TXT records are useful for OSINT. I've used them to tie together fake business listings on Google Maps. It also allowed me to tie the listings directly to the marketer responsible.
No blog post. But, since you and another have requested I'll just write a comment.
I work for a small, local, family company. I maintain the websites and do some of the marketing.
We've noticed an uptick in websites for fake businesses and fake business listings in our area/industry in the past 3-4 years. The goal is to generate leads which can be resold to local contractors--usually without the customer knowing. It's a scheme called "rank and rent."
A few months ago, I noticed a new listing in our area. I started digging into the SEO spam for it. There was a website, a couple of one-episode podcasts, social media profiles, business listings, PDF spam, and more.
Looking into the HTML source of the site, I discovered some JSON-LD for a completely different company. I looked up the company on Google Maps. Sure enough, there was a listing. And the website was using the same theme as the one I was digging into.
I decided to pull the DNS records. They both used the same Cloudflare NS. Not a smoking gun, but interesting. Then when I pulled the TXT records, I noticed both used the same IP for the SPF record. Bingo!
A quick cURL resolving the domains to the IP, and I had proof they were hosted on the same shared hosting server.
With the IP, I was able to do a reverse lookup for other sites hosted on the same server. This netted me several domains that also used the same theme and had Google Maps listings (GBP). The money result was several marketing firm domains.
One turned out to have a GBP. It had videos and photos the person used to verify the listing. Fortunately, it had the marketer speaking in the video as well. That voice sample allowed me to compare it to the podcasts mentioned above. Aside from him faking an accent, it was definitely the same guy. I've since discovered ~30 such podcasts for his different listings.
The other marketing domains were even more interesting. They were also run by the same guy. Again, verified via voice in a video on these sites. He used these websites to recruit people for "social media gigs." The gigs were setting up Google Business listings in their area. They'd set up a listing, get the postcard with a verification code, pass it off to the marketer, and he'd pay them $50-100.
The kicker was a Google form on the recruitment page. It asked if the person would be willing to leave 5-star reviews for businesses they'd never done business with for $20.
I went back to Google Maps and started bouncing through people who'd left reviews. That opened up a whole world of listings that I hadn't known about.
At present, I'm at over 80 listings which can be tied back to him.
I've also identified several websites that don't have GBP listings yet thanks to the TXT records and reverse lookups.
I left a comment in the thread. Feel free to ask questions. Though, I'm cautious about giving too many details as I plan to report the guy to the AG in his state.
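The DNS pivot described in the comment above (shared `ip4:` mechanism in two domains' SPF records, then a reverse lookup on that address) can be scripted so a whole batch of suspect domains is clustered at once. This is an added example, not the commenter's tooling; the domains, addresses and TXT strings are constructed, standing in for what `dig TXT <domain>` would return.

```python
import re
from collections import defaultdict

# Constructed sample data (reserved .test names and documentation IP ranges):
# each domain maps to the TXT strings its nameserver would return.
SAMPLE_TXT = {
    "example-plumber.test": [
        "v=spf1 ip4:203.0.113.45 include:_spf.example-mailer.test ~all",
        "google-site-verification=abc123",
    ],
    "example-roofer.test": ["v=spf1 a mx ip4:203.0.113.45 -all"],
    "example-tree.test": ["v=spf1 ip4:198.51.100.7/32 ip6:2001:db8::1 ~all"],
    "unrelated.test": ["v=spf1 include:spf.protection.example.net -all"],
}

# Only literal ip4:/ip6: mechanisms are a hosting link. `include:` usually
# names a shared mail provider and would falsely group unrelated domains.
SPF_IP = re.compile(r"^[+\-~?]?ip(4|6):(\S+)$", re.IGNORECASE)


def _norm(ip):
    # ip4:x/32 and ip6:x/128 are single hosts; drop the redundant prefix length
    for suffix in ("/32", "/128"):
        if ip.endswith(suffix):
            return ip[: -len(suffix)]
    return ip


def spf_ips(txt_records):
    """Return the literal IP mechanisms from a domain's SPF record, if any."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            terms = rec.split()[1:]
            return [_norm(m.group(2)) for m in map(SPF_IP.match, terms) if m]
    return []


def cluster_by_spf_ip(txt_by_domain):
    """Group domains sharing an SPF IP; returns {ip: sorted domains} for ips seen twice+."""
    groups = defaultdict(set)
    for domain, records in txt_by_domain.items():
        for ip in spf_ips(records):
            groups[ip].add(domain)
    return {ip: sorted(ds) for ip, ds in groups.items() if len(ds) > 1}


if __name__ == "__main__":
    for ip, domains in cluster_by_spf_ip(SAMPLE_TXT).items():
        print(ip, "->", ", ".join(domains))  # candidates for a reverse lookup
```

Each IP that comes out with two or more domains is the address to run the reverse lookup and `curl --resolve` check against; a single-domain IP is not evidence of anything.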
I appreciate email as a marketing channel. I sign up for several newsletters. I read them sometimes. I don't at others. If I find they offer nothing of interest or value to me, I unsubscribe. If I continue receiving emails after unsubscribing, then we have a problem.
I rarely have issues with companies which actually abide by things like the CAN SPAM Act.
The power Google has over small, local businesses is ridiculous.
I work for a small local business. We've been struggling to get rid of the "lead generation" spam from the Google Maps listings. This is costing us on the order of thousands to tens-of-thousands a month in work. (That's significant for our business, on the order of ~10-15% of monthly revenue.)
I dug into these listings. I discovered the company behind them, a marketing firm in Hawaii. I uncovered a network of 80+ listings across the US they operate. I even discovered their recruiting websites where they pay people to create the listings for them and go on to pay people for 5-star reviews.
I provided all of this information to Google via their "business redressal form." Nothing. It's been months. I keep reporting the listings. Nothing.
We're losing work. Other local contractors are losing work. And Google twiddles its thumbs.
What good is it for Google to have a policy if they're not going to uphold it when their inaction is harming others?
I'm surprised that at that level of loss you haven't just done an end-run around Google and the lead-gen firm and gotten together with your peers to blackball them. Those lead-gen companies can't actually deliver real service; they still need someone local to your community to pick up the lead and do the work.
I doubt it would take very long before they realized they can't fill any contracts and give up. Plus, wouldn't it sound super cool to say you started a guild?
The most famous case is locksmiths.[0] Google recently went after another company using the "rank and rent" scheme.[1]
The company which is causing us issues is also using the "rank and rent" scheme. They're running listings for everything from pool resurfacing to concrete driveways to tree services.
The company recruits people via Craigslist with an offer to pay them $50-100 to set up a Google Business Profile and receive the postcard with a code for verification. They also offer $20 for a 5-star review.[2]
I am thinking about going to the FTC and the media at this point. I've also discovered that there's a small but poorly connected community that goes after this type of spam.
Not OP, but I may have experienced what they are describing. I saw a contractor on Google Maps and made an inquiry for some work. They basically just forwarded my request to other, actual contractors, likely with the intention of taking a cut for providing a "successful lead". I basically ignored all of that nonsense and went to find actual local contractors myself. I think I just reported it for being misleading, and I don't know what happened after; I don't think I've seen it again, but I could see how that poisons the well for a lot of people's livelihood.
The legislation appears to be limited to data brokers. While this is nice and welcomed, this also means it doesn't cover entities like Google or Facebook.
CCPA already requires Google to delete your data on request. Though AFAIK CCPA didn't produce any changes as Google already allowed you to do that.
The same applies to any non-small business that you have a direct relationship with and provide your information to; CCPA requires that business to delete the info if you request it.
Data brokers are a special case because they don't get their information directly from you, instead they slurp up whatever public and private data they can scrape or buy, and then resell that to other companies. Given you don't have a direct relationship with the data brokers, it's hard to even figure out who has your information.
Note, CCPA seems to have excluded the credit bureaus from designation as data brokers, even though those guys are responsible for leaking SSN and full personal information on the majority of US citizens.
The US system of credit surveillance is pretty unusual (EU countries don't do anywhere near that much stalking and they have functioning debt markets) so I'd love to learn what would actually break if people were allowed to opt out of that tracking. Presumably there are some government records you can't opt out of like UCC filings and bankruptcy, and any potential creditor could just look up the primary sources themselves.
The standard answer (at least for Google, not sure about Facebook) is that they're not considered data brokers because they only sell ad placement based on the data, not the data itself.
One could make a case for splitting the data collection activities from the ad sales business as part of an antitrust case. Or pass regulations and laws to that effect.
That would be a pretty weird case to make. Typically antitrust is used to prevent a business from using market dominance in one market to enter another market. Considering they don't participate in the data sales business, it'd be a weird scenario to force them to start. I'd prefer we don't force them to start.
Gmail with ads seems way preferable to Gmail who sells your data to others.
> One could make a case for splitting the data collection activities from the ad sales business as part of an antitrust case. Or pass regulations and laws to that effect.
That would be a net negative for privacy, because it would mean more parties having access to your data (without your consent or even knowledge). And given the state of security in ad-tech aside from Google, that means the chances of your data getting breached and leaked would increase exponentially.
Google helped craft these laws. This is classic regulatory capture.
In particular, it is banning horizontally integrated surveillance capitalism (which requires the sale of data between the data gathering companies and the people using it), but not vertically integrated surveillance capitalism.
In all likelihood, some companies in this ecosystem will be forced to sell at fire sales to conglomerates (like Google) simply to avoid having to comply with this law. Of course, this benefits organizations that are large enough to acquire the companies, and no one else.
So, people with financial conflicts of interest are picking winners and losers, which is pretty much standard practice in US politics these days.
I personally think this whole consumer tracking industry should be shut down. It should be illegal to gather the types of information that this bill regulates.
Exactly, for data sales, the advertiser gets the information up front.
For ad placement, they only get it after you click on the ad, and it's only linked to you personally by your IP address and browser fingerprinting, or more directly if you log in or buy something.
... except when they sell their domain registration business.
And yes, I realize that there's a (technical) difference between selling data and selling a business including its data assets.
But then again, maybe a really big chunk of the value of that business is its customer data.
For some business acquisitions special terminology like "acqui-hiring"[0] has evolved, so it's understood that not every sale of a business is of the same nature.
And since the value of data has arguably become much higher than ever before, the distinction of selling data by itself and selling the entire business is becoming smaller as time goes on.
Who knows what they'd sell if their business declined for a while and there was a hostile takeover or they otherwise got desperate for new revenue streams.
And then if you were paying attention you could make a new one of these requests... but maybe you'd miss it for a bit, and then it would be too late.
The law should be based on what you collect instead of what you sell to better protect against this sort of thing.
That's not relevant to what they could do. This law covers what you are doing and applies to entities selling your data. Big ad players don't sell their data because that is their secret sauce in ad targeting.
Companies selling your data are your bank (credit card purchases), mobile carriers (location), your DMV (photos, driving record, misc PII including address, DOB, etc.), state/county government (public records like marriage licenses). It's weird everyone bashes on Google and FB for something they don't even do.
This misses the point. The issue is not whether or not Google/Facebook should be classified as data brokers or not. The issue is that they are data collectors who invade our privacy.
I want the means to tell companies "Do not collect information on me." And I want that to be enforceable by law.