Welcome to WebmasterWorld Guest from 3.80.6.254

Forum Moderators: martinibuster

Message Too Old, No Replies

Policy breach notice

Anyone have experience?

     
3:43 pm on Feb 12, 2015 (gmt 0)

Full Member

10+ Year Member Top Contributors Of The Month

joined:Feb 17, 2005
posts:315
votes: 19


i've received about 10 days a go email about PII policy breach by displaying information on one of pages which pass PII:

Url group: mydomain.org/whatever/whatever.php
Found 12 time(s) or 0.038834952 of the total records
Url sample: http://www.mydomain.org/whatever/whatever?itff=redacted@example.com
Record sample: GET /pagead/ads?client=Myid&output=html&h=15&slotname=3335930592&adk=3157866232&w=728&lmt=1423255001&flash=16.0.0&url=http%3A%2F%2Fmydomain.org%2Fwhatever%2Fwhatever.php%3Fip%3Dredacted@example.com&dt=1423255001602&bpp=22&bdt=48&shv=r20150203&cbv=r20141212&saldr=sa&correlator=2781547126785&frm=20&ga_vid=*&ga_sid=*&ga_hid=*&ga_fc=0&u_tz=60&u_his=7&u_java=1&u_h=900&u_w=1600&u_ah=860&u_aw=1600&u_cd=24&u_nplug=9&u_nmime=13&dff=trebuchet%20ms&dfs=13&adx=398&ady=103&biw=1600&bih=775&eid=317150304&oid=3&ref=http%3A%2F%2Fmydomain.org%2Fwhatever%2whatever%3Fitfff%3Djustanotherreferer&rx=0&eae=0&fc=24&brdim=0%2C0%2C0%2C0%2C1600%2C0%2C1600%2C860%2C1600%2C775&vis=1&rsz=0%7C0%7C%7C&abl=CS&ppjl=u&srr=1&fu=0&bc=1&ifi=1&xpc=ueIWGb69vp&p=http%3A//www.mydomain.org&dtd=85 HTTP/1.1
Most recent time: 2015-02-06 20:37:49 UTC


There is warning for 3 domains from a couple more that i own. You can imagine that i'm a bit in panic if you realize that my earnings are 3x higher than my salary.

My consultant do not reply (and yes he got CC by warning email 10 days a go abd i've mailed him twice). Wonder why.

Anyway i need to solve this out. I have good feeling that rules in htaccess file that block any GET request which contain @ (such an whatever.com/?whatever=redacted@example.com ) but you can not be absolute sure.

Not sure because i've received sample for one url which site used in past (a couple years a go) GET protocol but switcher to POST and in POST is not possible to pass any PII. But they told me that there is still issue and i have checked 10x that there is method=POST and not GET. Hmm....

Anyone experience with similar issue in past?

btw

It is very frustrating that only communication here seems to be via form. It looks as you can not talk with anyone who can give you a bit more informations (consulent do not reply). And i'm publisher since 2003 with higher earnings what is good for both side.
3:40 am on Feb 13, 2015 (gmt 0)

Junior Member

10+ Year Member

joined:Aug 31, 2009
posts: 91
votes: 0


Other than the URLs etc. have they given any description to the issue? I mean what is the issue they are citing? Also what is PII?
1:32 pm on Feb 13, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member netmeg is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 30, 2005
posts:13012
votes: 222


PII is Personally identifiable information. Usually happens when Google detects that personal information (such as an email address) is being passed as an URL parameter. I've heard several people who have gotten this notice in the past week.

[support.google.com...]

I have no idea how to solve the problem though; I probably wouldn't want ads on these pages myself.
3:10 pm on Feb 13, 2015 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4556
votes: 362


Do you store any account information on your site? Have you taken steps to make sure no ads are shown in structural elements on pages where you (or your account owners) might access that information such as the sidebar or footer?
9:19 pm on Feb 13, 2015 (gmt 0)

Full Member

10+ Year Member Top Contributors Of The Month

joined:Feb 17, 2005
posts:315
votes: 19


Exactly as netmeg explained. PII is related to emails, usernames, passwords. In my situation they show everywhere example with emails.

If you have static page then is easiest solution to not place ads on that page.
But if you have dynamic pages where they are generated 10.000 pages automatically then you need something better.

My site is something where you can get more information about some subject by using form. So people come looking to get more information;s and then is unique page generated by each request because every page give other information's. Of course not email, passwords or any PII...

But... I have not blocked using of therms such as @. So it is possible that someone try looking for email (it is get FORM to tag more traffic) and page come back with unknown information (and unknown page are not saved in database automatically) but because url is with ?=emailwhatever@hotmail.com google see it as passing PII.

For me is clearly what was wrong and what i must do.

Blocking using of @ in any request. So i did with htaccess. Tested and seems to be blocked any request which contain @, LAter i;ve add also %40 to be absolutelly sure. NOw waiting on second rapport.

The problem is that rapport is generated for last 7 days. So if you make changes on 13 February for example and they send you that in they testing on 15 February they still see passing PII you will not know of your changes are good or not.

I have also implemented second level protection similair with php but i'm gonna tomorrow to implement finally protection with UUID where if for any any reason
nothing works (in my testing works very well) then url with any email will be scrambled/hashed.

It is on me to wait and to do what they asked from me. I will post full solution in code if i get positive reply.

btw

It is really surprising such an email. Everything works excellent. Earnings are never ever better in last 10 years.
Unique users daily for most visited website are more than 20.000 and then warning email.
2:03 pm on Feb 14, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member netmeg is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 30, 2005
posts:13012
votes: 222


It is really surprising such an email. Everything works excellent. Earnings are never ever better in last 10 years.
Unique users daily for most visited website are more than 20.000 and then warning email.


I dunno; maybe once you hit a particular threshold of earnings or traffic, a flag trips and someone comes and looks at your site. That's only a guess, I have no idea, but I've heard of situations like that more than once, so it wouldn't surprise me if it were true.
4:31 pm on Feb 17, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member

joined:Aug 27, 2003
posts:1600
votes: 0


I got a PII violation for one of my sites when Google first handed it out last year. I have no idea how I tripped the filters as I was not collecting any PII from my site. But I got it resolved and received the all-clear message

First, be sure to respond to what you got and say that you are looking into the problem. That will buy you a couple of weeks before they disable your account (and yes, they've disable accounts!)

For all your forms, change POST instead of GET. I just use Wordpress forms straight out of the box so I don't even know how or why my forms was using one or the other

I think I implemented some other stuff, but can't remember. But I definitely got the tips from the Adsense thread, where Adsense staffer gave suggestions on how to fix the problem

[productforums.google.com...]
11:30 pm on Feb 20, 2015 (gmt 0)

Junior Member from GB 

10+ Year Member Top Contributors Of The Month

joined:Aug 18, 2005
posts: 144
votes: 30


I've seen a flurry of these lately. email addresses in URL params seems to be the most common cause. If you are creating dynamic URLs based on user generated data stripping @/. is a good first step.
8:04 am on Feb 22, 2015 (gmt 0)

Full Member

10+ Year Member Top Contributors Of The Month

joined:Feb 17, 2005
posts:315
votes: 19


I've already blocked %40 and @.If you type in form field @ then you will get url with %40 what is same as @.First time i've blocked only @ but got another email that they stiil seeing passing of redakted@wjatever.com in url. Now i hope that with blocking %40 and @ everything will be alright.
1:49 pm on Feb 23, 2015 (gmt 0)

Full Member

10+ Year Member Top Contributors Of The Month

joined:Feb 17, 2005
posts:315
votes: 19


Regarding:
[support.google.com...]

"Publishers are given 30 days to remediate breaches of the identifying users policy. During this period, publishers will receive weekly email messages containing a list of ad requests grouped by domain from which PII is being detected.

For each weekly email, please investigate the list of ad requests and respond to the policy team using the form linked in the email."


I have not received any email messages last week. I guess that it is good sign but hopefully this week i will got more information and 'clear all' message.
12:48 pm on Feb 24, 2015 (gmt 0)

Junior Member

5+ Year Member

joined:Mar 9, 2012
posts: 114
votes: 29


I got the message a couple weeks ago. The offending pages were thank you pages after a user signed up for the newsletter or bought a downloadable product for which they paid using paypal. I kept the pages but removed all the adsense. Yesterday got a message from G saying the problem was resolved.

System

6:57 pm on Feb 24, 2015 (gmt 0)

redhat

 
 


The following message was cut out to new thread by martinibuster. New thread at: google_adsense/4740104.htm [webmasterworld.com]
8:23 am on Mar 2, 2015 (utc -5)
7:04 pm on Feb 24, 2015 (gmt 0)

Junior Member

10+ Year Member

joined:Aug 31, 2009
posts: 91
votes: 0


I just feel glad to hear your story. It's difficult to get an adsense account these days. And they are so quick to revoke accounts and without any transparency. So finally it was the @ (and urlencoded %40) symbol in the url that was creating the issue. Good luck!
9:32 pm on Feb 24, 2015 (gmt 0)

Full Member

10+ Year Member Top Contributors Of The Month

joined:Feb 17, 2005
posts:315
votes: 19


Thank you varun21 for response.

I'm with Adsense almost since they started with Adsense. 11 years now. In begin it was funny to earn some money but now it has been grow up to my most important earnings.

The last email make me happy and it means that rules that i have implemented works very well. Blocking @ and especially %40 is key to prevent passing of PII to Adsense.

Of course i will be 100% happy if they send final note that the problem is resolved. Righ now is OK (for the last 8 days) but they continue monitor. Probably for the next 7-8 days. Till then ...
4:44 pm on Feb 25, 2015 (gmt 0)

Full Member

10+ Year Member Top Contributors Of The Month

joined:Feb 17, 2005
posts:315
votes: 19


I think that emails about PII coming from other team than Adsense team. Each email is signed with 'The Google Policy Team' while Adsense teams sign it always with 'The Google AdSense Team'.

It looks as they are separated teams and both teams works independent from each other.

System

7:32 pm on Mar 1, 2015 (gmt 0)

redhat

 
 


The following 2 messages were cut out to new thread by martinibuster. New thread at: http://www.webmasterworld.com/google_adsense/4740104.htm [webmasterworld.com]
8:24 am on Mar 2, 2015 (utc -5)

[edited by: martinibuster at 1:31 pm (utc) on Mar 2, 2015]
[edit reason] Started new thread about probable false positive email notice [/edit]

7:49 am on Mar 4, 2015 (gmt 0)

Full Member from US 

10+ Year Member

joined:Apr 11, 2006
posts:244
votes: 21


Remember the cover of the old Roxy Music album "Country Life" with one woman in a sheer bra and one woman with her hands over her breasts? I have a page with the story behind that cover and just got a 3 day warning from Google ("Adsense Team"), they even went into how the nudity doesn't necessarily have to be explicit. So I put up two Amazon ads in the place of the Google ads.

That album cover was so provocative back then the record comany reissued it with a green wrapper, guess the more things change the more they stay the same.

I just remembered I have a separate page for a review of the album's music, guess I should put Amazon ads on that one too!

System

5:41 am on Mar 5, 2015 (gmt 0)

redhat

 
 


The following 4 messages were cut out to new thread by martinibuster.

This discussion is about an actual policy breach. For the discussion about the policy breach email sent by mistake please post here:

http://www.webmasterworld.com/google_adsense/4740104.htm [webmasterworld.com]

[edited by: martinibuster at 7:22 pm (utc) on Mar 5, 2015]
[edit reason] Split thread. Two different topics. [/edit]

6:47 pm on Mar 16, 2015 (gmt 0)

Full Member

10+ Year Member Top Contributors Of The Month

joined:Feb 17, 2005
posts:315
votes: 19


Finally: "Dear Publisher,

We have now verified that we are no longer detecting PII being passed to Google from the account(s) under your control.

Thank you for helping to resolve this matter.

Regards,

The Google Policy Team"
5:28 pm on Mar 20, 2015 (gmt 0)

Senior Member from GT 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Mar 30, 2006
posts:1615
votes: 163


Something went broken on their detection systems... probably.

I never received any warning or mail regarding policy breach, still I received a SORRY note "we sent you a warning by mistake..." never got it, it was legit, all from G.