Does a Google Bulk upload create a verified listing or is it in reality just another data feed? Unfortunately it is the latter.
Danny Sullivan and Greg Sterling have been covering the recent multi listing hijacking of hotel pages at Google. The hijackers essentially were able to take control of numerous hotel listings and insert an affiliate booking site URL.
Here was part of my comment to Greg about how this might have occurred:
My working theory is that these listings were either unclaimed or possibly claimed via the bulk upload. Bulk upload is viewed by Google as more of a data feed than a listing verification method and it does not lock out [additional] local claimants. Thus the listings were “eligible” to be double claimed. And claimed into the new G+ Local environment. In theory that requires verification either by post or a call and exactly how this many listings were in fact verified with the new domain is unclear.
In the old Places Dashboard and the previous/current Bulk upload any data that Google received was just that. The data might have given it some preference if it was current but it received very little special treatment over any other data that Google had. If they trusted other data more than they yours that is what would show. Or rather if the algo trusted other data more than yours that was what would show.
Also “claiming” into either environment conferred no special rights to editing that data.
If you claimed the listing into another dashboard Google would just handle it as more data that would be considered as possibly better or more fresh for the listing.
This design, while not widely understood, had certain advantages. If a claimant died or lost his/her password the listing could be simply “reclaimed” into another dashboard. Thus Google did not have to get involved with accounts that had “aged out” or had lost the password. The new claimant could just create a new Google account and go at it.
If a franchisee didn’t agree with the franchisor messaging, likewise. The franchisor could do a bulk upload and the local franchise could go into their own dashboard and verify the listing via post card or phone and add their own data. With the hotel owner and the hotel operator a similar situation could occur.
The good news (from Google’s pov) was that Google could get fresh data with a minimal support structure. If there was a discrepancy the algo could sort it out every 6 weeks as Google “rebuilt” the world (more or less successfully).
The bad news was that there could be “dueling claimants”. The bulk provider would upload data and then the individual claimant would do a null edit or upload new data and override it. The listing content and photos could dance back and forth and angers would flare.
But Google didn’t (and still doesn’t) want to get involved in these claiming wars. The contestants would have to fight it out amongst themselves. Some of these battles can be extremely contentious and often there is no resolution. Its clear why Google might not want to “get involved” as there might be not simple, single answer.
With the rollout of G+ and the “real” persona required to be effective, Google moved to a true verification model of the G+ Page for local. A listing in the new dashboard/G+ management environment can only have one verified claimant. That data is both more trusted and more secure. If a second user tries to claim any given listing they are told that it isn’t possible.
But a listing that is uploaded via Bulk Feed is still effectively able to be double claimed (or reclaimed or in actuality verified) into a new Dashboard. The bulk listings, like listings from the old Dashboard, do not carry the verification symbol on the page and there is no warning given if you attempt to bring them into the new dashboard and generate a postcard to get a pin.
Unlike a listing claimed via the new dashboard a bulk uploaded listing is available to be claimed, its that simple. Just because you took the time to collate the data, put it into a form that Google can read and go through the bulk verification process doesn’t mean that it can’t be claimed again by someone into the new Dashboard.
Google never really educated businesses about the realities of this. I suppose its easy to understand why. It’s not a very compelling value statement: “COME CLAIM YOUR LISTING (oh and by the way if you claim your listing we might user your data, or not). COME CLAIM YOUR LISTING (oh and by the way we might let others also claim it and use their data instead)”.
I have no idea how the hijackers were able to claim as many listings as they did. Its hard but obviously not impossible.
But when you stop to think about it there are only a few possible pathways to actually obtain the necessary information for verification in the new Places Dashboard/G+ Mgt:
-A technological intrusion (like the NSA),
-Corruption at Google, a sub-contractor or the hotel system or
-Some form of social engineering.
My money is on the latter, social engineering. it’s simple, it’s cheap and any “good” salesman can pull it off.
What can be done?
There are several things that come to mind. First and foremost would be for Google to move the bulk data feeds into a verified Plus environment where they are truly a claimed listing rather than just user provided data.
Another might be to upgrade the messaging on post card sent warning about the dangers of sharing the number.
And a third should very well be communication and education.
In this situation Google did a great job getting the spam taken down but they did a terrible job communicating about the event and providing insights as to how it might be avoided in the future. I know that Danny Sullivan and Greg Sterling put a fair bit of time trying to get information. The sum total of Google’s communication was this extremely minimal statement by Googler Jade in the forums.
We live in an industry where shit happens. Our servers were recently cdorked. Google had the Chinese and NSA snooping in on theirs. But I don’t think that this was a technological hack. If it were it is understandable that Google would be circumspect and wouldn’t want to talk too much, at least until it was solved.
But if this incident were a result of social engineering as I suspect then this isn’t about technology its about humans and the need for them to understand that a pin is something that needs to be treated with care. For them to understand this requires education. That is something that Google could and should do.
In the meantime if you are responsible for managing a feed with Google, alert your locations to NOT fall for a Google phone call ruse or some other effort at social engineering.
A call might just be coming their way.Google Bulk Upload: Verified Listings Or Just Another Data Feed? by Mike Blumenthal