There is a phone number on your website, and the same one is also part of the public info on the business's Google Play developer profile. Please correct me if I'm wrong, but both are published by you.
I don't think it's unexpected when you use one phone number as both personal and business number.
Initially I still felt like it wasn't correct of Google to publish this as public phone number, but I think Google Play clearly asked what phone number customers can use to contact you.
Dan-Q · 1d ago
Post author here. There shouldn't be one on the website (and I can't see one?), but the Google Play developer profile is unfortunate: thanks for pointing it out.
modeless · 1d ago
So what actually happened is you gave Google your phone number for the specific purpose of publishing it so customers of your business can contact you, and forgot. You should update your post so people aren't misled.
Dan-Q · 1d ago
No, I gave my phone number to Google to gain access to Business Profile, as part of an identity verification process, and specifically didn't give them one to publish on the business listing. And they correctly didn't publish one. For 4+ years.
And then one day they decided to publish the one I'd given them for an identity check... in search results. I don't yet know why.
modeless · 1d ago
I don't believe the phone number in Google Play comes from Business Profile. Business Profile is a Maps thing. The way a phone number gets on the developer page of the Play Store is by you entering it into the Play Store developer console for that purpose.
Since it was published by you as public contact information for your business on Google, either a customer or one of the contractors Google employs to update phone numbers in Maps listings then added it to Maps.
Dan-Q · 1d ago
Sorry, I got mixed-up between this and another thread. You're right, the Google Play one was provided separately (and has now been corrected).
My post was about the Business Profile one. Which started (seemingly randomly) containing the same phone number.
modeless · 1d ago
Maps business listings are publicly editable and continuously updated by Google from any source they can find. Especially phone numbers. Google employs people to search the Internet all day long for business phone numbers to update on Maps. You published the number publicly, specifically listed as contact information for your business, on a Google site even. There is no mystery here.
Dan-Q · 1d ago
Could be! My only counterpoint is that every time they've previously made a change, they've emailed to say so, and I've searched my email (including spam) and not found any such mention this time around. /shrug/
modeless · 1d ago
You still need to update your post to include the obviously relevant information that you explicitly gave Google this phone number for the specific purpose of publishing it as public contact information for your business.
JKCalhoun · 1d ago
Only a reminder to never give out your phone number, I suppose.
TrueGeek · 1d ago
I got a Twilio number to give to Google for my Play store listing. It simply takes a message and then emails it to me.
codazoda · 1d ago
I should do this. Did you have to code something for it or will Twilio just do this if you set some settings?
TrueGeek · 14h ago
You can set it up in the Twilio studio without having to write code. I'm not 100% positive, but I seem to remember there was a template for it and I just had to fill in the details
ralferoo · 1d ago
This is a fairly recent thing. I didn't realise that Google had actually started publishing this contact but for about the last year or so, they've required that you provide a phone number that they can publish for users to contact you.
Honestly, this policy seems absolutely backwards to me. I'm fine for customers to contact me via e-mail or my website, but why do Google get to suddenly mandate that I need to provide 24/7 global phone support to anyone (who doesn't even need to be my customer)?
lo0dot0 · 1d ago
Maybe they also provide an AI hotline they have to sell to you?
raxxorraxor · 1d ago
Especially since Google doesn't offer anything like that.
pprotas · 1d ago
You should consider deleting this or amending your blog post, it is highly misleading. Your phone number is on the CV and in your Google Play.
Dan-Q · 1d ago
My phone number is on my CV, and that's deliberate (I want a job!). It's in plenty of other places online too.
But none of them (except the Google Play one, which I'm fixing) are associated with the business or were provided for the purpose of sharing when people search for a business that I happen to be involved with!
(I'm sure you wouldn't want your phone number to turn up every time anybody searched for your employer, even if you were happy for your phone number to appear on your personal website, right?)
I'm not claiming that my personal phone number shouldn't be online anywhere. There are plenty of places it's pretty easy to find!
I'm just saying that I didn't put my personal phone number onto a public Business Profile (only providing it for identity verification, many years ago). But then, randomly, one day Google decided to start publishing it to anybody who searched for that company name.
davidguetta · 1d ago
A few years ago I bought a Samsung with a feature that, when possible, gives me the name of an unknown caller, I guess from the database they were gathering from other people's contacts.
One day my neighbor called me, and I had not registered his number, so Samsung showed "<his name> GRINDER", because someone else had him like that in their contacts ^^.
He was openly gay within the neighborhood but he was also working as a sales representative for real estate and he was not exactly happy when I told him Samsung was broadcasting his sexual orientation to unknown people he would call >< (not to mention he told me he hadn't used grinder in like 7 years).
justusthane · 1d ago
That seems absolutely insane! If this is (or was) actually happening, I’m surprised we haven’t heard more about this. As bad as your example is, I can easily think of way more damaging scenarios.
blueflow · 1d ago
There is a rumor that Instagram's "People you might know" feature also works on physical proximity.
forgotmypw17 · 1d ago
Instagram recently asked me for permission to “find devices on local networks”…
dan-robertson · 1d ago
My understanding is that this is usually for ‘play on smart tv’ situations, but the permission is most unclear.
h2782 · 1d ago
That's a common justification for access, but it is no assurance to how they will actually use the data they gain access to. Knowing how critical profiling is to the IG/FB business model, I bet it snatches a lot of data to exploit later.
areyourllySorry · 1d ago
iirc some samsungs come with truecaller or callapp, which do what you described.
speleding · 1d ago
In our case Google updated the company phone number from the Chamber of Commerce register. We don't provide phone support, but by law you have to have a phone number in that register (in the Netherlands). I put a voip number in there that goes straight to a voicemail, it tells people we don't offer phone support. So I removed it from the Google Business profile, but every once in a while they decide to "helpfully" put it back.
hn8726 · 1d ago
Or one of the users helpfully updated the business profile with the phone number, since they had it and thought it might be useful for some
bilekas · 1d ago
Well in the screenshot it clearly states : "Your phone number was Updated by Google."
That doesn't really sound like it was any users input.
hn8726 · 1d ago
I think that's what it always says — even when the business owner submits a change it's just a request, and the actual update is — technically — done by Google.
nicce · 1d ago
Then the text does not have purpose - when it shows something different?
bell-cot · 1d ago
Internally, I assume there would be an "updated and immutable per Legal Dept" status.
pinoy420 · 1d ago
That is what it says when you do it though.
mattigames · 1d ago
Random users can update business profile numbers and Google publishes them without asking the number's owner for permission? Seems like a huge oversight.
mcv · 1d ago
Also a nice opportunity to steal a company's business.
Didn't some food delivery service get their own phone numbers listed for various restaurants a few years ago?
DidYaWipe · 1d ago
Yes. I always bring this up when people in forums start talking about using these scumbag food-delivery operators.
jfoster · 1d ago
Not sure about phone numbers, but some of them were creating "websites" for restaurants.
zelphirkalt · 1d ago
It is so ridiculous how that works. Just imagine for a second that you make a lieferando fake website and bring that online and somehow manage to make the URL look alike. How quickly the lawsuits would be on your ass. Yet according to one of the top level comments, nothing is done here, when lieferando does this and even throws in some identity theft.
ferngodfather · 1d ago
If the owner isn't registered with Google business, yes. Other users (local guides) are asked to confirm the change.
If they are registered, the request goes to the business owner to approve in my experience. We used to get lots of phantom requests telling us our opening hours had changed but if you're registered you can just decline them.
saghm · 1d ago
This sounds like you're either forced to work with them, or they can just publish pretty much anything and claim plausible deniability about whether it's true or not?
AStonesThrow · 1d ago
I am a Local Guide and Google never prompts me to confirm anything.
Local Guides are ordinary unpaid Google accounts who submit reviews, photos, and other edits as I’ve detailed here. We are sometimes prompted to answer questions, but only with a blank to fill in.
You’d think users can update business information on Google Maps. Instead, most of the times when you correct, say, working hours, it just gets rejected by the business owner who wants people to keep traveling there in the evening just to be turned away or see the closed doors because their staff goes home early every day.
AStonesThrow · 1d ago
But wait, there’s more crowdsourcing!
Google Maps actually processes historical data about how busy the location is throughout the hours and each day of the week.
You can find this rendered as a little bar graph with a blurb describing the current estimate.
This is believed to be aggregated from everyone’s Android devices reporting their locations in a very small radius.
Also, Maps asks its users to answer extended questions about amenities. Such as: parking types, accessibility features, kid-friendly, vegan/vegetarian.
When I am on board a bus or light rail train, there is information about how full it is, what temperature, accessibility, etc. They are tracked in real time because the transit authority shares their live telemetry with Google. Once, Google had demonstrably wrong schedule information and I discovered that it reflected the official website’s version. (It was reporting every train canceled, but they were actually running.)
When I worked in an office in 2012, we were trying to get our arms around various listings in 3rd party "Yellow Pages" publications, on paper and online. It seems that compiling business listings has been around a long time. And every business needs a Social Media manager to be aware of their footprint and manage multiple sites like this. Yelp, TripAdvisor, you name it.
strogonoff · 1d ago
In a dense area where there’s 5 shops within less than a stone’s throw (pardon my reference) away from each other or on different floors of a building, this mechanism does not work. Besides, if the place is “not busy”, that’s when I want to go—who likes to wait in queues?
Not an oversight, illegal publishing of PI obtained without permission.
rplnt · 1d ago
They got the permission to publish it. Are they required to verify the number ownership though?
saalweachter · 1d ago
The tricky part is that the most straightforward verification -- call the number, ask "is this Bob's Shop?" -- fails immediately if Alice picks up and says "yes".
onli · 1d ago
The author of the article and owner of the data says he does not give permission, so no, I think they don't.
o11c · 1d ago
Only businesses have rights and thus may need to give permission. Individuals are considered common property.
Laws are useless when you live in a country that doesn't care about enforcing them.
miros_love · 1d ago
The same. One day I got a call at 2am.
A few years ago I worked for a company that no longer exists today. They had, among other things, a job search service connected to their ID system. I was also doing my own project at the same time and needed Python developers. I was young and naive and thought I could find a junior and train him quickly. So I posted a vacancy on this job board: "Looking for a Python developer without experience." It turned out that they showed my phone number and it couldn't be turned off.
I received about 3-4 calls from very strange people who demanded to know how to become programmers. For some reason, they all started calling at about 5am. I even gave some useful advice to the first one, because I was taken aback by such impudence.
Today I use about 4 different phone numbers to separate my private life and data leaks like that.
netsharc · 1d ago
> For some reason, they all started calling at about 5am.
My guess is the reason is they're from one particular geographical area, where 5am your time is their "start of business day" o'clock?
bn-l · 1d ago
> My guess is the reason is they're from one particular geographical area
I wonder what geographical area that is.
cookiengineer · 1d ago
This is what happens when Google isn't sue-able by private entities.
In Germany, lieferando (subsidiary of takeaway.com) registers domains in the form of restaurantname-city.de, points them to their lieferando cloudflare account, and claims ownership for the google business entry where they set the phone number to their own call center.
Then they call the business owner and _force them_ to sign the contract with them, because effectively the owner knows they cannot be found anymore via google, and everyone that wants to order something will reach the call center hotline and leave a negative review after the hotline tells them wrong number, effectively destroying their business. And the people working for lieferando via Zeitarbeitsfirmen know this, and mention this in the call to pressure the restaurant owners to get their sales provision.
Crimeflare before it got taken down had around 130k domains that were pointing to the lieferando website using this kind of scheme, I helped provide the dataset for a couple of local business owners that were extorted this way and refused to abide by that scheme.
Guess what happened, nobody could be sued and the financial damages were too small to escalate it on the European court level. Sadly, class-action lawsuits don't work the same way as in the US, apparently.
Effectively Google does not abide by the laws and gets away with it due to their financial structures of their holding companies.
And they certainly know about this, they just don't give a single fvck.
chatmasta · 1d ago
This was a well-published tactic on BlackHatWorld about 15 years ago. I love that VC companies have finally capitalized on it…
TeMPOraL · 1d ago
VC knew this for just as long. Similar ideas brewed in the business model of TripAdvisor, and eventually crystalized in the form of GrubHub and Uber Eats.
I remember a growing amount of articles and on-line discussions about restaurants being extorted this way; then the pandemic came and removed the need for extortion by making delivery necessary for restaurants' survival. It's probably why the whole thing isn't talked about anymore these days.
afarah1 · 1d ago
This seems about not being able to sue the company doing extortion (in your words), not Google...
cookiengineer · 1d ago
It would not be extortion if Google would verify their data sources and would have a working process to claim ownership of legal entities.
iakov · 1d ago
That sounds absolutely insane. Doesn't Google have any way to dispute the business ownership? Can I take over any business on the maps by just registering a domain that contains the business name?
vineyardmike · 1d ago
> That sounds absolutely insane.
It is absolutely insane that organizations are weaponizing this.
> Doesn't Google have any way to dispute the business ownership?
I can only speak for the US and it’s been a few years since I’ve done it, but yes Google does have a way. You can report an issue, and “claim” a business. Google will literally send a postcard with a unique ID to the registered physical address, and whoever gets that postcard can take ownership.
> Can I take over any business on the maps by just registering a domain that contains the business name?
Absolutely not (at least legally I assume). It’s probably trademark infringement and potentially fraud to misrepresent that business, and also Google has other methods to verify ownership (see above).
ghusto · 1d ago
> You can report an issue, and “claim” a business. Google will literally send a postcard with a unique ID to the registered physical address, and whoever gets that postcard can take ownership.
When you say "registered address", do you mean the actual business registered address (as in on Companies House in the UK, for example) or the address which was used to register the business with Google? Because if it's the latter, I think I see a problem ...
rchaud · 1d ago
The "address" in question here is the location on Google Maps. I managed a few locations for a business and verified them this way. Google would frequently ignore our own posted opening/closing hours and phone numbers in favour of whatever some random user provided under "Suggest an Edit". Horrible system, and support requests just ended up at some Google contractor's inbox in India, where they request to have video calls at 3AM ET to verify our identity (again).
vineyardmike · 23h ago
> Because if it's the latter, I think I see a problem ...
Believe it or not, someone spent at least a few hours thinking about this.
The address is the physical address that a customer would go to when they look up the business on the map. If it's a restaurant, it's the address that has the tables and food and drinks.
MichaelZuo · 1d ago
So then how can the scam work after the german restaurant gets the unique postcard?
conartist6 · 1d ago
It certainly sounds like they would be sending it to the address provided by the scammer. The issue is their system assumes the first person to interact with it is trustworthy: gives a real phone number and address. If that first contact with Google was MITM'd, they seem to have no way to develop an un-compromised relationship with the real entity.
Propelloni · 1d ago
In Germany, everybody and their siblings usually ask for a recent copy of the trade certificate of registration--it actually is quite annoying. Google could do the same.
vineyardmike · 23h ago
I don't think it does. The postcard should go to the place where the customers go, so for a restaurant it's the place with the tables and the food and stuff.
If the address is different than the address of the shop-owner, then how would a user who uses google maps get to the shop? And why wouldn't the shop owner just create a new, correct listing?
fallinghawks · 1d ago
A year or two ago when I was doing some searching in Maps for trails to hike in Hawaii, I noticed that if a trail didn't have an "official" website i.e. pointing to a local government page, in several cases a certain photographer had put his website into that spot. And later I discovered he had done this not only in Hawaii but several trails in Utah as well. It would not surprise me if he's hit up hundreds of trails for free advertising via Google's lack of vetting.
I reported it, of course, (as someone else mentioned, Suggest an Edit) and they got changed, but I haven't checked to see if he changed them back.
mschuster91 · 1d ago
> Can I take over any business on the maps by just registering a domain that contains the business name?
yes, as long as the business doesn't have that already. And that's the point - many small restaurants, takeaways etc simply don't have a website because they think they don't need one, until they're fucked by Lieferando.
Aerroon · 1d ago
But isn't that fraud? Lieferando is fraudulently pretending to be someone they aren't to profit from it.
mschuster91 · 1d ago
They're following the usual VC pattern: it's more profitable to ask for forgiveness instead of approval.
Plus, many restaurant owners are immigrants, and undocumented/underpaid labor is blooming as well. The last thing they want is to attract the eyes of the government.
Tade0 · 1d ago
I googled the name as I was unfamiliar with it, but immediately recognized the orange logo in search results.
Their entire business model seems to be centered around extorting businesses. I stopped giving them money after they inaccurately posted that a certain restaurant delivers to my location and got a phonecall from the place that this was the case so I agreed to pay extra to fulfill the order anyway, because Lieferando certainly wouldn't take responsibility.
Nowadays I use them only for discovery, but call the place directly or use the webpage if the business provides online ordering.
It appears that their initial value proposition to businesses was substituting delivery services so that restaurants could scale that up without hiring more staff. Of course enshittification made that service worse than just walking/driving/taking public transport there.
mikae1 · 1d ago
Geez. Have there been any good write-ups about this in the German press?
cookiengineer · 1d ago
At the time we didn't know how large the scheme is, because you only find out effectively about those domains if you let your own root/resolver running and listen for the A/AAAA entries coming from cloudflare.
So the real number of those domains is likely to be much much larger if you would have the same dataset like crimeflare had. You can find articles about it with the keyword "Schattenwebsites lieferando" because that's what the press seems to have settled on. Different press teams counted different amount of websites because of that. Another team where I knew people from the CCC that helped them confirmed the 120k number though.
Our final number in Q4 of 2021 was 130k domains that we found out about, and we were trying to contact a bunch of other business owners to be able to escalate the lawsuit onto the Landsgerichtsebene (so that it can go into the Bundesgerichtshofsebene afterwards, and then to the EU court).
You could perhaps parse the CT logs to see who registered certificates for such domains, no?
thyristan · 1d ago
CT logs usually don't identify the owner of a site in case of the usual domain validation (DV) certificates. Only OV or EV (organisation or extended validation) certificates provide some hint at the responsible party.
stavros · 1d ago
Yeah but you can visit the site and see if it's their usual landing page.
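The CT-log idea raised in the comments above, as an added example that is not part of the thread: a business owner's watchlist check over certificate-log entries that flags names shaped like `restaurantname-city` and reports what the certificate says about its holder. The entries, business names, `.example` domains and the record layout (`subject`, `policies`, `sans`) are constructed for illustration; a real feed would have to be mapped into this shape.

```python
import re

# CA/Browser Forum reserved certificate-policy OIDs that state the validation level.
POLICY_LEVEL = {"2.23.140.1.1": "EV", "2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV"}
UMLAUTS = str.maketrans({"ä": "ae", "ö": "oe", "ü": "ue", "ß": "ss"})


def slug_tokens(text):
    """Lower-case, transliterate German umlauts, split into alphanumeric tokens."""
    return re.findall(r"[a-z0-9]+", text.lower().translate(UMLAUTS))


def parse_subject(dn):
    """Parse 'CN=x,O=y,C=DE' into a dict; commas escaped as a backslash-comma are kept."""
    fields = {}
    for part in re.split(r"(?<!\\),", dn):
        key, _, value = part.strip().partition("=")
        if value:
            fields[key.upper()] = value.replace("\\,", ",")
    return fields


def validation_level(entry):
    """Prefer the policy OID; without one, fall back to whether an O field exists."""
    for oid in entry.get("policies", []):
        if oid in POLICY_LEVEL:
            return POLICY_LEVEL[oid]
    return "OV/EV" if "O" in parse_subject(entry["subject"]) else "DV"


def registrable_domain(hostname):
    """Last two labels. Assumes a single-label public suffix such as .de;
    real monitoring should consult the Public Suffix List instead."""
    labels = hostname.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])


def matches_business(hostname, name, city):
    """True if the registrable label contains every token of the name and the city."""
    label = registrable_domain(hostname).split(".")[0].replace("-", "")
    wanted = slug_tokens(name) + slug_tokens(city)
    return bool(wanted) and all(tok in label for tok in wanted)


def review(entries, watchlist):
    """Return one finding per (domain, business) that is not the owner's own domain."""
    findings, seen = [], set()
    for entry in entries:
        subject = parse_subject(entry["subject"])
        level = validation_level(entry)
        for host in entry["sans"]:
            domain = registrable_domain(host)
            for biz in watchlist:
                key = (domain, biz["name"])
                if domain in biz["own_domains"] or key in seen:
                    continue
                if matches_business(host, biz["name"], biz["city"]):
                    seen.add(key)
                    findings.append({
                        "domain": domain,
                        "business": biz["name"],
                        "level": level,
                        # DV certificates carry no organization: None means the
                        # log alone cannot say who requested the certificate.
                        "organization": subject.get("O"),
                    })
    return findings


# Constructed watchlist and log entries (not real businesses or certificates).
WATCHLIST = [
    {"name": "Ristorante Napoli", "city": "Berlin",
     "own_domains": {"napoli-berlin-ristorante.example"}},
    {"name": "Bäckerei Müller", "city": "Hamburg", "own_domains": set()},
    {"name": "Taverna Rhodos", "city": "Köln", "own_domains": set()},
]
SAMPLE_ENTRIES = [
    {"subject": "CN=ristorante-napoli-berlin.example", "policies": ["2.23.140.1.2.1"],
     "sans": ["ristorante-napoli-berlin.example", "www.ristorante-napoli-berlin.example"]},
    {"subject": "CN=napoli-berlin-ristorante.example,O=Ristorante Napoli,C=DE",
     "policies": ["2.23.140.1.2.2"], "sans": ["napoli-berlin-ristorante.example"]},
    {"subject": "CN=baeckerei-mueller-hamburg.example,O=Constructed Platform\\, Inc.,C=DE",
     "policies": ["2.23.140.1.2.2"], "sans": ["baeckerei-mueller-hamburg.example"]},
    {"subject": "CN=taverna-rhodos-koeln.example", "policies": [],
     "sans": ["*.taverna-rhodos-koeln.example"]},
    {"subject": "CN=shop.example", "policies": ["2.23.140.1.2.1"], "sans": ["shop.example"]},
]

if __name__ == "__main__":
    for finding in review(SAMPLE_ENTRIES, WATCHLIST):
        print(finding)
```

A finding with `organization` of `None` is the DV case described above: the log shows that a certificate exists for the name, and identifying who runs the site still takes a look at the site itself.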
RataNova · 1d ago
Terrifying how easy it is to weaponize Google's ecosystem against small businesses like that
throwaway2037 · 1d ago
Wasn't this Yelp's business strategy for a while? I'm unsure if that finally changed.
GuB-42 · 1d ago
What laws do Google (and Cloudflare) not abide by?
It seems like Lieferando is the problem here. How come that company is still in business? It seems like obvious identity theft to me, if anything Google is only guilty of trusting Lieferando too much.
tobr · 1d ago
There was a good comment on HN the other week about identity theft:
> There's no such thing as identity theft, it's all bank fraud or in this case student aid fraud. "Identity theft" is a term coined by banks to try to make it sound like random people should have to deal with the fallout of the banks' bad identity verification practices.
In this case, the ”identity theft” happens because Google trusts someone they shouldn’t. If they didn’t, the scam wouldn’t be possible. Yes, the scammer is the problem, but Google are providing them the opportunity, and leave it to each victim to deal with the situation.
ghusto · 1d ago
Came here to say this, thank you.
"Beware of scammers!!!111!". No, _you_ beware of scammers, that's what I pay you for.
thyristan · 1d ago
Various rights to correct misinformation and misdirection exist that Google blatantly ignores. Google aids and abets identity theft, deception and fraud this way, also profiting from it. As soon as Google knows about a crime being committed and about information they spread being wrong or even fraudulent, they do have a duty to immediately take it down, otherwise they are an accomplice. As soon as a certain site like lieferando and cloudflare is known to provide mostly fraudulent information, Google also has the duty to implement more thorough checks for information from those parties and even stop trusting them.
hyperman1 · 1d ago
Isn't trademark law designed to stop this?
briandear · 1d ago
Assuming you have registered the trademark. Most small businesses don’t think to do this.
danieldk · 1d ago
IANAL and this probably differs a lot per country. But typically you do not need to register a trademark, you only lose it if you do not actively defend it. So a small business could still sue Lieferando when they take your name. However, I think most small companies with thin margins would find the idea too daunting.
thyristan · 1d ago
For the usual case of "Ristorante Napoli #239878", "Bangkok Asia Imbiss #9999" and "Taverna Rhodos #4711" you cannot register a trademark because those names are usually not unique and often reference generic place names or stuff like that.
triknomeister · 1d ago
Why is google not sue-able?
ale42 · 1d ago
Here I'd rather ask, why Lieferando is not sue-able? What they did is not just unethical, it's plain illegal.
ale42 · 1d ago
IANAL, but they are probably violating the UWG (https://de.wikipedia.org/wiki/Gesetz_gegen_den_unlauteren_We...), law against unfair competition, and there are possibly also trade mark violations (one does not need to register a trade mark for it to be protected, if the restaurant has an established presence in the area, it might be enough, but that's up to a court to decide of course).
ahofmann · 1d ago
I do not use lieferando because of this, and I think what they're doing is highly immoral and wrong. But I don't see where this is plain illegal. Can you elaborate?
albumen · 1d ago
"And the people working for lieferando via Zeitarbeitsfirmen know this, and mention this in the call to pressure the restaurant owners to get their sales provision."
Extortion.
Koffiepoeder · 1d ago
It may constitute an infringement on common law trademark rules [0], but not sure what the German legislation around that is.
lieferando has an identical logo to just-eat.co.uk. I already don't use the UK one: I often get their drivers coming to my house with other people's food so I don't trust them to get the basics of delivery right (they should capture the GPS where the successful handover takes place and learn from that for future orders).
extraduder_ire · 1d ago
Justeat (and flipdish) does the same thing in Ireland with bespoke looking domain names for each restaurant. Just eat is strictly an ordering platform though, despite their branding on insulated bags the delivery is handled by someone else.
lou1306 · 1d ago
Well that is simply because Lieferando is just the subsidiary of Just Eat that operates in German-speaking countries.
deno · 1d ago
Isn’t this business model (as described above) literally the definition of racketeering?
I guess there might not be an equivalent in Germany.
lou1306 · 1d ago
The part where they claim their phone number is the restaurant's borders on wire fraud, plus the extortive bit pointed out by other users.
StressedDev · 1d ago
Wire-fraud is a United States legal concept. It's probably not applicable to Germany (although Germany might have its own laws which cover this issue).
> (1) Wer in der Absicht, sich oder einem Dritten einen rechtswidrigen Vermögensvorteil zu verschaffen, das Vermögen eines anderen dadurch beschädigt, daß er durch Vorspiegelung falscher oder durch Entstellung oder Unterdrückung wahrer Tatsachen einen Irrtum erregt oder unterhält, wird mit Freiheitsstrafe bis zu fünf Jahren oder mit Geldstrafe bestraft.
> (2) Der Versuch ist strafbar.
> [...]
> (5) Mit Freiheitsstrafe von einem Jahr bis zu zehn Jahren, in minder schweren Fällen mit Freiheitsstrafe von sechs Monaten bis zu fünf Jahren wird bestraft, wer den Betrug als Mitglied einer Bande, die sich zur fortgesetzten Begehung von Straftaten nach den §§ 263 bis 264 oder 267 bis 269 verbunden hat, gewerbsmäßig begeht.
> § 263a Computerbetrug
> (1) Wer in der Absicht, sich oder einem Dritten einen rechtswidrigen Vermögensvorteil zu verschaffen, das Vermögen eines anderen dadurch beschädigt, daß er das Ergebnis eines Datenverarbeitungsvorgangs durch unrichtige Gestaltung des Programms, durch Verwendung unrichtiger oder unvollständiger Daten, durch unbefugte Verwendung von Daten oder sonst durch unbefugte Einwirkung auf den Ablauf beeinflußt, wird mit Freiheitsstrafe bis zu fünf Jahren oder mit Geldstrafe bestraft.
> [...]
My rough translations:
> Book of criminal law
> § 263 Fraud
> (1) Everyone who, with the intent to create an illegal estate gain for himself or a third party, diminishes the estate of another through the presentation of untrue facts, or the misrepresentation or suppression of true facts to create or sustain an error, shall be punished by incarceration up to 5 years or monetary penalty.
> (2) The attempt is punishable.
> [...]
> (5) With incarceration from one to ten years, in cases of minor severity from six months to five years, shall be punished whoever commits the fraud as the member of a gang, which has banded together to continuously commit crimes as in §263-264 and 267-269, in a business-like fashion.
> § 263a Computer Fraud
> (1) Everyone who, with the intent to create an illegal estate gain for himself or a third party, diminishes the estate of another by influencing the result of a data processing operation through incorrect design of the program, use of incorrect or incomplete data, through unauthorized use of data or through other unauthorized influence upon the operation, shall be punished by incarceration up to five years or monetary penalty.
pqkejfjcosp · 1d ago
Because it's Google. Do you have a couple million dollars to spare?
This is a government-level issue. It's a clear breach of gdpr, but I get the feeling this guy is in America.
Dan-Q · 1d ago
Post author here. Nope, I'm in the UK, and therefore covered by the DPA2018 (which is basically the copy-paste version of the GDPR that the UK government made post-Brexit).
harvey9 · 1d ago
It was post the leave vote but still during EU membership, and still on the statute books.
I'm not familiar with German laws, but are you saying that there is some law that prevents individuals from suing Google and Lieferando? That seems insane, in the US, you could absolutely sue both of these businesses.
lolinder · 1d ago
Why are you framing this as being primarily about Google being un-sueable? There's clearly a problem with Google being difficult to work with to re-claim ownership of a business profile (no customer support, as always) and Google obviously has deep pockets that would be tempting to get access to, but isn't Lieferando the one engaged in the extortionate business practices?
Under US law I can see a few different things that would make the Lieferando behavior you describe illegal, whereas all Google is doing is being the unwitting vector for their illegal activity.
It's always more difficult to pin fault for a crime on unwitting enablers even when their negligence arguably rises to the level of a crime. The big question here is why businesses haven't successfully fought back against the ones doing the actual crime?
chaosbolt · 1d ago
Wow that scheme sounds exactly like mafia activities in the Sopranos or other movies.
danpalmer · 1d ago
There are at least 3 alternative explanations posted in these comments.
Applying Occam's Razor here, the explanation given in the post seems like possibly the least likely option.
One way to shed some light on this would be to use Takeout to get a copy of data held and see if they still have the number and what they hold it for.
Dan-Q · 1d ago
Not sure that Google offer Takeout on Business Profiles. Businesses aren't often protected by the kinds of PII-protecting laws (GDPR etc.) that individuals are, and so tech companies are less-inclined to make tools to streamline bulk export of data.
danpalmer · 1d ago
So was the identity verification process you spoke about in the blog post for your personal account or your business profile?
If it was your personal account, I really don't see how a personal verification ends up on a business account. I'm not saying it's not possible, but it seems like it would introduce extremely bad data. I've verified my phone number, but (personal speculation) I doubt Google would want my number showing up on my employer's business profile.
If it was for your business account... I can see how that would be unexpected, but also the point of verifying that would I guess be to increase the level of trust that customers could have in the business based on it being verified, and I can see how that might lead to that number being public. It also sounds like this is what you did with Play too, and as a user I would expect that Play's company data aligns with data on Google Search.
I can empathise with the shock here, I've had people call me up from google searches and finding my number on my CV, but I am struggling to find a link here that doesn't make sense.
Dan-Q · 1d ago
For the business account.
I wanted to take control of the Google Business Profile (back then: Google My Business) listing. To do that, Google asked for a phone number they could call. I provided one, and then double-checked that they hadn't put it on the public profile (they hadn't).
They emailed me about once a year after that to suggest that I might like to put a phone number on the business profile. I declined. But I always checked, and sure enough: they hadn't put one on there. All was good.
Then one day, randomly, my phone number started appearing on the public profile/being served to search users. That's the whole story here.
I don't yet know how or why it started appearing. A few ideas have been posed here and elsewhere, including:
1. Some runaway automated process at Google, trying to "fix" the absence of a business phone number, took the one that was previously used to ID the business contact. (Some folks seem to think that this is what I'm claiming happened, but I'm only putting it forward as a possibility.)
2. Google "joined the dots" from the Google Play profile and the Google Business Profile. This currently seems like the most-likely explanation, to me. I'm getting the former corrected anyway; we'll see what comes out of it.
3. Some third-party Google user added it. That seems possible, but in my experience once you've verified and own a Google Business Profile, you get an email to confirm any "suggested changes" and I didn't see any such email.
4. Some kind of user error by me or by somebody else who has access to the profile. I obviously can't rule this out, but I've checked and I personally haven't even logged into it in over a year (and I've had emails since that confirm that a phone number wasn't listed), so it seems unlikely. Also, the message said that Google had updated the phone number (not me).
danpalmer · 1d ago
This list seems reasonable, but I do think your blog post strongly implies (to the point of effectively stating it) that you believe (1) was what happened.
I have to be careful about what I say, and very much cannot say in this case, nor do I know anything specific to the business profile area, but my experience of data at Google is that one does not simply join a table and fill in the blanks. In my experience there's a lot of privacy and legal review, and that's only after someone thinks it would be a good product idea (which in this case feels unlikely). At a technical level, there are many safety checks that are intended to prevent things like this from happening unless all that review and sign-off has happened.
profsummergig · 1d ago
If I search my phone number on certain online white-page sites, every single house I've ever lived in for the last 25 years shows up in a list, along with a whole bunch of other very personal information (e.g. the people who lived in the same house at the same time).
There should be laws against this sort of thing.
charcircuit · 1d ago
Google Takeout is older than the laws you are referring to.
Dan-Q · 1d ago
Sure. But I still don't think it covers Business Profile. But I'll check.
sschueller · 1d ago
Google published my private cell phone number in the Play Store, as after spending over a month trying to get my business number verified under the threat of account termination I ran out of options.
brisky · 1d ago
Similar situation - I was an independent app publisher on app store, but I don't feel comfortable publishing my phone number next to my apps. I don't do customer support. This punishes indie app devs. After I saw this requirement I decided to remove my app from the app store.
aydgn · 1d ago
Anyone using Google Search can edit a business's phone number. Weird, but true.
Anyone with a Google Account who uses Google Maps can submit edit suggestions, but they are all reviewed before publication. You can inform them if the business doesn't exist, has a different address, new website, existing website doesn't work, new business hours; all sorts of things. Not limited to businesses: includes bus stops and train stations, historic landmarks, basically anything where you can drop a pin and see a database entry.
This is probably linked to the process for Search. It's called "crowdsourcing".
The article mentions having control of the Google Business Profile. It was sometimes called "Google My Business". You can register and verify that you're the owner, and then you'll have tools to reply to reviews and manage your own Maps entry, etc.
I do this quite a lot, most get accepted, some don't. It typically takes a few days to get reviewed and published.
jmkni · 1d ago
FYI it's blurred out in the screenshot but I feel like I can still make it out
Dan-Q · 1d ago
Blog owner here. You're welcome to unblur it: I swapped the number out in the screenshot for one of Ofcom's list of official never-to-be-assigned telephone numbers for drama (e.g. film & TV) use (https://www.ofcom.org.uk/phones-and-broadband/phone-numbers/...) before I applied the blur.
That number isn't mine, and will never belong to anybody!
kotaKat · 1d ago
Ahhh, that's a cheeky move :)
Love it.
Dan-Q · 20h ago
Often I'm lazy and just black out revealing information, like I did in my blog post about how British Gas can't understand my name (https://danq.me/it-is-only-q).
But sometimes I've done the same thing in other places and gone further, sometimes concealing "fun" messages. In my post about Halifax putting the wrong names on a letter to me (https://danq.me/halifax-dun-goofed), I changed my address to a message along the lines of "what, you think I'd put my actual address here, like it's my first day on the Internet" and then blurred that.
Incidentally, I think that one was the first times that anybody contacted me to say that they'd noticed the unblurrability of my images, but I've been using this approach for years!
saretup · 1d ago
Then why bother to blur it?
Dan-Q · 1d ago
To indicate to the reader that the information represented by this area of the image should be considered private.
It's like how they blur nipples on TV. We all know what nipples look like! But they're blurred to say "yeah, but maybe you shouldn't be looking".
saretup · 1d ago
That serves a purpose. This is more like choosing abstinence as a form of birth control but wearing a condom anyway.
Dan-Q · 20h ago
Yeah, it was a bad metaphor. I was sleepy.
Blurring makes sense as a way to say "this is private". It's almost lampshading, in this case, because it's the bit I want you to look at!
But blurring doesn't make sense from a privacy perspective, because unblurring is pretty easy. So I modified the number to a known-fake, will-never-be-valid one.
But if I just did that, people would probably try to call it, or would say "but you've put it back online here", or similar. Or else would say "that number's fake anyway, why are you worried?". Blurring it as well achieved the best of all worlds: it lampshades the bit I'm talking about, and it indicates that the kind of data stored there should be considered private, and it prevents the actual extraction of the (real) private data from the image. Win, win, win.
Unless the question "why bother" was to imply that blurring was hard to do? Because it definitely wasn't. Changing the number took much more effort! The blur was just two clicks; significantly less effort than, say, explaining why I chose to do so! :-D
threeducks · 1d ago
Definitely readable. A stronger blur would not have helped the situation either. It is absolutely insane how well information from a blurred image can be reconstructed. For example, consider the "Data" column of the following image, which basically looks like a gray image without any content, but neural networks can recover most of the blurred characters: https://fips.fi/wp-content/uploads/2024/07/HDC_result_exampl...
lo0dot0 · 1d ago
Algorithms can see the difference between RGB 245, 245, 245 and RGB 246, 245, 245 (it's 1, 0, 0) but the eye can probably not, also depending on the monitor hardware. Thus the blurring effect might not be as strong as it looks like at first glance.
lostlogin · 1d ago
The person who posted it has said elsewhere here that the number is faked.
And yes, your comments re blur have plenty of precedent.
mstkllah · 1d ago
It looks like it's a fake number anyway as it's 07700 987654
hnlmorg · 1d ago
There are computer techniques that can be used to de-blur sensitive information, so the expert advice is not to use simple blurring effects.
But in this instance, it’s trivially easy to read the numbers even without any fancy software.
@author, if your reason for blurring was to protect your identity, then you should update that image asap because you’re not succeeding at hiding your number.
kgeist · 1d ago
I heard new AI crawlers extract text from images too, hoping to get that extra dataset. So with that kind of blur, it might end up in LLMs.
Twice I have had listings for companies or organizations I was associated with get phone numbers added to their listings in Google Maps automatically. In both cases, it was worse than this: the numbers were people in the same industry, but completely unrelated. One was bemused, the other was quite angry with me.
saravanan2661 · 1d ago
This was one scenario where the number was auto-mapped to the person's business. It's definitely wrong without consent. But for someone like me who isn't associated with any business or company, is my personal data secure? Are there any possible threats?
neuroelectron · 1d ago
This is quite an upsetting development and while I do think I know a solution it's in my best interest not to share it. That's just the nature of dealing with Google.
RataNova · 1d ago
The fact that they quietly slurped up a personal number from a verification process years ago and then just decided to publish it later is exactly the kind of dark pattern you'd expect from a smaller, shady adtech company, and not the world's largest one
jeroenhd · 1d ago
It's possible, but I think it's more likely that the Google account that has made the Three Rings app (https://play.google.com/store/apps/details?id=uk.org.threeri...) with a listed phone number (+44 7795...) also claimed ownership of the Three Rings website through whatever domain tools Google offers.
In that case, the developer provided Google with a way for Three Rings customers to reach them and they then published that number.
I don't know why the app's developers decided to use their personal phone number for their Google Play business contact information, but that seems like the most reasonable explanation to me.
If the author did not provide that phone number to Google Play, then he will need to also update his information there to get the phone number delisted, or it will be a matter of time before it appears on the Google Search page again.
oarfish · 1d ago
I can't be the only one whose default assumption about personal data is exactly this.
RataNova · 1d ago
At this point, "they'll use it however they want, eventually" feels like the default mental model for any data you hand over, no matter what the original context was
surfingdino · 1d ago
Nobody at those big corps has any control of or time to pause to think over the effects of their actions.
Brajeshwar · 1d ago
I've long since realized that it is not just the big corps, but every employee of a company, after a while, begins to think of everything outwards. Their focus, the work, the playbook: always from them. There are only a very few that think from outside.
During my consultation, the team I was helping kept talking about "Our App", "Our Process", "Our Use", "How do we get this data into our System?" I had to ask them multiple times, "How do your users or customers outside of your company use them?" "Have you thought of how people usually do these kinds of steps?"
surfingdino · 1d ago
Exactly. That's their default mode of thinking.
sdflhasjd · 1d ago
I've got my own personal story about a cold call revealing my personal phone number had been leaked by Lusha, a "GDPR Compliant" B2B tool that sourced data from shady apps.
On a day off work, I got a cold call to my personal mobile. This salesperson called me by my name and then tried to flog something relevant to my job. Being hugely irritated, I shared my thoughts with the caller and demanded to know where they'd found my number. They were at least a little bit apologetic, and said they found it on LinkedIn using a plugin called "Lusha".
Lusha's website has claims about being GDPR compliant, but at the same time being a "crowdsourced data community". They do at least publish a "Privacy Policy" and some contact details for a data controller.
I emailed them with a Subject Access Request, which they responded to two weeks later in a very cagey manner. Actually, I did some sleuthing of my own. I found an unlisted link for a broken OneTrust request form. This didn't seem to be linked anywhere on the website and I literally guessed the URL for it. After some poking around in the debugging console, I received a more fully furnished copy of my profile.
The data source for my email was... "Lusha's email guess algorithm" - now, one of the downsides of working for a small business and getting a firstname@domain.com is that guessing it isn't particularly difficult.
The data source for my phone number was more interesting. "L.S Mobile Apps Holdings Ltd." a company I'd never heard of, but eventually found an App Store[0] and Play Store[1] listing under a very similar name.
Looking at the apps published by this company, you can immediately see where this is going: a "Caller ID" and an even more transparent "Contacts Backup" app - both having complete access to all your contacts. At this point it becomes clear where my contact information has actually come from: someone I probably work with has created a contact in their phone with both my email and personal phone number, then used one or two of these apps.
I decided to pick the Contacts backup app to take a closer look. Installing the app on a wiped phone, I explored the UI, disassembled code and snooped the requests to their servers to see where exactly this mysterious "GDPR Compliance" was. The primary functionality is of course to create an account, upload all your contacts, and let you sign in on another phone to download them. There was some effort to make this work for most users, workarounds for edge cases, etc. It was more than the low-effort app I was expecting.
All the sharing functionality was checked behind a "consent" dialogue (and I use that term extremely loosely). The deal was that the app would helpfully hydrate my entire contacts book with missing details! All I had to do was share it in turn. What I found peculiar about this was it simply didn't work. It seemed as though not only would the server not populate the missing data, but the code that handled this client-side was unfinished.
If you're wondering what the link between Lusha & L.S Mobile Apps is, they're effectively the same company. Yoni Tserruya, the co-founder of Lusha, has their fingerprints all over the certificates used to sign the Android LSM Apps. It's clear this app's data is what they've built their company on.
Now, both Google and Apple are well known to display "Data Sharing" information as part of the store pages. The Play Store page explicitly says "No data shared with third parties", whereas the App Store omits the usual section you'd see when data is shared with third parties.
I contacted both Apple and Google with full details about what I'd found, and in the least surprising event to my saga, they did nothing.
Sadly, instead of having any satisfying conclusion, what I saw was what I already knew. I even got angry when reading their privacy policy, and how completely clear it is that all this "GDPR Compliance" labelling they have is there to sell their product to EU customers and they're clearly not compliant.
Here's some ragebait for the rest of HN who cares about their data:
- French DPA (CNIL) says Lusha is full of shit, but they can't do anything because they're based in Israel[2]
I've been narrowing my eyes at the "add your phone number/backup email" thing for a while now because it seems like a transparent and deceitful attempt to increase the reach of the FB/Google "cross device graph". So seedy.
kalaksi · 1d ago
Many years ago, Facebook started to ask for phone number for "security reasons" and so that you wouldn't "lose access to your account". They emphasized that the number wouldn't be used for anything else. I never gave it, and nowadays don't even have an account, and wasn't surprised when it was later revealed that they were lying.
latchkey · 1d ago
Oh it totally is, ignore it and don't ever add your phone as "backup".
johnisgood · 1d ago
Of course. That said some (increasing number of) places do require phone number verification.
josephg · 1d ago
It makes sense. Phone numbers aren’t trivial to acquire in bulk; so requiring unique phone numbers per account is a good way to push back against bot farms.
I’d really rather not provide it. But we don’t have many good options to demonstrate you’re a real human to computer systems.
johnisgood · 1d ago
Someone said "Phone numbers are very easy to get in large numbers. US-based SMS numbers that will pass verification for buying sneakers are ~$0.25 each.".
It's worse than that. Not only are temporary bulk phone numbers cheap, phone verification is a profit center for spammers. Because they acquire a bunch of phone numbers for their own use, but each phone number can be used on any service that requires phone verification, so they can then sell phone verification service to other spammers or privacy-conscious individuals who don't want to give out their phone number, or set up a web page to do it that makes money from ads, and use the profits to expand their spamming operation. Not only that, the more services require phone number verification, the more profitable spamming becomes, because each number has an increased return since it can be used to sell an activation for an account on another service.
Meanwhile people who actually want privacy get screwed, because the spammer's account is going to get banned for spamming in less than a month either way, but a normal user would want to keep the same account indefinitely, and then the site demands that they keep access to the same phone number indefinitely. So then the honest users are stuck paying a monthly fee at the retail rate for a separate phone number for each service in order to avoid giving them all the same phone number to correlate with you. Whereas the spammers pay the wholesale rate once and then more than break even.
The anti-spam value of phone number verification is not just zero but actually negative. Its purpose is to harvest phone numbers from honest people for mass surveillance, and anyone requiring it is making the spam problem worse.
johnisgood · 1d ago
I agree.
Do you have any ideas against bots, or perhaps even spam? Or do we even need any verification to begin with? There are ways to prevent both, at different layers, but I am not sure what would be the best way, especially something that does not sacrifice privacy.
AnthonyMouse · 1d ago
One of the things that works pretty well is invite codes. People want to use a service because their friends use it. Which is to say, because they have someone to get an invite code from. And invite codes don't track very much more than the service is going to learn by who you use the service to communicate with anyway.
But then banning spammers and bots gets a lot easier because it becomes trivial to trace where they got their invite codes and then shut off that account's ability to give them any more, and you have something to investigate if you see large numbers of accounts getting invite codes from the same account.
They can also be used as an alternative to other forms of verification. So to create an account you can either get an invite code, or provide something even more scarce than a phone number, like payment info. Either you have an invite code or you pay $5. Then most people don't have to pay anything because they get a code, people who want in but don't know anyone there yet can pay a nominal fee, and the spammers and bots can't easily do either of these things at scale.
johnisgood · 1d ago
My problem with invite codes is precisely the association to someone (metadata). It is a double-edged sword, because I would think twice before inviting someone (good!), but at the same time I do not want to be responsible for what they do, nor do I want to be associated to it. As for payment information, I would rather not provide that just to use an instant messenger, for example. Thankfully we have metadata-free IMs (e.g. Ricochet Refresh, Session, Briar). That said, I would not dismiss the idea of invite codes so quickly.
AnthonyMouse · 1d ago
The premise of invite codes shouldn't be that you're responsible for anything someone you invite does. You are not your brother's keeper. If you invite a bot, the worst thing that should happen to you is that you're not allowed to issue invite codes anymore. But that's also all you need to solve the problem, because then the set of people who are careless with invite codes and the set of people who can still issue them ceases to overlap.
The nice thing about payments is that it makes an excellent fallback option, because spammers can't use it. It's not even about identifying the user, you can accept cryptocurrency and allow them to stay anonymous because someone who is going to have their account banned after only a few hours regardless can't invest even $5 in it, so it's about the money rather than the identity. And then it's not supposed to be the default option, but it can exist as an option for anyone the other options aren't working for.
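The invite-code scheme described in AnthonyMouse's two comments above, sketched as an added example (not code from the thread or from any real service). The class and function names, the review threshold, and the choice to void an inviter's unused codes on revocation are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

SIGNUP_FEE_CENTS = 500      # the "$5" fallback mentioned in the thread
BULK_INVITE_THRESHOLD = 3   # assumed review threshold, tune per service


class InviteError(Exception):
    """Raised when a signup or a code request is refused."""


@dataclass
class Account:
    name: str
    invited_by: Optional[str] = None   # None for paid or founding accounts
    can_invite: bool = True
    banned: bool = False
    invitees: list = field(default_factory=list)


class InviteRegistry:
    def __init__(self):
        self.accounts = {}   # name -> Account
        self.codes = {}      # unused single-use code -> issuer name

    def _create(self, name, invited_by=None):
        if name in self.accounts:
            raise InviteError(f"{name} already exists")
        self.accounts[name] = Account(name, invited_by)
        return self.accounts[name]

    def add_founder(self, name):
        return self._create(name)

    def issue_code(self, issuer):
        acct = self.accounts[issuer]
        if acct.banned or not acct.can_invite:
            raise InviteError(f"{issuer} may not issue invite codes")
        code = secrets.token_urlsafe(12)
        self.codes[code] = issuer
        return code

    def join_with_code(self, name, code):
        issuer = self.codes.get(code)
        if issuer is None:
            raise InviteError("unknown, used or voided invite code")
        acct = self._create(name, invited_by=issuer)
        del self.codes[code]               # consume only once signup succeeded
        self.accounts[issuer].invitees.append(name)
        return acct

    def join_with_payment(self, name, paid_cents):
        # Fallback path: no inviter is recorded, the fee is the scarce resource.
        if paid_cents < SIGNUP_FEE_CENTS:
            raise InviteError("payment below signup fee")
        return self._create(name)

    def _void_codes(self, issuer):
        for code in [c for c, who in self.codes.items() if who == issuer]:
            del self.codes[code]

    def ban_for_spam(self, name):
        """Ban the account, then trace its inviter and stop further invites.

        The inviter is not banned: losing the ability to invite is the
        only consequence, as the comment above proposes.
        """
        acct = self.accounts[name]
        acct.banned = True
        acct.can_invite = False
        self._void_codes(name)
        inviter = acct.invited_by
        if inviter is not None:
            self.accounts[inviter].can_invite = False
            self._void_codes(inviter)      # assumption: unused codes die too
        return inviter

    def bulk_inviters(self):
        """Accounts whose invite volume warrants a manual look."""
        return sorted(n for n, a in self.accounts.items()
                      if len(a.invitees) >= BULK_INVITE_THRESHOLD)


def run_demo():
    # Constructed scenario: alice invites bob, bob invites a spam bot.
    reg = InviteRegistry()
    reg.add_founder("alice")
    reg.join_with_code("bob", reg.issue_code("alice"))
    spare = reg.issue_code("bob")          # issued before the ban, never used
    reg.join_with_code("spambot", reg.issue_code("bob"))
    traced = reg.ban_for_spam("spambot")
    return reg, traced, spare


if __name__ == "__main__":
    reg, traced, spare = run_demo()
    print("inviter traced:", traced)
    print("bob banned:", reg.accounts["bob"].banned)
    print("bob can still invite:", reg.accounts["bob"].can_invite)
    print("spare code still valid:", spare in reg.codes)
```

The registry stores only the inviter link per account, which is the metadata johnisgood objects to; the paid path records no inviter at all.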
tomlockwood · 1d ago
I disagree. They're hard for a non-technical user to acquire in bulk. This makes me think their purpose isn't really to prevent bot farms.
josephcsible · 1d ago
You're lucky if you can do that. Occasionally, when you try to log in to your Google account, it will demand a phone number before it lets you in.
latchkey · 1d ago
It asks very aggressively, but I have always found a way to skip it. You can also remove it after the fact too.
profsummergig · 1d ago
And these days everything is 2FA. All that phone data is going to start leaking when they need to growth-hack further.
gblargg · 1d ago
It's part of the know your customer (KYC) push, which is likely for this cross-device graph side benefit in many cases.
username223 · 1d ago
Same. I never trusted tech companies not to use my cell number in shady ways, and wasn't surprised when it came out the first few times that they were using 2FA numbers for other purposes. Long random passwords and throwaway email addresses have been good enough for me.
saurabhshahh · 1d ago
Now, I use Perplexity to get any customer care number of any company and most of the time they provide the right number compared to Google.
Honestly, this policy seems absolutely backwards to me. I'm fine for customers to contact me via e-mail or my website, but why do Google get to suddenly mandate that I need to provide 24/7 global phone support to anyone (who doesn't even need to be my customer)?
But none of them (except the Google Play one, which I'm fixing) are associated with the business or were provided for the purpose of sharing when people search for a business that I happen to be involved with!
(I'm sure you wouldn't want your phone number to turn up every time anybody searched for your employer, even if you were happy for your phone number to appear on your personal website, right?)
I'm not claiming that my personal phone number shouldn't be online anywhere. There are plenty of places it's pretty easy to find!
I'm just saying that I didn't put my personal phone number onto a public Business Profile (only providing it for identity verification, many years ago). But then, randomly, one day Google decided to start publishing it to anybody who searched for that company name.
One day my neighbor called me, and I had not registered his number, so Samsung showed "<his name> GRINDER", because someone else had him like that in their contacts ^^.
He was openly gay within the neighborhood but he was also working as some sales representative for real estate and he was not exactly happy when I told him Samsung was broadcasting his sexual orientation to unknown people he would call >< (not to mention he told me he hadn't used grinder in like 7 years).
That doesn't really sound like it was any user's input.
Didn't some food delivery service get their own phone numbers listed for various restaurants a few years ago?
If they are registered, the request goes to the business owner to approve in my experience. We used to get lots of phantom requests telling us our opening hours had changed but if you're registered you can just decline them.
Local Guides are ordinary unpaid Google accounts who submit reviews, photos, and other edits as I’ve detailed here. We are sometimes prompted to answer questions, but only with a blank to fill in.
https://support.google.com/maps/answer/7084895?hl=en
Google says "We review all the edits you make."
Google Maps actually processes historical data about how busy the location is throughout the hours and each day of the week.
You can find this rendered as a little bar graph with a blurb describing the current estimate.
This is believed to be aggregated from everyone’s Android devices reporting their locations in a very small radius.
Also, Maps asks its users to answer extended questions about amenities. Such as: parking types, accessibility features, kid-friendly, vegan/vegetarian.
When I am on board a bus or light rail train, there is information about how full it is, what temperature, accessibility, etc. They are tracked in real time because the transit authority shares their live telemetry with Google. Once, Google had demonstrably wrong schedule information and I discovered that it reflected the official website’s version. (It was reporting every train canceled, but they were actually running.)
When I worked in an office in 2012, we were trying to get our arms around various listings in 3rd party "Yellow Pages" publications, on paper and online. It seems that compiling business listings has been around a long time. And every business needs a Social Media manager to be aware of their footprint and manage multiple sites like this. Yelp, TripAdvisor, you name it.
Laws are useless when you live in a country that doesn't care about enforcing them.
A few years ago I worked for a company that no longer exists today. They had, among other things, a job search service connected to their ID system. I was also doing my own project at the same time and needed Python developers. I was young and naive and thought I could find a junior and train him quickly. So I posted a vacancy on this job board: "Looking for a Python developer without experience." It turned out that they showed my phone number and it couldn't be turned off.
I received about 3-4 calls from very strange people who demanded to know how to become programmers. For some reason, they all started calling at about 5am. I even gave some useful advice to the first one, because I was taken aback by such impudence.
Today I use about 4 different phone numbers to separate my private life and data leaks like that.
My guess is the reason is they're from one particular geographical area, where 5am your time is their "start of business day" o'clock?
I wonder what geographical area that is.
In Germany, lieferando (subsidiary of takeaway.com) registers domains in the form of restaurantname-city.de, points them to their lieferando cloudflare account, and claims ownership for the google business entry where they set the phone number to their own call center.
Then they call the business owner and _force them_ to sign the contract with them, because effectively the owner knows they cannot be found anymore via google, and everyone that wants to order something will reach the call center hotline and leave a negative review after the hotline tells them wrong number, effectively destroying their business. And the people working for lieferando via Zeitarbeitsfirmen know this, and mention this in the call to pressure the restaurant owners to get their sales provision.
Crimeflare before it got taken down had around 130k domains that were pointing to the lieferando website using this kind of scheme, I helped provide the dataset for a couple of local business owners that were extorted this way and refused to abide by that scheme.
Guess what happened, nobody could be sued and the financial damages were too small to escalate it on the European court level. Sadly, class-action lawsuits don't work the same way as in the US, apparently.
Effectively Google does not abide by the laws and gets away with it due to their financial structures of their holding companies.
And they certainly know about this, they just don't give a single fvck.
I remember a growing amount of articles and on-line discussions about restaurants being extorted this way; then the pandemic came and removed the need for extortion by making delivery necessary for restaurants' survival. It's probably why the whole thing isn't talked about anymore these days.
It is absolutely insane that organizations are weaponizing this.
> Doesn't Google have any way to dispute the business ownership?
I can only speak for the US and it’s been a few years since I’ve done it, but yes Google does have a way. You can report an issue, and “claim” a business. Google will literally send a postcard with a unique ID to the registered physical address, and whoever gets that postcard can take ownership.
> Can I take over any business on the maps by just registering a domain that contains the business name?
Absolutely not (at least legally I assume). It’s probably trademark infringement and potentially fraud to misrepresent that business, and also Google has other methods to verify ownership (see above).
When you say "registered address", do you mean the actual business registered address (as in on Companies House in the UK, for example) or the address which was used to register the business with Google? Because if it's the latter, I think I see a problem ...
Believe it or not, someone spent at least a few hours thinking about this.
The address is the physical address that a customer would go to when they look up the business on the map. If it's a restaurant, it's the address that has the tables and food and drinks.
If the address is different than the address of the shop-owner, then how would a user who uses google maps get to the shop? And why wouldn't the shop owner just create a new, correct listing?
I reported it, of course, (as someone else mentioned, Suggest an Edit) and they got changed, but I haven't checked to see if he changed them back.
Yes, as long as the business doesn't have that already. And that's the point - many small restaurants, takeaways etc simply don't have a website because they think they don't need one, until they're fucked by Lieferando.
Plus, many restaurant owners are immigrants, and undocumented/underpaid labor is blooming as well. The last thing they want is to attract the eyes of the government.
Their entire business model seems to be centered around extorting businesses. I stopped giving them money after they inaccurately posted that a certain restaurant delivers to my location and got a phone call from the place that this was the case so I agreed to pay extra to fulfill the order anyway, because Lieferando certainly wouldn't take responsibility.
Nowadays I use them only for discovery, but call the place directly or use the webpage if the business provides online ordering.
It appears that their initial value proposition to businesses was substituting delivery services so that restaurants could scale that up without hiring more staff. Of course enshittification made that service worse than just walking/driving/taking public transport there.
So the real number of those domains is likely to be much, much larger if you had the same dataset as Crimeflare had. You can find articles about it with the keyword "Schattenwebsites lieferando" because that's what the press seems to have settled on. Different press teams counted different amounts of websites because of that. Another team where I knew people from the CCC that helped them confirmed the 120k number though.
Our final number in Q4 of 2021 was 130k domains that we found out about, and we were trying to contact a bunch of other business owners to be able to escalate the lawsuit onto the Landsgerichtsebene (so that it can go into the Bundesgerichtshofsebene afterwards, and then to the EU court).
[1] https://www.stern.de/wirtschaft/lieferando-lockt-kundschaft-...
[2] https://notizlo.ch/wie-man-gegen-lieferando-domains-arbeitet...
[3] https://t3n.de/news/lieferando-restaurants-schattenwebsites-...
[4] https://www.trendingtopics.eu/lieferando-provisionszahlungen...
[5] https://www.deutschlandfunknova.de/beitrag/schattenwebseiten...
It seems like Lieferando is the problem here. How come that company is still in business? It seems like obvious identity theft to me, if anything Google is only guilty of trusting Lieferando too much.
> There's no such thing as identity theft, it's all bank fraud or in this case student aid fraud. "Identity theft" is a term coined by banks to try to make it sound like random people should have to deal with the fallout of the banks' bad identity verification practices.
https://news.ycombinator.com/item?id=43923179
In this case, the ”identity theft” happens because Google trusts someone they shouldn’t. If they didn’t, the scam wouldn’t be possible. Yes, the scammer is the problem, but Google are providing them the opportunity, and leave it to each victim to deal with the situation.
"Beware of scammers!!!111!". No, _you_ beware of scammers, that's what I pay you for.
Extortion.
[0]: https://en.wikipedia.org/wiki/Unregistered_trademark
I guess there might not be an equivalent in Germany.
> Strafgesetzbuch (StGB)
> § 263 Betrug
> (1) Wer in der Absicht, sich oder einem Dritten einen rechtswidrigen Vermögensvorteil zu verschaffen, das Vermögen eines anderen dadurch beschädigt, daß er durch Vorspiegelung falscher oder durch Entstellung oder Unterdrückung wahrer Tatsachen einen Irrtum erregt oder unterhält, wird mit Freiheitsstrafe bis zu fünf Jahren oder mit Geldstrafe bestraft.
> (2) Der Versuch ist strafbar.
> [...]
> (5) Mit Freiheitsstrafe von einem Jahr bis zu zehn Jahren, in minder schweren Fällen mit Freiheitsstrafe von sechs Monaten bis zu fünf Jahren wird bestraft, wer den Betrug als Mitglied einer Bande, die sich zur fortgesetzten Begehung von Straftaten nach den §§ 263 bis 264 oder 267 bis 269 verbunden hat, gewerbsmäßig begeht.
> § 263a Computerbetrug
> (1) Wer in der Absicht, sich oder einem Dritten einen rechtswidrigen Vermögensvorteil zu verschaffen, das Vermögen eines anderen dadurch beschädigt, daß er das Ergebnis eines Datenverarbeitungsvorgangs durch unrichtige Gestaltung des Programms, durch Verwendung unrichtiger oder unvollständiger Daten, durch unbefugte Verwendung von Daten oder sonst durch unbefugte Einwirkung auf den Ablauf beeinflußt, wird mit Freiheitsstrafe bis zu fünf Jahren oder mit Geldstrafe bestraft.
> [...]
My rough translations:
> Book of criminal law
> § 263 Fraud
> (1) Everyone who, with the intent to create an illegal estate gain for himself or a third party, diminishes the estate of another through the presentation of untrue facts, or the misrepresentation or suppression of true facts to create or sustain an error, shall be punished by incarceration up to 5 years or monetary penalty.
> (2) The attempt is punishable.
> [...]
> (5) With incarceration from one to ten years, in cases of minor severity from six months to five years, shall be punished whoever commits the fraud as the member of a gang, which has banded together to continuously commit crimes as in §263-264 and 267-269, in a business-like fashion.
> § 263a Computer Fraud
> (1) Everyone who, with the intent to create an illegal estate gain for himself or a third party, diminishes the estate of another by influencing the result of a data processing operation through incorrect design of the program, use of incorrect or incomplete data, through unauthorized use of data or through other unauthorized influence upon the operation, shall be punished by incarceration up to five years or monetary penalty.
This is a government-level issue. It's a clear breach of GDPR, but I get the feeling this guy is in America.
Under US law I can see a few different things that would make the Lieferando behavior you describe illegal, whereas all Google is doing is being the unwitting vector for their illegal activity.
It's always more difficult to pin fault for a crime on unwitting enablers even when their negligence arguably rises to the level of a crime. The big question here is why businesses haven't successfully fought back against the ones doing the actual crime?
Applying Occam's Razor here, the explanation given in the post seems like possibly the least likely option.
One way to shed some light on this would be to use Takeout to get a copy of data held and see if they still have the number and what they hold it for.
If it was your personal account, I really don't see how a personal verification ends up on a business account. I'm not saying it's not possible, but it seems like it would introduce extremely bad data. I've verified my phone number, but (personal speculation) I doubt Google would want my number showing up on my employer's business profile.
If it was for your business account... I can see how that would be unexpected, but also the point of verifying that would I guess be to increase the level of trust that customers could have in the business based on it being verified, and I can see how that might lead to that number being public. It also sounds like this is what you did with Play too, and as a user I would expect that Play's company data aligns with data on Google Search.
I can empathise with the shock here, I've had people call me up from google searches and finding my number on my CV, but I am struggling to find a link here that doesn't make sense.
I wanted to take control of the Google Business Profile (back then: Google My Business) listing. To do that, Google asked for a phone number they could call. I provided one, and then double-checked that they hadn't put it on the public profile (they hadn't).
They emailed me about once a year after that to suggest that I might like to put a phone number on the business profile. I declined. But I always checked, and sure enough: they hadn't put one on there. All was good.
Then one day, randomly, my phone number started appearing on the public profile/being served to search users. That's the whole story here.
I don't yet know how or why it started appearing. A few ideas have been posed here and elsewhere, including:
1. Some runaway automated process at Google, trying to "fix" the absence of a business phone number, took the one that was previously used to ID the business contact. (Some folks seem to think that this is what I'm claiming happened, but I'm only putting it forward as a possibility.)
2. Google "joined the dots" from the Google Play profile and the Google Business Profile. This currently seems like the most-likely explanation, to me. I'm getting the former corrected anyway; we'll see what comes out of it.
3. Some third-party Google user added it. That seems possible, but in my experience once you've verified and own a Google Business Profile, you get an email to confirm any "suggested changes" and I didn't see any such email.
4. Some kind of user error by me or by somebody else who has access to the profile. I obviously can't rule this out, but I've checked and I personally haven't even logged into it in over a year (and I've had emails since that confirm that a phone number wasn't listed), so it seems unlikely. Also, the message said that Google had updated the phone number (not me).
I have to be careful about what I say, and very much cannot say in this case, nor do I know anything specific to the business profile area, but my experience of data at Google is that one does not simply join a table and fill in the blanks. In my experience there's a lot of privacy and legal review, and that's only after someone thinks it would be a good product idea (which in this case feels unlikely). At a technical level, there are many safety checks that are intended to prevent things like this from happening unless all that review and sign-off has happened.
There should be laws against this sort of thing.
https://www.google.com/search?q=Three+Rings+CIC&hl=en#irp=ph
This is probably linked to the process for Search. It's called "crowdsourcing".
https://support.google.com/business/answer/3038311
The article mentions having control of the Google Business Profile. It was sometimes called "Google My Business". You can register and verify that you're the owner, and then you'll have tools to reply to reviews and manage your own Maps entry, etc.
https://business.google.com/us/business-profile/
That number isn't mine, and will never belong to anybody!
Love it.
But sometimes I've done the same thing in other places and gone further, sometimes concealing "fun" messages. In my post about Halifax putting the wrong names on a letter to me (https://danq.me/halifax-dun-goofed), I changed my address to a message along the lines of "what, you think I'd put my actual address here, like it's my first day on the Internet" and then blurred that.
Incidentally, I think that one was the first times that anybody contacted me to say that they'd noticed the unblurrability of my images, but I've been using this approach for years!
It's like how they blur nipples on TV. We all know what nipples look like! But they're blurred to say "yeah, but maybe you shouldn't be looking".
Blurring makes sense as a way to say "this is private". It's almost lampshading, in this case, because it's the bit I want you to look at!
But blurring doesn't make sense from a privacy perspective, because unblurring is pretty easy. So I modified the number to a known-fake, will-never-be-valid one.
But if I just did that, people would probably try to call it, or would say "but you've put it back online here", or similar. Or else would say "that number's fake anyway, why are you worried?". Blurring it as well achieved the best of all worlds: it lampshades the bit I'm talking about, and it indicates that the kind of data stored there should be considered private, and it prevents the actual extraction of the (real) private data from the image. Win, win, win.
Unless the question "why bother" was to imply that blurring was hard to do? Because it definitely wasn't. Changing the number took much more effort! The blur was just two clicks; significantly less effort than, say, explaining why I chose to do so! :-D
And yes, your comments re blur have plenty of precedent.
But in this instance, it’s trivially easy to read the numbers even without any fancy software.
@author, if your reason for blurring was to protect your identity, then you should update that image asap because you’re not succeeding at hiding your number.
In that case, the developer provided Google with a way for Three Rings customers to reach them and they then published that number.
I don't know why the app's developers decided to use their personal phone number for their Google Play business contact information, but that seems like the most reasonable explanation to me.
If the author did not provide that phone number to Google Play, then he will need to also update his information there to get the phone number delisted, or it will be a matter of time before it appears on the Google Search page again.
During my consultation, the team I was helping kept talking about "Our App", "Our Process", "Our Use", "How do we get this data into our System?" I had to ask them multiple times, "How do your users or customers outside of your company use them?" "Have you thought of how people usually do these kinds of steps?"
On a day off work, I got a cold call to my personal mobile. This salesperson called me by my name and then tried to flog something relevant to my job. Being hugely irritated, I shared my thoughts with the caller and demanded to know where they'd found my number. They were at least a little bit apologetic, and said they found it on LinkedIn using a plugin called "Lusha".
Lusha's website has claims about being GDPR compliant, but at the same time being a "crowdsourced data community". They do at least publish a "Privacy Policy" and some contact details for a data controller.
I emailed them with a Subject Access Request, which they responded to two weeks later in a very cagey manner. Actually, I did some sleuthing of my own. I found an unlisted link for a broken OneTrust request form. This didn't seem to be linked anywhere on the website and I literally guessed the URL for it. After some poking around in the debugging console, I received a more fully furnished copy of my profile.
The data source for my email was... "Lusha's email guess algorithm" - now, one of the downsides of working for a small business and getting a firstname@domain.com is that guessing it isn't particularly difficult.
The data source for my phone number was more interesting. "L.S Mobile Apps Holdings Ltd." a company I'd never heard of, but eventually found an App Store[0] and Play Store[1] listing under a very similar name.
Looking at the apps published by this company, you can immediately see where this is going: a "Caller ID" and an even more transparent "Contacts Backup" app - both having complete access to all your contacts. At this point it becomes clear where my contact information has actually come from: someone I probably work with has created a contact in their phone with both my email and personal phone number, then used one or two of these apps.
I decided to pick the Contacts backup app to take a closer look. Installing the app on a wiped phone, I explored the UI, disassembled code and snooped the requests to their servers to see where exactly this mysterious "GDPR Compliance" was. The primary functionality is of course to create an account, upload all your contacts, and let you sign in on another phone to download them. There was some effort to make this work for most users, workarounds for edge cases, etc. It was more than the low-effort app I was expecting.
All the sharing functionality was checked behind a "consent" dialogue (and I use that term extremely loosely). The deal was that the app would helpfully hydrate my entire contacts book with missing details! All I had to do was share it in turn. What I found peculiar about this was it simply didn't work. It seemed as though not only would the server not populate the missing data, but the code that handled this client-side was unfinished.
If you're wondering what the link between Lusha & L.S Mobile Apps is, they're effectively the same company. Yoni Tserruya, the co-founder of Lusha, has their fingerprints all over the certificates used to sign the Android LSM Apps. It's clear this app's data is what they've built their company on.
Now, both Google and Apple are well known to display "Data Sharing" information as part of the store pages. The Play Store page explicitly says "No data shared with third parties", whereas the App Store omits the usual section you'd see when data is shared with third parties.
I contacted both Apple and Google with full details about what I'd found, and in the least surprising event to my saga, they did nothing.
Sadly, instead of having any satisfying conclusion, what I saw was what I already knew. I even got angry when reading their privacy policy, and how completely clear it is that all this "GDPR Compliance" labelling they have is there to sell their product to EU customers and they're clearly not compliant.
Here's some ragebait for the rest of HN who care about their data:
- French DPA (CNIL) says Lusha is full of shit, but they can't do anything because they're based in Israel[2]
- Lusha doesn't think consent is important[3]
I’d really rather not provide it. But we don’t have many good options to demonstrate you’re a real human to computer systems.
Related submission: https://news.ycombinator.com/item?id=44084677
Meanwhile people who actually want privacy get screwed, because the spammer's account is going to get banned for spamming in less than a month either way, but a normal user would want to keep the same account indefinitely, and then the site demands that they keep access to the same phone number indefinitely. So then the honest users are stuck paying a monthly fee at the retail rate for a separate phone number for each service in order to avoid giving them all the same phone number to correlate with you. Whereas the spammers pay the wholesale rate once and then more than break even.
The anti-spam value of phone number verification is not just zero but actually negative. Its purpose is to harvest phone numbers from honest people for mass surveillance, and anyone requiring it is making the spam problem worse.
Do you have any ideas against bots, or perhaps even spam? Or do we even need any verification to begin with? There are ways to prevent both, at different layers, but I am not sure what would be the best way, especially something that does not sacrifice privacy.
But then banning spammers and bots gets a lot easier because it becomes trivial to trace where they got their invite codes and then shut off that account's ability to give them any more, and you have something to investigate if you see large numbers of accounts getting invite codes from the same account.
They can also be used as an alternative to other forms of verification. So to create an account you can either get an invite code, or provide something even more scarce than a phone number, like payment info. Either you have an invite code or you pay $5. Then most people don't have to pay anything because they get a code, people who want in but don't know anyone there yet can pay a nominal fee, and the spammers and bots can't easily do either of these things at scale.
The nice thing about payments is that it makes an excellent fallback option, because spammers can't use it. It's not even about identifying the user, you can accept cryptocurrency and allow them to stay anonymous because someone who is going to have their account banned after only a few hours regardless can't invest even $5 in it, so it's about the money rather than the identity. And then it's not supposed to be the default option, but it can exist as an option for anyone the other options aren't working for.
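The invite-code tracing described in the comments above, sketched as an added example that is not part of the original thread: each account records who invited it (or that it came in through the paid fallback), so a burst of banned accounts can be traced to a common inviter whose invite privilege is then shut off. The account names, thresholds and data model are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    name: str
    invited_by: Optional[str]  # None = joined through the paid fallback
    banned: bool = False
    can_invite: bool = True


def invite_chain(accounts, name):
    """Walk from an account up to the root of its invite tree."""
    chain, seen = [], set()
    current = accounts[name].invited_by
    while current is not None and current not in seen:  # guard against cycles
        seen.add(current)
        chain.append(current)
        current = accounts[current].invited_by
    return chain


def suspicious_inviters(accounts, min_invites=3, max_banned_ratio=0.5):
    """Return {inviter: banned_ratio} for inviters whose direct invitees
    are mostly banned. min_invites avoids punishing one unlucky invite."""
    invited = defaultdict(list)
    for acct in accounts.values():
        if acct.invited_by is not None:
            invited[acct.invited_by].append(acct)
    flagged = {}
    for inviter, invitees in invited.items():
        if len(invitees) < min_invites:
            continue
        ratio = sum(a.banned for a in invitees) / len(invitees)
        if ratio > max_banned_ratio:
            flagged[inviter] = ratio
    return flagged


def revoke_invites(accounts, flagged):
    """Shut off invite privileges for flagged accounts; return their names."""
    for name in flagged:
        accounts[name].can_invite = False
    return sorted(flagged)


# Constructed sample data: alice paid to join, everyone else was invited.
ACCOUNTS = {a.name: a for a in [
    Account("alice", None),
    Account("bob", "alice"),
    Account("carol", "alice"),
    Account("dave", "carol", banned=True),      # single bad invite, not a pattern
    Account("mallory", "bob"),
    Account("spam1", "mallory", banned=True),
    Account("spam2", "mallory", banned=True),
    Account("spam3", "mallory", banned=True),
    Account("spam4", "mallory"),                # not caught yet
]}

if __name__ == "__main__":
    flagged = suspicious_inviters(ACCOUNTS)
    print("flagged inviters:", flagged)
    print("chain above spam1:", invite_chain(ACCOUNTS, "spam1"))
    print("invites revoked for:", revoke_invites(ACCOUNTS, flagged))
```

The chain above a flagged inviter (here bob, then alice) is what an investigator would review next; it is not revoked automatically, since one bad invitee is weak evidence against the person who invited them.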