As I’ve noted many times, Google has world-class security and privacy teams. Great people.
But at least judging from the Google-related queries I get in my inbox every day, Google’s expanding efforts to warn users about perceived security issues are sowing increasing confusion and in some cases serious concerns, especially among nontechnical users who depend upon Google’s products and services in their daily lives.
A new example popped up today that I’ll get to in a moment, but I’ve been discussing these issues for quite a while, e.g.:
“When Google’s Chrome Security Warnings Can Do More Harm Than Good” – https://lauren.vortex.com/archive/001157.html
and:
“Here’s Where Google Hid the SSL Certificate Information That You May Need” – https://lauren.vortex.com/2017/01/28/heres-where-google-hid-the-ssl-certificate-information-you-may-need
In a nutshell, Google’s continuing efforts at increasing user security — while utterly justifiable at the technical level — continue to marginalize many users who don’t really understand what Google is doing, are confused by Google’s security and other warnings, can’t effectively influence websites with “poor” security to make security improvements, and have no alternatives to accessing those sites in any case.
These are real people — I believe many millions of them — and I do not believe that Google really understands how important they are and how Google is leaving them behind.
Today brought yet another illustrative example that yes, even confused me for a time.
It involves cat food.
A friend forwarded me an email from PetSmart that included a link for an individualized 30% off coupon that they intended to use to buy cat food. That’s a damned good coupon, especially for those of us who aren’t rolling in dough. I wish I had a coupon like that today for Leela the Siamese Snowshoe.
The concern with this email was that every time the user clicked on the link in Gmail to access the site where the coupon could be printed, Gmail popped a modal security warning:
“Suspicious link – This link leads to an untrusted site. Are you sure you want to proceed to click email-petsmart.com?”
You can see a screenshot at the bottom of this post.
The obvious questions: What the hell does “suspicious link” mean in this context? What does Google mean by “untrusted site” in this scope?
There are no links to explanations, and if you Google around you can find lots of people asking similar questions about this class of Gmail warning, but no definitive answers, just lots of (mostly uninformed) speculation.
So I spent about 15 minutes digging this one down. Is email-petsmart.com a phishing domain targeting PetSmart users? Apparently not. It’s registered to ExactTarget, Inc. and has been registered since 2012. So while there’s no obvious authoritative mention of PetSmart there, my experience leads me to believe that they’re most likely a legit marketing partner of PetSmart, providing those emails and coupon services.
Of course, I still have no information about why Google is tagging them as suspicious. Is it the lack of https: security on the URL? Is it some aspect of their email-petsmart naming schema?
Damned if I know. Google isn’t telling me. And how would the average non-techie be expected to unravel any of this?
I told the user to go ahead and click the link. They got their coupon. Their kitties should be happy.
I’m not happy.
In the real world, most users don’t understand this stuff at the level they need to make truly informed decisions. So they’re forced — simply to get on with their lives every day — to click through such warnings blindly, to get to where they need to go.
And make no mistake about it, these kinds of scenarios are teaching these users absolutely abysmal security habits.
Google is terrific at tech. But Google is still struggling when it comes to understanding the broad range of their users and those users’ needs — particularly the non-techies — and especially how to communicate with those users effectively.
Google can do much better.
–Lauren–
Great article!
My friend sent me a link from verbmist.net. She’s not security savvy, and the URL of the link is so complex, it just reeks of clickbait.
When I click on the link in my Gmail, I get the same error message Lauren discussed in Dec 2017. 8 months later, I guess Google still doesn’t care if their un-concise error messages cause people heaps of trouble in the name of keeping people out of trouble.
My friend’s email signature shows she got the “article” on her iPhone. She has a grandfathered Verizon account, so she has unlimited data. I’m just saying.
The name of the link is “Cure Tinnitus With This Easy Trick,” and the URL is [URL redacted – Lauren]
I thought that if the article had any legitimacy, maybe I could find it repeated on a domain that’s less problematic. My search-preferences are IXQuick, StartPage, and DuckDuckGo, but they didn’t get me where I’m going, so I went to my last resort — google.com which is undeniably huge when the others fail, which hardly ever happens. I find it interesting that even searching Google for “Cure Tinnitus With This Easy Trick” did not provide any exact matches.
My last experiment was to try to open the “verbmist.com” homepage on Windows 7 > Firefox, and I got a blank page. “View Page Info” suggests the page exists but it’s 0 bytes. I tried adding https:// to the URL, and Firefox complained that the website doesn’t do secure connections.
I’m left with the hypothesis that one way of getting this error message from Gmail is when a link’s destination isn’t “https,” and the website doesn’t provide an https connection to the webpage. There may be other ways of provoking Gmail’s useless error message.