Throwback Tuesday- Google, what were you thinking?
This shocking story is talking about how Google is using your own data against you. This might open some eyes in SEO community. Stop using all Google products if you’re into SEO, they ARE collecting data and they will use this data against you when the time comes. They collect your PBN data, Emails, Contacts, Passwords, WM Tools data etc…
Majority of SEOs never heard about it so I am sharing this with you. The story originate from Africa (year 2012) and originally appeared on Kenyan owned Mocality blog (site Mocality.co.ke does not exist anymore).
I’m very proud of the business that we’ve created here at Mocality, but I’m especially proud of two things:
- Our crowdsourcing program. When we started this business, we knew that (unlike in the UK or US, where you can just kickstart your directory business with a DVD of business data bought from a commercial supplier), if we wanted a comprehensive database of Kenyan business, we would have to build it ourselves. We knew also that if we wanted to build the business quickly, we’d have to engage a lot of Kenyans to help us. So we built our crowd program that utilises M-PESA (Kenya’s ubiquitous Mobile Money system) to reward any Kenyan with a mobile phone who contributes entries to our database, once those entries have been validated by our team. Over two years, we’ve paid out Ksh. 11m (over $100,000) to thousands of individuals, and we have built Kenya’s most comprehensive directory, with over 170,000 verified listings. Personally, I regard the program as one of THE highlights of my 18 year career on the internet.
- From day 1, we aimed to target all Kenyan businesses, irrespective of size. As a result, for about 2/3rds of our listed businesses, Mocality is their first step onto the web. That’s about 100,000 businesses that Mocality has brought online.
Please bear these two facts in mind as you read what follows.
Our database IS our business, and we protect and tend it very carefully. We spot and block automated attacks, amongst other measures. We regularly contact our business owners, to help them keep their records up-to-date, and they are welcome to contact our call centre team for help whenever they need it.
In September, Google launched Getting Kenyan Businesses Online (GKBO). Whilst we saw aspects of their program that were competitive, we welcomed the initiative, as Kenya still has enough growth in it that every new entrant helps the overall market. We are also confident enough in our product, our local team, and our deep local commitment that we believe we can hold our own against any competition, playing fair.
Shortly after that launch, we started receiving some odd calls. One or two business owners were clearly getting confused because they wanted help with their website, and we don’t currently offer websites, only a listing. Initially, we didn’t think much of it, but the confusing calls continued through November.
The Forensic analysis
What follows is necessarily a little technical. I’ve tried to make it as clear as I can, but two definitions may help the lay reader:
- IP Address – the numerical id by which computers identify themselves online.
- User-Agent – When a browser requests a page from a webserver, it tells the server what make, model, and version of browser it is, so that the webserver can serve content tailored to that browser’s capabilities. Webservers keep a log of both these details for every page requested, allowing us to do interesting detective work.
At the start of December we analysed our server logs to look for a common pattern for the businesses that had contacted us with these confused calls. We found a single IP/ User-Agent combination that had accessed all these businesses:
IP Address: 22.214.171.124
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
The user agent is unusual for Kenya: the stable version of Google Chrome released on 20 September 2011, running on 32-bit Linux. With the exception of this IP, it barely appears in our logs.
We looked up the ownership record for 126.96.36.199 via WHOIS.
% Information related to '188.8.131.52 - 184.108.40.206' inetnum: 220.127.116.11 - 18.104.22.168 netname: Fixed_Wimax-Fiber-Rollout-Central-Kenya descr: Fixed Wimax and Fiber Roll out for Central Kenya Region country: KE admin-c: OC406-AFRINIC tech-c: OC406-AFRINIC status: ASSIGNED PA mnt-by: ONECOM-MNT remarks: Wimax and Fiber Roll out for Central Kenya Region source: AFRINIC # Filtered parent: 22.214.171.124 - 126.96.36.199
So a Kenyan ISP. But how were they accessing us? We did some analysis.
Of the 65,851 requests, there were 33,261 requests to a Business Profile page, i.e. accessing the contact details for a business.
- No evidence of automated scraping, this appears to be a team of humans.
- Since 3 Nov, requests originate from a WIMAX connection in Nairobi (188.8.131.52). Prior to that, various addresses.
- Business profile requests are referred by Mocality search result pages having 100 results/page
- Peak rates are 2500 pages per day (1.73 per minute)
- The User-Agent originated from many different IPs starting on 4 September, started scraping on 12 October, abrubtly stopped on 29 October, resumed on 3 November from the Safaricom Wimax IP.
- Pattern of access is mainly 8am-6pm Weekdays, a few hours on Saturday, and never Sunday.
- No other non-robot (IP,User-Agent) combination has such a pattern of activity at that scale (2500/day).
So a person or (judging by the access rate) team of people were systematically accessing our database, during office hours, and it looked like they moved into a new office over the weekend at the start of November. But who were they, and what were they doing?
We decided to find out. We made some changes to the site:
- For visitors from the 184.108.40.206 address, we changed the code to serve slightly different content 10% of the time.
- Instead of the real business phone number, we served a number that fed through to our call centre team, where the incoming calls would also be recorded. Our team were briefed to act like the business owners for the calls.
We switched the new code on December 21st.
When we listened to the calls, we were beyond astonished.
I’d like you to meet Douglas. On this call (first 2 minutes) you can clearly hear Douglas identify himself as Google Kenya employee, state, and then reaffirm, that GKBO is working in collaboration with Mocality, and that we are helping them with GKBO, before trying to offer the business owner a website (and upsell them a domain name). Over the 11 minutes of the whole call he repeatedly states that Mocality is with, or under (!) Google.
Between 10am and 1pm on December 21st, we received 6 others just like it (from 5 different Google Kenya employees) before switching back to normal service. We estimate that this team were calling 20-25 Mocality business per hour, since 7 calls over 3 hours, only 10% of calls redirected: 7*10/3= 23.3. calls/hour)
On all calls, the same script is followed – A Google Kenya employee calls a Mocality business and tries to deceive them into signing up for their competing product, by claiming that we are working together.
It gets worse: Here’s a complete transcript ( with translation of the kiSwahili portions) of a another call, in which the caller goes further, claiming that Mocality engages in bait-and-switch practices to try and charge businesses upto Ksh. 20,000 ($200) for their listings. Mocality has never and will never charge for listings. The irony: on the same call, the caller tries exactly that tactic for GKBO’s hosting fees.
I have redacted the details (except first name) of both parties on the call, and highlighted key sections inYELLOW.
What happened next?
Having gathered our evidence, and needing to wait for transcription and translation (as parts of the conversations were in kiSwahili (the local East African language)) of the recordings , and feeling pleased with detective work, we had a lovely Christmas break. I started writing this blog post.
So that we had the latest stats on our return to work, we re-analysed the logs, on Monday 9th January.
There were no further accesses from the IP address 220.127.116.11 after 4pm 23rd December. Co-incidence? or had someone realised we were onto them?
However, there were some NEW strange messages from business owners- they’d apparently been contacted by a call centre in India with the same promise of a website.
So we reran the whole analysis. We quickly identified a new IP/User-Agent combination.
We found another IP address and User-Agent that accessed two businesses that had been contacted:
IP Address: 18.104.22.168
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
NetRange: 22.214.171.124 - 126.96.36.199 CIDR: 188.8.131.52/16 OriginAS: NetName: GOOGLE NetHandle: NET-74-125-0-0-1 Parent: NET-74-0-0-0-0 NetType: Direct Allocation RegDate: 2007-03-13 Updated: 2007-05-22 Ref: http://whois.arin.net/rest/net/NET-74-125-0-0-1 OrgName: Google Inc. OrgId: GOGL Address: 1600 Amphitheatre Parkway City: Mountain View StateProv: CA PostalCode: 94043 Country: US RegDate: 2000-03-30 Updated: 2011-09-24 Ref: http://whois.arin.net/rest/org/GOGL OrgAbuseHandle: ZG39-ARIN OrgAbuseName: Google Inc OrgAbusePhone: +1-650-253-0000 OrgAbuseEmail: firstname.lastname@example.org OrgAbuseRef: http://whois.arin.net/rest/poc/ZG39-ARIN OrgTechHandle: ZG39-ARIN OrgTechName: Google Inc OrgTechPhone: +1-650-253-0000 OrgTechEmail: email@example.com OrgTechRef: http://whois.arin.net/rest/poc/ZG39-ARIN
These new accesses were coming directly from Google’s network.
The IP address 184.108.40.206 made 17,645 requests (15,554 to BusinessProfile.aspx). Activity really kicked off on 22 December 2011, with 8 different user agents mostly running Chrome on Linux: The top 3 are :
- Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7 11249 64.268982
- Mozilla/5.0 (Ubuntu; X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 4247 24.264412
- Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.2 (KHTML, like Gecko) Ubuntu/10.04 Chromium/15.0.874.106 Chrome/15.0.874.106 Safari/535.2 1000 5.713306
Search for “tag=mo.request 220.127.116.11″ from 20 December 2011 to 9 January 2012. Found 17,049 requests
On 10th January, we re-enabled the Sting code. Again, within a couple of hours, we’d received calls from the new call centre to our dummy numbers.
Here is Deepthi, from Google India. On this call, you can hear her talking about her partnership with Mocality, and offering us a free website.
It looks like Google has now outsourced the Getting Kenya Businesses Online operation to India!
Since October, Google’s GKBO appears to have been systematically accessing Mocality’s database and attempting to sell their competing product to our business owners. They have been telling untruths about their relationship with us, and about our business practices, in order to do so. As of January 11th, nearly 30% of our database has apparently been contacted.
Furthermore, they now seem to have outsourced this operation from Kenya to India.
When we started this investigation, I thought that we’d catch a rogue call-centre employee, point out to Google that they were violating our Terms and conditions, someone would get a slap on the wrist, and life would continue.
I did not expect to find a human-powered, systematic, months-long, fraudulent (falsely claiming to be collaborating with us, and worse) attempt to undermine our business, being perpetrated from call centres on 2 continents.
Google is a key part of our business strategy. Mocality will succeed if our member businesses are discoverable by people via Google. We actually track how well our businesses place on Google as a key metric, and have always regarded it as a symbiotic relationship. We are in the business of creating local Kenyan content that Google can sell their adwords against. More than 50% of our non-direct traffic comes via Google (paid or organic). For us, the cost of going elsewhere is NOT zero.
Furthermore, we spend a very significant sum on advertising with Google Kenya. I wouldn’t be surprised if we are one of their largest local customers, between Mocality and our sister site Dealfish.co.ke.
Kenya has a comparatively well-educated but poor population and high levels of unemployment. Mocality designed our crowd sourcing program to provide an opportunity for large numbers of people to help themselves by helping us. By apparently systematically trawling our database, and then outsourcing that trawl to another continent, Google isn’t just scalping us, they’re also scalping every Kenyan who has participated in our program.
I moved to Africa from the UK 30 months ago to be CEO of Mocality. When I moved, Kenya’s reputation as a corrupt place to do business made me nervous. I’ve been very happily surprised- until this point, I’ve not done business with any company here that was not completely honestly conducted. It is important for global businesses to adapt to local cultural practice, but ethics are an invariant. As a admirer of Google’s usually bold ethical stance around the world, to find those principles are not applied in Kenya is simply… saddening.
Someone, somewhere, has some questions to answer.
These are my personal top 3:
- If Google wanted to work with our data, why didn’t they just ask?
In discussions with various Google Kenya/Africa folks in the past, I’d raised the idea of working together more closely in Kenya. Getting Kenyan businesses online is precisely what we do.
- Who authorised this? Until we uncovered the ‘India by way of Mountain View’ angle, I could have believed that this was a local team that somehow forgot the corporate motto, but not now.
- Who knew, and who SHOULD have known, even if they didn’t know?