Google’s Spam Update Now Covers AI Answers. Enforcement Is Difficult

Google has started rolling out its June spam update, its second of the year. It enforces Google’s written spam policies, and one of those policies now covers more ground than before.
Google’s spam rules treat attempts to “manipulate AI-generated answers” in Search as a violation, and that’s one of the policies the update applies.
A Cornell Tech preprint reported by 404 Media shows why the policy is harder to enforce than its wording suggests. Public pages that AI research agents rely on may also host third-party comments, and those comments can produce recommendations that the page’s author never wrote.
What Google labels as spam therefore sits on the very pages those agents rely on, and the research finds that the apparent protections all come with drawbacks.
For anyone trying to get a product into AI-generated responses, the line between acceptable practice and spam is being redrawn.
The Stakes
SE Ranking’s tracking of AI Mode found Google increasingly citing its own properties, which account for up to about a fifth of AI Mode citations in its latest report.
With more citations pointing to Google and fewer to external websites, the incentive to capture one rises accordingly.
A gray market has already begun to form, and the Cornell authors point out that vendors are actively exploring ways to leverage AI-generated responses.
Businesses, at the moment, don’t have the data they need to see what’s going on. As our previous installment on agentic search laid out, there is no dashboard that tells a site whether it appeared in an AI response, was cited in a generated report, or was passed over.
The result is a violation that Google can name but that the affected site usually can’t see.
Research Findings
The paper, titled “Deep Research Agents Can Be Poisoned by User-Generated Content,” which has yet to be peer-reviewed, investigates a weak spot in the way AI research tools gather their sources. These tools answer a query by firing off a set of related sub-queries, fetching the pages that appear for them, and compiling a report with citations.
The analysis found that the same social pages kept appearing across those sub-queries. Within a single topic cluster, one user-generated page appeared in up to 48% of queries, and user-generated forums accounted for 17% to 23% of all URLs retrieved. Change one of these popular pages, and the change can flow into the reports for that entire topic.
The authors found that approximately 13 words of text planted on a retrieved page were enough to get the attacker’s chosen entity into the completed report 38% to 51% of the time the page was retrieved.
Spread the same text across a few pages, and the number increased from 42% to 62%. Even buried within a full page, where it made up less than 4% of what the agent read, the embedded text still appeared in 30% to 53% of sessions.
The tests covered three open-source research agents, STORM, Co-STORM, and OmniThink, all run in simulation so that nothing on the live web was touched.
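An added example (not from the paper or this article): a defender-side audit of an agent’s retrieval log that computes the two exposure figures described above, the user-generated share of all retrieved URLs and the share of sub-queries each user-generated page reaches. The host list, the log, the function names and the 0.4 threshold are constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumption: hosts treated as user-generated content (UGC). Constructed list.
UGC_HOSTS = {"forum.example", "qa.example"}

# Constructed retrieval log: sub-query -> URLs the agent fetched for it.
SAMPLE_LOG = {
    "which plumber to call": ["https://forum.example/t/plumbers",
                              "https://vendor-a.example/services"],
    "plumber reviews": ["https://forum.example/t/plumbers",
                        "https://news.example/review"],
    "plumber pricing": ["https://www.qa.example/q/42",
                        "https://vendor-b.example/pricing"],
    "emergency plumber": ["https://forum.example/t/plumbers",
                          "https://vendor-a.example/services"],
    "licensed plumber": ["https://news.example/review",
                         "https://vendor-b.example/pricing"],
}

def is_ugc(url, ugc_hosts=UGC_HOSTS):
    """Match on exact host or subdomain, so lookalike hosts do not count."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in ugc_hosts)

def exposure(log, ugc_hosts=UGC_HOSTS):
    """Return (UGC share of all retrieved URLs, {UGC page: share of sub-queries})."""
    total = ugc = 0
    hits = Counter()
    for urls in log.values():
        total += len(urls)
        ugc += sum(is_ugc(u, ugc_hosts) for u in urls)
        for page in {u for u in urls if is_ugc(u, ugc_hosts)}:
            hits[page] += 1  # count each page once per sub-query
    share = ugc / total if total else 0.0
    reach = {page: n / len(log) for page, n in hits.items()}
    return share, reach

def high_reach_pages(log, threshold=0.4, ugc_hosts=UGC_HOSTS):
    """UGC pages retrieved for at least `threshold` of sub-queries: review first."""
    _, reach = exposure(log, ugc_hosts)
    return sorted(p for p, r in reach.items() if r >= threshold)

if __name__ == "__main__":
    share, reach = exposure(SAMPLE_LOG)
    print(f"UGC share of retrieved URLs: {share:.0%}")
    for page in high_reach_pages(SAMPLE_LOG):
        print(f"high-reach UGC page: {page} ({reach[page]:.0%} of sub-queries)")
```

Pages that cross the threshold are the ones where a single edited comment can reach many reports, so they are the first candidates for source review or down-weighting.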
Where Enforcement Is Hard
Google can label manipulated AI answers as spam and act on what it catches. Catching it is the hard part. The embedded text reads like real advice and sits on the same pages the tools already read, so distinguishing it from regular posts is a big problem.
The research team looked for a defense against the planted text but could not find one. They tried excluding user-generated sources, screening them with a language model before use, and checking the finished report for unsupported claims.
None of the three stopped the attack without making the results worse for the user. Throw out user-generated sources, and you lose the community insights that make AI search tools worth using.
The tools most people use remain outside of that test. The researchers could not poison ChatGPT Deep Research or Gemini Deep Research without crossing an ethical line, so for those tools they measured only citation practices. Gemini relies on user-generated content 12.1% of the time, which the authors call a signal of exposure, not a tested result. The OpenAI tool has reached it very slowly.
Why This Matters to Search Professionals
Tactics that can help raise visibility in AI responses resemble the deceptive tactics that Google calls “spam,” such as planting mentions across the sites these tools read. We don’t know where Google’s line falls between earning mentions and engineering them.
For ecommerce and local products, the risk comes from the other side.
The test cases were everyday questions people ask, such as what service to call, what product to buy, and where to eat. A competitor or fraudster can insert an unfamiliar name into those answers, next to the legitimate options, and the product being released won’t be able to.
For publishers and big brands, the concern is trust in the responses their name is attached to. A citation from an AI tool is seen as a win, but the citation only shows what the tool pulled, not whether that page was correct, and the attribution can point to content the brand didn’t write.
There is no fix for all of this. AI visibility has become an area you actively monitor, not just a passive channel.
Looking Forward
The authors called manipulation through user-generated content an open problem that no single platform can address alone. Reddit has flagged its long-running battle against targeted manipulation, and Google has attached context labels to some Reddit-sourced content in its AI Overviews. Neither addresses the retrieval concentration the paper points to.
Google has not yet indicated how it intends to enforce against AI-answer manipulation, whether through a dedicated review or through SpamBrain and the manual reviews it relies on for most violations.
For now, the policy calls out the behavior without defining its limits, and testing AI’s answers is left to whoever reads them.



