Wednesday, July 30, 2008

McAfee and Yahoo Unethical - Above the Law Too?

McAfee and Yahoo, in an effort to compete with Google, have for several months now attempted to identify and censure websites that they say are sources of "unsolicited emails" or spam.

Sounds good. We all hate spam. Problem is the McAfee SiteAdvisor software isn't always accurate. They make mistakes. Shane Keats, research analyst for McAfee, admitted as much last May to blogger Stefanie Hoffman when he said, "Occasionally it's our fault. We absolutely do have false positives."*

Personally, I know that McAfee makes errors. Our website, www.rumford.com, which is all about fireplaces - not spam - was falsely targeted by McAfee as a source of "unsolicited emails".

All this might be understandable and forgivable since the McAfee SiteAdvisor program is in beta which should mean that all the bugs have not been worked out. But McAfee and Yahoo have been difficult to contact, evasive, arrogant, unwilling to accept any responsibility and ultimately untruthful - and not just with me.** Here's a comment from Spartanicus on the Google webmaster help blog:

SiteAdvisor has trashed many good sites and then revised their ratings after being called on it. In the past their "methodology" could be summed up as "shoot first, revise later".

In our case it took a whole month to get to anyone at McAfee with a name. In frustration I filed complaints with the Better Business Bureau and with the Washington State Attorney General and started reading and contributing to several blogs** about Yahoo and McAfee. I also tried to reach someone at Yahoo but was told they took no responsibility for the "warning" posted prominently on their search engine next to our website.

I know that McAfee made a mistake. They said right on the warning that they had posted an email address on our website that resulted in the unsolicited spammy email messages they said they received. They could not have posted an email address on our website. I manage the website myself, manually. Could I have a worm? Could I be wrong? I'm not the most sophisticated website manager, so I asked the owner of our server who said,

"The claim on McAfee Site Advisor "After entering our e-mail address on this site, we received 3.8 e-mails per week. They were very spammy." demonstrates no credible evidence that you are the source of that spam. This is sloppy analysis and sloppy disclosure.

McAfee has the power to damage organizations but does not exercise the corresponding responsibility. I would recommend that you ask them for the detailed evidence they gathered to make their assertions. You might use our certified mail in your correspondence with them in case they do not acknowledge your mail."

Yet I never got McAfee to even admit that they may have made a mistake. All they would say is that I should fix "our problem", let them know and they would re-test the site in about eight weeks to see if we still deserved the "redX" warning.

I persisted. I thought they had not read or understood my questions: Since we have no forms to fill out nor any other way to automatically post email addresses,
1) How did your crawler post an email in the first place?
2) How will it now retest by posting another email address?

I was referred to another Executive Services Team Specialist - and another, and another and another. The last Specialist, Kimberly Smith, after several email exchanges, I'm sure did understand my questions but still wrote back, refusing to answer my direct questions, with:

"McAfee's position has been expressed clearly to you, I'm sorry that you find this unsatisfactory. I'm unsure how else to say that your site was tested and received a rating based on that result. When the site is retested if no forms are found and your site warrants an adjustment, the rating will be changed."

This is doublespeak right out of George Orwell's "1984". Kimberly even referred me to the McAfee legal department, which I understood to mean that they would support the company line that Kimberly espoused that McAfee would admit no error, would not reveal their methods or evidence (that's proprietary) and that the rating was somehow my fault. I stand falsely accused, my website publicly defamed, and unable to confront my accusers or know the evidence they used to make their accusations.

Two months after it all started I must have made enough of a fuss that McAfee changed our rating from a "red X" to a "green check" and about a week later Yahoo followed suit. I know they did not re-test. They just corrected the problem and said, for the record covering up their mistake, that they re-tested.

Stefanie Hoffman quoted Priyank Garg, director of product management for Yahoo Search, that "there was an escalation process to evaluate false positives that could take days to a matter of weeks, depending on the nature of the detected security threat".

That "escalation process" appears to have only been used when Yahoo had listed Google as a site that distributed malware, according to a May 11 Techcrunch report--an error that was remedied within a few hours of discovery.

Stefanie Hoffman also quoted Shane Keats on her blog.

"We're very proud of our ability to respond quickly and fairly to those concerns, and when we make a mistake, we admit it and correct it and do our best not to do it again,"

But that's not the response I was getting. By now I had been lied to by Yahoo and McAfee repeatedly, making a mockery of the comments made by Shane Keats and Priyank Garg.

Even though McAfee finally corrected their error, I was feeling violated and angry and had hired a lawyer who only told me it would take at least $200,000 to sue McAfee - although he would love to take the case.

If McAfee had demolished my car legally parked out in front of my house I would expect them or their insurance company to pay for the damage. Even if they denied any wrong-doing and I had to take them to court, I wouldn't expect it to cost $200,000.

What's wrong with our system that allows a big international Internet corporation to run over my little website and damage my business with impunity?

Based on McAfee's statements both the BBB and the Attorney General's office consider the case resolved. But I don't. It's as if McAfee claimed they weren't responsible for damaging my car because it was my fault for parking it in the street but that if, when they raced by next month, they didn't hit my car again, they'd consider the issue resolved.

I wish the BBB and the Attorney General would hold McAfee and Yahoo - and all other businesses - to some commonly accepted ethical standards which should include being available, responsive and honest. In the particular case where McAfee and Yahoo are "rating" or "evaluating" other websites, using a method known to be faulty and being fully aware that their ratings could damage the reputation or business represented by the websites they rate, McAfee and Yahoo should at least be required to:

1) Notify the person managing the website before publishing the rating to verify its accuracy and to allow for an explanation or solution to the problem, if any, before the damage is done.

2) Be available, responsive and honest in trying to fix any mistake McAfee or Yahoo may have made.

I think the Attorney General or the Small Business Administration or the Better Business Bureau should set up some sort of mediation hearing process where the rules of legal procedure apply such as the right to be assumed innocent until proven guilty and the right to be confronted by an accuser with evidence supporting the accusation. And, if that fails, help in filing a lawsuit.

This should be a lot more like traffic court or small claims court and big corporations should be held at least as responsible as common thieves or drunk drivers are. Our damages are small compared with the projected $200,000 cost of taking the issue to court. I lost about 100 hours of time and a few hundred dollars in legal fees. I can't tell for sure if it hurt our business at all since most of our customers (fortunately) use Google instead of Yahoo. Our page hits are actually up. But what assurances do I have that McAfee and Yahoo - or worse yet Google - won't damage us with a false rating next week?

_______________

* From http://www.crn.com/security/208401061

** See the blogs and comments at:
http://www.ghacks.net/2008/05/07/yahoo-marks-dangerous-search-results/
http://www.hamburg-english.de/http://search.yahoo.com/search?p=hamburg-english.de&fr=yfp-t-501&toggle=1&cop=mss&ei=UTF-8
http://www.snowwowl.com/flashyahoomacafeetargetsnowwowlcom.html
http://goodle.crmreports.com/2008/05/yahoo-search-adds-searchscan-malware.html
http://www.straightupsearch.com/archives/2008/05/yahoo_turns_on.html