Cloaking of public reviewer access

[dmarti]

A deceptive associated set could make easily-findable pages (home page, About Us, privacy policy) that are clearly presented to the user, and then drive traffic to other, harder-to-find pages that are deceptively presented as independent.

For example, the sites of a bogus medical journal, clinic, and online pharmacy could be clearly co-branded on their home pages and on pages linked to from the home page - and then use social media ads to drive traffic to "research" "patient guide" and "order pills now" pages that are styled and branded completely differently.

The deceptive set would pass public review because from the point of view of home page visitors, it's obviously co-branded. And the set would not need to be large. (A small, well-tested set of 3 or so deceptively connected domains would probably be able to do this kind of scam best.)

Even highly conscientious independent reviewers would have trouble detecting a bogus set simply by surfing around -- reviewers would likely not be in the target group to which the deceptive deep pages would be promoted, and they wouldn't be able to get there from a link. Some kind of user research covering the actual audience experience would appear to be needed.

(cc @johannhof, based on today's WICG meeting)

[johannhof]

Thanks for filing this, Don! I agree that this kind of "bait and switch" attack isn't inherently prevented by a numeric limit, but I actually think that this example outlines the need for manageable set sizes, to enable public reviewers to assess the list at any point in time without significant investment. If the set owner had the ability to add 200 sites with valid presentation on top of 3 that don't play by the rules, public spot checking would have a much lower chance of success.

As to the attack itself, it seems difficult to eliminate the threat entirely, but at least building this kind of setup requires effort, and branding a site's easily accessible public pages in extreme contrast to its ad-reachable pages presents obvious risks of exposure from a single knowledgeable user. This is why I think focusing on public participation and attention is preferable to submitter-sponsored user research. There is nothing (as to my knowledge) preventing a set owner from changing site design or behavior in a similar manner after a user researcher (paid by them) has attested that a subset of pages appear associated to users.

[dmarti]

The bigger the set, the bigger the risks for doing fraud. Most scammers could expect to get sets of 3 domains regularly banned from FPS as a regular business expense, but getting a 200-domain set banned would be much more costly.

Reporting by interested users is going to be hard to evaluate. How do you tell these two cases apart?

• malicious reviewer reports legitSite.example/buy-miracle-virus-cure.html and other participants can't see it because it was never there

• honest reviewer reports scamSite.example/obvious-scam-page.html, the scammer sees the report in their GitHub notifications and moves the page to another URL before other reviewers can verify

It would be very helpful to have a skilled, motivated, and honest reviewer community, but FPS needs to work even in cases where reviewers get behind in their work, or dishonest reviewers join.

(Remember the Kasparov versus the World chess match? Just like Kasparov could see the other side's discussion board, FPS scammers will be able to follow, and participate in, the set review forum.)