Google said this week that it was expanding the types of data people can request to remove from search results, to include personal contact information such as your phone number, email address or physical address. The move comes just months after Google rolled out a new policy allowing people under the age of 18 (or a parent/guardian) to request removal of their images from Google search results.
Google has for years accepted requests to remove certain sensitive data such as bank account or credit card numbers from search results. In a blog post on WednesdayGoogle michelle chang wrote that the company’s expanded policy now allows for the removal of additional information that may pose an identity theft risk, such as confidential login credentials, email addresses, and phone numbers when appear in search results.
“When we receive removal requests, we will assess all web page content to ensure that we are not limiting the availability of other widely useful information, such as in news articles,” Chang wrote. “We will also assess whether content appears as part of the public record on government or official source sites. In such cases, we will not perform removals.
Google says a removal request will be considered if the search result in question includes the presence of “explicit or implied threats” or “explicit or implied calls to action to harm or harass others.” The company indicates that if it approves your request, it may respond by removing the URL(s) provided for all queries or only for queries that include your name.
While Google removing a search result from its index will do nothing to remove the offensive content from the site hosting it, getting a link decoupled from Google search results will make the content of that link much less visible. According to recent estimates, Google has a market share close to 90% in the use of search engines.
KrebsOnSecurity decided to test this expanded policy with what seems like an obvious request: I asked Google to remove the search result for BriansClub, one of the biggest (if not THE biggest) cybercrime shops for sale of stolen payment card data.
BriansClub has long abused my name and likeness to pimp its products on hacking forums. His homepage includes a copy of my credit report, social security card, phone bill, and a fake official government ID.
Briansclub updated their homepage with this information in 2019, after it was massively hacked and a copy of their customer database was shared with this author. The leaked data – which included 26 million credit and debit card records from hacked online and physical retailers – was eventually shared with dozens of financial institutions.
Tech Crunch writing That the policy expansion comes six months after Google began allowing people under the age of 18 or their parents’ request to remove their photos from search results. For do so, users must indicate that they want Google to remove “the image of an individual currently under the age of 18” and provide certain personal information, image URLs, and search queries that would bring up the results. Google also allows you to submit requests to remove non-consensual explicit or intimate personal images from Google, as well as unintentional fake pornography, TechCrunch notes.
This post will be updated in case Google responds in some way, but it may take a while: Google’s automated response said: “Due to preventative measures being taken for our support In light of COVID-19, it may take longer than usual to respond to your support request. We apologize for any inconvenience this may cause and will respond to you as soon as possible.