Google discriminates against small businesses

Does Google live up to its own motto, “Don’t be Evil”?

Part of getting your business seen online is SEO, and an important part of this is getting your business registered with Google my business and Google maps.

Not only have I had to do this for my own business and my wife’s business but it is a service I provide to clients. When it works, this is a simple process, which involves Google sending a postcard to the business address with a code on it, which you then use to verify the business address.

However, sometimes the postcard doesn’t turn up, or some miscreant might report your listing and claim it is fraudulent or misleading and gets it suspended for review, at which point you have to contact Google my business support and request manual verification, which is where things get ridiculous.

You would be quite right to think: why on earth would Google discriminate against small businesses? This makes no sense and completely contradicts the whole purpose of Google My Business.

Yet I have had this issue myself a few times now, and most recently when I changed my own listing to add my virtual office address.

According to Harisha at Google my business support, in order to pass the manual verification, every business must provide photos of their premises, must have their own dedicated entrance which is not shared with other businesses and must show signage with the company name in front of the building, WTF?


These requirements are clearly unfair and unethical, and discriminate against every small to medium business in the world that uses shared/managed office spaces, people who work from home (including disabled people) and those who have virtual offices.

There are 125 million formal micro, small and midsize businesses in the world, including 89 million in emerging markets. How many of those do Google think have their own building, with their own entrance and signage?

What makes this even more illogical is how disparate this is from the automated postcard method. As long as you can receive that postcard with the verification code on it, then no other evidence is required, your office could literally be in your garden shed.

This means that most of the businesses already listed on Google (using the postcard method) do not meet these supposed requirements either, which I couldn’t actually find any mention of on the Google my business eligibility guidelines by the way.

Quite ironically, as I pointed out to Harisha, this also includes all the other businesses that reside at the same managed offices as myself.

So what’s the solution?

In the case of the postcard not turning up, I suggest trying a few more times before giving up. In my most recent attempt, I had to request the card 5 times before it finally arrived (thankfully bypassing this issue).

If you just cannot get that card or have your listing suspended for some other reason, and really have no other choice other than to comply with Google’s unfair demands, then Photoshop is your friend (nudge nudge, wink wink).

If you do not have the skills to manipulate images yourself, just pop along to fiverr.com and you will find someone willing to do some image manipulation for $20 or less 🙂

My Facebook account was disabled, WTF?


I got a big shock this week: I went to log in to my Facebook account, only to be met with the dreaded “Account disabled” message.
Why the heck had my account been disabled?

I was very confused at first since I had received no warning or notifications and I could not think of any reason why. Then later that day, I got an automated email from Facebook. The short answer, because their AI (Automated Idiot) system is seriously flawed, screwed up, and incorrectly banned me for copyright infringement that never happened.

The long answer

I did some work for a client a few months back, and this client screwed me over and refused to pay me for any of the work I had done, but continued using the logos I had created on his facebook page (and other places).

As per the law and my terms and conditions, I still owned all intellectual property rights (IPR), which I reminded him of and asked him politely to stop using the images and remove them from his Facebook page, which he ignored. So I submitted copyright infringement reports to facebook to get the images removed.

The images in question were removed by Facebook, but that same automated AI also came to the ridiculous conclusion that I was the one committing the copyright infringement instead of the person reporting it and claiming copyright, and subsequently disabled my account for infringing my own copyright on my own images.

In addition, it seems that once you have been disabled, Facebook will do whatever it can to stop you from creating a new account. Any attempt to do so thus far has resulted in each account being disabled within 24 hours. Presumably, they are picking up the name and IP address or possibly the Windows tracking ID.

It is clearly completely unwarranted and unethical behaviour by Facebook to disable accounts in this way with ZERO verification of facts and no way to get a mistake reversed. It also causes a bucketload of other problems, as Facebook is the only method I have for contacting some people. It is also my default login (Single Sign On) method for multiple websites, meaning I can no longer get into those websites either.

I also had multiple business pages for my various websites, plus I also managed pages and ad campaigns for clients, all of which are also now gone.

What can I do about this? Nothing, it seems, as the entire Facebook system is completely automated and there is no human being to interact with. No one to contact, no email addresses, no phone numbers, nothing. So when Facebook F*cks up, you simply have to live with their mistake and suffer the consequences. You cannot get more unethical than that.

I have written a letter to the Facebook UK HQ based in London, explaining the obvious mistake their system has made, in the hope someone with morals and ethics might read it and care enough to sort it out, but I won’t hold my breath as Facebook do not have a reputation for being either caring or ethical.

If anyone reading this happens to know someone at Facebook who can fix this screw up, please send me a message.

The other very worrying thing I realized from this whole situation, is how open to abuse Facebook’s system is. It is obviously very easy to get someone banned from facebook simply by submitting a bunch of bogus complaints about them, which the automated system will blindly believe without any kind of validation or human interaction.

UPDATE 2nd May 2019 : My account has been re-enabled

I got a surprise today when my wife told me that my profile was back online.

I have no idea how or why, but clearly someone I contacted has resolved this for me, so thank you to that person.

For the benefit of anyone else who finds themselves in this situation, here are the various actions I took to try and get my account reactivated.

  • I opened multiple appeal cases, which resulted in a canned response. But I replied to that email every single day. I doubt this was ever read by a human being though.
  • I continued to reply to the original emails I received regarding the copyright infringement.
  • I sent continued emails to the Facebook abuse address.
  • I sent a message to the Facebook business page.
  • I wrote a letter to the Legal Dept at the Facebook London office and sent it recorded delivery.
  • I looked up Facebook employees on LinkedIn and sent tweets and emails to several people listed as management.

I am inclined to believe it is the letter that did the trick.

I have now taken the precaution of creating a backup Facebook account using a completely different name, email address, phone number etc, and giving that user ADMIN rights on my business and all my pages. So if this ever happens again, I won’t lose access to anything.

Update 10th May 2019


I received this canned response template letter from Facebook’s London office today, basically telling me that the website is nothing to do with them and they have no control over it or access to user accounts, so I have to contact Facebook in Ireland.

So clearly they are not the ones who re-activated my account. So I therefore must assume that it was one of the people I emailed or tweeted who resolved it for me anonymously.

How to create a privacy policy for your website


Privacy policies are one of the most overlooked aspects of most websites. If you stop to look around most of the popular sites you visit, you’ll find they all have unique privacy policies (though the specific page’s traffic is usually low). Even so, these documents are important if you want your website to comply with local and international regulations.

More importantly, you don’t need to be a lawyer to add a thorough privacy policy to your website. In this article, we’ll talk more about why privacy policies are significant and we’ll teach you about some essential clauses. Then we’ll introduce you to three tools you can use to help you create a privacy policy for your website.

Let’s talk privacy!

What Privacy Policies Are (And Why They’re Important)

Privacy policies can look intimidating, but you should always read them when possible.

Privacy policies are legal documents informing users what you do with their data. For example, if you collect email addresses, names, and birthdays during the user signup process, you need to tell users what happens with their information. For example, some websites might use it for internal purposes only (such as customer profiling). Others might sell the information to third-party services, in which case consent is necessary.

As you’ll be aware, privacy policies are usually skipped over by the majority of visitors. However, there are several benefits to adding one to your website:

Although some countries don’t require the use of a privacy policy, you can still be held liable under international law for not following regulations. If you have European Union (EU) users, for example, you need to comply with the GDPR. Given the chances of getting fined for non-compliance, adding a privacy policy to your website is simple – and it’s a smart business move.

Ideally, you’d enlist the help of a lawyer to help you draft your privacy policy. However, that’s not a practical option for the vast majority of site owners. Knowing this, a lot of online services have sprung up to help fledgling websites craft basic privacy policies to cover their bases. However, before discussing them, let’s look at what your privacy policy should contain.

3 Clauses Your Website’s Privacy Policy Should Include

These three clauses won’t, in most cases, be enough to craft a well-rounded privacy policy. Think of them only as the basics that any such document should include. We encourage you to do further research into other critical clauses.

The next section will explore some tools to generate full privacy policies with little input from your end. Even then, it’s essential you have a working understanding of what their basics are.

1. How and What Type of Information You Collect

This clause is the bread and butter of privacy policies. It details the exact information you collect, and how. To recall our earlier example, you can get email addresses and names directly from signup forms. However, there is also data you can obtain without the user knowing. For example, Google Analytics tracks the user’s preferred web browser, which needs to be mentioned.

Ideally, visitors would take a look at this clause and decide if they’re comfortable using your services, but more pertinently, it covers your bases legally. Here’s an excerpt from a common privacy policy, discussing what type of information we collect and how we do it:

Personally Identifiable Information refers to information that tells us specifically who you are, such as your name, email address, or phone number. Downloading information or logging in may allow the Company to “recognize” you to allow us to personalize our service for you.

This first section discusses what we consider to be personal information, as opposed to anonymous data we might collect. It also mentions we may use the information to personalize your user experience. In our case, logging in is only necessary to download products you may have purchased, so it’s not obligatory.

2. What You Do With the Information You Collect

Plenty of websites engage in the practice of selling or sharing user data. Other services use this data to personalize content and ads, among other elements. Other potential applications include using the information to enforce terms of use, improving your website’s services, and more.

Regardless of the application, this clause is critical because although users may consent to share personal data, they might not be happy with how you decide to use it. Here’s a short paragraph from our privacy policy outlining our general use of private information:

For our Clients, we use personal information mainly to provide the Services and contact our Clients regarding account activities, new version and product offerings, or other communications relevant to the Services. We do not sell or share any personally identifiable or other information of End Users to any third parties, except, of course, to the applicable Client whose website you are using.

For example, if your ZenMSP service is about to expire, we send you an email reminder. In this case, we’re using your personal information to provide an update.

In any case, if you’re not comfortable with the way a website uses your information, the GDPR outlines the ‘right to be forgotten’. This means sites are bound by law to delete your information if you ask them to cancel your account, for example.

3. Your Use of Cookies

Cookies are files on your computer that contain personal settings for specific websites. The term itself supposedly comes from ‘magic cookies’, which are a type of token used by UNIX-based Operating Systems (OS).

In any case, websites use cookies to track what you do within them. For example, cookies enable you to stay logged in even if you leave the website (although there are limitations). According to the European Union’s Cookie Law and new ePrivacy Regulation, sites need to inform visitors about their use of cookies and provide an option to disable them. Here’s an excerpt from a privacy policy’s section on cookies:

We use cookies, tracking pixels and related technologies on our website. Cookies are small data files that are served by our platform and stored on your device. Our site uses cookies dropped by us or third parties for a variety of purposes including to operate and personalize the website. Also, cookies may also be used to track how you use the site to target ads to you on other websites.

The above explains how cookies are used and what they are. Later on in the policy, we would also discuss how you can opt out of using cookies, including those served by third-party services on our website (such as Google and MailChimp).

3 of the Best Privacy Policy Generation Services to Consider

Although we fully recommend the services we include in this section, you should always review the language of any privacy policy you generate with any of them, just to be safe. Let’s take a look at the options.

1. iubenda


iubenda is an online website privacy policy generator that stands out thanks to its ease of use. It uses modules to help you pick the exact clauses your privacy policy should include, and adjust their terms depending on which services you use. For example, if you’re part of the Amazon Associates program, you can add the necessary language to your policy with a single click.

Key Features:

  • Uses a simple module system to build a comprehensive privacy policy.
  • Lets you customize your policy using your company’s information.
  • Enables you to add necessary clauses for several popular third-party services, including Amazon Associates and Google Analytics.
  • Provides automatic updates to your policy based on any new regulations.

Price: Free and paid plans available

2. TermsFeed


TermsFeed enables you to generate basic privacy policies in minutes, and customize them using your site’s information. Each time you want to create a new policy, the service will walk you through a questionnaire to help you determine the clauses you need. When the process is over, you’ll receive your new policy via email in seconds. The platform also offers you the option of updating your policies automatically as laws change.

Key Features:

  • Enables you to generate custom privacy policies using a simple questionnaire.
  • Lets you adjust your policy to comply with national and international laws.
  • Provides automatic policy updates whenever the law changes.

Price: Free and paid plans available

3. Shopify’s Privacy Policy Generator

Shopify's Privacy Policy Generator.

Shopify’s Privacy Policy Generator is a bit more narrow in scope than the other tools we’ve discussed. Its clauses are tailored for Shopify websites specifically. However, you can generate one of their policies in seconds and use it to check out essential clauses regarding how to deal with payment information.

Key Features:

  • Lets you generate a privacy policy for your Shopify store.
  • Enables you to outline how you deal with customer payment information.
  • Gives you the ability to customize your privacy policy based on your store and its location.

Price: Free, but you need a Shopify subscription to get the most out of it

How to Create a Website Privacy Policy Using iubenda

For this portion of the piece, we’ll use iubenda given its ease of use and reasonable pricing structure. To get started, go to the service’s home page and click on the GENERATE YOUR POLICY button to the top right of the page. On the next window, enter your website’s URL and click the blue button:

Entering your website's URL.

The service will ask you to register a free account or log in using Facebook. Either way, when you’re in, you’ll see an option to add any services your website uses to your privacy policy:

Add new services to your privacy policy.

Clicking on the button will show you a list of clauses you can add:

A sample of the services you can add to your privacy clause.

As you include more services, they’ll be added to your privacy policy automatically. You can preview it at any time by clicking on the Preview widget to the right of your dashboard:

Previewing your privacy policy.

When you’re done adding services, click on the Next button at the bottom of the page. You’ll now need to enter your company’s name and address, then click on Next again:

Entering your company name and address.

On the final screen, you’ll find options to embed your policy into your website:

Embedding your privacy policy into your website.

That’s it! If you’ve included all aspects of how you collect data, your privacy policy will be good to go. Do remember to give it a full read before publishing it, though!

Conclusion

Website privacy policies don’t get the spotlight they deserve. However, they’re essential elements of any website that takes data protection regulations seriously. On top of enabling you to keep your operations above board, privacy policies also outline how your site handles personal information, which should help put visitors’ minds at ease.

If you don’t know where to start when it comes to creating a website privacy policy, here are three online generators that are easy to use and feature-packed:

  1. iubenda: A module-based privacy policy generator that supports dozens of third-party services.
  2. TermsFeed: This simple service enables you to create a basic policy through a questionnaire.
  3. Shopify’s Privacy Policy Generator: This generator is tailor-made for Shopify stores.

If you still need help, then feel free to contact me.

Add MariaDB support to MSP Control


I have recently been setting up MSP Control (formerly WebsitePanel) on my new CFML Developer server. Unfortunately, it doesn’t support MariaDB out of the box and so won’t detect if you have it installed. Fortunately, this is an easy hack.

  1. Open up your MSPControl database in SSMS, and open the providers table.
  2. Now find the MySQL providerID that matches your MariaDB install
    i.e. MySQL 5.7 for MariaDB 10.1
  3. Now add a new entry into the SERVICES table, using the providerID you got from the last step and the appropriate serverID for the server you want to add it to. You get the ServerID from the servers table, or just edit the server in the control panel and get it from the URL.
  4. Now just edit this server in MSP Control, and you should see MySQL listed, just edit and setup as you would MySQL.
  5. Now you just enable MySQL on your hosting plans.

 

Why ColdFusion is not suited to shared hosting


This is a topic I have found myself explaining a lot over the years, not just to customers but to developers as well. One thing I can say with absolute certainty from dealing with hundreds of developers of all levels over the years, from newbs to gurus, is that most devs in general do not really understand how things work on the server (they know how to write code and upload it to the server), and most CF devs additionally don’t understand how ColdFusion really works and how/why it differs from other scripting languages like PHP, Perl or ASP.NET. So I decided it was time to write a complete blog post on the subject and hopefully enlighten some of those developers a bit more. I have copied this article across from my old blog as it was a popular article with a lot of views. I have removed all references to Railo (since it is now dead) and replaced them with Lucee.

Now I have heard many say “I am just a developer, it is my job to write code, not to understand the server stuff”, but I’m afraid I disagree with this and consider it a bit of a cop-out, because if you don’t understand how things work on the server to at least some degree, how can you be sure you are writing code that is going to be scalable and reliable and is not going to cause problems? Sure, no one should expect you to know EVERYTHING to the same level as a sysadmin, but you certainly should know the basics that are relevant to your job, especially if you are going to be making any hosting recommendations to your clients, which most devs do.

The first thing to understand is that ColdFusion and Lucee are not technically application servers (which most people believe them to be). They are simply Java applications (that convert CFML into Java bytecode) that run inside a Java servlet container (e.g. Apache Tomcat, Jetty, JBoss), which runs as a service/daemon, and all requests for all pages coming into the server go through that same service/daemon. This means that any problems with that service affect ALL CFML (or JSP) websites on the server.
This is also a bad thing for security because it means that all sites on the server run within the security context of the service and so cannot have their own permissions. So any Java code in any site can access files in site2, site3 or any other site on the server, or in fact any part of the system that the service itself has access to. The only way round this is to use security sandboxes, which is a feature of ColdFusion Enterprise and Lucee.
But BEWARE: CF sandboxes can give a false sense of security. They are only applied to CFML code and do not sandbox Java, so if you drop any Java code into your CFML pages (using createObject("java")), you bypass the sandbox completely, so they will not stop any vaguely competent coder/hacker. There is no way round this on a shared server; you simply have to take the risk. On a dedicated VPS you can mitigate this by using multiple instances of CF/Tomcat and isolating each site using server-side permissions.

Before you say “so hosts shouldn’t allow Java”, this is not even an option for any host, as all modern frameworks and apps need createObject("java"), so disabling this function would break almost every modern application. Ergo it is a risk that has to be taken, because at the end of the day 99% of clients simply don’t care about the security risks; all they see is that their app doesn’t work, and they will just go elsewhere.

When we look at other common languages such as PHP, Perl, ASP.NET etc., these run as an ISAPI or CGI process, so every website on the server spawns its own process to handle the requests. So if there are 20 PHP sites then there are 20 x PHP processes running (think of this like 20 instances of ColdFusion). The process runs within the security context of the website that spawned it, so in the case of Windows it runs under the application pool identity. This means that as long as you have every website/application pool set to run under a different user account with access only to that website root, PHP will also have only those permissions, so it is more secure and each site is also isolated in a separate process.
So if site1 crashes PHP or ASP, it will have no effect on any other site because they are running PHP/ASP in a separate process.

Here is a diagram to illustrate.

cf-server-diagram

This is the primary reason why CFML is not suited to shared hosting: no application isolation and no control over security.

Imagine the following (very common) scenario.

abc.com makes a cfhttp request to an external web service at xyz.com to get syndicated content for its pages.
The web service at xyz.com goes down, which means all the pages on abc.com are now going to time out. On a shared server this will very quickly result in ColdFusion’s entire “max number of simultaneous requests” allowance being consumed, and subsequent requests then being queued. The result of this is that every other CFML site on the server now becomes slow as well, as all their page requests have become queued behind the problematic site and are now likely to also time out as a result.

An even worse scenario is where native Java requests are concerned, such as database queries, as these cannot be killed automatically, not even with FusionReactor. If a page hangs in the middle of a database query because it is waiting for a response back from the db server, then this request will never time out and will hang indefinitely, thus 1 CF thread is now no longer available. If this happens 10 times, now 10 CF threads are gone and no longer available. If your “max number of simultaneous requests” is set to 10, then you now have 0 requests left and your server will stop serving up CFML, and all websites will now hang/time out until the service is restarted.
If the original problem still exists then restarting CF also will not help, as the issue will simply continue until all the requests are again used up and all sites start to hang. The only solution at this point is to turn off the site causing the problem.
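
The two scenarios above can be reproduced with a small deterministic queue model. This is an added example, not code from the original post or from ColdFusion/Lucee: the 10-thread limit is the figure used above, while the site name other-site.example, the 30 s cfhttp timeout, the 0.2 s page time and the request rates are constructed assumptions.

```python
"""Deterministic model of one shared CFML request pool versus one pool per site."""
import heapq
import math
from collections import defaultdict

MAX_SIMULTANEOUS = 10            # "max number of simultaneous requests" from the text
OTHER = "other-site.example"     # constructed name for an unrelated site on the server


def simulate(requests, slots):
    """Run a FIFO queue in front of `slots` worker threads.

    requests: iterable of (arrival_s, site, service_s); service_s may be
    math.inf for a request that never returns (the hung database query).
    Returns {site: [seconds each request waited for a free thread]}.
    """
    free_at = [0.0] * slots      # min-heap: time at which each thread is next free
    waits = defaultdict(list)
    for arrival, site, service in sorted(requests):
        start = max(arrival, heapq.heappop(free_at))
        heapq.heappush(free_at, start + service)
        waits[site].append(start - arrival)
    return dict(waits)


def simulate_isolated(requests, slots_per_site):
    """One instance (own thread pool) per site, as with multiple CF/Tomcat instances."""
    by_site = defaultdict(list)
    for req in requests:
        by_site[req[1]].append(req)
    result = {}
    for reqs in by_site.values():
        result.update(simulate(reqs, slots_per_site))
    return result


def traffic(duration_s, abc_service_s):
    """Constructed load: 1 req/s to abc.com and 1 req/s to an unrelated site."""
    reqs = []
    for t in range(duration_s):
        reqs.append((float(t), "abc.com", abc_service_s))
        reqs.append((t + 0.5, OTHER, 0.2))
    return reqs


def summary(waits):
    """Per site: requests queued for more than 1 s, and requests that never ran."""
    return {
        site: {
            "delayed": sum(1 for w in ws if w > 1.0),
            "never_served": sum(1 for w in ws if math.isinf(w)),
        }
        for site, ws in waits.items()
    }


def scenarios():
    slow = traffic(60, 30.0)       # xyz.com down: each abc.com page blocks 30 s in cfhttp
    hung = traffic(60, math.inf)   # abc.com pages stuck in a query that never returns
    return {
        "shared_slow": summary(simulate(slow, MAX_SIMULTANEOUS)),
        "shared_hung": summary(simulate(hung, MAX_SIMULTANEOUS)),
        "isolated_hung": summary(simulate_isolated(hung, MAX_SIMULTANEOUS // 2)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

With a shared pool the unrelated site is starved within ten seconds in both scenarios; with one pool per site abc.com still fails, but the other site is never queued.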

Then we have the security issues that I mentioned. Everyone by now is aware of the CFIDE hack which affected many CF servers. This was only possible because CF runs as a service and because that service runs under the SYSTEM account by default, which has full file system access, which allowed the uploaded hack to access every part of the server. If CF worked like a CGI/ISAPI application, the effect of this hack would have been far less.

But my code has proper error trapping and caching and stuff, so this doesn’t affect me, right?

Wrong, I’m afraid. On a shared server it doesn’t matter how brilliant your code is, or how well you have performance tested it, or how much error trapping you have; this does not stop the other sites on the server from causing you problems.
You could be lucky on a shared host for months or even years if you are on a server that doesn’t have many sites, or has simple sites that are not problematic (at the moment), but it only takes one poorly written app to bring CF to its knees.
It is also important to realize that almost nobody using shared hosting has ever done any kind of load testing or performance testing on their website, and in most cases they do not even know what this means or how to do it. The result of this is that website owners have no idea how their site will perform under load, and nor did the developer who made it. This results in another very common scenario, which usually begins with a statement like “Nothing has changed on my site and it has been running fine for years, so it must be your server”.
Again this is totally irrelevant in most cases. Sure, your site may well have run fine for years with 20-50 visitors per day, but what happens when it suddenly gets 1000 visitors per day as a result of some marketing or media attention, or if it starts getting hit by search engine bots? Suddenly this once stable site falls over horribly due to poorly written or legacy code.

But Railo/Lucee is better, right?

Ultimately no, I’m afraid, as they run on Java and so work the same way as CF, so the primary issues mentioned above apply just the same.

Lucee is, however, an improvement in that security sandboxing is automatically applied at the website context root level (if you set this in your Lucee server admin) and does not require admins to set up sandboxes for each site as with ColdFusion, which is a sandboxing nightmare. This makes Lucee better for shared hosting. However, the sandboxes, like ColdFusion’s, only sandbox CFML and can easily be overridden with Java code.
Lucee also has its per-site web admin, allowing all users to admin their own site, which is again a big improvement over ColdFusion, which has a single Admin that must be administered by the host.
So by using Lucee you don’t have to rely on your host; you can pretty much do everything yourself.

So what’s the solution?

The only solution is to do some research, educate yourself and use a bit of common sense.
ColdFusion is intended to be an enterprise solution, and thus to run on dedicated hosting solutions. It was never intended to be used for shared hosting and is not built to do this. So the simple answer is: use the right tool for the job.
If you just want to run a blog, personal website or simple brochureware website, and you don’t have your own server and only have the budget for shared hosting but do not want to be affected by the above problems, then use a technology more suited to this purpose, one that runs as a CGI/ISAPI process, the most popular of course being PHP or ASP.NET. Avoid any Java-related choices as these will all suffer from the same issues.

If you love CFML and want to use it for everything you do, then do yourself a favour and get a VPS running Lucee (or ColdFusion if you can afford it).
On your own VPS you then also have the option to use multiple CF instances, so each of your sites runs on a dedicated instance of Tomcat or whatever is your Java servlet container of choice. That way you can still run multiple sites but avoid the shared hosting scenario and also lock down the security.

I am going to use shared hosting anyway, regardless. What do you suggest?

If you really have no choice (or simply won’t take good advice), then here are some tips on choosing a host.

  • Choose a host that specializes in Lucee or ColdFusion and actually knows what they are doing. Do not choose a generic host that simply has Lucee/CF installed and classes this as SUPPORTED.
  • Test your host’s knowledge: see how much they know about CF/Lucee, and ask to speak to a CF specialist.
  • Make sure your host is secure.
    • For ColdFusion they should be using Enterprise edition, otherwise no sandboxes, and no security. If they are running Standard edition, avoid.
    • Ask them if they run a bog-standard, out-of-the-box CF installation. If yes, then it is not locked down and is not secure.
    • Ask them if they use FusionReactor or HackMyCF. Preferably go with someone who says yes.
    • Ask them if they use security sandboxes. If no, then avoid.
  • Ask your host how many sites they run on each CF server. Too many = bad.
  • If you regularly need to set up data sources, mappings or anything that requires access to the CF Admin, you would be better off with Lucee.
  • Ask if you can get RDS access. If they say yes then avoid, as this should not be enabled in production.
  • Check if you can access the cfadmin or adminapi from your site. If yes, change host now as they are not secure.

Unfortunately there are very few noteworthy CF hosts these days. The ones I see most commonly recommended are Viviotech, Hostek, HostMySite (although not so much since they got taken over by hosting.com) and Host Partners (my company).