Theft Detection

Sort of a painful post today. I hate to publish a downer about Google right after the neutral-to-good things I said yesterday, but putting it off doesn’t make it any better.

There’s an interesting story on The Verge about Google uncovering a ring of Chinese car thieves.

The gist of it is that the thieves would take pictures of cars parked on the street and use the photos in ads offering the cars for sale. When they found a buyer, they would go steal the car, take the buyer’s money, and leave him to deal with the repercussions of having purchased stolen merchandise. It’s a clever scam: the JIT procurement processes means that the car probably doesn’t get reported as stolen until after the deal is done, and the delays built into the Chinese banking system apparently make it almost impossible for the buyer to stop payment–and give the thieves several days to make their getaway.

So what’s the Google connection? It seems that when they were updating their tools for detecting fraudulent ads in their AdWords network, a bunch of used car ads were getting flagged alongside the expected ads for counterfeit designer goods and phishing schemes. Nobody was sure why, as the ads didn’t appear significantly different than other ads for used merchandise that didn’t get flagged. In fact, as far as I can tell from the article, nobody is still quite sure exactly what caused the fraud flag to be set. There are some obvious clues, most notably a pattern of quick buys from new accounts. But because the main algorithm incorporates its own feedback loop, using the results of past runs as input for new runs, the specific combination of pieces of information is obscure, to say the least.

Of course, there really isn’t much Google can do when they spot a fraudster in China. They can delete the ad from AdWords, but that’s about it. Their relationship with China is rather rocky, making the sort of fast, targeted communication necessary to catch the scammers somewhere between “difficult” and “impossible”.

But they’re spotting crime, and there are other countries where Google has better access. This is a good thing, right?

Well, no. Even without considering the question of false positives–not everything that gets flagged as fraudulent will actually turn out to be an actual crime–consider this quote from AdWord’s director David Baker: “There’s no one thing or even a handful of things. It’s thousands of pieces of information in aggregate.” In other words, it’s Google’s massive database of information about who is doing what using their system.

This is, of course, exactly the same database that the NSA and other law enforcement and intelligence agencies are accessing in secret. Do you really want Google being forced to produce a list of suspected terrorists based on advertising history? Keep in mind that the database doesn’t just include the ad buyers, it also includes who sees which ads, what pages the ads were shown on, and whether the viewer clicked on them. Are you confident that your name won’t show up on the list?

Sure you’re OK with that risk–terrorism is pretty bad stuff, after all? Consider the FBI’s definition of terrorism: “…the unlawful use of force and violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives”. “Any segment” could be as small as one or two people, which means it could apply to breaking windows during a protest (see, for example the recent protests in Oakland over the Zimmerman trial verdict). I’m not the only one who thinks this is a legitimate risk. As far back as 2002, the ACLU pointed out that Greenpeace, Operation Rescue, and WTO protesters were at risk for being treated as terrorists. Open Salon pointed out that the Department of Defense explicitly defines protests as “low-level terrorism” and that definition was used in responding to the 2008 “RNC Welcoming Committee” protests.

Still totally confident that your name isn’t going to show up on the suspect list? Let’s face it: if you came to this post via a Google or Bing search, you’re going to be on that list. Chances are good that even if you just have this blog bookmarked, a simple demand that WordPress turn over their activity logs would include enough information for you to be tied to your other web actions and identified.

And none of this discussion even considers the possibility of scope creep. If the NSA can use this approach to fight terrorism, who’s to say that the local police can’t use it to fight serious crimes like rape and murder? And once that door is open, history shows that other crimes won’t be far behind. Fraud (remember where this discussion started?), theft, and even driving violations could be next).

I implied back at the beginning of this post that it’s Google’s problem. It is and it isn’t. As with the NSA’s reported surveillance activities to date, Google wouldn’t have a whole lot of choice about cooperating with a demand for such materials. It’s their problem, but it’s ours too. And there isn’t any more of a good solution for this part of the problem than the rest of it.