Death by Google

By Nick Barron,
Mar 15, 2007 2:27 PM
Rumours, and the habit of spreading them, have probably been around as long as intelligent speech. It doesn't seem to matter what industry you care to examine, people just love to pass on the latest gossip.

Recently, while planning some firewall upgrades, I was advised against a particular platform. After some gentle probing, it turned out that the person's reticence about the product was not based on personal experience or even technical detail. No, he had a friend who had told him to steer clear.

Of course, sometimes advice offered in this fashion is very useful. One of my regular sources of technical support is a closed discussion group. Its members are undoubtedly opinionated, but always willing to back up their opinions with evidence and experience.

As with most sociological phenomena, the growth of the internet has given the rumour mill a new lease of life. Whereas previously rumours were fairly self-limiting, and indeed often diluted or changed unrecognisably as they spread, the web and its plethora of search engines make it trivially easy for rumours to persist and spread worldwide.

Many years ago, I wrote in this column about a major anti-virus vendor who nearly ended up with a PR disaster due to an overzealous Usenet posting. The poster had claimed they had found a major security hole in the product, whereas in fact there was no hole at all. I happened to know the product manager and managed to get him on the case before things got out of hand.

More recently, another friend has fallen victim to the same problem. During a job application, after he had been made an initial offer, one of the potential employer's staff decided to Google his name.

Top of the list of hits were a couple of posts accusing him of plagiarism that are in fact untrue and bordering on libel. Further down are a couple of mentions of his previous involvement in the shadier side of computer security.

In his younger days he wrote viruses and was, at one point, on the receiving end of a search warrant. This combination gave the employer cold feet and, despite my friend's attempts to explain the situation, the offer was withdrawn.

Although, in principle, UK law gives some course of action to get such statements withdrawn, the web brings with it the complexity and expense of transnational legal proceedings. Such action is usually well outside the budget of the average internet user; indeed many companies would think twice about it.

Now, had the prospective employer followed things up with his referees, they would have got a different view. Yes, he did some unfortunate things more than ten years ago. He was not prosecuted, merely cautioned, and has since become a very talented security professional.

I have no doubt that he would never repeat his previous mistakes. Apart from anything else, I suspect he is far more concerned about how his wife would react. Perhaps telling the employer up front would have been prudent, but there was no attempt to conceal anything; he was simply not asked about the issue.

The root of the problem is the psychological effect that the "top ten" Google hits have on viewers. Page down his search results and you'll get a continuous stream of hits showing helpful technical advice, security research and the like. Unfortunately people seldom make it past the first 20 hits, so if the top ten are rumours that happen to score well in Google's ranking engine, you're pretty much out of luck.

With the increasing use of Google and similar search engines in personnel departments (indeed many vetting processes include it as a specific requirement), the need to interpret the results carefully is paramount. In the same way that other databases such as DNS can be "poisoned" by attackers, it will only be so long before attackers take advantage of search engines' algorithms to promote false information.

In the meantime, my friend's still looking for work, and the potential employer has lost out on an excellent member of staff.

 