    742 points janpio | 13 comments
    1. jdsully ◴[] No.45677260[source]
    The one thing I never understood about these warnings is how they don't run afoul of libel laws. They are directly calling you a scammer and "attacker". The same for Microsoft with their unknown executables.

    They used to be more generic, saying "We don't know if it's safe", but now they are quite assertive at stating you are indeed an attacker.

    replies(4): >>45677490 #>>45677615 #>>45678221 #>>45678896 #
    2. pasteldream ◴[] No.45677490[source]
    > The one thing I never understood about these warnings is how they don't run afoul of libel laws.

    I’m not a lawyer, but this hasn’t ever been taken to court, has it? It might qualify as libel.

    replies(2): >>45677851 #>>45678158 #
    3. crazygringo ◴[] No.45677615[source]
    > They are directly calling you a scammer and "attacker".

    No they're not. The word "scammer" does not appear. They're saying attackers on the site and they use the word "might".

    This includes third-party hackers who have compromised the site.

    They never say the owner of the site is the attacker.

    I'm quite sure their lawyers have vetted the language very carefully.

    replies(2): >>45679027 #>>45679299 #
    4. altairprime ◴[] No.45677851[source]
    I know of no such cases, and would love to know if someone finds one.
    replies(1): >>45678457 #
    5. modzu ◴[] No.45678158[source]
    you only sue somebody poorer than you
    replies(1): >>45679182 #
    6. acoustics ◴[] No.45678221[source]
    This is tricky to get right.

    If the false positive rate is consistently 0.0%, that is a surefire sign that the detector is not effective enough to be useful.

    If a false positive is libel, then any useful malware detector would occasionally do libel. Since libel carries enormous financial consequences, nobody would make a useful malware detector.

    I am skeptical that changing the wording in the warning resolves the fundamental tension here. Suppose we tone it down: "This executable has traits similar to known malware." "This website might be operated by attackers."

    Would companies affected by these labels be satisfied by this verbiage? How do we balance this against users' likelihood of ignoring the warning in the face of real malware?

    replies(1): >>45678892 #
    7. trenchpilgrim ◴[] No.45678457{3}[source]
    I worked for a company who had this happen to an internal development domain, not exposed to the public internet. (We were doing security research on our own software, so we had a pentest payload hosted on one of those domains as part of a reproduction case for a vulnerability we were developing a fix for.)

    Our lawyers spoke to Google's lawyers privately, and our domains got added to a whitelist at Google.

    8. donmcronald ◴[] No.45678892[source]
    The problem is that it's so one-sided. They do what they want with no effort to avoid collateral damage and there's nothing we can do about it.

    They could at least send a warning email to the RFC2142 abuse@ or hostmaster@ address with a warning and some instructions on a process for having the mistake reviewed.

    9. heavyset_go ◴[] No.45678896[source]
    Imagine if you bought a plate at Walmart and any time you put food you bought elsewhere on it, it turned red and started playing a warning about how that food will probably kill you because it wasn't Certified Walmart Fresh™

    Now imagine it goes one step further, and when you go to eat the food anyway, your Walmart fork retracts into its handle for your safety, of course.

    No brand or food supplier would put up with it.

    That's what it's like trying to visit or run non-blessed websites and software coming from Google, Microsoft, etc on your own hardware that you "own".

    10. msl ◴[] No.45679027[source]
    "The people living at this address might be pedophiles and sexual predators. Not saying that they are, but if your children are in the vicinity, I strongly suggest you get them back to safety."

    I think that might count as libel.

    replies(1): >>45679203 #
    11. tgsovlerkhgsel ◴[] No.45679182{3}[source]
    It depends, if it's a clear-cut case, then in jurisdictions with a functioning legal system it can be feasible to sue.

    Likewise, if it's a fuckup that just needs to be put in front of someone who cares, a lawsuit is actually a surprisingly effective way of doing that. This moves your problem from "annoying customer support interaction that's best dealt with by stonewalling" into "legal says we HAVE to fix this".

    12. bstsb ◴[] No.45679203{3}[source]
    i think it's more akin to "people may have broken in and taken over this house, and within the house there may be sexual predators"
    13. josfredo ◴[] No.45679299[source]
    You can’t possibly use the “they use the word ‘might’” argument and not mention the death red screen those words are printed over. If you are referring to abidance to the law, you are technically right. If we remove the human factor, you technically are.