like it, it is very fast to respond to most threats and it can be used for free. The only thing about it that's not great is, in typical fashion, the lack of transparency about some of the processes. Not about how phishing verdicts are created, this should remain a closely guarded secret, but about what actually happens when you send a report or send a review request.

Author here. It's not really rhetoric, I wrote the post because it's downright scary that your business of over 10 years can vanish in a puff of smoke because Google didn't bother to require an offending URL field in an internet-wide blacklist. At the level they operate, there needs to be a semblance of due process.

What about false positives?

From the fine article: one Google system was detecting emails coming from another Google system as phishing. This is ridiculous.

  • It's needed to make sure you can not claim bias. For example Google blocking competitors, or unfavourable information.

It's hard to argue against "safe". If they would name it "filtered browsing" it might be something arguable, but "safe browsing", who wouldn't want that?

If Safe Browsing were offered by some neutral internet organization (e.g., similar to IANA) I wouldn't mind. But it's offered by a private company: so it's naive to think that GSB benefits anyone other than Google itself.

I'd guess a large net positive among the general population but maybe neutral for the tech literate like HN readers. Most tech-literate people are careful enough to recognize tactics used by phishing sites and won't click on phishing links, or would click and immediately figure out it's phishing. That cannot be said for the general population.

It seems similar to the move from client side spam filters to the server side.

Spam filtering really didn’t get better with the change (for me), but now it’s orders of magnitude harder to run an email server.

Taking the article at face value, GSB makes it much harder to run a reliable web site. Has centralization of email into surveillance organizations hurt more than the benefit from saving bandwidth to download spams, and automatically deleting them at the client?

How much damage will (further) centralization of web hosting onto social network sites (Facebook, Twitter, GitHub, Stack Exchange, etc, etc.) hurt the internet?

It’s arguably already done more harm than good. I can’t even find a decent recipe that a high end laptop can efficiently display. I used to be able to download cookbooks worth of recipes, and my 386 could load them instantly.