Here's the problem. It's very easy to get cloaked pages ranked highly in Google. So easy that there are syndicates selling advertising presence in the searches of some high profile terms.
A quick review of what a cloak is: a site shows different content to the search engines than to other visitors. It's very easy to identify a search engine bot by IP/name and conditionally serve files. Basically the cloak fools the search engine into thinking the content is something other than what it really is.
Now since this is a penalizable offense (will get you banned), the perpetrator never wants to risk his own sites. So most of these cloaks involve hacking an insecure infrastructure (like almost any .edu) and using that as the platform for the cloak.
Today (21 January 2011) you can see a perfect example of a successful cloak insertion into Google's search results. Do a search for "high roller online" and notice there are 2 .edu sites in the results (see screenshots below). The one that's #1 is from columbia.edu and is being pulled by the cloaker (only shows a PHP file at this time, but held the #1 rank for over a week). The result at position #3 is from ucsb.edu and is the money maker for the moment.
Here's what Google sees - what the cached link reveals:
So Google thinks this is a page from the history department at the University of California. But the visitors who click the search result go to one of six different casino sites - better promotion than any normal rotating ads presentation because of where this is occurring:
Keep in mind that this is happening at the TOP of searches - in this case claiming 20% of the page 1 organic search real estate. But even more valuable searches are often showing 3 or more such results on page 1.
Now why should we care that this is not only possible, but also happening with great regularity? We think all legitimate sites should be outraged at this, and therefore at Google. Because when 2 sites come onto page 1 via cloaks, 2 legitimate sites fall off of page 1.
Not only that, but often the rank is actually hijacked from some innocent site. Since it would be prohibitively difficult to insert a high ranking result from scratch, most cloaks actually take the rank away from someone who legitimately holds the position.
And when that happens, often the site that lost its rank also gets penalized by Google. Let me repeat this: victims can not only lose their ranks in Google as a result of the cloak, but can lose all their legitimately held ranks because Google blames them for the problem. In the past year we observed 5 separate instances of this. Up until this year, the victimized sites got penalty free almost immediately after reporting the hack. Right now, we know of at least one instance where the victim site remains penalized, even though the cloak was removed. The hack, by the way, is of Google's infrastructure via the search, not a hack of the victim's site. So it's a kind of indirect attack that has the effect of harming the business directly.
My biggest complaint about this is that the fix is so obvious and simple if Google chose to act. Just grab the page one results only (as a way to limit the resource outlay) two ways: once as Googlebot, and once as an anonymous user agent from the same geo area. If the two files don't match, have a human review it. I believe this would catch every instance of this kind of embarrassment for Google. The question is why hasn't this happened already? The answer is obvious - they're only going to act when there's enough outrage. Victim sites should consider this: There's an argument to be made that Google is complicit in the malfeasance occurring within their search if they are permitting this to continue when they clearly must know about it. My clients have already reported this problem countless times via reconsideration requests and spam reports. So there's really no excuse any more.
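The comparison step of that two-fetch check, as an added example that is not part of the original post: it takes the copy served to the crawler and the copy served to an anonymous visitor, compares their visible text, and flags a mismatch or a visitor-only redirect for human review. The sample pages are constructed, and the function names and the 0.5 threshold are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages (not captured from any real site).
BOT_VIEW = ("<html><head><title>Department of History</title></head><body>"
            "<h1>Department of History</h1><p>Course listings and faculty "
            "research for the winter quarter.</p></body></html>")
BOT_VIEW_UPDATED = BOT_VIEW.replace("</body>", "<p>Updated today</p></body>")
USER_VIEW = ('<html><head><meta http-equiv="refresh" '
             'content="0;url=https://casino.example/"></head><body>'
             "<p>Redirecting to our partner offers.</p></body></html>")

# Client-side redirects that send a visitor elsewhere after the page loads.
REDIRECT = re.compile(
    r"""http-equiv=["']?refresh|location\.(?:href|replace)|window\.location""", re.I)

class _VisibleText(HTMLParser):
    """Collect lower-cased words of visible text, skipping script/style bodies."""
    def __init__(self):
        super().__init__()
        self.words, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.words += re.findall(r"[a-z0-9]+", data.lower())

def shingles(html, k=3):
    """Set of k-word windows over the page's visible text."""
    parser = _VisibleText()
    parser.feed(html)
    parser.close()
    w = parser.words
    return {tuple(w[i:i + k]) for i in range(max(len(w) - k + 1, 1))}

def compare_views(bot_html, user_html, threshold=0.5):
    """Jaccard similarity of the two views; low similarity, or a redirect
    that only the anonymous view carries, goes to a human reviewer."""
    a, b = shingles(bot_html), shingles(user_html)
    similarity = len(a & b) / len(a | b)
    redirect_only_for_user = bool(REDIRECT.search(user_html)) and not REDIRECT.search(bot_html)
    return {"similarity": round(similarity, 2),
            "redirect_only_for_user": redirect_only_for_user,
            "needs_review": similarity < threshold or redirect_only_for_user}
```

Because a cloak can key on the crawler's IP as well as its name, the crawler-side copy has to come from the crawler's own network (or from the cached copy) for the comparison to be meaningful.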
It's very likely that by the time you read this the cloak I'm showing here will have been taken down. But it's also very likely that it will have been replaced by another.
24 January 2011 update:
I'm getting a lot of questions about how to protect a site from this. The answer, unfortunately, is that you can't - this is Google's problem. The attack is not to your site, so no amount of local robustness will prevent it. The fix is to get Google to make their search results more robust, and especially to pay more attention to cloaks in general. If you think this has happened to your ranks, point to this post in your reconsideration request. We need to get their attention onto this problem.
24 January 2011 update II:
uscb.com has found and removed the hacked page on this search ("high roller online") and on "high roller gambling" where there was a similar cloak result. The important point here is that the school took down the hack. It wasn't Google that fixed the problem - the problem still exists and will be evidenced again, count on it.
Complicity & Civil Conspiracy & RICO -
Historically, Google has been 100% successful in defending all civil claims against it for loss of profits. Why? It has successfully argued there is no legal duty owed to the domain. Put another way:
(a) The domain is voluntarily placed on the internet;
(b) the end "viewer" can utilize whatever search engine he/she wishes to obtain search results; and
(c) since Google receives no government dollars and is not considered a "public utility", i.e., it is completely privately owned, it can show the results it wants.
However, in the cloaking arena, Google may not be able to escape civil liability so fast.
Consider this:
(1) the victim site has a terms and conditions page;
(2) on the Terms and Conditions page it will undoubtedly state what is a permissible use and what is not;
(3) obviously, partially commandeering any one of the victim's pages would be a violation of the Terms and Conditions.
If you stop with numbers 1 through 3, a Victim Site would have a civil cause of action for any damages it may suffer as well as an equitable remedy to have them cease and desist the cloak.
Question: If the Victim Site has a cause of action for damages against the Cloaker, would not the cause of action also extend to all entities that permit the Cloaker to successfully carry out its fraud? I think the answer is yes but, to be successful one would have to show that Google knew that it was helping perpetuate a fraud.
There are numerous methods already available to show that Google "knows". Remember, if its algorithm knows...then it knows! How could its algorithm not know something is amiss when you have a fine accredited school's web site, with countless pages of educational data, and then you have this one lone page with Casino related search terms? It does not take a rocket scientist to know that there is a problem with that "cloaked" page.
Food for thought.
SG
This is a stunning discovery. We all assume Google knows what it's doing, but there are cracks in the foundation that you keep pointing out. Good to know that someone's holding them to account.
I find this to be the most interesting and valuable blog on advanced seo topics that I'm aware of. Kudos, Bob. Keep up the excellent work. Will fyi this on to our development teams and seo agencies. Once again you guys are in the forefront of discoveries showing us what's behind the Google mask.