Tread softly, because you tread on our websites

[As ever, this is also on the BBC website, edited to take out the Yeats…]

Sometime in October a malicious program exploited a security flaw in the WordPress software I use to host my weblog and injected some extra commands into one of the widgets I use to add features to the site.

They opened up a connection between the blog and a site that tried to download a malicious piece of software to any site visitor unfortunate enough to be using Microsoft’s Internet Explorer.

Anyone who visited my site would have been prompted to install a clearly unwanted piece of software, although as far as I know nobody was affected. However I can’t be sure and hope that I didn’t unwittingly cause damage to anyone else’s computer.

I upgrade my installation regularly, and apply new security patches as they come out, but this happened in the few days before the release of a new version and I was caught.

Yet I only found out about the problem when a kind reader emailed me to tell me that Google was warning prospective visitors that my blog might ‘harm’ their computer.

I hadn’t noticed the warning because, strange as it may seem, I don’t Google my own name that often (searching blogs is a different matter, of course!)

And I hadn’t found out from Google, either because they didn’t send any emails or because the company that acts as technical contact for my site didn’t bother passing them on.

Once I knew what had happened I searched for and found the offending code, but it has taken three weeks to get the Google warning removed, and the experience has been a salutary one.

I started off at StopBadware, the organisation Google works with to flag sites hosting malicious code. Run by Harvard Law School’s Berkman Center for Internet & Society and Oxford University’s Oxford Internet Institute, it describes itself as ‘a “Neighborhood Watch” campaign aimed at fighting Badware’, and it does a good job of listing sites and providing information for users and site providers.

I searched for information about what they had found on my site and discovered that although Google had flagged my blog it hadn’t passed any information on to StopBadware. So I requested a review using the form provided, hoping to get some information to help me find out what had happened and which pages were affected.

I had to email them three times before I got a reply, and had to wait ten days for that, and even then there was no information on exactly what Google had found on my site, so I had to search myself.

Eventually I discovered that I could find a lot more information and request a review more effectively by signing up for Google’s Webmaster Tools. This is a great service, but it isn’t something my small blog really needs and of course signing up gives Google access to a lot of information about what I’m up to, information I’d rather they didn’t have.

But when the alternative is a blood-red sign saying ‘All hope abandon, ye who enter here’ splashed over Google’s search results there really is no choice.

And now my site is clean and Google likes me again.

Malware on websites isn’t the only area where private organisations are taking on this sort of police action. There is a similar debate going on over email and spam, with groups like Spamhaus creating lists of servers that they believe are sending out spam. Other organisations subscribe to the Spamhaus Block List and will block emails from those servers.

Their approach is pretty effective at closing spam relays, but of course sometimes the listing is wrong and sometimes there is collateral damage, when a server used by an ISP is listed and all of its customers are affected.

Part of me would like to see this sort of listing done by the appropriate authorities, perhaps even the police, with some degree of judicial overview and a formal appeals process.

Of course this is not going to happen, at least not on the global basis that would be needed to make it effective.

And the only real option for anyone who runs their own website is to sign up for Webmaster Tools to keep an eye on what the rainbow monster thinks of them.

But if we’re going to live in a world where Google, StopBadware, Spamhaus and all the other private organisations offering to make the net safe have so much power then we have to push them to do a better job, especially when it comes to communication.

The point is not that this is online vigilantism, although it surely is. The point is about accountability, openness, responsiveness and the other things that we require from state actors but too often leave up to the market to enforce for private companies.

In his poem ‘Cloths of Heaven’ WB Yeats asks his lover to ‘tread softly because you tread on my dreams.’ For many of us our websites, email addresses, personal profiles and the other aspects of our online lives are vital parts of who we are, and at least as important as our dreams.

The organisations and companies seeking to fill the gaps left by law enforcement need to tread carefully too, and must treat those affected with respect and care, or they cannot expect us to support them, however noble their intentions.

Bill’s Links

The Spamhaus Project:
StopBadware blog:
Google Webmaster Tools: