Google, Click to Call, and Prank Calls
By Eric Goldman
Google has [re]launched [see below] a crazy feature called “Click to Call” in Google Maps that allows users to initiate a telephone call from their search results. When you search on a business in Google Maps, the left hand nav bar will display the business’ name, address and phone number. Next to that is the word “call.” Click on that, and it asks for your phone number. Provide your phone number, and Google will immediately call you. Pick up the phone, and the system will say “connecting,” and then it will ring the business you’ve searched for. Pretty slick.
But…as usual, there’s a dark side. In this case, Google doesn’t authenticate that you entered your phone number. Want to play a joke on a friend? Search for a funky business, click call, enter your “friend’s” phone number, and your “friend’s” phone will ring. When your “friend” picks up the phone, they will be automatically connected with the funky business, wondering why they are now speaking to Frederick’s of Hollywood, or the local police office, or the Federal Trade Commission. Ha ha ha.
Or, want to surprise a “friend”? Pick any business and put in your “friend’s” number at 2 am in the morning. Do it twice for good measure. And if you really want to win adulation among your friends, put in their cell phone number repeatedly and burn up their minutes. I’m sure there’s yet other mischief possible (but I’m not deviant enough to think it all through). Best feature of all–the caller ID displays the target business’ number, so there’s no way for recipients to block the incoming calls or even trace who’s pranking them.
Obviously, it’s stupid for Google to allow a person to initiate a telephone calls without doing any authentication. Google weakly acknowledges the mischief risk in their help information:
Google takes fraud and spamming very seriously. We use technical methods to prevent future prank calls from the same user within a reasonable period of time. You won’t be charged for any such calls. Please contact firstname.lastname@example.org if you believe someone is entering your phone number without your permission or knowledge.
Gee, thanks, that will help me fall back asleep when I get the 2 am call. Even better would be authenticating people before allowing them to initiate a phone call. I have to believe that Google will fix this oversight soon. Until then, party on!
UPDATE: It appears that the prank risk was spotted back in November and Google pulled the feature at the time. It looks like Google relaunched it without any new controls.