It’s an interesting little story. It won’t be entirely clear until Google conducts its own internal investigation, but Magdalinski’s amateur detective investigation is pretty damning, nonetheless—especially for a company with the slogan: “don’t be evil.”
According to Magdalinski’s blog, Mocality started getting odd phone calls from clients last September, shortly after Google launched its competitor service, Getting Kenyan Businesses Online (GKBO). The clients wanted help with their websites, but Mocality doesn’t do websites, just listings.
In December, Mocality analyzed their server logs to try to identify any common patterns among the clients asking for website help. They found one. An IP address had contacted all of those businesses, using Google Chrome on 32-bit Linux, which is very rare in Kenya—according to Magdalinski, “with the exception of this IP, it barely appears in our logs.”
The server logs showed that users from this IP address had made 33,261 requests on Business Profile pages—they were systematically gathering contact info for all of Mocality’s clients.
Furthermore, there was no evidence of automated scraping. Instead, the activity occurred primarily during business hours, Monday through Friday, meaning that it was a targeted effort by a staff of live humans (which makes it all worse somehow).
To catch them, Mocality set up a sting. They changed the contact numbers of some of their clients (only for the hackers’ IP address), then fed calls to those numbers to Mocality’s call center.
On Mocality’s end, employees pretended to be business owners when the scrapers called. The call center system recorded the calls.
“When we listened to the calls, we were beyond astonished,” wrote Magdalinski.
On one call, “Douglas” identified himself as a Google Kenya employee and stated that Mocality was working with Google to get GKBO off the ground (they’re not). Douglas attempted to upsell the “customer” a website (Mocality, a free site, only offers listings).
In another call, the Google employee told the “customer” that Mocality frequently uses bait-and-switch tactics to get customers to pay for listings. Magdalinski vehemently asserted that his company “has never and will never charge for listings.”
Other calls were similar. Then, after the Christmas break, the calling stopped, as did the scraping. Or, rather, the scraping switched to a different IP address. (The scrapers appeared to have outsourced the process to India.)
Mocality didn’t receive any more contact info requests from the Kenyan IP address, but the company got more odd calls from clients that led (through the same sting operation, just repeated) to an IP address in India. And what they found was surprising, to say the least.
“These new accesses were coming directly from Google’s network,” wrote Magdalinski.
On Saturday, Magdalinski busted Google with his blogspot. Google, (commendably) reacted with an immediate apology and promise to conduct an internal investigation.
Magdalinski said he wants to know three things: why Google didn’t just ask for the information (he said he’d talked to Google about working together before), who authorized it and who knew or should have known it was going on.
Hm. I’ll be interested to hear what the Google folks say.
