It sounds like the beginning of a joke: What do a locksmith and the U.S. Secret Service have in common? The punch line, in this case, is “a Google Maps problem.”
Last month a Seattle techie named Bryan Seely—who is also, as it happens, into stand-up comedy—pulled off a gag to demonstrate the unintended consequences of Google’s (GOOG) lax oversight of its map service. Seely’s method involved setting up a fake listing for a Secret Service office. Loopholes in Google’s systems allow scammers to divert traffic from local services such as locksmiths, he says, and the problem has been around for years.
Here’s how he did it: Seely started with Map Maker, a crowdsourcing tool that allows regular users to add information on local places to Google Maps. He created entries for two ATMs, including a phone number for each. The ATMs were real; the phone numbers were ones he had set up. Then he went into a different service, Google Places, where businesses can create a place page for themselves, and he created a listing for the ATMs. An automated call to the phone number for each ATM gave him PINs, which he could use to alter the place listings as he wished.
That’s how two ATMs became a Secret Service office in Washington and an FBI office in San Francisco, at least as far as Google Maps was concerned. It took Seely about half an hour.
He set up the phone numbers to forward any calls to the actual Secret Service office in Washington or the genuine FBI office in San Francisco, and he recorded the calls received. The fake listings got 15 calls, Seely says, three of them from a Washington police officer calling the Secret Service to discuss counterfeit money he had discovered.
He pulled the plug on the exploit after 24 hours, walking into a local Secret Service office in Seattle to rat on himself. He says he deleted the listings while there.
Secret Service spokesman Brian Leary directed an inquiry about the incident to the U.S. Attorney’s Office in Seattle, which declined to comment. Leary told the website Valleywag last month that the incident would be “investigated thoroughly and appropriately.” Seely says that as far as he knows, he’s not in any trouble.
Google also released a statement after tech news outlets picked up Seely’s story, and sent the same one to Bloomberg Businessweek:
“We work hard to remove listings that are reported to violate our policies as quickly as possible, and to check bad actors that try to game the system by altering business descriptions once they are live on Google Maps. We encourage users to let us know when they see something that might violate our guidelines by using our ‘Report a Problem’ tool, found at the bottom right corner of the map.”
Google has disabled instant phone verification, but you can still set up a business listing using the U.S. Postal Service to get your PIN. That leaves plenty of loopholes, Seely says.
The stunt highlights the downside of Google’s grand experiment in crowdsourcing, one that’s felt mostly by small businesses providing things such as locksmith services, carpet cleaning, and home repairs, according to Seely and other critics.
It’s cheap and easy to game the system, putting up false listings with virtual numbers that forward to a main office or call centers, according to Dan Austin, who has been trying to get Google to fix its spam-listing problem for years. Austin, who lives in Olympia, Wash., likes to call himself a “geo specialist” because of all the time he spends on Google Maps. The company promised four years ago to fix problems with verification, Austin pointed out in a recent blog post.
It remains very difficult to get listings taken down even when they’re clearly fake, and Google’s “Report a Problem” tool has become increasingly ineffective and opaque, Austin says. New layers of review haven’t solved that problem: Google listing editors, who are employees rather than volunteers, often resist taking down spam listings, Austin argues.
All of this ends up costing real local businesses their business, he says. Search for “locksmith in Denver, CO” in Google Maps, and you get more than 600 results. Virtually none of them, Austin says, are for licensed local locksmiths. Instead, your search for someone to get you back into your car in Denver pulls up numbers for a fake local business. Your call gets routed to a center somewhere far away, someone who’s not necessarily a licensed locksmith gets sent to help you, and charges you far above what you were quoted over the phone.
Austin says that Google’s inaction stems from the fact that the company is actually making money off the scammers through sales on Google AdWords for search terms such as “locksmith.”
“Google’s basically getting a not insignificant amount of their income from scammers—if you look at locksmiths, 99 percent of them are scammers,” says Austin. “It’s an investment of time and energy and resources to actually go through and verify all the legitimate locksmiths in the U.S. Google doesn’t really want to get into it—they don’t see it as a security issue.”
Google stands by its model: “Crowdsourcing makes Google and Google Maps a more comprehensive and useful source of local information,” the company says. “The vast majority of the time, people use these tools to improve the map—not create fake listings or spam.”