My #Security Blog has been banned by #WebSecurityGuard – Oh The Irony…

A message to the WebSecurityGuard team:

Hi Guys,

I took a look at your vendor dispute page – it took me several minutes to find it since I assumed there would be an actual link to it next to the data classifying my blog as a “phishing” site – but rather than fill in your bizarre little RTF form and mail it back to you, I thought I would blog about you instead.

[Image "crypticide": How others see it.]

[Image "ws1": On the WebSecurityGuard website]

[Image "ws2": Their analysis.]

For my readership, perhaps I should explain: apparently Dropsafe – and in fact all of crypticide.com – have been classified as spamming and phishing websites by WebSecurityGuard – this gives me the excuse to analyse the procedures of such censorship providers and share my thoughts with the few hundred security geeks who read this blog.

The “Dispute Page” is rather fun – it smacks of unwarranted authoritarianism:


[Image "ws3"]

To initiate the review, please follow these steps:

1. Download our Website Publisher dispute form.
2. Fill in the form.
3. Send the filled-in form to contact@websecurityguard.com.

You will receive an email from our development team that confirms the receipt of your Website Publisher dispute form.

For some reason they cannot just provide an HTML form – I suppose they want to try and tie disputes to an e-mail address and therefore take the whole matter offline[1] – but there are ways around that nowadays, like e-mail confirmation click-URLs for instance.

There is also the point that (at worst) I should have to click a button that says “this is incorrect” to have someone human go look at the matter – it’s clear that nobody has actually looked at Dropsafe else there would be no classification in the first place, so therefore a human review on WebSecurityGuard’s part should be the first resort, and it should not cost me much effort.

The form itself is a marvel of “trying to make someone else do all the work”, and I don’t actually think they have the right to demand all this information off anyone, especially in the European Union.

I think the reason WebSecurityGuard think they can get away with this behaviour is hidden in the first word of the “Vendor Dispute Section” – there it is, “Vendor”; they appear to assume that the Web is made up of people selling stuff rather than of people-speaking-unto-people, so of course you can farm work out onto “vendors” whom WebSecurityGuard have just cut-off from their customers.

They’ll be motivated to get back to selling, right? So we can make them jump through hoops. It’s horrid how this toxic mentality of treating people as sheep leads to vendors treating other vendors as sheep, also.

However: I am not a vendor and my blog posts have other routes of propagation, so I can afford to spend lots of time taking WebSecurityGuard apart. 🙂

Here are the questions they ask you in the RTF form:

Website Publisher Dispute Form

Important: All form fields below must be filled in to initiate the review for website reclassification.

Email address:

Company name:

Company URL:

Your name:

Name of website:

Date of Last Update:

Description of website content:

URL of website:

Classification assigned to your website:

Reason for disputing the classification:

What version of Web Security Guard detected your website?

Do you collect any personal information?

Describe all the collected information:

How is this information used?

Do you share this information?

If yes, what information do you share?

With whom do you share the information?

How is the information protected?

Paste your EULA into the form (or enter the URL of your EULA).

Where is the EULA displayed to the end user?

Paste your privacy policy into the form (or enter the URL of your privacy policy).

Where is the privacy policy displayed to users?

Please list all known ways in which the behavior of your website can be changed from its default behavior.

Describe how the behavior of the website has changed by disclosing material edits, enhancements or updates since the date the website was last reviewed by Web Security Guard.

Additional information you want to submit that is relevant to this review:

I hereby confirm that the submitted data is accurate. I understand my request will not be processed if it is not accurate or complete. If a review is rejected, I can resubmit all required information to activate a new dispute.

I love the little pseudo-legalese affirmation at the end of it all. Other than the description of “it’s a security blog” none of the above really applies to me and I can’t be arsed to debug what “version” of their code is blocking me, that’s their problem. Also my feeling is that none of the information is really relevant to the issue at hand, nor should it be required for unblocking.

“Disclosing material edits”? Give me a break…

This leads me to the question of “how did my blog get into their phishing database in the first place” – answer, I don’t know, but if you Google for “syndicated from dropsafe” (which is the token attached to everything that is fed from Dropsafe via RSS) then you’ll find bits of my blog everywhere.

I strongly suspect that some phishing website plagiarised my blog for free text, and WebSecurityGuard (or perhaps their parent company, Crawler) swept through the resultant mess looking for URLs – and decided to ban the lot of them. Alas I can only hypothesise, but I will be mailing the URL for this posting to WebSecurityGuard, and to the contact details for Crawler.com / Xacti.com (the parent company) for an explanation.

Finally, a question for my readers: did you notice the Learn more about Advisory provided by Google bit in the third image, above? Is it just me, or did its position on screen lend a false credibility to the line above?

Updates will be posted as events warrant.


[1] isn’t it funny how e-mail can be considered “offline” nowadays?

Comments

6 responses to “My #Security Blog has been banned by #WebSecurityGuard – Oh The Irony…”

  1. From mailing contact@xacti.com; no indication that this will be read by a human, so I am glad that I cc’ed it to the PR folks and to the WSG folks, too…

    This is an automatic response. Please, DO NOT reply to this email.

    Thank you for contacting Xacti.

    Are you looking for employment opportunities?
    Send us a Resume/CV Profile to jobs@xacti.com.

    Do you have any press inquiries?
    Visit our Press Room or contact us at pr@xacti.com.

    Do you have any investor related questions?
    Please contact us at ir@xacti.com.

    For any other matters, please call Xacti at (561) 989 – 7400.

    Sincerely,

    Xacti
    http://www.xacti.com

  2. Clive

    http://gerald-duck.livejournal.com/461943.html

    Google classified my personal web scratch space as a “reported web forgery” for no apparent reason. It took me three or four weeks plus personal contacts inside Google to fix the mess.

    And Google are the good guys; I wish you luck.

  3. Isn’t self-imposed authority fun?
    I think the position on the screen, along with the pompous tone of all of their copy lends false credibility to a tool that can’t tell the difference between an active blog, and a phishing scam.
    What a joke.

  4. Jeeez, what a pain in the arse.

  5. …and in a mere 13 hours, this blog has made it to the front page of a Google search for “Web Security Guard” … but still no response from the company…

  6. Mail this morning:

    Hi,
    we have changed the review of crypticide.com to safe.

    Have a nice day.

    Miroslav Repik | SPYWARE ANALYST
    Xacti | Zapletalova 25, Brno – Dvorska, 620 00, Czech Republic | T: +00000000000000 | F: +00000000000000
    http://www.xacti.com · ——-@xacti.com

    This e-mail (including any attachments), may be confidential and intended only for the use of the addressee(s). If you are not an addressee, please inform the sender immediately and destroy this e-mail. Do not copy, use or disclose this e-mail. E-mail transmission cannot be guaranteed to be secure or error free. The sender does not accept liability for any errors or omissions in the contents of this message which may arise as a result of e-mail transmission. If verification is required please request a hard copy version.
