Companies Struggle To Reverse McAfee's False Positives On Yahoo Search

The partnership between Yahoo and security giant McAfee has come under fire over the past few weeks after Yahoo's new SearchScan feature, powered by McAfee's SiteAdvisor, labeled some Web sites with false positives that erroneously warn users about potential security threats.

McAfee and Yahoo broke new ground in the online security space at the beginning of this month with a partnership that provides Yahoo users with red alerts when they're visiting sites that contain spyware, adware, malicious code or are otherwise considered "risky." SearchScan also identifies spamming sites or sites with questionable e-mail practices.

The combined technology, launched in beta form May 6, enables Santa Clara, Calif.-based McAfee to scan numerous well-trafficked Web sites with its SiteAdvisor technology and flag them with red or yellow security icons. Yahoo then displays this information on its search engine results page.

However, some businesses with a Web presence on Yahoo, such as e-commerce site AnyCoupons, say that the security measures have gone too far and, in some cases, have been downright inaccurate. AnyCoupons executives say that shortly after Yahoo announced its partnership with McAfee, the company, which offers deals from major brands and box stores, was falsely labeled with a red security warning indicating that the site produces spam.

"I hate spam. I hate it to the point that my company does too little e-mail marketing. We do not and will not ever spam," said David Lewis, CEO and founder of AnyCoupons, on his blog.

In a series of subsequent e-mail communications between Lewis and Yahoo, posted on Lewis' blog between May 12 and May 15, Yahoo repeatedly maintained that the search engine company was not responsible for the designation and had no control over the security rating powered by McAfee's scanning technology.

Priyank Garg, director of product management for Yahoo Search, said that there was an escalation process to evaluate false positives that could take days to a matter of weeks, depending on the nature of the detected security threat.

Garg added that security data came from McAfee and encouraged users who have experienced false positives on their Web site to first contact McAfee to get a more timely response.

"If it's a site that has to fix the issues observed on their site, they get the data from McAfee and address the issues and then ask for a retest," said Garg. "They're welcome to work with (Yahoo) and we'll work with McAfee to get the right rating."

While Garg said that he couldn't reveal exact figures, the number of false positives equaled a "small, countable number."

"It's not like hundreds of sites are seeing false positives. But any false positives are not ideal. We don't want any publishers to have a bad experience like that. The number is small and we're working to make it even smaller," he said.

Garg said that the company was learning from AnyCoupons' experience and planned to make the process of reversing a false positive easier by looking at methodologies and working through support issues.

However, for Lewis the proposed changes aren't coming fast enough.

"Beta means they know there are problems and they're willing to fix them," said Lewis in an interview with ChannelWeb. "If they're telling us they have no responsibility for what's on their site, that's not beta."

Lewis said that the red alert exclamation point that appeared next to his site on Yahoo's search page earlier this month resulted from a faulty test McAfee conducted in October.

In a May 13 e-mail message between Lewis and McAfee that was posted on Lewis' blog, Shane Keats, research analyst for McAfee, admitted that the security company had erred and agreed to retest. The AnyCoupons site was subsequently relabeled with a yellow warning icon last week after researchers read Lewis' blog post and re-evaluated the site. The yellow security warning indicates that a site is a potential spamming site pending further testing.

In the case of AnyCoupons, Keats said the October test resulted in a high volume of spam from the AnyCoupons site, which led to a red flag that didn't get re-evaluated before the collaborative launch of Yahoo's SearchScan service.

"Occasionally it's our fault. We absolutely do have false positives. And we're very proud of our ability to respond quickly and fairly to those concerns, and when we make a mistake, we admit it and correct it and do our best not to do it again," said Keats.

However, McAfee contends that in most cases there is a fact-based reason that clean or legitimate sites are designated as a security risk. Keats said that site safety ratings are achieved through a testing process with crawlers that search the Web and compile copious sites into a database for scanning.

"The technology is designed to be scientific, repeatable, evidence-based," said Keats. "This is not McAfee's hunch that it's doing x or y."

When legitimate sites are given a red security warning, often it's because their Web page has somehow connected to a malicious or harmful site, such as linking to a spam-producing site or a screensaver that bundles adware, Keats said.

"It's a process of education between McAfee and the site owner," said Keats. "Nine times out of 10, the site owner is unaware that they've done something that is in fact risky."

Keats said that McAfee technology errs in cases equaling a small fraction of a percentage point of the 20 million Web pages the company has tested.

Despite attempts to correct the mistake, Lewis said that the misunderstanding cost his company a week of lost time and thousands of dollars in lost online revenue as well as lost business from potential users who might have reconsidered clicking on his site after viewing the red warning icon. He also noted that the mistake was only corrected after he posted details of the incident on his blog.

While Lewis said he has no immediate plans for litigation with Yahoo, he said he's "not ruling out anything."

"We'll see how Yahoo handles it over the next few weeks," said Lewis. "Many people out there are questioning the management at Yahoo, and I can see why Yahoo is no longer a leader in the space."

Meanwhile, AnyCoupons isn't the only site that claims to have been unfairly labeled with a security warning. Earlier this month, Yahoo had listed Google as a site that distributed malware, according to a May 11 Techcrunch report--an error that was remedied within a few hours of discovery.

And IAC's, a personalization news and media Web portal, is currently undergoing a process to re-evaluate mislabeled red security alerts for several of its domains on Yahoo's search page—a "misunderstanding" company executives say has hurt the company's business.

"Anytime we see any company erroneously detecting [security threats in] our software, it's detrimental," said Michael Primiani, senior vice president of strategic partnership and product operations at IAC CAP. "It's obviously detrimental to our business and to our reputation."

Primiani maintained that in the past, McAfee had been "very communicative and open in terms of reviewing the products."

"We don't like the fact that we're being flagged, but we're hopeful for a positive result," he said.

While McAfee is still attempting to rectify mistakes, AnyCoupons' Lewis said he is disappointed in the way Yahoo handled customer service in the face of the error.

In the meantime, Lewis said his company is undergoing a rigorous reinstatement process on Yahoo's Paid Inclusion program--a service that guarantees listing in a search engine's rankings in exchange for payment--after Yahoo terminated its listing due to its "spamming" designation. Lewis also said his company has been blacklisted from Yahoo Search marketing.

"It wouldn't have been an issue had Yahoo or Outrider recognized that my company has had relationships with each of them for several years and that I used to work at what is now Yahoo's paid search division. I'm not looking for favors. I just think that there are ways to operate companies and ways to treat your partners," said Lewis in his blog. "This isn't it."