Who picks the badware? Dispute erupts after Google glitch

For about 40 minutes early Saturday morning, a URL with a single forward slash was inadvertently checked into a list of potential malware sites operated by Google, with some help...maybe...from StopBadware.org.

As a result, its search results partner, Google, was flagging nearly every Web site on the planet as a potential conveyor of malware, from about 6:40 am to 7:25 am PST.

It was an everyday human error, it turns out, and Google admitted as much right up front: "Unfortunately (and here's the human error), the URL of '/' was mistakenly checked in as a value to the file and '/' expands to all URLs," reads a blog post from Google Search VP Marisa Mayer Saturday afternoon. "Fortunately, our on-call site reliability team found the problem quickly and reverted the file. Since we push these updates in a staggered and rolling fashion, the errors began appearing between 6:27 a.m. and 6:40 a.m. and began disappearing between 7:10 and 7:25 a.m., so the duration of the problem for any particular user was approximately 40 minutes."

That sounds gracious and humbling enough, and anybody who's ever typed the wrong character and caused an avalanche of problems can relate to Google's position. But StopBadware, which was supposedly Google's partner in all of this, effectively accused the company of out-and-out lying later that day. Specifically, it said Mayer was wrong to say that StopBadware maintains the list that Google uses.

"Google has posted an update on their official blog that erroneously states that Google gets its list of URLs from us. This is not accurate," read a post from StopBadware's Maxim Weinstein later in the day. "Google generates its own list of badware URLs, and no data that we generate is supposed to affect the warnings in Google's search listings. We are attempting to work with Google to clarify their statement."

Well, Google did make an adjustment to that statement, as it turned out, effectively admitting that the partnership with StopBadware was more limited than Google said it was at the time. "We work with a non-profit called StopBadware.org to come up with criteria for maintaining this list, and to provide simple processes for webmasters to remove their site from the list," reads Mayer's adjusted text.

But that revised explanation would appear to contradict the stated cause of a malware-flagging glitch that happened almost exactly one year ago. At that time, StopBadware was flagging RealPlayer's Message Center as being "malware" in and of itself -- a decision that was apparently being reflected in Google's search results for a time.

StopBadware's flagging of RealPlayer wasn't a glitch, though -- it was intentional, and it was Maxim Weinstein who took credit for doing so at the time. "When RealPlayer 10.5 is installed, the advertising features of this 'message center' are enabled by default for users who choose not to register their personal information with RealNetworks after the software is installed," Weinstein said in a statement last year.

StopBadware.org is a non-profit organization that does compile an ongoing list of malware based on consumer complaints. Up until last weekend, it had been generally believed that StopBadware provided Google with hard information, not just advice.

But that's not what StopBadware's own FAQ reads: "Google independently checks the web for badware and badware-linking code, and places warnings in its own search results. StopBadware's role is to help site owners who want to remove the warnings to learn about badware and website security. StopBadware also administers an independent review process through which a website owner can request the removal of a warning. Although Google's warning pages contain a link to the StopBadware.org site for more information, the decision to post a warning page is an independent decision made by Google, not by StopBadware, and does not reflect any testing or review by us in advance."

However, the organization goes on, a Web site wishing to protest its inclusion in Google's list can speak directly to StopBadware.org, a process which begins by filling out a form that it maintains.