Who’s driving the bus?

Some years back, I had a close friend who drove a bus for Seattle-area Metro Transit. His career came to an end as a result of an incident in which a gun-wielding thug commandeered the bus in the middle of downtown Seattle.

The hijacker allowed other passengers to leave the bus, then ordered my friend to drive on, at gunpoint, without stopping. Metro Transit police were eventually alerted, began following the bus, and after several blocks the hijacker was coaxed out of the bus — without carrying through on his threat to shoot my friend if he stopped the vehicle.

My friend took a few weeks off from work, met with some mental health counselors, then went back to work and suffered a major panic attack the first time he sat in that driver’s seat with his back to a bus full of what were, in his view, potential hijackers. A few months later he retired on disability.

In the past couple of weeks, I’ve been thinking a great deal about how commercial websites, and other small businesses, get hijacked by “bad guys.”

At the first Seattle Lunch 2.0 (organized by Josh Maher and hosted at WetPaint), Rand Fishkin of SEOMoz talked about “black hat” SEO practices that come under the heading of “link spamming” — ways that the bad guys drive traffic to their websites by placing unwanted links on other sites (such as yours) or loading up their sites with inaccurate or redundant keywords to trick search engines into seeing their pages as highly relevant. (You’ll find a link to Rand’s excellent PowerPoint presentation in this SEOMoz blog post.)

The audience voted to hear that presentation (Rand, a prolific presenter, offered a choice!) not because we’re a bunch of link spammers but because many of us are involved in protecting our websites from that sort of predation.

On a personal website or blog, it’s easy to put a stop to link spam. Simply turn off comments. But for a commercial website, that’s not a choice. Web 2.0 pretty much mandates the highest level of reader/customer participation you can handle. Thus a commercial site needs to devote resources (human or technical) to screening comments before they are published. And there needs to be aggressive, legitimate SEO work, including keywording, to make the site as visible as the sleazy sites earning their rankings through the sorts of tactics Rand was describing.

The issue I’m most interested in here is karmic: The danger of getting really, really good at protecting yourself against hijackers is that you start thinking of everyone as a hijacker…and treating them that way. Paranoia may or may not be justified, but no one wants to spend time (online or off) with a paranoid.

The day follow Lunch 2.0 I was shopping at one of my favorite stores in Ballard. The couple who own the store were talking with another local retailer about a skirmish with a professional shoplifter that morning. The shoplifter, a man, appears frequently but unpredictably, always carrying boxes and bags and wearing a bulky jacket. He prowls around the large store for about an hour. One of the owners (the husband) keeps an eye on the suspect. Of course, this ends up diverting him from helping customers, running the cash register, answering the phone, or supervising shipments coming into the store. That morning the husband had relaxed his surveillance to help a woman with a large piece of furniture, only to have the shoplifter grab something small and valuable and waltz out of the store with it. The store can’t afford to hire a security guard to deal with this one criminal, and they were unwilling to cause a big chase scene in the store (generally filled with female customers). “We estimate he’s getting out with about $100 worth of stuff every time,” I heard the wife said, a shrug in her voice. “It’s a cost of doing business.”

I thought sadly about how much less fun the store would be if vases, candlesticks, CDs and such were kept in locked cabinets rather than artistically displayed on tables and shelving. Just as a lot of websites are less fun (and less usable) because of all the security hoops you need to jump through just to leave a comment.

I’ve been giving some thought recently to starting a quasi-commercial website, one that would revolve around reader participation and comments. One of the biggest obstacles I’m grappling with is what to do about the bad guys. I don’t want a hijacking incident, but I don’t want to become a professional security guard, either.