Combating rogue online pharmacies

Tuesday, June 18, 2013 at 11:13 AM ET

Posted by Adam Barea, Legal Director

Editor’s note:  Over the years, we have run a series of blogposts detailing our efforts to remove bad ads from our systems, and describing our approach to handling controversial content on our services.  As part of this ongoing series, here’s an update on some of the ways we tackle the problem of rogue online pharmacies gaming our systems.

For the last several years, Google has worked closely with a number of organizations, government agencies, and businesses to combat rogue online pharmacies from all angles.  

Collectively, we are making it increasingly difficult for these operators to effectively promote their rogue pharmacies online. A variety of websites and web services are refusing ads from suspected rogue pharmacies. Domain name registrars are removing suspect rogue pharmacies from their networks.  Payment processors are blocking payments to these operators, and social networking sites are removing them from their systems too.

As a result, rogue pharmacies continually adapt their online marketing practices, meaning this is an ongoing battle.  We wanted to share some of the steps Google takes to combat them.

Keeping ads safe

Making sure ads appearing on Google and our partner sites are safe continues to be a top priority.  We have extremely stringent ads policies, and use sophisticated automated systems, along with some human review, to identify, block and remove ads suspected of linking to rogue pharmacies.  We disrupt their marketing efforts by making it difficult for rogue pharmacies to abuse our services and evade our filters.

• Since 2010, we’ve only permitted U.S.-based online pharmacies accredited under the National Association Boards of Pharmacy “VIPPS” program to run pharma ads in our AdWords program.  We were the first online search provider to require this certification - there are less than 40 VIPPS certified pharmacies operating in the U.S.

• We partner with LegitScript, an independent company with deep knowledge about online pharmacies, to conduct weekly “sweeps” of ads on Google to help ensure that we are keeping our ads safe.

• According to LegitScript, the number of illegal drug and pharmacy ads on major search engines like Google and Bing has declined by 99.9% percent since 2010.
• In the last two years alone, Google has blocked or removed from its systems more than 3 million ads by suspected rogue pharmacies.

Search results

Our stance on filtering our search results is well-publicized. We do not remove content from search results except in narrow circumstances (e.g., child sexual abuse imagery, certain links to copyrighted material; spam; malware).

Search results reflect the web and what’s online - the good and the bad.  Filtering a website from search results won’t remove it from the web, or block other websites that link to that website.  It's not Google's place to determine what content should be censored - that responsibility belongs with the courts and the lawmakers.

Google will abide by court decisions deciding which content on the web is and is not legal.   We have always removed from our search results any page found by a legitimate court to be unlawful, whether an online rogue pharmacy or otherwise.

Rogue pharmacies are clearly a matter of public concern. This is why we work closely with the Center for Safe Internet Pharmacies (“CSIP”), a 501(c)(3) organization dedicated to stopping rogue online pharmacies and keeping consumers safe on the web.  If a user searches on Google for terms related to online pharmacies or buying pharmaceuticals, a prominent advertisement from CSIP will often appear on the search results page, urging caution and linking to the LegitScript pharmacy verification tool.

CSIP’s ad campaign on Google is funded by a Google Grant, which provides non-profits like CSIP with financial and technical assistance to promote their important missions online.  Campaigns like these help users to better understand the risks involved with rogue pharmacies and fake drugs, at the moment they’re searching for them, and provides users with a simple way to check if any pharmacy they find online is legitimate.

Updating autocomplete predictions

Autocomplete helps our users search faster.  While a user types, autocomplete predicts the user’s most likely search queries based on what the user has already typed. These predictions are an algorithmic reflection of the search terms that are popular with users and on the Internet.  We occasionally tweak autocomplete to prevent shocking or offensive entries from being displayed, but don’t otherwise decide which entries appear in autocomplete.  

Because the feature is algorithmic, some autocomplete entries may include phrases that potentially relate to rogue pharmacies.  We’re evaluating how best to address this issue, have already started running tests on the subject, and always welcome feedback.  

It is still important to understand that - whether or not a predicted query is shown in autocomplete - people can still search for objectionable content that might exist on the web.

Enforcing YouTube guidelines

YouTube has implemented robust community guidelines governing uploaded content and user activity on YouTube.  These guidelines prohibit spam, which includes the posting of large amounts of untargeted, unwanted, and repetitive content. YouTube's guidelines also prohibit the sale of illegal goods or promotion of dangerous activities. Our teams respond around the clock when such content is reported to us. To make the notification process as effective as possible, YouTube provides a flagging tool under every video on the site that lets users and law enforcement easily alert us whenever a video contains content that violates YouTube’s policies regarding pharmaceuticals or illegal drugs.

Earlier this month, YouTube was notified of a number of videos promoting pharmaceuticals that violated its guidelines, and immediately removed them.  YouTube will continue doing so when notified.

Working together with regulators and the industry

In 2010, following discussions with the White House, Google teamed-up with organizations across different industries — including GoDaddy, Microsoft, Visa, Yahoo! —  and took the important step of founding the industry group CSIP. In addition to its public awareness campaigns (such as the one mentioned above), CSIP recently highlighted some industry initiatives by its member companies against rogue pharmacies, and specifically called out the efforts of companies like Google here.

Over the last few years, Google has made thousands of referrals to law enforcement concerning suspected rogue online pharmacies, and will continue to do so.  

In October 2012, we participated in the successful Operation Pangea, in which the U.S. Food and Drug Administration, in partnership with international regulatory and law enforcement agencies, took action against more than 4,100 Internet pharmacies worldwide. We also regularly keep officials up to date on our efforts - in writing and in person.   For example, when the National Association of Attorneys General Intellectual Property Committee invited multiple search engines to participate in discussions with the Committee on November 28, 2012, Google was the only search engine to do so.

*****

The industry as a whole has made significant strides in the fight against rogue pharmacies.  Working together, companies in the private sector, non-profit organizations, and law enforcement have made it increasingly difficult for rogue pharmacies to effectively market their illegal products online, and operators of these sites are being forced to turn to much less effective marketing techniques from the outskirts of the Internet.  

This is great progress, and Google remains committed to working with others in this important fight to protect our users.

Iranian phishing on the rise as elections approach

Wednesday, June 12, 2013 at 6:09 PM ET

Posted by Eric Grosse, VP Security Engineering

Cross-posted from the Google Online Security Blog

For almost three weeks, we have detected and disrupted multiple email-based phishing campaigns aimed at compromising the accounts owned by tens of thousands of Iranian users. These campaigns, which originate from within Iran, represent a significant jump in the overall volume of phishing activity in the region. The timing and targeting of the campaigns suggest that the attacks are politically motivated in connection with the Iranian presidential election on Friday.

Our Chrome browser previously helped detect what appears to be the same group using SSL certificates to conduct attacks that targeted users within Iran. In this case, the phishing technique we detected is more routine: users receive an email containing a link to a web page that purports to provide a way to perform account maintenance. If the user clicks the link, they see a fake Google sign-in page that will steal their username and password.

Protecting our users’ accounts is one of our top priorities, so we notify targets of state-sponsored attacks and other suspicious activity, and we take other appropriate actions to limit the impact of these attacks on our users. Especially if you are in Iran, we encourage you to take extra steps to protect your account. Watching out for phishing, using a modern browser like Chrome and enabling 2-step verification can make you significantly more secure against these and many other types of attacks. Also, before typing your Google password, always verify that the URL in the address bar of your browser begins with https://accounts.google.com/. If the website's address does not match this text, please don’t enter your Google password.

Asking the U.S. government to allow Google to publish more national security request data

Tuesday, June 11, 2013 at 1:39 PM ET

This morning we sent the following letter to the offices of the Attorney General and the Federal Bureau of Investigation. Read the full text below. -Ed. 

Dear Attorney General Holder and Director Mueller

Google has worked tremendously hard over the past fifteen years to earn our users’ trust. For example, we offer encryption across our services; we have hired some of the best security engineers in the world; and we have consistently pushed back on overly broad government requests for our users’ data.

We have always made clear that we comply with valid legal requests. And last week, the Director of National Intelligence acknowledged that service providers have received Foreign Intelligence Surveillance Act (FISA) requests.

Assertions in the press that our compliance with these requests gives the U.S. government unfettered access to our users’ data are simply untrue. However, government nondisclosure obligations regarding the number of FISA national security requests that Google receives, as well as the number of accounts covered by those requests, fuel that speculation.

We therefore ask you to help make it possible for Google to publish in our Transparency Report aggregate numbers of national security requests, including FISA disclosures—in terms of both the number we receive and their scope. Google’s numbers would clearly show that our compliance with these requests falls far short of the claims being made. Google has nothing to hide.

Google appreciates that you authorized the recent disclosure of general numbers for national security letters. There have been no adverse consequences arising from their publication, and in fact more companies are receiving your approval to do so as a result of Google’s initiative. Transparency here will likewise serve the public interest without harming national security.

We will be making this letter public and await your response.

David Drummond
Chief Legal Officer

Helping passwords better protect you

Thursday, May 30, 2013 at 1:10 PM ET

Posted by Diana Smetters, Software Engineer

Knowing how to stay safe and secure online is important, which is why we created our Good to Know site with advice and tips for safe and savvy Internet use. Starting today, we'll also be posting regularly with privacy and security tips. We hope this information helps you understand the choices and control that you have over your online information. -Ed.

It could be your Gmail, your photos or your documents—whatever you have in your Google Account, we work hard to make sure it’s protected from would-be identity thieves, other bad guys, or any illegitimate attempts to access your information.

But you can also help keep your information safe. Think of how upset you would be if someone else got access to your Google Account without your permission, and then take five minutes to follow the steps below and help make it more secure. Let’s start with the key to unlocking your account—your password:

1. Use a different password for each important service
Make sure you have a different password for every important online account you have. Bad guys will steal your username and password from one site, and then use them to try to log into lots of other sites where you might have an account. Even large, reputable sites sometimes have their password databases stolen. If you use the same password across many different sites, there’s a greater chance it might end up on a list of stolen passwords. And the more accounts you have that use that password, the more data you might lose if that password is stolen.

Giving an account its own, strong password helps protect you and your information in that account. Start today by making sure your Google Account has a unique password.

2. Make your password hard to guess
“password.” “123456.” “My name is Inigo Montoya. You killed my father. Prepare to die!” These examples are terrible passwords because everyone knows them—including potential attackers. Making your passwords longer or more complicated makes them harder to guess for both bad guys and people who know you. We know it’s hard: the average password is shorter than 8 characters, and many just contain letters. In a database of 32 million real passwords that were made public in 2009, analysis showed (PDF) only 54 percent included numbers, and only 3.7 percent had special characters like & or $.

One way to build a strong password is to think of a phrase or sentence that other people wouldn’t know and then use that to build your password. For example, for your email you could think of a personal message like “I want to get better at responding to emails quickly and concisely” and then build your password from numbers, symbols, and the first letters of each word—“iw2gb@r2eq&c”. Don’t use popular phrases or lyrics to build your password—research suggests that people gravitate to the same phrases, and you want your password to be something only you know.

Google doesn’t restrict password length, so go wild!

3. Keep your password somewhere safe
Research shows (PDF) that worrying about remembering too many passwords is the chief reason people reuse certain passwords across multiple services. But don’t worry—if you’ve created so many passwords that it’s hard to remember them, it’s OK to make a list and write them down. Just make sure you keep your list in a safe place, where you won’t lose it and others won’t be able to find it. If you’d prefer to manage your passwords digitally, a trusted password manager might be a good option. Chrome and many web browsers have free password managers built into them, and there are many independent options as well—take a few minutes to read through reviews and see what would be best for your needs.

4. Set a recovery option
Have you ever forgotten your password? Has one of your friends ever been locked out of their account? Setting a recovery option, like an alternate email address or a telephone number, helps give the service provider another way to contact you if you are ever locked out of your account. Having an up-to-date recovery phone or email address is the best thing you can do to make sure you can get back into your account fast if there is ever a problem.

If you haven’t set a recovery option for your Google Account, add one now. If you have, just take a second to make sure it’s up to date.

We have more tips on how to pick a good password on our Help Center, and in the video below:



Your online safety and privacy is important to you, and it’s important to us, too. We’ve made a huge amount of progress to help protect your Google Account from people who want to break into it, but for the time being, creating a unique, strong password is still an important way to protect your online accounts. Please take five minutes today to reset your important passwords using the tips above, and stay tuned for more security tips throughout the summer.

Protecting Seniors from Identity Theft

Tuesday, May 7, 2013 at 7:51 AM ET

Posted by Jenny Backus, Public Policy Team

Every day in this country, someone’s mother, grandfather, or older neighbor is a victim of identity theft. Whether the identity thieves attack through a confusing telemarketing scam, a misleading piece of mail, or over the Internet, seniors and their families are increasingly at risk of long-term financial and emotional damage that can take years to undo.

In order to address this issue, the Federal Trade Commission and a coalition of public and private partners like the National Consumer League’s Fraud.org are working together to protect seniors from identity theft. Google will also be recognizing Older Americans Month this May by offering tips for seniors to help them stay safe and secure online.

The FTC’s report of 2012 consumer complaint data recently showed that complaints about identity theft from older Americans are increasing at a faster rate than for any other age group. In fact, identity theft complaints from those over 70 increased by almost 70% since 2010, while complaints from 60 to 70 year olds increased by 53% in the same period.  

Google’s Good to Know site is designed to help educate consumers of all ages about online threats and tools they can use to protect themselves, including information on how to protect themselves from identity theft.

Here are five tips from our security experts:

• Don’t reply if you see a suspicious email, instant message or webpage asking for your personal or financial information. Identity thieves can steal your information and then use it to withdraw money from your bank account.
• Never enter your password if you’ve arrived at a site by following a link in an email or chat that you don’t trust.
• If you see a message from someone you know that doesn’t seem like them, their account might have been compromised by a cyber criminal who is trying to get money or information from you. Think before responding!
• Don’t send your password via email, and don’t share your password with others. Legitimate sites won’t ask you to send them your passwords via email, so don’t respond if you get requests for your passwords to online sites.
• Report any suspicious emails and scams. Many email providers, including Gmail, provide an easy way for you to report fishy emails and scams, and it can help our teams stop similar mail from being sent to you and others.

Seniors around the country can also learn more by attending or viewing by webcast the FTC’s workshop today on protecting seniors from identity theft. With speakers from some of the most trusted consumer groups, local, state and government leaders, and lead experts on fraud prevention, the FTC workshop will focus on forms of ID theft that are particularly significant for seniors, from the risks that seniors face in nursing homes to the identity theft concerns that arise when they file their taxes or seek government assistance, which is increasingly happening online.

Stopping bad actors who target seniors and preventing the rise of identity theft is a shared mission for all of us. Google is committed to making the Internet safer, and protecting our users of all ages.

Congress, now live on YouTube

Tuesday, April 30, 2013 at 2:39 PM ET

Posted by

Robert Kyncl, Vice President, Global Head of Content Partnerships for YouTube

& Susan Molinari, Vice President, Public Policy and Government Relations

Video plays a powerful role in bringing us closer together, especially when it connects people in real time. By transcending borders, empowering citizens, and increasing transparency, it’s one of the many ways technology allows democracy to thrive. Starting this week, all members of the U.S. Congress will have the opportunity to access enhanced features on their YouTube channels, including the ability to live stream video.

Live video is already allowing elected officials and their constituents to reach one another in innovative ways. Thousands tuned in to YouTube to watch the president’s State of the Union address and the corresponding Republican response this February. Engagement is growing across many types of platforms — Google+ Hangouts, for example, have sparked face-to-face conversations on topics ranging from gun control to the national economy and have allowed people on the other side of the world to share their stories at Congressional hearings.

If you’re a member of Congress and would like to know more, check out these Dear Colleague letters issued by the House and Senate. Whether it’s to share a look into your daily work, broadcast speeches and meetings, or showcase events in your state or district, we can’t wait to see how you connect with your constituents.

The Big Tent comes to Washington

Friday, April 26, 2013 at 10:30 AM ET

Posted by Susan Molinari, Vice President, Public Policy and Government Relations

When we started holding our Big Tent events in London two years ago, we wanted to stir up lively conversation about some of the hot topics relating to the Internet and society. After all, the political meaning of a “big tent” is to attract diverse viewpoints to come together in one place. Since then, we’ve held more than 20 Big Tents on three different continents to debate issues ranging from arts and culture online to the economic impact of the web.

Later today, the Big Tent is coming to Washington, D.C. for the first time. Along with our partner Bloomberg, we'll hear from some of the top names in media, government and the arts for discussions about one of the values we hold most dear: the right to free expression.

Can free speech survive in the digital age? At a time when too many governments deny their citizens the right to dissent, we’ll ask if the Internet is reaching its promise of empowering people around the world. We’ll have sessions on the limits to free speech online, national security in the Internet age, and creativity and freedom on the web.

Google’s executive chairman Eric Schmidt and senior vice president and chief legal officer David Drummond will be joined by a variety of speakers, including former U.S. attorney general Alberto Gonzales, deputy secretary of homeland security Jane Holl Lute, Bloomberg chief content officer Norman Pearlstine, former New York Times executive editor Bill Keller, and Saudi Arabian comedian and YouTube star Omar Hussein.

Things kick off at 1:30pm EDT today—you can watch the entire event on Bloomberg’s live stream and tune in to the Big Tent Google+ page for updates as the event unfolds. Later on, we’ll also upload video clips to the Big Tent YouTube channel. We hope you’ll join us for exciting conversations about how to best keep the Internet free and open.

Transparency Report: More government removal requests than ever before

Thursday, April 25, 2013 at 12:08 PM ET

Posted by Susan Infantino, Legal Director 

Three years ago when we launched the Transparency Report, we said we hoped it would shine some light on the scale and scope of government requests for censorship and data around the globe. Today, for the seventh time, we’re releasing new numbers showing requests from governments to remove content from our services. From July to December 2012, we received 2,285 government requests to remove 24,179 pieces of content—an increase from the 1,811 requests to remove 18,070 pieces of content that we received during the first half of 2012.

As we’ve gathered and released more data over time, it’s become increasingly clear that the scope of government attempts to censor content on Google services has grown. In more places than ever, we’ve been asked by governments to remove political content that people post on our services. In this particular time period, we received court orders in several countries to remove blog posts criticizing government officials or their associates. You can read more about these requests by looking at the annotations section of the Transparency Report. Of particular note were three occurrences that took place in the second half of 2012:

• There was a sharp increase in requests from Brazil, where we received 697 requests to remove content from our platforms (of which 640 were court orders—meaning we received an average of 3.5 court orders per day during this time period), up from 191 during the first half of the year. The big reason for the spike was the municipal elections, which took place last fall. Nearly half of the total requests—316 to be exact—called for the removal of 756 pieces of content related to alleged violations of the Brazilian Electoral Code, which forbids defamation and commentary that offends candidates. We’re appealing many of these cases, on the basis that the content is protected by freedom of expression under the Brazilian Constitution.
• Another place where we saw an increase was from Russia, where a new law took effect last fall. In the first half of 2012, we received six requests, the most we had ever received in any given six-month period from Russia. But in the second half of the year, we received 114 requests to remove content—107 of them citing this new law.
• During this period, we received inquiries from 20 countries regarding YouTube videos containing clips of the movie “Innocence of Muslims.” While the videos were within our Community Guidelines, we restricted videos from view in several countries in accordance with local law after receiving formal legal complaints. We also temporarily restricted videos from view in Egypt and Libya due to the particularly difficult circumstances there.

We’ve also made a couple of improvements to the Transparency Report since our last update:

• We’re now breaking down government requests about YouTube videos to clarify whether we removed videos in response to government requests for violating Community Guidelines, or whether we restricted videos from view due to local laws. You can see the details by scrolling to the bottom of each country-specific page.
• We’ve also refreshed the look of the Traffic section, making it easier to see where and when disruptions have occurred to Google services. You can see a map where our services are currently disrupted; you can see a map of all known disruptions since 2009; and you can more easily navigate between time periods and regions.

The information we share on the Transparency Report is just a sliver of what happens on the Internet. But as we disclose more data and continue to expand it over time, we hope it helps draw attention to the laws around the world that govern the free flow of information online.

More momentum toward digital due process

Posted by David Lieber, Privacy Policy Counsel

Three years ago, Google helped found a coalition of technology companies, privacy advocates and academics to update the Electronic Communications Privacy Act (ECPA) of 1986. Today the Digital Due Process coalition includes more than 90 members, all devoted to bringing this federal law in line with how people use the web today.

ECPA no longer reflects the expectation of privacy that Google users and other users of the Internet reasonably have. For example, an email may receive more robust privacy protections under ECPA depending on how old it is or whether it has been opened. The privacy of electronic communications should not hinge on such arbitrary factors.  

Today, the Senate Judiciary Committee took a significant step toward updating ECPA by passing legislation that would require the government to obtain a warrant in order to compel service providers to disclose the content of emails and other electronic content that they store on behalf of users. The bill replaces a confusing array of distinctions that ECPA makes with a bright line, warrant-for-content rule.

This is an important moment for all Internet users, and we’re deeply appreciative of Senators Leahy and Lee’s leadership in advancing this bill. We’ve also been working closely with the House Judiciary Committee on this issue and we look forward to continuing to work with Congress to update ECPA.

YouTube wins case against Viacom (again)

Thursday, April 18, 2013 at 6:00 PM ET

Posted by Kent Walker, Senior Vice President & General Counsel, Google
 
Cross-posted from the Official YouTube Blog 

Today is an important day for the Internet. For the second time, a federal court correctly rejected Viacom’s lawsuit against YouTube. This is a win not just for YouTube, but for the billions of people worldwide who depend on the web to freely exchange ideas and information.

In enacting the Digital Millennium Copyright Act, Congress effectively balanced the public interest in free expression with the rights of copyright holders. The court today reaffirmed an established judicial consensus that the DMCA protects web platforms like YouTube that work with rightsholders and take appropriate steps to remove user-generated content that rightsholders notify them is infringing.

The growing YouTube community includes not only a billion individual users, but tens of thousands of partners who earn revenue from the platform -- from independent musicians and creators to some of the world’s biggest record labels, movie studios, and news organizations. Today’s decision recognizes YouTube as a thriving and vibrant forum for all these users, creators and consumers alike. Today is an important day for the Internet.

Improving software patent quality to support innovation

Tuesday, April 16, 2013 at 2:31 PM ET

Posted by Suzanne Michel, Senior Patent Counsel

We filed comments yesterday with the U.S. Patent and Trademark Office (PTO) on software patent quality, where we argue that better application of established legal principles can help reduce the number of vague, overbroad software patents issued. We think this will protect real innovation while helping to solve some growing problems in the patent system.

Many software patents are so broad as to claim every way of doing something on a computer. And the boundaries of these patents are often unclear. The Patent Office would never permit a patent that covered “any combination of molecules to treat a headache with a pill,” but it regularly does this by allowing software patent claims covering only a goal—not an inventive solution.

By more consistently applying legal rules that require specificity around functional software claims, the PTO can ensure that software patents reward and protect the creative work of building great software products—not just coming up with vague or abstract ideas.

We filed our comments in response to the PTO’s new partnership with the software community and its recent call for public comment on improving patent quality. We commend the PTO’s efforts in this area and look forward to working constructively with the agency in the future.

In our comments, we also suggest that the PTO consider how improved technical training for patent examiners, expanded prior art databases, and standardized terminology used across all software patent applications can help improve quality.

Improving software patent quality is critically important to innovation, which is under attack by patent assertion entities (also known as patent trolls). Trolls don’t make anything; they simply use patents to extract money—almost $30 billion a year—from productive companies through litigation. Trolls often target startups and small businesses that lack the resources or expertise to effectively deal with such lawsuits.

The trolls’ weapons of choice are low-quality software patents: today, most patent litigation is brought by trolls, and about 82% of those suits involve software. There is no single fix to the troll problem, but improving software patent quality will help stem the tide while also supporting real innovation.

Beyond the Password: Protecting Your Online Identity

Friday, April 12, 2013 at 2:47 PM ET

Posted by David Lieber, Public Policy Team 

Just like burglars and thieves, cyber criminals have many different ways to steal personal information and money. Consumers and technical experts alike are awakening to the reality that passwords - even those that are developed in ways that reduce the likelihood of a breach - are not the cure-all for online security.

Last year, Wired senior writer Mat Honan drew attention worldwide for his first-person account of having his online identity hijacked -- a story that spurred a conversation about passwords and online privacy and security.  On Wednesday, April 17th, Google DC is hosting a talk with FTC Commissioner Maureen Ohlhausen on data security, followed by a fireside chat with Mat Honan and security experts to discuss security challenges and the solutions that companies are working on to protect consumers against existing and emerging threats. 

Beyond the Password: Protecting Your Online Identity

Wednesday, April 17th

5:00 PM - 6:00 PM

Google DC

If you are in the DC area, please join us for an engaging discussion about protecting your online identity. RSVP by clicking here.