SANEBUTDIFFERENT

Feb 28, 2015

Background

I’ve been helping out with the Singapore Press Club website, and recently I decided to do a search just to see the rankings. What I found instead was that the site URL was being abused by a company on their Google Plus page. My subsequent tests and findings made me facepalm over the decisions that Google took when building the Plus platform.

Google should not have linked Plus to Search results, especially without being verified

spc-gplus.001

Not only did Google Search associate the website with the Google Plus page directly in-line, it even blew up the address and map on the sidebar. I’ll admit that this can be somewhat useful (when it’s legit), but this scenario illustrates what happens when things aren’t.

spc-gplus.002

Any entity without an existing Plus page is vulnerable to getting their search results hijacked.

How did this happen? Simply because we didn’t have a Google Plus page first, and they beat us to it by putting the URL. I don’t actively use Google Plus, and I assume that many brands and businesses focus on Facebook and Twitter rather than Google Plus for their social strategy right now. This means that any entity without an existing Plus page is vulnerable to the same situation of getting their search results hijacked.

But wait a minute you say, there must be some forms of checks and balances.

spc-gplus.004

spc-gplus.005

Unverified URLs on Pages will still be presented by Google Search as legit.

Basically, anyone can add any URL that they want on their Google Plus page. In my test page I’ve linked the Coca-Cola website and it accepted just like that. Of course, you can see that the Coca-Cola page has been verified because of the ticks. Verification of URL involves putting a link on your website, similar to how it’s done for Google Analytics/Webmaster Tools.

The thing is, the rogue company’s Plus page with our URL wasn’t verified, and still it was treated as legit and presented to search users! IMO, Google really dropped the ball on this one.

It’s not easy to report abuse on Google Plus

On the Plus page, there’s a bunch of icons for review, sharing and stuff like that, but nowhere was there a Report Abuse link. The closest thing I could find was the generic Feedback link in the dropdown menu, which was for general feedback and not for reporting page-specific abuse.

With some work, I was able to find the page to report impersonation. However, the burden of proving legitimacy lies on the complainant, with official documentation needed. I suppose they could ask for these upfront when creating the page, but that’d be a royal pain and I understand why they wouldn’t. Still, there must be a better way to do this.

Another pain point is perhaps for startups and informal things like FYP campaigns where they don’t have proper paperwork. How then can they prove their legitimacy? And notice that the form basically forces you to have a Plus page just to complain that somebody is impersonating them.

spc-gplus.008

Google should not just allow anyone to own the page

The last straw is when I poked around Plus and tried to create a “Storefront”-type Page, where you can select an address for your page. Thinking I wanted to create a Plus page for The Nanyang Chronicle, I keyed in the address for Wee Kim Wee School of Communication and Information.

Just selecting the address made me the owner of the Page.

spc-gplus.006

The checkbox is all that stands between you and creating a page — Google basically just gives you a moral checkpoint to consider if you really want to do something malicious.

What’s more, I didn’t want to create a WKWSCI page, but just selecting the address led me to become the owner of the WKWSCI page.

spc-gplus.007

At least here they require a physically-mailed code in order to verify and edit the details on the page, but the fact is that the ownership has already gone to someone else, in this case me, when I have no right to own it. That’s like locking the stable after the horse has fled.

Closing Thoughts

Even if your brand or business has no intention of using Google Plus actively, it now seems like a requirement to get a page, for defensive purposes. And that’s just absurd.

Please feel free to share any thoughts or suggestions in the comments below as to what Google can do to fix this.