I operate on the realization that google will one day arbitrarily destroy my gmail account for absolutely no reason. At any time. Because. Due to reasons. Those reasons which include the knowledge I will likely never have anything clearly explained. Reasons I cannot appeal. At all.
This is what free gmail means to me. Same goes for youtube. Especially youtube. Videos can be deleted for no reason. Better keep copies.
Famous people have lost content on google and youtube. Blocked emails. Lost videos. etc etc. I'm a nobody. If famous, "important" people have their accounts "accidentally" deleted, what hope do I have? None whatsoever.
I have no idea what google would be like for paid accounts of my own but I was working with a company that did and the support wasn't terribly helpful during an email migration so I'm unimpressed. At least they responded to my emails after a few days.
Google is running a free service and have limited resources for customer support. I think everyone understands that. But why can't they make better use of that support using algorithms and data analysis?
For example, they probably get thousands of requests for account assistance. But they have full access to the emails in the account. And related metadata like age of account, volume of emails, other services used (Android apps released, Youtube videos created), and others. It should be simple to create an algorithm to prioritize the requests. So if an account was created a week ago and doesn't have much history? Low priority. An account is 10+ years old and has regular bank statement emails incoming? Highest priority.
And if that's too much work, just provide a paid option. Tell users that if their issue is really important, then pay some amount (such as $50) to get immediate urgent support. The user with a one week old account won't care enough to pay. The spam scammers obviously won't pay. But the user with all bank accounts, brokerage accounts, other important services going through their gmail account? They will likely pay to get assistance.
Instead every account gets the same shitty treatment. They could easily identify the important accounts to look into first using data analysis and algorithms. They're supposed to be good at this stuff! Or provide a paid option. Or do both. Only explanation I can think of is that it doesn't look good enough for a promotion so nobody at Google cares.
They really don't seem to care. I run a site with AdSense. Google makes about 20k a year in commission from my site. I get zero support.
1. My ad clicks went from a steady 500 a day to 1-5 a day and my revenues plummeted. I contacted Google. After one month of being passed around they tell me they're not allowed to disclose what's wrong, but I can try labeling my ads as "Advertisements" on my site. One month of waiting for that response.
2. Recently Google started clawing back 50% of my monthly earnings at the end of the month. It's typically 0-10%. However, it just jumped to 50% the last couple of months. So they give me daily reports that I'm earning $150 per day, and then at the end of the month they just say nope, we're actually going to only give you half of that revenue. Oh, and we can't tell you why, that's confidential. I searched online and found lots of people recently reporting 30-80% of their revenues are being taken away. No one can get a reply from Google. What's even worse, I use header bidding. So someone opens my site, Google says they'll pay X to show an advertisement to that user, they outbid my other networks, and then a month later they say they can't actually pay that price. Meanwhile, my other ad networks could have shown an ad, but Google outbid them with a price they're not willing to pay.
3. I tried to set up an in-house advertisement the other day using Google DoubleClick. The idea is that I create an ad for my Patreon page, and if none of the ad networks I run can pay more than X for that impression, then it shows my Patreon advertisement. Well, Google says Patreon is malvertising, and they won't let me run a display advertisement on my own site, linking to my own Patreon page. What does that notification say in the ad manager? It says they can't disclose any additional information and not to contact them.
This company is a joke. They've collected at least 100k in commission from me, and I get zero support. I'd like to fix that issue resulting in half of my revenue being taken away each month. Nope, no one I can talk with, and if I do talk with anyone, they can't disclose that information or what ad unit is the source of the issue. I need to try making a change, and then cross my fingers that one month later I don't lose most of my revenue. It would probably take a year to understand the issue with monthly experiments. Anyway, I'm in the process of removing Google from my life now. I have zero respect for that company.
A lot of people have Google horror stories like this.
I’ve had a gmail account since early beta. I upgraded to their $10 per month for 1 tb storage (which they recently increased to 2 tb). I recently got a better deal from Microsoft so want to switch. So over a week ago I deleted my entire Google Drive. Except it put everything into the Google Drive “trash” that still counts against me. I immediately emptied the trash except that literally did nothing that I could tell.
Then, about 100 GB per day has been freeing up from the trash for the last week and a half. I can’t cancel the extra storage until this is complete or I’ll stop receiving email on my gmail account. At the snail’s pace that it’s freeing up storage on my Google Drive from the trash they’ll be charging me another month. It’s ridiculous. And as a paying customer there’s no practical way to contact them.
Support is one of the things you get if you pay for storage, though?
Yes, and it's completely useless. Their user interface is such an anti-pattern that it has to be by design. All I want to do is delete everything in Google Drive and delete everything in Google Photos. For Google Photos, the fastest way to do this is to zoom out ridiculously, hold the shift key down, click the first photo to delete, then the last photo you can see on the screen and then release the shift key, click delete and repeat like 200 times for the number of photos I had on there. Oh and don't scroll out TOO much or your browser will just crash. Seriously, this is their answer to deleting photos.
And Google Drive is no better. 1.2 TB of files from my drive and cleared out the trash at least 75 times but a week and a half later I still have over 100 GB in phantom files. And suddenly all these additional images showed up when I click on Storage in drive.google.com and you guessed it - I have to delete them one page at a time. It's like they're doing anything to make sure you can't get your account under 15 GB so you can stop paying them money. And their support just gives generic advice like what I've typed here.
I've switched entirely to the new Microsoft Edge for browsing, OneDrive for storage and the only thing I have left is an ancient gmail account that I'll likely be switching over to Fastmail.
One time I had a friend send me a few thousand photos on Google Drive. I tried to download those. Oh boy. Do too many at a time and it'll crash, otherwise it's select a few dozen, wait 5min for Google to zip them, then download and repeat.
I finally solved my problem by interfacing directly with their API and writing a Python script to recursively download larger folders. It's sad that I was forced to do that, but it worked.
> It says they can't disclose any additional information and not to contact them.
I think this is the most troubling aspect of Google (free) services. This is why I bit the bullet a couple of years ago and started running my own mail server. The buck stops here :)
Google does actually have a paid option. Buying extra storage space for Gmail and Google Drive (Google One) is theoretically supposed to come with support, as one of their touted features.
I have. Multiple times, both for my personal account as well as the accounts of clients that I manage. In fact I just used support yesterday (a Sunday in Fiji, the weekend everywhere) to help migrate a client from Google to a local Google Reseller (so they could get invoiced in the local currency).
My total monthly spend with Google (between myself and my clients) is relatively tiny (under $100 USD).
In my experience, the support has always been stellar. Starts with chat (which I prefer), but if that isn't enough to resolve the issue, it gets escalated to a higher level and an offer for them to call me.
> In fact I just used support yesterday (a Sunday in Fiji, the weekend everywhere) to help migrate a client from Google to a local Google Reseller (so they could get invoiced in the local currency).
Haha, I last used it for the same reason :) What a dumb system that is…
But overall I've had success with GSuite support yes. I mean, I've not often needed it, but part of it is knowing that it is there in case my account does get fucked with. Huge reassurance.
I admittedly don't have a Nest, but I've encountered extremely few limitations in my day-to-day usage of GSuite as my sole google account. The only one I can think of from the top of my head is, asking "ok google, when is my next meeting" gives me an error about gsuite not being supported (yet).
- No Google Play reviews
- No Google One (can't share storage with family)
- No Google Drive->Photos sync (They have completely removed this feature now)
- A few other limitations I can't remember. I switched to a regular Google account now.
> I operate on the realization that google will one day arbitrarily destroy my gmail account for absolutely no reason.
No! We need to demand more from Google (or, at least our lawmakers). I have a business that relies on a Chrome extension to be on their web store.
Say I accidentally trip off something in their opaque machine learning algorithm that determines my extension (or even a YouTube comment!) breaks their terms of service. They would have the right to completely block my account and remove the extension. Effectively, wiping out how I make a living with a single automated bit flip.
It hasn't happened to me, but the people that share horror stories of how it happened to them scare the $#!7 out of me.
As the Internet gets more privatized and less "open", I just wish there was something that required a fair "trial" of my account being suspended. The balance of power online is slowly shifting and I feel there needs to be something protecting the rights of individuals (the public) online.
> No! We need to demand more from Google (or, at least our lawmakers) [...] a fair "trial" of my account being suspended.
I wouldn't hold my breath. I encourage people to put their money where their mouth is. E.g., I host my email with Fastmail.com. Is that free? No, and thank goodness.
Google's core business is selling your eyeballs to people who want to influence you. Their relationship to eyeball owners is statistical; as long as they are providing adequate quantities of wallet-connected eyeballs to the highest bidder, they do fine. This drives a fundamentally different culture than businesses that live and die by customer relationships. And culture is extremely hard to change.
I don't know Google's numbers offhand, but Twitter's revenue is about $1 per eyeball-pair per month, with per-user profit much lower. Think about your salary, and then think about how much work you'd be willing to do for a given account. By my numbers, handling one medium-sized customer service issue could easily wipe out an entire lifetime of profit.
And that's before we even get into the literal millions of scammers, jerks, loons, and mafiosi that would a) happily misuse a Google account, and b) will eagerly waste hours of customer service time lying up a storm. Every extra inch Google gives an actual well-intentioned user means a few hundred miles taken up by that lot. Which is expensive indeed.
So I am entirely grateful that I'm paying Fastmail $50/account/year. That builds a culture of wanting each customer to succeed. Of wanting customers to say good things to potential customers. Which means that if there's some bump in the relationship, they're going to at least hear me out. If you too want that, please pay people money for services.
Provides a perverse incentive to offer bad products and not solve common problems. Unless they had a clear policy to refund the support cost if it was their fault.
Good question! I doubt it. Yahoo launched only 6 months before that comic strip was penned, and the number of daily internet users at the time was small. And their 1995 logo was... different: https://logos.fandom.com/wiki/Yahoo!
My personal email has been the same earthlink.net address for about 25 years now, and it’s been pretty worry-free in that time. My email client keeps all my email locally. I pay for service, I get that service. I guess it’s possible they’ll go out of business someday, but I’ll deal with it then. I don’t lose data over it.
How good is spam catching on those email providers? Because I'm disappointed as heck in my old Hotmail/Outlook account's spam catching, and if MS can't do it right what hope do smaller players have?
So far Fastmail has been quite good. My email address is ancient, so I get a ton of spam. (Over 99%, last I checked.) I see less spam with Fastmail than I did with my layered, carefully-tuned anti-spam filters.
> Their relationship to eyeball owners is statistical; as long as they are providing adequate quantities of wallet-connected eyeballs to the highest bidder, they do fine.
And people will leave Google for another free email service if even a small percent of people begin to lose their accounts.
Google definitely has an incentive to keep email functional.
Again, it's statistical, not personal. I agree that if they get up to the level of, say, accidentally banning 1%, that might be a problem. Maybe not, though, as changing email providers is a giant pain. But if it's 0.1%? Or even 0.01% per year? People will write it off as anomalous and stay with Google. However, that's ~100k-1m people per year who get totally screwed.
But with services this big people don’t look at the percentages, they look at the hard numbers. It doesn’t matter if 1M people are <0.1% of Google’s user base - if they lose their data people will start migrating off, because that’s a scary number, and the media will report “1 MILLION people lost their accounts!”, not “0.1% of people lost their accounts.”
Google has ~ 1.5 billion users. If something happens to 1 in 1000 people, then a) it won't happen to most people, b) most people won't know anybody it happened to, and c) maybe it happens to a friend of a friend. If they hear about it, they will likely say, "Oh, I'm sure there's a reason."
A reporter might hear stories about people who lose their accounts. They might even find those people. But so what? Right here in this discussion we're hearing those stories. Could this be happening to a million people across the globe per year? Sure. Does anybody know the true number? Nope.
So if you could discover the hard number (which you can't), maybe you could get a tech reporter to write about it. Then Google PR would go into action. They'd say correctly that it's a small fraction of their users, that keeping everyone safe is a difficult problem, and that they work hard to make sure everybody who should have access does, but sometimes people get swept up in Google's crime-fighting. All of which is true! Then they'll turn back on the accounts of the people the reporter actually talked to. PR will say that they've made process changes that have solved the problem, the reporter will include the happy endings, and that will be the end of it.
Just for comparison, tobacco kills about a half-million people a year in the US. It's totally unnecessary, but it's profitable for the tobacco companies. As long as it's killing somebody else, people are basically fine with it. If they can be chill about that, they will certainly be chill about you losing your Google account. They'll think you probably did something.
Demand all you want. Remember that you're not a customer, you're a user. Google offers their free services to keep you in their ecosystem, which allows them to collect more of your data and serve you more ads.
Users are much more disposable than paying customers. So what if they piss off a few users? As long as most people keep using Android, Chrome, Google Maps, Google search, YouTube, etc, there is no risk towards their bottom line.
Sure, you could try to go after them with government regulation, but they have tons of lobbying power. On top of that, even laws with the best intentions can often backfire and sometimes do more harm than good.
The only thing you can reasonably do is recognize your position and make sure you are never dependent on Google. You can still use Google services; just make sure you have a plan for when that suddenly stops being an option.
Even being a paying customer has little value. Remember that Jordan Peterson was #15 of Patreon with more than $1m revenue if I’m correct, yet he was removed abruptly, I think in the wake of being referenced in the Christchurch terrorist (together with his book being forbidden in NZ).
Even paying customers can be removed without trial.
Peterson wasn't removed, he left in protest, along with Sam Harris and others, after Carl Benjamin ("Sargon of Akkad") was removed over what Patreon considered to be a policy breach. [1]
I'm not expressing any position on whether or not the Carl Benjamin ban was valid, I'm just wanting to correct the record.
The distinction is that a mostly sane person decided to stock Hot Pockets at the grocery store and will likely continue doing so and if they stop it won't be for a random reason.
The way it works with Android apps is if some random code quality shell script of questionable quality flags your app, the app will be removed and you will get a lifetime developer ban from Google. There is no human in the loop and no appeals process.
Because there's a monopoly for Android apps, there is no reason for them to ever improve customer/developer service.
An excellent analogy would be getting banned for life by a programmers union if anything you write ever fails a valgrind test. Doesn't matter if it's a bug in that revision of the valgrind test and there will never be any human contact in the process.
"I've been banned from google and I don't even know why" is a weekly discussion topic on android development forums.
Even funnier is Google implements guilt by association. So if you have a similar email address or ip address to someone who gets banned, the same shell scripts will lifetime ban your account under their ban evasion policy.
Google Play does not have a monopoly on Android apps. It's not even included on phones sold in some countries. Numerous apps, including high-profile ones such as Fortnite, have not been distributed in the Play Store and there are several alternative app stores around.
Google set Project Zero on finding exploits for the Fortnite installer and then engaged in a media campaign to promote how scary installing it was.
I would say in addition to the "scary stuff" warnings Google employs on devices, they went out of their way to harm any serious contender for outside distribution.
Epic also went on a significant campaign to be allowed to distribute through Play, but utilize their own payment provider, but Google's monopoly wouldn't budge:
Google's Play Store demands aren't about security, they're about the 30% taxation.
The “Scary Stuff” warnings are important because anyone competent will ignore them and anyone not competent will be scared away. As they should be, because potential for abuse here is rife.
Every time a banned developer makes the front page of HN, it turned out that the company had hired a contractor or employee who had been previously banned for malware.
Like any other app not from the play store Google Play allows you to install other app marketplaces.
You just got a warning the first time you install the alternative store.
It's just incredibly hard and not worth it to start an alternative legit store unless you are huge with something that customers really want and that is not available somewhere else. (ie: Epic Games with the Epic Store for Fortnite)
>>It's just incredibly hard and not worth it to start an alternative legit store unless you are huge
Even Amazon failed at this, so it is not just incredibly hard; the roadblocks Google puts in place for people wanting to create another store make it de facto impossible. Further, they are more extreme than what Microsoft did in the 1990's with IE that caused an antitrust violation and they were forced to easily allow other browsers and allow them to be changed as the default.
I am not sure why Google can get away with what they do, even less sure how Apple gets away with it
This also makes me think that it's just too dangerous to use your long-time personal account to host Chrome extensions or Android apps that you financially depend on. The account for that should do absolutely nothing else, to have the minimum risk of it being arbitrarily shut down for something unrelated.
This also means e.g. ensuring that their recovery email address and phone number are separate, as Google has in the past linked accounts via them and shut down all linked accounts.
Agreed. The parent description makes me think of how people used to talk about "justice" before. It was at the whim of others, and only the powerful had certain access to it. But at some point, we nationalized the carriage of justice, and so we could all come to depend on it (on both the giving and receiving end)
I hope we get to the point where something in the commons (government or whatever), can offer comparable assurances about digital things that are becoming critical infrastructure in our lives
I fully support your sentiment, but you're not in opposition with the grandparent you're referring to. He didn't say that that's what he'd like Google to be (ultimately unreliable). He said that that's what it is, which is true. We should demand and expect more, but until the demands are met, well, they're not met. Nit pick.
As noted many, many times. Their walled garden, their rules. If we accept their edicts on speech, acceptable behavior, etc and accept that they can - and will - eject anyone without review, appeal, or even acknowledgement, we need to celebrate our internet overlords and definitely not say anything that might irritate them or get us reported by others we irritate.
If there is any need, it is from your government (wherever it is) to go break the Google self-supporting monopolies.
You can try to demand that a private company offers you high quality service for free, but I wouldn't recommend wasting your time. Alternatively, you can try to use other services, but again, those multiple self-reinforcing monopolies are an issue.
Hey, I too run a business that requires an extension. There are ways to distribute that don't include the Chrome Web Store, and ways to run them that don't include Chrome (like Chromium and Kiwi on Android). It actually even increases conversion rates in some cases not using their walled garden.
If your extension even gets flagged, they will disable it or uninstall it from all browsers automatically. And it will not return to normal automatically.
Actually I'm wondering if you can use the GDPR for this. It gives you the right to ask for a copy of your data. This counts for places where you don't have an explicit account so presumably I could get a copy of all data from my account even if I lose access?
If you have 100GB+ with Google, takeout doesn't work. Either you have to manually download files 2GB at a time reauthenticating each time, or try a 50GB download that times out on the server side and gets cancelled with auth error. There's no way to buy a physical backup or run a long running process to fetch your data reliably over the course of the week.
It might work if you get a GCE VM and crossload your Google takeout to cloud storage and then download using cloud storage APIs.
Looking at the choices on that takeout page, I realized that there were a number of Google services I didn't even know about: "Google Arts & Culture", "Crisis User Reports", "Handsfree", "Textcube".
>I operate on the realization that google will one day arbitrarily destroy my gmail account for absolutely no reason. At any time. Because. Due to reasons. Those reasons which include the knowledge I will likely never have anything clearly explained. Reasons I cannot appeal. At all.
This sounds very much like the old-world Christian conception of "acts of God" re: natural disasters and the like.
The Catholic Church has the concept of saints, highly placed people that intercede with God on behalf of common people. For dealing with Google, modern people petition "influencers"
The idea is old but not exactly old-world: I wouldn't be surprised to find the phrase in some insurance policies even today for example. But the whole concept of chalking things up to a God is interesting -- basically whether you believe in a God or not, it's a stand-in for anything that exists apart from us, wasn't created by us, certainly doesn't exist FOR us or do our bidding, and might do things with indifference to us that either help or hurt us. Pretty good antidote to hubris if you asked me. But yeah that does happen to be a pretty good description of Google for most people, not to mention something like COVID-19.
> I operate on the realization that google will one day arbitrarily destroy my gmail account for absolutely no reason. At any time. Because. Due to reasons. Those reasons which include the knowledge I will likely never have anything clearly explained. Reasons I cannot appeal. At all.
You're dead right. So now, in addition to trying to exercise every day, and unpack another box from moving every day, I'm committing to moving one account email to Fastmail every day.
> Famous people have lost content on google and youtube. Blocked emails. Lost videos. etc etc. I'm a nobody. If famous, "important" people have their accounts "accidentally" deleted
There have been far too many incidents where people who become virally infamous immediately have their accounts blocked or deleted mysteriously, followed by having them restored with no explanation. This indicates that Google/YouTube employs people who will arbitrarily abuse their power in the control of these valuable and highly private information resources, over whom Google/YouTube has too little actual control of oversight.
When you have something from the government like an ID card. They can't just turn it off. You have due process rights and right to appeal them turning off your ID card, etc. With private companies you don't have that. That's the danger of privatization of everything, due process rights go out the window.
Downvotable Material: There's a certain billionaire who wants to privatize the right to travel through a certain "passport" he's advocating. Will they just be able to turn you off and there will only be non-existent or unresponsive customer service that will just tell you that there are "reasons" why you're not in the system any more and they are a private company and can do whatever they want and buying their product is optional, when it really isn't. Hopefully, if this ever comes to pass, there will be extensive regulatory legislation like the Fair Credit Reporting Act to keep this sort of thing subject to due process and transparency. The global nature of this "passport" means that when in foreign countries with weak judicial systems they might still be able to arbitrarily terminate your account.
For those wondering how: just replace .git suffix with .wiki.git suffix to the repository URI and you can access the Wiki (assuming it is enabled for the given repo)
Why is that? Is private business obligated to follow host country's foreign policy? My instinct is to hold the business responsible for these decisions.
Censorship is a law in US now? Or, are you saying that it's law to follow its foreign policy? In that case you sure have a round-about way of saying that.
The Trading with the Enemy Act empowers the Office of Foreign Asset Control to come down very hard (million-dollar fines and years of jail time) on anyone dealing with a sanctioned nation (N.Korea, Iran, Cuba) or anyone on the list of Specially Designated Persons and Nationals. This is absolutely the law, yes.
The accounts were closed because they were business accounts from sanctioned countries? I didn't realise that. I had misunderstood that Github was enforcing the said countries' censorship.
My point is that it sucks to discriminate against people just based on where they live. One day you're in Sevastopol working remotely for some company that uses GitHub. The next day some politicians decided you're in a "bad" place and you're permanently banned. It sucks, and hopefully it won't happen to you or me, but it totally could.
You act like this is arbitrary.
"Politicians" with radically opposed worldviews, and from multiple countries, have endorsed this policy, including all recent presidents.
If you live in Iran, not having GitHub is a problem, but not your biggest one.
Sure, but that's a consequence of international war.
The war (and the warmongers) is your main problem. The rest are a large pile of details. When the tanks roll in I'm not worried about my GitHub issues.
This comment, perhaps unintentionally, does imply that the people in those countries deserve less, are less than, us. That's a morally reprehensible position to take, imo. Is that your position? Are you aware of that implication behind your comment?
No, the comment implies that risks that only apply to people in two countries don't apply to people not in those countries. This doesn't in any way suggest they deserve less or that their risk is morally irrelevant. Simply that the risk to them is not something I need to factor into the risk assessment of my own account.
GitHub is also much newer. Microsoft, its parent company, isn’t all that better as well.
I think there was a OneDrive-triggered killing spree at some point when they made backup to it more or less silent and offended by what people were “uploading to website”
It seems like a pretty safe default policy for any service you get for free, or where the company is under no contractual obligation to you to do, well, pretty much anything.
Has anyone done a social science research study to estimate the chances of losing a Google account?
This is an important number. 1% annual chance? bad deal. 0.01% annual chance? Maybe worth the risk. 0.0001%? Sure, I'm more likely to get hit by lightning.
I lost one of my (two) Google accounts. Still had username/password, but IIRC, they demanded text confirmation from a phone I no longer had. Tried absolutely everything, but they wouldn't budge.
Not sure how to judge the annual risk, but there seem to be a lot of other stories like this.
I prefer to think of it in terms of "nines" of reliability. My account was "up" pretty continuously for maybe eight years. It's been "down" continuously for four years plus the next thirty-plus that I might need it. So, a total downtime of 0.81. Being charitable, I'll call that one "nine".
Nowhere in tech would that be considered acceptable.
Let's go even more general: I would be unable to download PlayStore apps without violating the EULA. Did you know my apartment building's washing machines are literally inoperable without an app? For every app, you need access to the app-store platform. I wouldn't care so much if it's optional. However, we are at the point where we can't use basic household appliances without apps...
This is exactly the argument that android/ios apps, google accounts etc, is it optional or not. I couldn't go to the gym where I paid in advance because I didn't have a supported phone (latest android or ios). You'll always have a choice right, now it's the choice to wash your clothes by hand. Who knows next time you might not get an apartment without a gov approved android/ios app on your phone, it's a brave good old world again.
I lost mine a few years ago, since then Google is an absolute no go for me.
Had it for a few years back then and never did anything bad or oblique with it, just used it as my secondary email account and also for deploying a small, harmless Chrome extension to the Chrome store.
So one day my wife bought a tablet and also registered a mandatory account. 1-2 days later my and her Google accounts were terminated. I mailed support and they told me they couldn't tell me the reason for terminating both accounts. No kidding. Tablet suddenly obsolete. All my emails gone.
Since then Google is a big red flag for me.
Addendum to clarify: They said they won't tell me the reason for terminating my account. I'm sure they could have told me if they wanted to.
Somebody (presumed ex- or current-employee) took a handful of iOS devices from our office a few months ago. Changed the password to the Apple ID, added 2FA phone number.
The account isn't even deleted, and we can't get back into it.
We have a dozen other devices logged into that Apple ID, all prompting for the password. You cannot install updates, you cannot roll back, you cannot log out, you cannot factory reset.
Apple have been no help at all.
The devices we have that are logged into this account are bricks. Apparently if we have original proof of purchase, we can take them into an Apple store and have it reset. But a lot of our devices are older or were acquired refurb/used - they're used as testing devices.
The accounts are locked, they just won't help us get back in, we've tried several times and channels. We've offered to do anything, sign anything, they won't do it. I once went through password/2FA recovery with an Amazon AWS account, and it really wasn't that painless (sign some legal paperwork, show a bunch of documents).
We are an unknown startup, but we have generated millions of dollars for Apple over the past decade in App Store cuts. If we can't get back in, I don't know how it'd go for grandma's iPhone.
> If we can't get back in, I don't know how it'd go for grandma's iPhone.
I can tell you about grandpa's iPad. We couldn't find the proof of purchase after he locked his iCloud account (memory isn't great at that age). It's now a paperweight.
I would say the lesson is call your congressman and pass some laws.
Landlords in the USA can't kick people out instantly AFAIK. Banks I'm guessing have regulations that prevent them closing your account and throwing your money in the trash. I'm pretty sure the electric company can't shut off your electricity on a whim.
People are dependent on Google and Apple and their devices and services to similar levels. Email and messaging services are similar to phone service which is regulated. Apple and Google both provide payment services (Apple Pay, Google Pay) so are providing some of the services a bank offers.
Sure they should be able to close problem accounts at some point but IMO they can't just walk away from responsibility based on a one sided TOS.
Many of those laws you speak of were created in a different era. The last 2 decades have been the time of increased corporate power and reduced individual power. Citizens United, for one.
Good idea, but the lesson there would likely be that the $ trillion corporation owns the politicians, or would have more representation than average person, so recourse through that path is out as well.
Neither... maybe Biden simply to shakeup and push further towards an "accelerationist" change of the system (because he won't improve things either).
I voted for Trump in '16 to increase manufacturing, close the trade deficit in the midwest, and end neocon wars in the middle east (I fought in Iraq and Afghanistan).
I also support restricting immigration, though I know that's controversial around here. In any case, Trump has failed miserably on all counts. He's more concerned with the stock market than almost anything else, and has stacked his administration with neocon retreads, not pulled troops out etc.
Unless and until some sort of massive restructuring of our political and monetary system, the whole thing will continue to be controlled by banking and finance. No party serves my interests (a more nationalistic economic and industrial policy, and a more socialistic yet conservative social/cultural policy). We have left wing social culture, and market/finance dominated economic policy. Worst combination in my opinion.
Not sure if you have tried, but iTunes allows one to do a Device Firmware Update (DFU) of any Apple device with an IPSW file (basically ios firmware) practically making them a brand new device.
Although it is a bit of an overkill, because technically you would be overwriting the iOS firmware with a stock one. It does help. I had to use it on my aging iPad 2 a couple of times and haven't faced any issues thus far.
I lost an Apple device once (several years ago) in a public place. A couple of days later I got a customer service mail from Apple asking for feedback on a recovery service for the device. So clearly whoever found my device was able to get it unlocked by Apple, or at least get it reset by them to the point they could use it.
That was a disappointing experience. Mailed Apple, but no reply. Fortunately not much personal data on the device. Hopefully things are stricter now.
Although this points to how it's always something of a tradeoff. Absolutely require people to have certain specific information and those who don't have it are pretty much SOL. Perhaps you can make exceptions that require showing up somewhere and present physical ID. But the easier you make it to tell a sob story over the phone/email to get an exception to policy, the easier you make it for unauthorized people to take advantage.
Those were cheap tablets from Aldi / Medion one could buy in Germany back then and they required a mandatory Google account to use them. Can't remember their name; they cost about 150 Euros back then.
I found it unapologetic to get my account, which I then have used for years, cancelled without any explanation or sign of wrongdoing.
But what should I say. I didn't pay for it so it was well within Google's rights and discretion. At least this made me aware that such behaviour exists.
that was forced on some cheap androids between version 3 and 4.
after 4.4 they dialled it back to instead of required now they only apply some seven dark patterns to try to trick users into thinking it is mandatory.
same effect to most users, zero regulatory consequences
the tablet part makes no sense, you can always create new Google account or just use tablet without google account, installing apps through aurora store or apkmirror would be minor annoyance though
After you sign into an Android device with a Google account then factory reset it, you have to sign in with the same account before you can use a new account. It's an anti theft precaution.
AIUI that's only if you "factory reset" from outside the installed OS. You can explicitly remove the existing account from your device, and I think the OS-level "factory reset" function actually does this for you.
Sorry if you don't believe it, but I tell the truth here. No need to make things up. The tablet required one to have a Google account connected in order to use it, plain and simple.
A funny one: I am locked out of a former Gmail that forwards every email to my currently active address. This "forward everything" is not throughout IMAP/Pop but some Gmail feature.
One day I couldn't login anymore to the old account (maybe I typed the wrong password 3 times or maybe it was deemed inactive because I would never login?)
I try the recovery process once in a while with everything (code by SMS, code by recovery email, etc). Never works.
But I still receive every email sent to that account through the "forward everything" setup from XX years ago.
NB forwarding does NOT include "spam" email... i have all my Gmail accounts funnel into one and i check the spam buckets of all, every 4 weeks (otherwise Google turfs em). i usually find a few (rather important) false positives in that monthly sweep.
Further note that gMail filters at every step, eg this includes a downstream "archive" account. So there are false positives coming from a "known" [single source] good account and of already vetted emails...
i do wish there was a way to forward everything ... where everything meant everything ... filtering optional.
You can do this by setting up a filter that matches all messages that don’t contain something like “thisrandomstringwillneveroccurinthewild”. You can have the filter forward the message AND say “never send to spam”.
Ha I'm in the same boat as well. Locked out of my first ever Gmail account and thank the stars that I had this forward everything set up.
Every few months, I try the recovery process again to no avail. "Sign-in with Google" is very convenient so it'll be a pain to move to proton + outlook but c'est la vie
Are you me? I also don't have access to my first Google account but it forwards all of its emails to my current one.
I can confirm it works as well since someone sometimes fat fingers whatever email address they use for car repair and I get the invoice for it due to Google not respecting the dots in the email address.
My master plan is to get hired at gmail just so I can click the admin reset password button and get access to that account directly so I can finally see the very first emails I ever received.
Similar thing happened to me. Lost access to a perfectly set-up forwarding account. The account recovery process is impossible because I no longer have the same phone number from 10 years ago.
Hey me too! Changed my phone number like 12-14 years ago so can no longer access the account.
And same as everyone else, already had forwarding in place so it's just kind of... there in an uncomfortable limbo. I don't really use it for much so it's not a big loss but it would be nice to resolve one way or another.
I stopped using "Sign in with Google" about a year ago and moved to storing all my passwords in my Firefox account and in Bitwarden (and sometimes in iCloud for good measure).
I never use Google to login anywhere anymore. I create an email and an (autogenerated secure) password everywhere. If they don't see fit to support this, they don't get my business.
Then I just let Bitwarden/Firefox take care of everything. Logins, etc. I have 500? passwords stored. Don't know any of them. I prefer it this way.
The same thing happened to me, I happened to notice and set up the forwarding the day I lost access to the account. I feel pretty lucky for that, it made leaving much easier.
I wouldn't be surprised if forwarding is a "This account is compromised" indicator and is unintentionally short circuiting and causing accounts to be locked out.
That makes sense in my scenario... I'm in this scenario, but if true, that just means the owner loses the account and the alleged infiltrator(s) keep the forwarding.
I've got an old gmail address with pop3 enabled that my main gmail account pulls emails out of. Hadn't logged into the old address in a couple years because everything was working. One day I decided to rotate all of my passwords, got to that old gmail account and it refused to let me log in and wouldn't say why.
"No big deal" I thought, I use a password manager, have all historical passwords, have the 2fa device, same phone number, same address, I have access to the recovery email address, and pop3 still works so I know I have the current credentials. I'll just reset the password.
Nope, wrong. Even though I have every possible form of identification the account will not let me log in via the web interface and will not let me reset the password. I get stuck in a loop that eventually ends with "Thanks for verifying your email. Google couldn't verify that example@gmail.com belongs to you."
The pop3 functionality still works, but the password can never be reset and the web interface can never be logged into. I suppose this will continue until the day google decides to ax pop3 and imap, no doubt accompanied by a blog post with comments disabled explaining it's for our own good, at which point that address will be lost to the sands of time.
Thanks for that anecdote. I was planning on using the lockdown home office situation to finally buy some domain and set up my own email server.
I wasn't sure whether I should set up forwarding on my Gmail account or have the server fetch mail from it regularly. Was leaning towards the second option but I think now it's settled which option to choose.
Edit: Ok there's one more stupid scenario. Let's assume I do lose access to the Gmail account but forwarding still works. Now I'm in an accident and stay at a hospital and totally forget to pay the renewal fee for my domain. Boom, some domain squatter gets all my mails. Actually, that would even apply without Gmail in the mix. Sure I'd set up automatic payment for renewal but still, can I be a little paranoid here? ;-)
You can even automate that, for up to 100 total years of domain ownership, if you are willing to deal with Network Solutions.
They offer terms of 20 years and 100 years, which are longer than the standard maximum 10 years. The way it is implemented is that they register the domain for you for the maximum allowed time (10 years for most TLDs), and then each year they extend it by a year, keeping the expiration as far out as allowed for that TLD.
I looked at this a while ago, when contemplating moving my domain in .net from there to Namecheap (where I already had a .us domain), because they gave a big enough discount on 100 years that it brought the price per year to $9.99, which is pretty good for a .net.
Then I realized that even if I lived long enough to become the oldest living human I'd still only get about halfway through the 100 years making the cost per year effectively $20, which is a crappy price for .net.
Now it is even worse. They have doubled the price for 100 years, making it a crappy deal. Even if annual .net renewal went up 10% a year, it would take 29 years before you would have been better off going with 100 year NS over year to year Namecheap. (The NS 20 year plan would be better off after 16 years).
At 5% annual increase, NS 20 is about the same cost as Namecheap, and NS 100 beats Namecheap after 44 years.
(This is all assuming that in the Namecheap case the money that would have been spent upgrade on NS 20 or NS 100 is just sitting around. If you assume it is invested in some safe long term investment, NS 100 and to a lesser extent NS 20 makes even less sense. Also there is the risk that at some point NS will no longer be around and their demise happens in a way that kills these long term registration programs).
If your payment method can be auto charged each year, and is paid for out of something like investment income, your domain is essentially perpetual (I do this).
"Thanks for that anecdote. I was planning on using the lockdown home office situation to finally buy some domain and set up my own email server."
Don't do this. Buy an email with a domain that offers email. e.g. gandi.net or infomaniak.com
They do have phone numbers if things go wrong. Hosting your email is easy. Having your emails delivered and not blocked is an art.
This also happened to me. I have a second email address I set up and set all forwarding to another Gmail. I've lost the password to the second account, but still receive all of the messages. it's not that I need to get into the account or use that email address. mostly I just want to make sure it's secure and nobody else can get into it.
Who knows... maybe someone else recovered it that he's using it as their primary address and I'm just getting copies of all their messages?
What troubles me about this is how casually we've moved everything to e-mail, on the assumption that everybody can get a "free" e-mail account, even tho the account isn't actually "free" and can be taken away from you without you doing much of anything wrong.
Very similar to how a phone-sim has kinda become the de-facto digital ID of most people.
In the long term, where does that leave people who can't afford a mobile phone/a paid e-mail account?
This is already somewhat of an issue with certain digital services that won't accept e-mail accounts from free providers that are too abused for spam.
What happens to the people who can't afford a paid e-mail account when billing and so many other services are moving to digital heavily depending on the availability of e-mail?
In contrast to that, I don't have to pay a monthly fee to have a physical mailbox at my door, but that won't get me far with most digital services.
> In contrast to that, I don't have to pay a monthly fee to have a physical mailbox at my door
Sure you do: it's either rent or city taxes. The fact that the mailbox comes bundled shouldn't blind you to the reality that you (1) do pay for it, and (2) many people lose access to that address due to inability to keep paying, and it heavily harms them.
An email address is comparatively way more easy to maintain, even with the occasional Gmail account closure (which are rare).
My patient base includes a fairly large homeless cohort. They maintain email addresses; some of them maintain phones. But a physical mailing address is basically unattainable.
> What troubles me about this is how casually we've moved everything to e-mail, on the assumption that everybody can get a "free" e-mail account, even tho the account isn't actually "free" and can be taken away from you without you doing much of anything wrong.
As far as standards go, E-Mail is pretty much one of the more, if not most, open ones out there. You can easily host your own server. The RFCs are free to read and there are many open source solutions doing the hard work for you. Sure, there are problems with spam defenses and acceptance from residential IPs, but overall it's one of the few meshed standards left. And it's nearly impossible to get it any more free; after all, there are many privacy-focused GMail alternatives (i.e. Protonmail) which work just as well.
And let's be honest - if we'd be replacing mails, we wouldn't get something better. It would be more like "login via Google/Facebook". I'm really happy E-Mail is still alive.
This is also very problematic for people who disagree with the terms of free email providers (like you already mentioned ""free" isn't really free"). Of course, if one is in financial trouble, then they probably have larger problems but it's still worrying to me how privacy is becoming a luxury good instead of the default.
It should be seen as a "hidden cost" to any digital service that requires an email address (either monetary for a trustworthy enough email account or in the form of privacy).
As an aside, this sort of forcing people into using digital services with terms they don't agree with has become widespread during the pandemic and it kinda makes me angry how no one is thinking about any of this.
I'd like to think the reason developers/companies require you have an email address is simply because the availability of free email has been a thing for 20 years. If that changes sometime in the future, I'm sure companies will rethink their sign-up flows to allow other forms of [free] communication to be used.
> What happens to the people who can't afford a paid e-mail account when billing and so many other services are moving to digital heavily depending on the availability of e-mail?
Unless things change a lot, any company that wants the general public's business will accept free email accounts.
The same goes for why every company already requires an email address at all - their target market is anyone with internet (excludes 10% +-1% [0] of the United States) that can create an account with Apple, Google, Yahoo, or Microsoft.
This is very similar to bureaucracies assuming that everyone has a "permanent address". This is most definitely not true for folks who own property, and the overhead of updating changes on the bureaucratic database can be exhausting. Further, homeless people are largely illegible in this setup. As a society we don't seem to give enough of a damn about these issues.
Email addresses are just the internet avatar of the problem.
It might be a reference to "seeing like a state", in which the author broadens the word "legible" to mean "readable by the state".
For example, a nice organised tree farm, where you chop down trees on 1/30 of the land each year, and loop around every 30 years has nice clear inputs and outputs, and is easier to assess than a old growth forest in which the local village has rights to some wood, but no one really measures what they cut or anything.
Under this meaning of the word, homeless people are invisible, or illegible to the state, as they don't have a fixed address.
This happened to me. I managed to log in to my childhood Email account (or rather, have it recreated since my dad owned the domain) and open the link from a password recovery email and google still refused to let me in even though I had been logged in on the same computer just minutes ago.
So because their authentication used some stupid heuristic combined with the “no reusing old passwords” thing I was forcibly deplatformed. I’m not making another account, I already wasn’t happy with google and that was enough to make me give them up.
You can self-host. Don't use cheap VPS providers, spammers like cheap VPS too. I can't give US specific advice, but in EU business Internet connection with static IP is good enough. If your finances allow, reputable colocation provider is good way to go. Now you can make your own little digital home; file storage, mail, homepage and so on.
That has worked for me for over 15 years, over 5 ISPs.
Additional bonus: instead of the well-known "+" trick in gmail addresses you can make real throwaway addresses.
Unfortunately, this may not be enough. I used to self-host, and ended up moving to Fastmail because of deliverability problems to GMail. This was on a physical server hosted at a reputable colo in San Jose. Nobody could ever figure out why I'd often end up in the Spam folder. Not the HN commentariat, not even my SRE friends at Google.
Honestly, it's a huge relief. Self-hosting has gotten much more complicated over the years. It's very nice to know that there's a round-the-clock staff of professionals taking care of security, deliverability, and fighting spam. And software upgrades, of course!
> Nobody could ever figure out why I'd often end up in the Spam folder. Not the HN commentariat, not even my SRE friends at Google.
I had this exact same problem 3ish years ago and bailed out to Fastmail for the same reason. The thing that made me throw in the towel completely was what I found out from someone who looked into it for me after I shook the tree of my professional and social contacts. This person was involved in Gmail but not directly in anti-spam, but told me that my domain had "limited reputation."
That domain, which predates the existence of Google by at least a year, had been hosted on the same IP address (IPv4 and IPv6) for almost a decade, with the same MX, A, and PTR records for the entire time. Nothing at all changed about how that domain was configured. Yet it was intermittently being flagged as "limited reputation" and either dumped in the spam folder or simply accepted for delivery and silently dropped.
I took that domain and moved it to Fastmail 3 years and 3 months ago--I know the exact date because I paid for three years of e-mail service at the time and recently renewed it--and haven't had a problem since because, unlike my single-server operation that used to be considered an equal peer on the Internet but not any more, Fastmail has enough pull and reputation to not have messages from its subscribers blocked by other e-mail hosts.
That makes total sense to me, and my situation was similar. I have often suspected that the problem was just that my mail volume was too low. Which totally fits with my impression of Google as being entirely ok with bad outcome for individuals as long as the percentage is low enough: https://news.ycombinator.com/item?id=23059071
It is notoriously impossible to host your own email. Large email providers have created an oligopoly of email "quality" acceptance, and there's effectively no way to get your deliverability to a reasonable rate unless you use one of them.
I don't think it's necessarily malicious in nature - more the product of spam filtering.
I wonder if email authentication methods like DKIM/SPF/etc.. help this problem these days.
So, you point out that gmail was opaque and unpredictable in a thread about google being dangerous? Seems fitting.
Sadly, that is on google, you aren't really safe anywhere, if gmail is involved. You think that using big provider protects you, but in reality some people are complaining about spam marking issues even gmail to gmail communication.
+1 for self-hosting. Doing that for nearly 10 years now, by far the most difficult part is setting up a mail server, but after that you can put on your resume that you know how to configure Postfix (which I am quite certain is one of the most difficult Linux server applications to configure). Backups, webmail, file storage, calendar etc. are quite easy to set up.
Postfix has a flexible configuration system with many knobs. I would say though, that the official documentation is nice and detailed. Last time I checked, Debian defaults looked pretty good, so you don't need to fiddle too much to get a reasonably useful and secure setup.
I saw migadu in a recent thread on HN and am now a paying customer. But even the free tier is impressive (unlimited domains!) and support is human & very quick so it won't delete your account for non-payment (looking at you mailbox.org)
It's been few years. I am on Mailbox's 12 Euro/year plan which has "forum" only support (I am not sure it changed after I became a customer). My emails suddenly stopped working once and I received email response after a week (which just had an irrelevant link). I had reset the mail setup by then after backing up email from local client. I replied to the email asking what went wrong and never received a reply. They seem very aloof and high-handed about customer support if I may say so.
I am looking at moving my mail provider. I have stopped using @mailbox.org mail for online a/c signups etc (which I did a lot earlier) and have started removing it from wherever it is used already.
Is Migadu stable and been around? How's their service and privacy track record? Did you evaluate any other provider in Euro 12-20/year budget range? My email usage is extremely low volume.
Migadu fan here. They recently overhauled their admin interface and have updated the SPF/DKIM setup. It's $4/month and certainly good. They’re based in Switzerland so GDPR compliant. Data stored in France though in an ISO/IEC 27001 compliant datacenter.
Their privacy policy is well written (I have read 100s if not thousands of them in grad school, I can tell you they’re not vague)
Support is human!!! It’s really good to know there’s a human on the other side.
The problem this article touches on is huge, because everybody who has a computer is affected and almost nobody takes the necessary precautions. Especially non-technical computer users can easily lose years worth of important data.
I've tried to set up contingency plans for the cases that I lose access to my:
- phone (which contains Google Authenticator with plenty of important logins; unfortunately some of my 2FA is still based on SMS)
- my laptop
- my Yubikey
- my wallet (with ids and a credit card)
due to theft, damage (house burns down) or simply loss.
Another under-appreciated risk: losing my memory (my master passwords are only in my mind - what happens if I suffer a head injury and forget?)
Redundancy is one countermeasure: Have more than one bank account + stock portfolio, more than one credit card (servers might go down if a credit card is blocked) and physical devices (phone, laptop) in store to stay operational in case of an emergency.
Full machine backups + regular uploads "to the cloud" for raw data; occasional transfers to (multiple) external hard drives.
I don't think there is a way around a safe physical space with printed backup codes on it. Ideally not in the same house - maybe with a bank?
A list of instructions for numbers to call for account recovery or blocking. Which information will I have to provide?
In a similar vein: what happens to my data after I die? How would my (non-technical) family be able to access my pictures and writings? A digital inheritance would be prevented in my security set if I don't prepare.
This space is fascinating to explore, the zeros and ones people have stored on their devices are incredibly valuable to them and this treasure is poorly protected. Generally speaking: No backups, weak passwords, outdated software, old hard drives ... risks abound
Google surely has very capable security people, but right now my account there is the central vector of attack, most of my passwords can be reset through my email, a huge portion of my communication runs through Gmail, Whatsapp is backed up to my Drive, most of my pictures are on Google. It's probably a good idea to disentangle the situation a bit to be prepared for the case that Google's fortress gets breached one day.
Without compromising your security - I'd love to know how others approach their personal IT security challenges?
> Without compromising your security - I'd love to know how others approach their personal IT security challenges?
Most of my security is based on OpenPGP keys stored on a Yubikey. In case the first one is broken/lost I've got another one. If both are lost there is a master copy on an offline computer that can be used to provision more Yubikeys.
The key unlocks access to passwords stored in pass. Because pass is based on git and gpg can be used to access SSH then the same yubikey is used to pull/push changes to pass and read encrypted passwords. On both the laptop and the phone (Password Store).
Data on the computer is LUKS-encrypted, unlocked by the Yubikey. Full backup of my laptop's SSD is done via btrfs send/receive to a raid1 array of 3 disks (raid1c3) at regular intervals. A small subset of very important data (documents) is also backed up via restic to S3 and Backblaze.
I try to "backup" as much of my work as possible by releasing it as open-source (where it's preserved by the Github etc.) or publishing it on a web-site (where it's preserved by archive.org).
> In a similar vein: what happens to my data after I die? How would my (non-technical) family be able to access my pictures and writings? A digital inheritance would be prevented in my security set if I don't prepare.
I've been thinking about this lately and maybe it's not a popular opinion but... would people really need your data when you die? I get access to photos (my SO has the PIN code) but everything else? Maybe this is just digital junk? Who would enjoy browsing terabytes of my data looking for... what exactly?
This sounds like my dream setup. Have you written about it somewhere in more detail or could you recommend some resources that you've used for implementing the solution?
> Most of my security is based on OpenPGP keys stored on a Yubikey. In case the first one is broken/lost I've got another one. If both are lost there is a master copy on an offline computer that can be used to provision more Yubikeys.
Sounds like a good start, I'm going to have to do much more reading on this, I use my YubiKey just as a browser 2nd factor for a few 2FA apps.
In general I'm not sure how the YubiKey stores keys and till now I had no idea you can backup YubiKey
> The key unlocks access to passwords stored in pass. Because pass is based on git and gpg can be used to access SSH then the same yubikey is used to pull/push changes to pass and read encrypted passwords. On both the laptop and the phone (Password Store).
I'm not sure about storing the master keychain file in Git, but the workflow sounds interesting (I didn't fully understand the paragraph though).
> Data on the computer is LUKS-encrypted, unlocked by the Yubikey. Full backup of my laptop's SSD is done via btrfs send/receive to a raid1 array of 3 disks (raid1c3) at regular intervals. A small subset of very important data (documents) is also backed up via restic to S3 and Backblaze.
This is next level and not of immediate interest to me. I was looking at something simpler like: https://cryptomator.org/
> In general I'm not sure how the YubiKey stores keys and till now I had no idea you can backup YubiKey
Well, actually you can't. You can back up keys if you create them in software and then just copy them to YubiKeys instead of moving them there. If you do that on an offline computer there is no risk of any malware stealing your keys mid-process: https://news.ycombinator.com/item?id=21701488
Setting up Yubikey and OpenPGP took me some time reading all resources on the net but once done this is just working without any hiccups.
> I'm not sure about storing the master keychain file in Git, but the workflow sounds interesting (I didn't fully understand the paragraph though).
If it's encrypted there is not much harm to be done here. The only leaking info is that by default pass uses filenames based on domain names, so if you have credentials for news.ycombinator.com they'd be in the "news.ycombinator.com.gpg" file. For me a private repo for this use case is OK.
> This is next level and not of immediate interest to me. I was looking at something simpler like: https://cryptomator.org/
Yep, I do store external disk passwords in pass too. Udiskie can use a decryption command so when I put something like this in the config: `password_prompt: ["pass", "devices/{id_uuid}"]` it will grab the password from password store. This has an added benefit that I won't forget the password (it's stored alongside all others) and it's always valid (it's checked on each boot by udiskie).
I wonder if you push your Password Store to GitHub? Its encryption is based on RSA with around 128 bits of security with current keys. It's unclear if it's going to stand beyond 2 decades.
I might be paranoid but with clouds I would be more comfortable with AES-256. If RSA is a must, maybe RSA 7680.
For the record there are quite a few new algos in GPG, most notably ed25519. While RSA 7680 offers 192 bits of security [0] ed25519 on the other hand is offering 128 bits of security. GnuPG 2.3 will have ed448/goldilocks available [2] and that should offer 224 bits of security [3] so in theory it should be better than RSA 7680.
I don't mind putting my encrypted passwords in a private GitHub repo but I understand the concern.
> losing my memory (my master passwords are only in my mind - what happens if suffer a head injury and forget?)
Not just a head injury, this can easily happen if you find your keychain 10 or 20 years later. I don't think that there is a good solution to it. Maybe biometric data, but then again, I want to have control over when my data is accessed, and in many countries it's legal for law enforcement to make you use your finger or face.
Physical safes don't lock things the way cryptography does. You can always get in, especially if you're the legitimate owner because that way you don't need to worry about doing it in secret and not making a lot of noise.
Start by not using Google Authenticator. It's outdated and has security vulnerabilities allowing malicious apps to extract your code. And it's impossible to back up without a rooted device. Anything that supports "Google Authenticator" really means any TOTP app is supported, so for example andOTP on Android may be a good choice. Or you can use Authy or 1Password if you trust them.
Phone broke and I must have made a typo while doing a regular password change - now I have no way to again log into my account as I can't provide the 2FA and none of the other options work (providing old contact emails, phone code, backup email, ... All doesn't matter just because I don't have the authenticator).
and closely related: the "digital graveyard", there's this Wired article of a guy who recorded his father and trained a voice model on his written communication [0]. A place to go if we want to be reminded of the voice, handwriting, face or attitude of a loved one. Faraway stone plates on crowded graveyards don't seem appealing to me in a world where families are often dispersed over the globe.
Something like Aegis is much better than Google's authenticator. You can back up your keys and store them somewhere secure (VeraCrypt or whatever), and it also lets you choose custom icons, which makes it a bit easier to see what is what at a glance.
I would first write down the master passwords, and store them somewhere safe.
It does not have to be fort knox safe, enough if stored at a trusted place which has no direct relation with you (in my case it is my best friend I trust with my life)
The article seems only to focus on what happens if you lose your ways to authenticate, but another possibility is getting caught in some weird ban wave like spamming emotes on a youtube stream when the streamer asks you to (https://9to5google.com/2019/11/09/google-account-bans-youtub...) (most of these bans seem to have been reversed, but I don't know if that would have happened without the publicity that came from a popular youtuber calling out google for banning his fans ...)
It's still absurd to me that you can get a full account ban for anything, no matter how big or small. Why aren't these bans more fine-grained? Is it so difficult?
Don’t use Google. Most third party sites that give you an option to use Google, Facebook, etc. also have the option of just creating an account on their site.
As far as email, create a domain name and use your own email address.
Free will is great isn’t it? Everything doesn’t require the nanny state to step in and solve all of your problems.
You're not thinking of the typical consumer, who won't have a clue about why using a proprietary service could be bad until the shit hits the fan.
It's all well and good for you - someone who's aware of the risks and issues - to say "just don't use Google/Facebook", but laws would protect the average person who just wants the quickest/easiest way to get an email account or to sign in to websites.
Also even if consumers were all highly educated in the pitfalls of Google etc., major websites still force you to use Google technologies whether you like it or not. Google Recaptcha is everywhere; eBay forces you to use it to sign in to your account. Are people supposed to "just not use eBay" now as well?
So now we need laws instead of education? Are you also okay with Apple’s “walled garden” because it protects people?
Yes, if you don’t like the tradeoffs that eBay gives you - don’t use eBay. You can use Amazon, Facebook marketplace, Craigslist, etc. to sell and buy stuff.
I’m sure it would be much more efficient if we passed laws stripping everyone’s freedom of choice and entrust the government with enforcing “The One True Way”. What next? Have a centralized authority to guide the economy using “Five Year Plans”?
Optional technologies or services are optional until they aren't.
Dependencies create de facto requirements, with the alternative of severe disadvantages if opting out.
Corporations answer to shareholders, creditors, business partners, and management long before they do individual users. Who, in the case of Google, aren't even direct customers (advertisers are). Representative governments answer, however imperfectly, to the governed.
Email self-provisioning has significant hurdles for even technically-competent individuals let alone the general public.
Your suggested alternatives ignore the problem and create more.
> Optional technologies or services are optional until they aren't.
So now we are going to go down the whole “Minority Report” rabbit hole and make laws just in case? You don’t tie your login infrastructure with Google, you use OAuth 2 and plug in any third party you wish.
> Representative governments answer, however imperfectly, to the governed.
How well is that working out in the US between gerrymandering, the electoral vote having an opposite outcome than the popular vote, and how it is almost impossible to get rid of an incumbent?
> Email self-provisioning has significant hurdles for even technically-competent individuals let alone the general public.
I didn’t say set up your own email server. I said create your own domain. You can create your own domain with your own email address with a few clicks on GoDaddy. If you don’t like GoDaddy, there are dozens of other places that will transfer your MX record to them and you keep your own email address.
Depending on your jurisdiction, there are numerous laws and regulations governing private business-individual services and relationships, including those concerning employment, housing, transport, communications, lending, banking, data services, healthcare, barber and cosmetologist services, food, drink, lodging, gambling, theatre, insurance, brokerage services, funeral and burial services, and others.
Regulations serve to create a common and uniform floor of service levels.
The problem with a strictly voluntaryist, free-market, laissez-faire approach is that it tends strongly to a Gresham's law "bad terms drive out good" race-to-the-bottom dynamic, particularly unfortunate when there is but one monopoly provider on the market.
This occurs well before reaching the far end of the slippery slope on which you seem to be perched.
Several of my earlier comments have been badly misapprehended, I'll not belabour them though I'll note the fact.
Gresham's law doesn't work in strictly free market economy. By definition, debased coins will drive out regular coins only if you force the acceptance of both coins at face value. It only works under legal tender laws.
If people read the conditions of the free google account they realize that the service can be terminated at any time for any reason without warning, and there's absolutely nothing there about any corrective mechanisms.
Contrast this with terms of [especially national] domain name ownership.
Anyway, given the number of people who will give their data to such a service under such conditions, you may well be right that some regulation would be useful, especially around getting your data out in some short time period after account termination. (But only to holders of the valid authentication credentials.) Forced email address portability would also be nice (provider would have to forward incoming emails for a reasonable fee or for free), for some limited time, maybe a year.
You have to remember: politicians are the geezers that gave Zucc softball questions on FB violates their users (0), wanted to ask Bill Gates how to lock down our internet (1), never mind the countless nanny state bills they have proposed over the years to censor the entire internet like they do for their grandkids. Please don't ever, ever forget that these people have not a clue how any of this works and will take an axe to the security and openness of our beloved series of tubes.
Yeah that was snarky. But are you actually saying there is no alternative in your country besides Google? Yes you can get to google.com from almost anywhere in the world. That’s kind of how the internet works.
You can also get to another website just as easily.
1. The average tenure of Senator or Representative in the US is steadily increasing (https://www.termlimits.com/new-research-congressional-tenure...) and because of how much money it takes to win an election, it’s really hard to get rid of a member of Congress.
2. Because of how both the Electoral College was designed and the design of the Senate with 2 senators per state regardless of population, if you live in a more populous state, you have less voting power.
3. The more tenured Senators have more power and they have the power to block legislation. The people of the state where the leaders live are the only ones that can oust the Senate leaders.
4. Most rules aren’t done by legislators they are done by committees led by Presidential appointees who are approved by the Senate - again appointments can be blocked by the leaders of the Senate. Many of their policies are approved and struck down by unelected judges.
5. Then there is always gerrymandering.
6. You really don’t believe politicians - many of whom basically did insider trading pre-Covid - are greedy rich people? The President himself is a billionaire.
“I trust elected politicians, controlled by checks and balances, more than unelected greedy billionaires only supervised by themselves.”
So the alternative between trusting greedy rich people who both don’t have the power of the state, and I can choose to use alternatives, is to trust greedy rich people with the power of the state - most of which I have no power to get rid of because a) they aren’t in my district, b) the alternatives don’t have the money to get elected, and c) get elected by the flyover states because they have two senators just like the more populous states
I agree, but come on. Let's be honest about the scope and magnitude of this bucket. I have a business that relies on a Chrome extension to be on their web store.
Say I accidentally trip off something in their opaque machine learning algorithm that determines my extension (or even a YouTube comment!) breaks their terms of service. They would have the right to completely block my account and remove the extension. Effectively, wiping out how I make a living with a single automated bit flip.
It hasn't happened to me, but the people that share horror stories of how it happened to them scares the $#!7 out of me.
As the Internet gets more privatized and less "open", I just wish there was something that required a fair "trial" of my account being suspended. The balance of power online is slowly shifting and I feel there needs to be something protecting the rights of individuals (the public) online.
Congratulations on being a better Internet user than the rest of the world! You are clearly very proud.
For the vast majority of people, their SaaS email (in most cases probably a Gmail account) is in fact their primary identity on the Internet, and that's not going to change because they wouldn't even know where to start looking for other options.
Before you say "that's their own fault for not knowing better", I would ask you: did you get your own medical degree so that you can handle all your own medical problems? What about a car? Did you build your own car? Do you have a law degree? Do you grow all your own food? Are you a licensed electrician? How about a food safety engineer? An architect? No? So you rely on established and proven products, systems and service providers for these things? Of course you do, because that's how society works.
Technology folks often forget that we happen to have specialized in a field that is now dominant and pervasive in everyday life, so we "get it" more than most, but that's not the case, sometimes not even an option, for most people..
You seem helpless in the era of self help. Informationless in the information age.
Did you build your own car? Are you asking us to compare building a car to using a gmail account? The comparison is did you build your own google mail provider. Very few have.
But most of us went to different dealerships, test drove different cars, looked up tech details and reviews. Reviewed recalls and decided for ourselves.
What kind of special degree do you feel you need to pick a different email provider?
And most people don't use a SaaS. I would expect a slightly more tech enabled person to be using a SaaS (not too many grandmothers or average internet users need a SaaS). Can those people figure out how to sign up without google if they want to? I would hope so. If your SaaS doesn't offer any other way to sign up it won't be around for too long anyhow.
If you are going to put everything under your google services for your SaaS, pay a few dollars and get a business account if it's important to your business.
> their SaaS email (in most cases probably a Gmail account) is in fact their primary identity on the Internet
In which case they are in luck. There are a multitude of email-providers worldwide, and email is 100% transferable.
Many people for instance use Office 365. A similar SaaS, not Google, allowing you to digitally separate who you are from what you do.
> did you get your own medical degree so that you can handle all your own medical problems?
No. Absolutely not.
Nor did I once sign up for a medical check, pledging that I would for the rest of my life use this one medical facility only.
Do you know anyone who has ever done so? Of course not, because that makes no sense.
And it should similarly make no sense to make such a move in the digital world, maybe there even less.
If you separate email (identity) from what you do (like using Google services), the worst Google can do is ban your ability to do business with Google, not your ability to do business at all.
As a business, why would anyone be stupid enough to take the risk and let Google have that ability?
Edit: As for being the most HN comment ever, how goes conflating email for Gmail and seemingly being unaware of there being other email-providers than Google? I mean, really?
> In which case they are in luck. There are a multitude of email-providers worldwide, and email is 100% transferable.
Really? You think the average person can navigate changing all the services they signed up for with a Google account they've lost access to, and update it to a new account at a new provider?
Having helped a few non-technical but still very smart people do this over the years, I can tell you that for most people this would be way more daunting and painful than you believe.
> If you separate email (identity) from what you do (like using Google services), the worst Google can do is ban your ability to do business with Google, not your ability to do business at all.
You say this so casually, and that's my whole point. Most people wouldn't understand this distinction or even know where to start to actually do this.
You rely on your technical knowledge without even realizing it, to even understand the need or option to do this. Again, most people do not have this level of technical acumen. These are unknown unknowns for them.
I chose cars, health care, food and housing in my examples because they are day-to-day things for everyone that we all take for granted and don't deeply understand, and rely on experts to handle for us, but can't really live without. That's the Internet for most people.
You missed the point by splitting hairs and nit-picking the comparisons.
> As for being the most HN comment ever, how goes conflating email for Gmail and seemingly being unaware of there being other email-providers than Google? I mean, really?
Why should they be, from Google’s perspective (which obviously skews towards “our algorithm is perfect”)? If you’ve done something banworthy on one of their properties you’re obviously not worth keeping around anyway as you’re likely to violate policies elsewhere.
That's the horrible part about it. You're spamming smileys on a Fortnite stream? No more access to your email, which you require to manage access to five dozen online services including PayPal, probably also stuff like insurance and whatnot.
Considering how vital one's email account is today, it's time for laws that prevent providers from pulling stunts like this on your mail account, no matter whether it's free tier or not.
Why do you need a law if you already have all tools available to prevent a provider lock-in?
Anybody can buy a domain for the price of two coffees and have full control over their email addresses. There is no excuse for being locked in by google. Even if somebody wants to use google's UI, the emails can be forwarded to google, and at the same time backed up somewhere else in case google shuts down the account.
If you consider how vital one's email account is today, it's time to put down some money.
*edit: Buying a domain often comes with an email service. There is no need to run a mailserver.
> Anybody can buy a domain for the price of two coffees and have full control over their email addresses
the only control you have if you go the "own mail server" route is the control on your tears when you see that your mails are rejected by every other mail server in existence because you made it in some random blacklist
Don't have to run your own mail server, nor would your mails be rejected necessarily... There are a lot of providers around which let you use your own domain.
And if you're using your own domain, you're always able to switch providers by updating your mx records.
But I wouldn't ask my family to do that either, that's just something for tech enthusiasts and people that make their actual living by being reachable through mail (contractors etc)
Why do you equate "own domain" with "run your own mail server"? There are reputable mail providers that allow you to use your own domain through their setup, many webhosting places do a decent job of it, ...
Fair enough, but I'd argue being able to move said addresses, without needing cooperation of the mail hoster, at any point is pretty good along the control axis. (Don't forget to have an independent backup of your inbox though if you want to be safe!)
You can start by using the mail service of the domain provider.
[edit:] On the other hand, if one wants to run his own mail server:
From the last hn discussions about blacklists, I got the impression that [running your own mail server] is not an issue as long as you correctly navigate the anti-spam mechanisms. It's not obvious, but also not a black art.
I would rather be bothered by server security. Since email is so vital, how do you secure your server against recent vulnerabilities if you are offline, e.g. if you are on a vacation.
Sorry, I reshuffled my comment too much. This should have been:
>You can start by using the mail service of the domain provider.
>From the last hn discussions about blacklists, I got the impression that ~this~ [running your own mail server] is not an issue as long as
I absolutely expect my doctor to be able to register his own domain in the same vein that my doctor expects me to not lick Corona infested door handles right now.
Registering a domain is like taking medicine. We expect everybody to be able to do it.
It's the building of domain management infrastructure, the software that sells domains to the users, that is out of reach for the doctor.
Similarly, I expect a barista to register a domain. It's not magic. If he has made his own Amazon, Netflix and Spotify account then he can make one more.
They don't have to understand those words. My comment was written for hn, not for them.
Non-technical people still understand accounts: bank accounts, email accounts, netflix accounts, etc.
Those among the technical illiterate, who absolutely have no idea, have gotten their mail account with the help of somebody. Chances are that they are not stupid and understand the concept of accounts by now. If not, they can get a domain account with equal help.
The key concept is ownership. Whoever rents a property understands that he can be evicted. And most people who have bought a house also know that at first the bank owns it and that they could be evicted if they don't come up with their down payments. In other words: almost everybody understands that he can lose something if he doesn't own it.
So it is not a great leap to understand ownership of email addresses. Calling it difficult just allows people to save face when in fact they just couldn't be bothered.
I'm sure money is a real argument for some people, but it's probably also as much an argument to hide for the fact that many (non-Hacker News visitors) don't really have any idea... about how to properly make their online life "redundant", or even the need for it.
I wonder if domain email can look pretentious or confusing to non technical people. I own a few domains, including <firstname><lastname>.com and <initial><lastname>.com but I don't work in IT (I'm an accountant), and don't have a business, blog or website. I bought the domains to keep them from bulk squatters.
I set up email with fastmail but I don't use it much. I assume people will look on them as some sort of vanity address.
I probably should migrate my most important logins to my domain email, though.
I can relate. I don't work in IT, and I've been using <firstname><lastname>.com as my main email for years. But in practice I have another email address that I can give around when I feel that using my own domain would look pretentious.
I've pondered buying a domain that's not my name just to make it look like it's a normal email service, so it wouldn't look pretentious. But now it seems to me that a better solution would be to migrate all to Fastmail or Mailbox.org and have an alias ready for that use.
Don't sweat it. Some people will find anything pretentious. I was eating a Shawarma some time ago and a colleague asked me what I was eating. I answered "Shawarma" and this was enough for him to think I was some kind of elitist or whatnot. Bonkers, really.
I work in a non-technical field and ask around about this. It definitely looks gaudy and pretentious to some people. You’re not immune to the occasional eyeroll. It concerned me enough to remove it from my resume.
Not sure if there might not be a legal recourse if they ban access to your email, at least if they don't give you the possibility of downloading an archive of its contents. Because, unless they have deleted it, they have your data in that email.
So, under a GDPR reasoning https://gdpr-info.eu/art-15-gdpr/ do you have a right to a copy of your emails even if they have blocked your account? Unless they have deleted all your data I think it would be a yes.
Have you tried downloading your data from Google? If you have a large data set (for being a loyal user for years) and a slow (non-business-class) internet connection, the server just expires your auth token before you can complete the download.
This has happened to me. I have been able to get it to work by retrying the download until it works, it took me three tries. If that still doesn't work, Google Takeout supports splitting the download into smaller 1 gigabyte chunks which should hopefully be downloadable fast enough. Still annoying though.
If it was decided you had a valid GDPR claim but Google doesn't give you a decent way to download it that's Google's problem.
The question is if they have to give you your emails if they still have them. I think it would be decided they would have to. It might be worth getting ready to be blocked, get blocked, and then demand the data to set the precedent actually. But I am lazy; the virtue of a programmer, the vice of a concerned citizenry.
Because eradicating every last possibility of TOS violations is not what Google's business is about.
These horror stories of banned Google accounts destroy trust. They have lost my company's cloud business for that reason and I'm sure we're not the only ones.
Also, Google's sprawling empire is already in the crosshairs of regulators. Destroying people's livelihoods by applying draconian bans across personal and professional domains doesn't help.
What's weird to me is that they do the exact opposite for SEO spam/scams. They will (maybe) put a penalty on one domain, but they will not touch your other domains. And as soon as you stop doing the spam/scam thing and pinky-promise to not do it again, even the original penalty will be lifted.
> If you’ve done something banworthy on one of their properties you’re obviously not worth keeping around anyway as you’re likely to violate policies elsewhere.
That's a violation of that "assume stupidity instead of malice for as long as possible" rule.
There is talk of implementing per-service bans. They already exist for adsense and google pay. You can today be banned from adsense but allowed to use all other google services.
Customers seem, if anything, more angry about that though...
They're angry about that because the "per service" bans are even more capricious. You can get permabanned from something like YouTube for something as fickle as people being unhappy with your videos and mass-flagging them. And of course that's a "per service" ban, but it would turn into a site-wide permaban as soon as Google thought you were trying to evade it and join YT with another account. I won't even get into the whole copyright enforcement stuff which is just as badly implemented, but at least Google has plausible deniability there since the law requires them to ban "repeat" offenders. No, it's everything else that's real crazy and scares a lot of sensible people away.
Most people I speak to about the adsense bans claim their ban was totally unjustified, but then later reveal that they might have clicked on ads on their own webpage "just once or twice to test it"...
There's maybe a small proportion of people falling into this category, but since the bans are automated and triggered on obscure rules outside of the account owner's knowledge, I would argue that a good proportion of bans are just random. The fact that support is close to non-existent just makes it worse for sure.
I had myself an account banned and I can assure you it's really totally random.
Google doesn't ban itself when they violate their own terms of service (Notification spam, mass WiFi network collection, Google Buzz) "just once or twice to test it"
If you spend some time on the other side of it, it'll make more sense. I've done anti-abuse work before and you would not believe the number of people who due to greed, malice, or some sort of perverse glee will spend massive amounts of time working to abuse your service.
Especially when that service is free and effectively anonymous, it's just not possible to give each case a full and fair hearing. You know that you'll get false negatives and false positives. You can try to minimize them, but actual justice is expensive. Too expensive to pay for with ad sales, that's for sure.
This just reminded me how dangerous and foolish it is to use Google as an OAuth sign-in method.
I’ve idiotically done this for a bunch of major services, including freaking medium.com, among many others. Can’t believe I’ve been so careless. Now I worry and wonder how hard it will be to get back to regular email & password.
Depends on the service. Sometimes you have to delete your account and start again unfortunately. But if you can, a password manager is a much better solution that generally doesn’t leak information about all systems an account uses to the account provider for the purposes of targeted advertising.
That screenshot of Google saying that in a short amount of time they’d be deleting all your data, plus the email where their “ban review” system just rejected them and said any further replies would be ignored, are really really worrisome and highlight to me the critical importance of minimizing my reliance on Google services (as much as possible).
Google can at any time decide to require you to provide additional authentication. What year and month did you create your account? What previous addresses have you logged with google. There are about a dozen prompts to prove yourself to them.
Finally, spinning busy icon and... red text says you are denied. You are properly screwed.
I assume all ways of recovery by google failed. I would go the physical route. Take a megaphone, a big sign and go to one of the google offices in Zürich. First stand there and then slowly ramp up to attract more attention. At one point one googler must be willing to help or must be annoyed enough by me. It sounds extreme but it is my Plan B. My personal data includes all my pictures, which are extremely valuable to me. I do pay for many google services including Google Drive and I expect them to support me.
Not working at google but we are frequently getting security warnings to not leave the office building with swag that shows our company name because some customers weren’t happy with cs and stand angrily in front of our office ready to confront anyone.
Don’t do this. It won’t do anything good and I also doubt some random googler has the privileges to restore your account. There are likely policies in place similar to how I am not allowed (or able) to touch our customers accounts
Random Googler can't restore your account, but can file a ticket that might actually get looked at.
Source: firsthand experience. I had problems with Google Fi when it was pretty new. I tried to work through the issue with their normal support, unsuccessfully. I worked at Google back then, and eventually point filed a ticket with (or maybe emailed? I don't remember) the Project Fi team. Lo and behold, my issue got resolved almost immediately.
They mean that in case they would lose their Google account, they'd try to get the story of losing it on the HN front page so that someone from Google sees it.
"There is one more option for super paranoid people. Backup all your data."
I would argue that this should apply to everyone, not just the paranoid! The fact that most companies make this easier nowadays, like the linked Google Takeout, is actually a real, useful improvement.
If you backup regularly, you should also restore to test it works properly, and the reality is there is no decent way to restore a google takeout archive to another google account, or any competing service. The closest you'll find is a hodgepodge of scripts to incompletely restore some data...
It feels weird to see this called super paranoid, I've been backing up my data ever since my first PC went belly up on me. Didn't have much on it but lost some photos, so now I keep everything backed up and still break out into a sweat the moment my laptop starts making any unusual noise.
Technology isn't perfect so a backup is a must for anything of value: whether financial or sentimental. For a good example of why backups matter, look at the history of Doctor Who. They didn't leave any backups of parts of the original show because they figured those were pointless, re-recording on the physical copies instead. Now the old episodes of the show are being searched for across the Globe, I believe some were even found at some man's home in Brazil. Backups and archiving stuff is essential.
For me it would be an annoyance for sure, but I've been not-using Google stuff long enough that I wouldn't really care.
This is how I did that:
1. I self-host my email and most of my emails are exchanged via my self-hosted domain.
2. I use nextcloud for cloud storage with automatic upload of pictures, videos and call recordings from my phone.
3. I use ZFS for snapshotting and replication.
------
Regarding my google account... I took the habit of taking notes of my previous password when I change it with a new one. I also took note of my backup codes.
------
Regarding self-hosting email... It's surprisingly low-maintenance. My current mailserver was set up in 2014 and I've touched very little since then (considering it's been on for six years).
It does require some learning in the beginning, but a) email is so old that it's very, very, very well documented and b) time spent learning is never wasted.
Nextcloud is just awesome. It does have its quirks and an SSD would definitely help, but I've been running it off a cheap machine (~115€ dell optiplex 7010, 2nd gen i5, 8gb ram, 250gb HDD system disk + 2TB HDD data disk) and only had occasional problems (don't try and push too much stuff at the same time or postgres will basically kill itself if it can't keep up -- upload files to the data folder instead and let nextcloud rescan such folder).
ZFS is the real game changer. Hourly snapshots are extremely fast and cheap and make it easy to sync your precious data to another location (in case something goes wrong).
------
Sometimes I stop and think about how exploitative and predatory modern internet services providers are.
Most TOSes clearly state that they can terminate your service for any reason. Which is generally understandable but also means that all of your data could be gone so fast...
The cloud isn't really the safest thing to put your stuff into.
> 1. I self-host my email and most of my emails are exchanged via my self-hosted domain.
> Regarding self-hosting email... It's surprisingly low-maintenance. My current mailserver was set up in 2014 and I've touched very little since then (considering it's been on for six years).
What will you do when your email server's OS goes out of support? (or if VPS, they upgrade from ovz6 to 7, or worse) Or if you can upgrade but the packages for your original install are slightly changed or not available on the new version? How did you store the email? Virtual users on disk with dovecot or the like? How will you port to a new OS environment when required?
It isn't trivial. I'm in the same position having set up my personal mailserver in 2013 with very little maintenance since. But now the bill has come due with the need to upgrade OSes.
Not a big deal, a full reinstall every 5-6 years is okay.
I'm planning full OS update and mailserver reinstall (I'll probably be switching to CentOS 8).
Regarding the downtime... Not a big deal either. I already have an mx backup host in place, along with (semi-automated) procedures to import mails delivered to the mx-backup host into the mx-primary.
> It isn't trivial.
Well, it isn't super complicated either. It really depends on the degree/detail of your configuration. For the most part you should be able to copy the old configuration files into the new postfix/dovecot installation and fix errors as they come up.
Problems may arise if you have non standard features and/or if you interface with other services.
When I set up my corporation, a couple of years ago, I set up a Google account for it.
For some reason, it won't let me in. I am pretty sure that I have the correct password (I use a very well-known wallet app), but it's entirely possible that I borked the process.
Google won't help me to unlock it. I have to use a gmail account (the one I set up) to get reminder links, and I can't figure out why it isn't honoring my secondary email account (my corporate email, which works fine).
It really isn't a big deal (to me). It prevents someone else from registering as my company. It does mean that I won't be doing any corporate business with Google, but that's fine. I don't write the kind of software that uses their services.
"One of my other Google accounts actually have been inactive for so long that Google doesn’t trust me when I enter the password and there’s no way to recover."
Hm. That probably means I have lost my Google account. The last time I logged in was in 2013.
The funny thing about giant tech companies and your personal data is they do their best to convince you they are a great place to store your intimate details and secrets. They can be trusted.
But on the flip side, these companies are incredibly paranoid and secretive with their own data. They all run their own mail internally and do not (in general) store sensitive data on each other's clouds.
I think this is super important for companies like, for example, Facebook and Uber, to maintain utter secrecy of their internal data, because they know they have a lot to hide.
Anyways, the vibe is "Trust us, but we won't trust you". Yuck.
I'm not sure what your point is. Most big companies use gsuite or Ms office suite, or don't because they consider Google or Ms a competitor and don't want to pay them money.
There's very few big companies that are concerned about MS or Google stealing their data. That's a concern held mostly by random hackernews commenters.
Copying the data to an external drive and keeping it in the same location as the original is even worse. Where do I put it? The bank only has so many safe-deposit boxes - mine doesn't have any available atm.
Giving the drive to friends or family isn't viable either because I need to encrypt the data and need to store the keys somewhere. So the cloud, i.e. AWS, Azure, Backblaze, etc. is actually a pretty good place.
It is not either or. There is a reason why it is 3-2-1.
> Giving the drive to friends or family isn't viable either because I need to encrypt the data and need to store the keys somewhere.
? You don't need to store the keys anywhere, just a password. And even if you can't remember passwords, the threat model "friends and family" allows for easy passphrases or even sticky notes with password hints.
Depends on the "Cloud".. cloud is and will always be "someone else's computer, somewhere else". Google Drive is not a backup. Carbonite (or Crashplan) is a backup solution.
Of course a successful backup needs to be at least "3-2-1". Not "1" (Google Drive).
One thing I'm excited for is when syncthing implements encrypted devices, so that I and a family member can have syncthing folders that we share with each of them for each of our respective backups.
They share data with me and my computer holds it safely for them even though I can't read it myself, and vice versa.
Their house burns down or is flooded? They have their data ready to download from my machine. Same for me. No cloud provider necessary.
I want more redundancy? Add more encrypted devices somewhere else, whether it be the family member living out west, the former coworker living in Japan, or the vps I bought for $5 on sale one day.
It's reached the point where five or so agencies have a de-facto oligopoly over our digital life and the t&c are written almost totally in their favour. I took a .zip of my digital life last year, and I intend renewing it periodically.
If you don't already, you can set Google Takeout [0] to create an export of all your Google data every two months for 1 year and it'll email you when it's ready. I download my data and move it to an archive drive, it would be cool if there was a way to automate the process of downloading and storing x latest archives but I haven't looked into it.
What's the point of removing old addresses? I mean I'm all for privacy, but forward all your old accounts to one funnel account and ensure you never lose that data.
Not keeping your account is a security hazard.
If someone else would be able to use it, he now has access to some password resets. Or just call a support agent to restore the old email address.
Not on Gmail, but there certainly are email providers that allow a username to be recycled after a certain period of time. Notable example is Yahoo, which recycles usernames that haven't been active for a year: https://yahoo.tumblr.com/post/52805929240/yournameyahoocom-c...
Google does not allow anyone else to register the name ever again, so there's no risk of identity theft. The main reason is to remove cruft I don't need or use.
That is good to know, thanks. Someone in Google gave me an invite three years before GMail was formally released publicly, so I have my name. There might be a point when I cancel my account and it would be great to be protected from someone claiming my old email address.
I like paid for Google services like GCP, Play movies and books, etc., but I want my online identity and all communications to be through my domain.
Apart from email, which can be hosted in a myriad of places, I tend to use etherpad/calc and nextcloud. I guess I was not a heavy user of Google's services for quite some time.
Unfortunately, it's not available for GSuite accounts. I suppose the rationale is that organizations don't have the same requirements as individuals, but that's not the only use case for GSuite: any individual (like me) who set up legacy GSuite to use GMail with a custom domain is out of luck.
Serious question: how? I had been a google avoider for years already when I upgraded to a smartphone, and a mandatory part of the setup was creating an @gmail for it, that I couldn't steer around or find an alternative to. I only use that account to "forward stuff to my phone" but I did still need to create it, afaik.
At least a while ago you could skip setting up an account. But that means you need to use an alternate app store.
Or you get a device that is supported by lineage. Then you're even freed from all the Google related services that would otherwise still run in the background and do who knows what. You'd still need an alternate way of getting apps, and even if you sideload them, some might not work since they rely on Google play services.
Or you get a Chinese phone, since Google is banned there they all have alternate app stores, plus a crap load of shovelware that spams your notifications with ads and you share all your personal data with a different government agency than you would with the Google variant.
I think you can create an account without using Gmail as the email. For example, you could create a Google Account with joe.smith@outlook.com if you wanted to. At least, that was possible some years ago.
There are great phones being sold right now which run Android and which have zero Google integration whatsoever. The parent post was implying that it's literally impossible to use an Android phone without a Google account, which is straight up not true. What's so strange about that?
For example the latest Huawei phones - the P40 Pro has an insane spec, fantastic camera, latest Android.....and no Google integration at all. Whether that's good or bad you have to decide for yourself, but it's not just some cheap knock-off garbage phones.
> One of my other Google accounts actually have been inactive for so long that Google doesn’t trust me when I enter the password and there’s no way to recover.
What you should really worry about is leaving your phone in an Uber. I did it once, and had no way of contacting Uber or the driver. I tried logging into Uber from a computer, but they sent a code to my phone - which of course I didn't have. The only thing that saved me - after trying to talk to someone at Uber for 4 hours - was the driver found my phone and brought it back to me after his shift ended. I had resigned to buying a new phone, I thought it'd be gone forever.
When I lived and traveled on a boat, I'd often be within wifi range but have no cell service. This was back when SMS 2fa was the only option. It was really annoying to be logged out of Google.
These days, I doubt it would be as big of an issue to lack cell phone service, for me anyway. I can imagine lots of scenarios where cell service would stop working, and imagining those people effectively locked out of their account until the towers could be rebuilt or repaired makes me sad for them.
I’d love to hear more about the boat, living like that is a personal dream of mine. I know I’m romanticizing it but that’s the way dreams work I guess.
Their account recovery (which only needs answers to one or two of their questions, not all) seems to be used for account hijacking. I lost one that way, and searching around I found many people with a similar story.
If they just stuck to requiring a very strong password and not letting anyone in without it, no exceptions, no ifs, no buts, I would still have that account.
Fortunately it was an old account I wasn't using anymore.
Just use one Google account per Google service, it's the safest way haha.
> One of my other Google accounts actually have been inactive for so long that Google doesn’t trust me when I enter the password and there’s no way to recover.
This is problematic if a system relies on your using it enough to be a proof of authentication.
I've been planning to ditch Google for a long time. Besides mail, the only other service I use is Drive. 200 GB, 2.99€/mo.
I don't need desktop sync. I only use cloud storage to archive old files that I like to have around but never really access, such as rare CDs or records that I've ripped.
Any suggestions for an alternative? Hetzner storage box? Glacier? rsync.net? If only Dropbox had an intermediate tier...
Does it have to be cloud based? I have a FreeNAS machine (they sell them pre-configured) that I bought which I use for holding tons of data - including old photos/videos, important documents, Movies/TV shows, and a few VMs for fun.
To derail, I want to know what to do if google marks emails from my mail server as spam. I honestly cannot figure out how to get them to not do that and I’ve sent a total of 20 emails from my otherwise virgin domain.
You can go to Gmail, open the email from your mail server, click on the three dots menu, "Show Original".
There you can find some hints, e.g.:
SPF: PASS
DKIM: PASS
DMARC: PASS
If any of those are not in 'PASS', you need to fix it and retry.
Yes, setting all of these up is not trivial, but it's also not the monster people usually claim it is and I think we should all do our part that this knowledge doesn't appear so unobtainable, as we've already centralized more of the internet than we should have.
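The check described in the comment above, as an added example that is not part of the original thread: the SPF/DKIM/DMARC summary in "Show Original" comes from the `Authentication-Results` header that the receiving server stamps on the message, and this Python sketch reads that header from a saved raw message and lists every mechanism that is not `pass`. The sample message, its domains and the `mx.example.net` server id are constructed; only results stamped by the server id you pass in are counted, because the same header can also arrive pre-filled by the sending side.

```python
import re
from email import message_from_string

MECHANISMS = ("spf", "dkim", "dmarc")
METHOD_RE = re.compile(r"([a-z0-9-]+)\s*=\s*([a-z]+)", re.I)
PROP_RE = re.compile(r"\b([a-z]+\.[a-z0-9_-]+)=(\S+)", re.I)

# Constructed sample of a raw message as saved from "Show Original".
# The first header was added by the receiving server (mx.example.net),
# the second one was already present when the message arrived.
SAMPLE_RAW = """\
Delivered-To: recipient@example.net
Authentication-Results: mx.example.net;
       dkim=pass header.i=@example.org header.s=mail2020 header.b=AbCdEf12;
       spf=softfail (example.net: domain of transitioning
        postmaster@example.org does not designate 203.0.113.7 as
        permitted sender) smtp.mailfrom=postmaster@example.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.org
Authentication-Results: mail.sender.invalid; spf=pass; dkim=pass; dmarc=pass
From: Me <me@example.org>
To: recipient@example.net
Subject: test

hello
"""


def _unfold(value):
    """Join a folded header (continuation lines start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", value)


def _strip_comments(value):
    """Drop RFC 5322 comments in parentheses, including nested ones."""
    previous = None
    while previous != value:
        previous = value
        value = re.sub(r"\([^()]*\)", "", value)
    return value


def parse_auth_results(raw_message, authserv_id):
    """Return {method: [{'result': ..., 'props': {...}}, ...]} using only
    the Authentication-Results headers stamped by authserv_id."""
    msg = message_from_string(raw_message)
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in _strip_comments(_unfold(value)).split(";")]
        # The first field is the stamping server's id, optionally + version.
        server = parts[0].split()[0].lower() if parts[0] else ""
        if server != authserv_id.lower():
            continue  # not stamped by our receiver: do not trust it
        for part in parts[1:]:
            m = METHOD_RE.match(part)
            if not m:
                continue  # e.g. the bare "none" form
            entry = {"result": m.group(2).lower(),
                     "props": dict(PROP_RE.findall(part))}
            found.setdefault(m.group(1).lower(), []).append(entry)
    return found


def summarize(found):
    """One verdict per mechanism. Several DKIM signatures may be listed;
    one passing result is enough here (alignment is not re-checked)."""
    report = {}
    for mech in MECHANISMS:
        results = [r["result"] for r in found.get(mech, [])]
        if not results:
            report[mech] = "missing"
        elif "pass" in results:
            report[mech] = "pass"
        else:
            report[mech] = results[0]
    return report


def failing(report):
    """Mechanisms that still need fixing before retrying."""
    return sorted(m for m, r in report.items() if r != "pass")


if __name__ == "__main__":
    report = summarize(parse_auth_results(SAMPLE_RAW, "mx.example.net"))
    print(report, "-> fix:", failing(report))
```

For a message received by Gmail, the stamping server id in that header is `mx.google.com`.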
Just out of curiosity, does anyone have similar experience or have seen reports from people being banned from outlook.com in a similar fashion (random bans for no reason)?
"I’ve been using the same Google account for the last 12 years. And to be honest, I’ve never changed the password and never turned on the 2-Step Verification because I was afraid that I’ll lose my phone or forget my password and I won’t be able to access my account any more."
It's a decision I'm sure the author deeply regrets. The author has another post on their blog promoting security practices[1]. Just going to the settings pane to enable 2FA shows your backup options: backup codes, sms, webauthn, etc.
I only remember one password, and that's the password to my password manager. The rest are arbitrary random strings. Always use MFA. I employ efforts to make it difficult for an attacker to port my phone number, too.
At this point in the maturity of the internet these measures should be a no brainer, but it's a good reminder of how far we have to go.
I'm glad I made the choice to migrate off of Google's products about a year ago. Having control of your own domain and identity is super important in a world where one company can effectively delete you from the internet when they want and there's no legal recourse.
> But if I lose my phone my number is gone too since I always use prepaid.
Writer is obviously NOT in Europe, where even to get a prepaid you need ID/passport. That way you can keep the same number forever (if you abide to the "add funds every X months"). I have phone numbers in 4 countries (that I tend to visit 'often') and all I need to do is add €$£10 every six months to keep them alive.
So one solution for that is to go to that ISP of yours and ask them to bind your number with your ID. And if you lose the SIM one way or another, you show up with your ID/passport and in 10mins you walk out with the same number.
That's not really true. Every SIM I ever got, no one ever asked me for actual ID. Yeah, some required me to fill in a page with my info, I could've written anything there.
Doesn't that cause the opposite problem - for example, someone with access to your prepaid account could change that data and go clone your SIM?
I have a domain name that I can’t get to through google. I don’t use it but would like to start again.
The registrar is go daddy and I tried to access it through them; they told me to go through google. It’s part of their g-suite now which I can’t seem to access, since I have an individual account.
The help pages are ridiculously obtuse.
We use google maps for a non profit and they require a credit card. It was near impossible to figure out where to update. (Why not send a link in the email to where I needed to go?)
They really could be so much more profitable if they could get their UI ducks in a row.
I registered it through google and it ended up "administered by" go daddy which I didn't realize when I signed up. I can't access it through goDaddy directly. I was hoping to move it to where I register my other domains....
In 2016 I was in the middle of China when my phone got stolen. Obviously I had backup codes saved in a text file so I was good.
Then my moment of dread came: the codes didn't work. I still don't know why but from that moment on the laptop I brought with me that had Google logged in was my only gateway to my personal info.
I mailed account support and after explaining the situation and providing proof they reset my 2FA, after which I could set it up again on my new phone.
Even though Google support was pretty quick and helped me out (in my own language, mailing from China) I have since moved to GMail with my own domain for more control, have printed out backup codes that I test every 3 months, have multiple phones with Google logged in for 2FA and periodically use the GDPR method to download stuff Google has on me, just to be safe.
It was an eye opener how vulnerable I was using Google's "one account to rule them all".
This is a relevant issue but I haven't seen this discussed here so:
If you want to minimize or practically eliminate the Google account lock-out risk and also eliminate any hijacking risks, register multiple hardware security keys (FIDO keys), remove all phone-based 2nd factor or backup, and make sure your password is something you won't forget (it doesn't have to be very strong - as long as it's unique), and register for Google's Advanced Protection.
Because there is no known attack against hardware security keys, there has been no broad attack - which means heuristic-based defense is not necessary. The heuristic based defense is a necessary evil - it's the source of false positive lockouts, but necessary since otherwise credential stuffing attacks can't be controlled / reduced.
You want at least two security keys, preferably 3 (one with your primary device like laptop, one personally with you e.g. in your key ring, and one stored at home, preferably in a fire-proof safe - alternatively you can leave your security key at work if you're ok with that exposure). You really want redundancy - as much as you fear lock-out, you should never lose access to at least one of your security keys. If any of the security keys get stolen, you can immediately de-register and get a new one to replace it.
You want to get rid of SMS or phone-based 2nd factor, since phone hijacking is a realistic threat. You also don't want OTP as it's phishable, and is more difficult to maintain high availability (you lose one device you registered as OTP and you're doomed).
related...I had an old google account stolen from me a few weeks ago.
this happened on April 8th while I was sleeping (I received recovery emails etc -- everything was changed by the time I woke up)
this old account had an auto-forward for all emails to another email so for the first week whomever stole it was not aware everything was copied to my other account. I tried going through googles account recovery and unfortunately it appears that I will not be receiving this account back, I am sad because I did not copy all email locally and have lost some very old emails -- this account was made when gmail was still beta with an actual 'invite'.
what is surprising is how obviously it is fraud based on the emails I received over the next few days the owner had different names for a handful of people i.e. 'Hi Chinh' or 'hello Hau' (many others as well)
I kept these because apparently google is investigating and I've been told to be patient due to covid-19 delays but I suspect I got lost in the pile of other work. it is not a big deal in the long run just makes me sad that clearly I did not do enough to protect this account and there is not a human on my behalf looking... any person looking at this (if google admins can) would come to the very quick conclusion it is clear that it was stolen.
A while ago I switched to creating an email account tied to my domain for every new service.
Of course now I need to not lose control of the domain, but that's something that can be solved with a calendar app or... a calendar.
I think this is a reliable approach, because if I ever lose control over the hosting service account, I can prove my identity through invoices that were generated along the way.
Imagine backing up those 50-100 gigabytes of actually essential data you have and using google normally. They even allow you to backup your email via outlook or whatever and just download your photos and drive. You don't really need RAW images of your birthday from 15 years ago. Google's Photos compression seems perfect to me for all "memories" photos
The ripples are bigger than just losing your Google account, but all the third party services you use that use Google authentication. That convenience just locked you out of X amount of accounts - I recorded I used 15+ accounts before switching out. That is why I advise my coworkers and myself to always sign up with an email and password stored in a password manager.
I have a grandfathered free Google apps for Domains account that is used for all my google things, if I lose it then I move my custom domain to another provider and move on with my life
All data on Google is backed up, and can easily be transitioned to another provider
I learned long ago to avoid vendor lockin, I go to great pains to ensure that in all aspects of my life
Late to this conversation, but I (and many co-workers) use a number of SAAS tools from Asana to Trello and everything between.
Has anyone reading HN developed a process/policy to cover disaster recovery in the event of SAAS (insolvency|malfeasance|ransomware|data center breach|corrupt backups|identity theft|ad nauseam)?
Even if there were a one-size-fits-all export automation platform (maybe there is, or there's Zapier ... please weigh in if there's a quality one stop shop), the format you get from most providers (IME) bears little resemblance to the ecosystem you exported it from.
You can't get back there from here, so to speak: a csv (or series of csvs) are missing the relationships needed to reconstruct complex data on the platform, assuming you'd risk returning.
My personal email is not on Gmail. My documents are not in Google Docs, my data is not in Google Drive. I upload my videos elsewhere. My browser history isn't in Chrome, etc.
While I understand the individual value of some of these services, personally I don't understand how people can put all of their eggs in one basket.
If you're afraid of Google banning you for no reason, and you should be, move to alternatives and I don't mean moving to another monopoly that can as easily disallow access to all of your data and online persona.
And make backups, for sure, but I don't think backups are sufficient, because it's costly and recovery from backups often fails, being a last resort Hail Mary solution.
What if you lost your 'XXXXX' account? In my very humble opinion, anything stored on the 'cloud' is lost already.
I got burned very early on, back in 2011, with 'cloud storage' while using a DropBox account. I then proceeded to be my own on-line storage server. I use my server (that's already running 24/7 anyway) to serve SSHFS, SSH, SHTML and FTP to myself and just SHTML to anybody else who may chance along. The server is UPS-protected.
And I don't have to pay out those everlasting monthly fees to some faceless company who doesn't care at all whether or not they happen to lose my stuff.
I do a few things to try to mitigate this definite risk:
* utilize a known unique password + non-SMS based MFA and document the password and backup codes in my password manager
* pay for G Suite instead of free. I have been through “lost credential” scenarios with other Google customers and, though painful, you can regain access via proof of domain ownership
perhaps most importantly, I use my own domain
* I sync my photos with both iCloud and Google
* my files in Google Drive are backed up locally
There’s no way I’d rely on a free account or domain with anyone at this point for the majority of my digital life. There’s just too much pain involved with losing it and it’s too easy to prevent.
This is one area where diversification is a good risk strategy. I was forced to think about this carefully when moving to China. After 12 years I was happily and safely a mixed user of yahoo and Outlook for email.
I'm interested in tech, software and, making things so an awful lot of the Google-prison is as uninviting as the Apple-prison. I only use the tools that give me the choice to use for no other reason than fit for purpose. So I had no YouTube, instagram, tumble, Facebook and a whole lot more. No loss and nothing missed whatsoever.
My advice is for all free services assume random removal. Prepare for that.
Outlook is known for silently discarding emails it considers "spam" and returning a 200 OK to the sender, assuring them that their email was delivered, but it won't show up even in the spam folder.
If I lose my account I open another one and tell my customers to revoke every permission to the old account and grant them to the new one. I don't keep anything valuable in Google because I don't trust them: I'm not paying so I'm not a customer and I'm disposable, then there is too much automation going on and I could be banned for reasons no human being will ever understand.
I wonder what happens with my Android devices. Reset to factory settings or is it possible to switch accounts? And what if they ban my phone number, is that even possible?
I would make a new one and carry on as if nothing ever happened.
I have my email at my own domain for which I pay about $10/year, my phone runs LineageOS, and I back up all my important data between my various devices with Syncthing. I try my best to avoid giving up too much control over my life, especially when it's as easy as purchasing a domain, installing an operating system, or setting up an application. Altogether, these actions took about an hour or two to complete, and they'll likely save me so much more in the long run.
Answer is simple - do not trust all your digital life to Google. I would say, trust them as little as possible. Most of the content you created and saved under their account - your documents, spreadsheets, and photos can be accessed, modified and redistributed according to Terms Of Service.
Apply common sense and diversification. Use different services for your email, cloud storage, photos and videos. Have a backup of your every service - mirror of your cloud drive, reserve email, locally stored credentials in any offline password manager.
While I’d be sad to lose my Google Voice number in use since 2010; I’ve been using my iCloud account since the day it was launched as iTools. I have had my @mac.com email for 20 years.
Contemplating this question is what caused me to switch to Fastmail. Next step would be operating my own mail server, but I would be too lazy to maintain it, keep it patched, up-to-date LTS OS, etc. Easier to outsource to a company that actually has customer service and would care about losing the revenue I bring as a customer if they did me wrong. The custom domain is great for reducing spam too, though I suppose you can get that with Google Docs.
I would not be able to login to my phones, I guess. And then losing my contacts and calendar entries. But most of them are synced to my Mac, so I'm OK. On Linux I'm using evolution for this, but never cared to use it much.
Email is not much of a problem.
The various email aliases all point to gmail, but this can be changed easily. sync's are done to thunderbird on Linux and Mac email. POP, not IMAP. IMAP alone would be a problem.
I dumped my Google 'account' long ago, when I signed up for Plus and they wouldn't let me back into my (4-year-old) Blogspot blog without verifying my name.
What I did then was to block most everything Google (less Youtube) and find working substitutes. It didn't hurt me for long, I routed-around it. After that, I was never hurt by any of their service-shutdowns, and they've earned my scorn in many new ways.
I moved everything important off Google years ago. I figure trusting the world’s largest advertising company with private data was sub-optimal.
The cases we’ve seen since, where people get their Google accounts terminated without reason or appeal options, have only made me more adamant in my position of not entrusting Google with anything important.
So the only thing I’d lose that would bother me would be my YouTube subscriptions and watch-later list.
I have moved to enterprise email. As long as I can prove the ownership of my domain I believe Google will try to restore my access as a paying customer.
Unfortunately, there are stories on this very forum of organisations having their entire GSuite accounts locked because of a user committing a TOS violation on their personal account. Google proceeded to lock all linked accounts too, including the entire org (the user's employer).
So, at least for phone numbers, Canada has a Wireless Number Portability policy. Would a similar policy for email addresses be completely unreasonable? I understand that there would be significant technical difficulties, but it would at least prevent folks from getting locked out of their lives because of an arbitrary decision by Google or other large email providers.
Not much. I guess at some point you realize how much you depend on things and how a single point of failure could greatly perturb your life. Unfortunately diversifying your identity is not as easy as diversifying, say, your stock portfolio. Are people willing to lose parts of their identity in the same way they're willing to lose parts of their assets?
To the people who talk about devices becoming bricks: why do you pay more than a small fee if you effectively only rent them?
If you "buy" something you are not root on or cannot change the bootloader (and everything) on, you must expect it to stop working from day 1. To me, it would not make sense to pay for that.
I have several Google accounts, all for different purposes, but I don't use any of them much, and not for anything that is really important. Google can probably trace them all back to me if they want, but I like to separate the identities. I don't check the email for any of them.
My previous job had all its accounts via Google. It felt icky.
I only use my Google login for Youtube. Without it and assuming I could not make another, it just means I can't leave any comments or view anything flagged as mature. I could do without it really. It's just as easy to bookmark the channels I find interesting and very rarely do youtubers respond to my comments.
I moved to a paid email provider two years ago and keep local backups. At this point the only Google service I'd be remiss to lose is my list of Youtube subscribed channels. I never really got into the ecosystem. I've been wanting to try Google Calendar but I could never stick to it.
It seems there's a simple solution for this, paid customer support. Why doesn't Google have an option where someone can pay $50 (or some other set amount) to get assistance? This would immediately filter it to only legitimate and serious cases.
Why do people trust anything with untrustworthy organizations? Sure I have a google account. Is anything I value maintained there? Absolutely not. They are untrustworthy, and have demonstrated as such numerous times. Mom didn't raise no fool.
I would have to make a new one if you wanted to look at some age-rated YouTube videos. That's all. I never did go near the Google ecosystem, having had a taste of them early only for support on a real, "we paid for it" product.
I would lose access to analytics - the only Google service I use. I don’t use chrome, I don’t “sign in with Google” on any sites, I’ve never used Gmail, and I’ve been generally very cautious about anything they have their hands in.
It'd be a headache at first for logins and losing things in my Drive, but I would honestly feel a whole lot more freed up without it as I'm not v good at maintaining all my accounts, history, files, etc.
While we're on it, what's the best way to back up all my Google Photos? I'm on a paid plan, but nonetheless, that has some important memories I'd like redundancy on.
Get an external hard drive or NAS (Synology makes well-supported devices), go to takeout.google.com, request an archive of your photos, wait a couple days, and then download the archive.
Note that the Takeout archive will most likely not contain your original images. Google Photos deletes, and in some cases rewrites, the metadata in your files. It's much better to back up your photos and videos directly from your devices. I use Resilio Sync or SyncThing to do this automatically, and then use PhotoStructure to manage and view my photo and video library on my own hardware.
I decided it was worth it to pay Adobe $10/month for a terabyte of storage. I really like the integration with Lightroom, where I can give it a budget of how many gigabytes it's allowed to use locally and it handles swapping out high resolution for 'ok' resolution so my whole collection fits on my laptop.
I also appreciate that they gave me a checkbox for "please don't use my family photos to train your algorithms" so I can opt out. Google does not give you the option; all your photos are theirs to train with.
I wonder if we will eventually have laws regarding the most essential online services and service guarantees, in the same way we eventually got GDPR.
Right now I can think of email and password managers, although email could be further split into the mailing service and the mailing address.
If your bank collapses your money is insured to an amount of X.
If your password manager or mailing service collapses you are relying on their goodwill to announce early.
I don’t know, but is there a legal basis to inherit email addresses? I doubt it, except if you also own the domain.
I would also appreciate some kind of officially vetted recommendation for what to do to keep risk low. Something easy to read that can be forwarded to friends and family.
Internet service access has become such an important part of the economy, and yet we rely on blogs or the occasional newspaper article telling us what to do.
One day something big might break and it will hurt the unprepared.
But if I lost my Outlook account, which I use for Exchange calendar, contacts and email sync, calendar and contacts would be no problem since they are offline on my phone at any time, so they would just need to be backed up and moved elsewhere. Email would be a bigger issue: I would need to notify my client company about using my new address and then somehow try to change the email address at the many services I used this email for.
I'd have to find a replacement for Google Maps and YouTube, but I guess I could just create a new account for that.
I use ProtonMail and iCloud for email and calendar respectively. DuckDuckGo for search, Firefox for rendering web content.
I back up everything to multiple locations/services, so I'm not too worried about losing access to things in general.
Guess the most annoying thing to lose access to would be Facebook, as I have a few contacts on there that I wouldn't immediately know how else to contact, but I'm sure I'd find a way if I really had to.
I'd create a new one right away. And be more mindful of backups and following a ToS. Sure, it's popular to hate on Google here. But the value they provide is undeniable.
This is my method: one account for the phone, one for Google Drive/Google Docs only used in a special purpose Firefox container. Email and calendar are with Outlook.com - they are good enough, work fine with Android, and are worth the reduction of entanglement with Google in my life.