Would customers be better off if Google comprised many smaller businesses, each custom-tailored to understand and serve their customers? It's a question beyond the pay grade of this particular author.


But what I can say with confidence is that loyal customers of the current Google super-conglomerate regime are struggling to be heard under the weight of a bureaucracy that seems incapable of adjusting when facts exist that contradict the approximated heuristics that power their web-scanning tools.


For about 6 7 8 9 weeks now (as of Dec 14, 2024), our Google Ads account has been suspended/marked compromised in spite of 20+ emails and 10+ phone calls where we have attempted to substantiate why our company deserves the privilege of paying for Google Ads. For anyone who has felt trapped in a web of bureaucracy and wants company in their misery, or just anyone that loves a good yarn about weeks of suffering, I present to you the details of our past six weeks trying to escape our Google Ads account activated.



linkPart I: Suspended for paying with a credit card (3+ weeks)

My experience with Google's 2024 approach to "customer service" began in October 2024, when one day I logged into Google Ads and noticed that our account had been suspended. It was a curious development, since we had been spending a few thousand dollars per month on Google Ads for 10+ years, between our previous business Bonanza (which averaged $60-150k per month on Google Ad spend until we sold it in 2023) and our new businesses, GitClear and Amplenote.


But as I came to learn, Google had concluded that our business, and its 100% on-time payment record, could no longer pay for ads with a credit card. Moreover, instead of notifying us about this conclusion, our account would be suspended until we managed to connect with the Google Support agents capable of setting up a "Payment Profile," which is Google's fancy way of requesting a direct connection to our bank account.


I am not crazy about opening the door to Google directly debiting an unlimited amount of cash from our bank account. I quickly determined that, until we capitulated to this demand, we stood no chance of tapping into what remains, for the time being, the web's largest ad network. Of course, getting Google to accept our direct debit bank connection was no mean feat. Following is a taste for the how many interactions were required before our direct deposit connection was accepted. Not shown: Upwards of 10 government documents and tax returns I was required to send Google to be eligible to give them our bank account details. Maybe it bears repeating: we have never had a late payment. Our credit card has always been set up to "Automatically pay whatever is due," and that had worked without issue since 2020, when we began running GitClear ads.


Three weeks worth of bureaucracy to accept our application to pay via the only option Google allows


So, we capitulated and set up the Direct Deposit. Then went through the steps to create a new payment profile. Even though it took two weeks for Google to adjust the payment profile so it was not labeled after (and ambiguously connected to) our previous business (now owned by another party).


Yay! We finally escaped weeks of back-and-forth in Google Ads' support purgatory.


Or had we?


linkPart II: Suspended for "Compromised site" (3 weeks)

It was an exciting day in November 2024 when our Payment Plan was finally approved, and we were back in business, paying Google thousands of dollars for nominally effective ads!


Except, upon logging in to the newly-unsuspended account, I observed that all of our campaigns... were still marked as suspended. What the heck?


What was going on was that GitClear had been tagged by Google Ads heuristic bot as a "compromised website."


How could GitClear's website, with its SOC2 compliance, ISO 27001 accreditation, and zero security issues as reported by Google's own Search Console, have been compromised? After appealing our suspended campaigns and waiting a day, we finally received our answer:

Google automatically and consistently scans all web domains on the ad network for suspicious links which might be harmful to Google's users (see policy here). Whenever any compromised links are discovered, a site is flagged until those links are removed and a subsequent scan comes back clean.

Thus, to fix the issue, the malicious links must be removed from the website. Please have the site owner/webmaster check the site to find and remove the compromised elements.

amplenote.com

Once the compromised links have been removed, please appeal relevant ads using the 'made changes to comply with policy' button. Note that ads disapproved for this reason cannot be manually re-approved.

According to Google's "automatic and consistent web scanner" that stays ever-vigilant for suspicious links, GitClear has apparently been infiltrated by this Amplenote.com domain!


But wait, was that really a malicious domain? Its domain sounded very familiar, almost as if I had seen it featured on the home page for our company...


The home page for our company, Alloy.dev: Yes, GitClear links to Amplenote & vice versa.


GitClear's ad campaigns had been suspended because we link to Amplenote.com, a domain that we own, as is the other half of our company's product line-up.


But wait, maybe Amplenote was compromised and Google is helping prevent would-be GitClear visitors from getting hacked? No. Google's own Search Console tool attests that neither GitClear nor Amplenote have any sort of security issue, nor malicious link:






Those facts have not stopped Google from emailing us about our "compromised" site, that upon careful reviewed, is "correctly deemed" as compromised (no further explanation provided).


Maybe, even though Google's Search Console calls our sites malware-free, there is some other third-party site that has designated Amplenote to have questionable content? Again, no. A comprehensive check of spam- and malware-lists on URLVoid further confirms that Amplenote is 100% free from any negative reports from any third-party service. As it always has been since we launched it in 2020. Not surprising, since our transparent security design has been the cornerstone guiding Amplenote's development.


If you have ever had the misfortune of being on the wrong side of Google's automated heuristics, I'm sorry. We feel your pain. It is the pain of helplessness, when you are a small company struggling against much richer competitors, and you end up stuck in an inflexible set of policies that can not account for the reality of the situation.


If you haven't had the misfortune yet of being on the wrong side of Google heuristics, I'll provide a taste of what you'll be in for. These are the chronological emails and phone calls that Google has sent us since we escaped from Part I of our bureaucratic purgatory.


First, on November 25th, the initial explanation that "our webmaster" needs to scrub our site of references to the offending site:




On November 26th, I respond with a copious set of links substantiating why we embed pages from our Amplenote product. Their next response, also sent November 26, was the standard "please wait a few business days." That was followed on November 27th by a veeeery familiar-sounding conclusion from Google's policy prophets:


Do you feel valued as a 10+ year, 100% on-time payment customer now?


So, after proving we own Amplenote, and link to it out of pragmatism, Google responds with a verbatim copy of their message from two days earlier. Scream all you want: in outer space, nobody will hear you.


It was unclear what next move makes sense when you've carefully articulated why a policy doesn't apply, and then you receive an identical response that does not acknowledge any of the points I spent 45 minutes gathering to help Google understand or situation.


This seemed to boil down to a showdown between their automated web scanner and the members of Google's support team, who seem completely unable to override the conclusions of their heuristic-driven web scanner.


Still, I kept trying. What choice did I have? I explained:

You are asking me to remove malicious elements, but we have no malicious elements on our site, so I'm not sure what we are supposed to do?

Their response? To call me on Monday, Tuesday, and three times on Wednesday, to inform me that our site has malicious links to Amplenote.com, and that our webmaster really needs to remove these links in order for our campaigns to restart. After one of the Wednesday calls, their support team followed up with the recommendation that I should remove the compromised links from our site:



If your life is too short for reading boilerplate, the key takeaway:

The dedicated team reviewed and informed that ads are correctly labeled in campaign as the requested site is detected as a malicious domain [amplenote.com] by our system and unfortunately we should not be able to re-enable it."

Round and round we go... if this ever stops, nobody knows.


Here are three weeks in the life of a loyal Google Ads customer that has run into a bureaucracy the likes of which reason can not penetrate:


Apparently, in addition to the 3 support phone calls I received today, we've now traded 38 emails with Google about our "Compromised" web site


linkPart III: Can our protagonists escape this merry-go-round?

This part of the story is still being written. As of December 3rd, I received five calls from Google, four of which I was available to answer.


Ask me to critique the Google Ads hold music sometime


Every call, I would dutifully provided my name, my authorization to be recorded, my email address, and my Google Ads account number to a series of kind-sounding Indian women. Between 5 minute holds to "investigate my issue with the team," I was politely informed that I should really contact our webmaster and ask them to remove these compromised links from our site so that we can open a new appeal and get our campaigns running again. 🤦


As of December 5th, I received a support message with a ✨new detail ✨

Repeating "policy violations" that can not be substantiated, 4th communication


Unlike previous messages, this one actually contained a link though, which made it more exciting than the norm: https://www.gitclear.com/help/quick_start_guide_cab. Let's take a look.


linkAnalyzing whether Quick Start: Commit Activity Browser is dangerous

Here is the full list of assets downloaded by the page Google Ads mentions, but almost all of them are just images. Narrowing the page load assets to non-images yields a handful of Javascript files and a handful of XHR requests.


Before we delve into the specifics of these assets, let's get a quick third-party take on the danger level of this page:


A third tool confirming that there is no trace of malfeasance


Let's dig into which Javascript or XHR request Google's automated tool might consider "malicious"?


linkJavascripts

Nothing atypical loaded in Javascript

These are the same scripts that are loaded on pretty much every single GitClear help page, not to mention most of the content pages linked from our header.

linkXHR requests

XHR requests made by the flagged page

Is Google claiming the page is "malicious" because it polls for content updates on a 10-second timer? That would be interesting to know, if they would offer more the broadest of gesturing at what they constitute as a "malicious link"


linkConclusion

I will update this post periodically as I continue to be spun round and round in the washing machine purgatory that is Google Ads Support. If you know of any other comparable options for reaching customers through a company that is driven by humans, please share your ideas in the comments?