It's true that every service has to deal with the same policy and lockout problems, but that doesn't lead to the conclusion that the risk is the same. I pay for FastMail because
1. if something goes wrong, I can reach a human without needing to write a viral blog post first. Other services pay for a customer service department.
2. I trust FastMail more to not shut down their product because they got bored. Sure Gmail will probably not go away, but I'm honestly not as confident about Google Workspaces or whatever it's called now for individuals.
3. I'm tired of acting like using products from an ad company is a good idea. People happily use an email service, browser, OS, and more from the modern DoubleClick without a second thought.
Any company with a business model that takes your money and gives you service is inherently more secure than one that sells your eyeballs to advertisers in exchange for giving you free stuff. The former companies have a direct incentive to keep giving you service as part of their core business. The latter are really only paying attention to the money they get from advertisers.
>Any company with a business model that takes your money and gives you service is inherently more secure than one that sells your eyeballs to advertisers in exchange for giving you free stuff.
If anything, companies try to double-dip and serve multiple masters. See: the security and privacy mess in smart TVs. Last I checked, LG wasn't giving their TVs away.
> If anything, companies try to double-dip and serve multiple masters. See: the security and privacy mess in smart TVs. Last I checked, LG wasn't giving their TVs away.
This is true, and you transition from customer to eyeballs once you take delivery of the product, but it is also tempered by the fact that they would like to sell you your next TV as well.
Google has the same incentive to consider users. If your eyeballs go away they have no recourse for tomorrow. This is no doubt why they give their services away. If they thought they could achieve similar market share while also charging you they certainly would. (And they do whenever they see the chance.)
Google certainly could charge a very small fee for existing gmail, youtube, etc, accounts and make a bunch of money.
In fact there is a pretty strong argument that they are leaving money on the table by not doing so.
Imagine you like your gmail and you have had it for the past decade. If Google charges only $1 per year across say a billion users that is a billion dollars.
Even if they lose some users at the margin it may make sense...
According to wikipedia gmail had 1.5 billion active users in 2019.
As internet services mature and stop growing exponentially it makes sense to charge for them.
Yes it is true that some might switch but what makes more sense from the perspective of most users?
While I agree with your premise, once you charge someone for something, even if it is $1/year, then they start expecting something for that money above and beyond what you provided earlier. In other words, now you've got to budget for real customer support and that will undoubtedly cost you more than the $1/year you're receiving as payment from that customer.
Funny enough, advertising was a relatively small part of the economy until the last several decades. Now it is an "industry" in the multi-trillion dollar range.
Even funnier, if Google search worked effectively for product discovery the vast majority of advertising would not be necessary.
Good point. Maybe the death of advertising comes when some entity knows us so perfectly well it automagically provides the exact thing we want/need exactly when we want/need it.
Google used to for me at least from around 2010-2015 +/- a few years. It was incredible. Now it is usually very hard to find anything I want via search. I suppose a certain amount of defect in search results is optimal for the ad business.
The amount of nonsense on my LG C1 is nonsense given what I paid for it. Seriously considering getting an Apple TV or Nvidia Shield to run all my stuff on. Their UI is so bloated with crap.
Have you looked into displays built around the raspberry pi compute module? I don't have experience with them but I've heard them mentioned (here iirc but it's been some time). I don't know much about them so I'm sure the implementation varies between manufacturers.
An example from Sharp: https://www.sharpnecdisplays.us/system-on-a-chip
I started with the no wifi plan for my Sony. They would put popups on screen warning me that I wasn't connected to the internet, even when using a streaming device or blu-ray just often enough that they got me to connect it to the internet. I don't use their apps and turned off the data sharing. I haven't noticed an uptick in personalized ads anywhere. If anything, my Facebook ads are worse than they were before. Just a bunch of crap I'm not actually interested in.
Unfortunately, the Nvidia Shield hasn't been the community darling for some time. Ever since there was an OS update that started putting ads on the homescreen.
I stopped using the Shield when I realized that my LG C9 runs the streaming applications much better than the Shield. The Shield has always been slow for me and Hulu on it never worked right. Every time it went to the next episode of a TV show, the screen would be black while the audio played. I don't think it was consistent how long it stayed like that for but it could be up to a few minutes.
I'll just let LG collect my viewing habits if that's what it takes for a good experience. But I did decline all of the agreements that have anything to do with data collection, so hopefully they're not being overly intrusive anyway.
I just hate that I can only download a few apps unless I make an LG account. I don't want an account to log into my tv so I can access my accounts I log in to. That's some Xzibit nonsense.
These days I get better performance out of my $25 Fire stick than the Shield. The ads are a bit worse, especially since I don't even have Prime anymore but I'll stick with it until it gets to be too much or too slow and then probably buy an AppleTV.
gary_0 seems to be using "security" to mean "sureness of their continued existence", as in "food security". I don't think there's any question that Gmail is more secure in the computing sense.
> Except for the bit where they read my email and advertise to me on that basis, which is admittedly an ugly tradeoff.
Iirc, Google reads your email, but explicitly says they do not use what they read to personalize your ads.
> To provide you features like smart inbox categories, Smart Compose, and spam detection, we use Gmail data to provide a more intelligent email experience and keep you safe. - https://support.google.com/mail/answer/10434152?hl=en
Famously, a while back, at some Google subdomain, you could see a list of all of your payments extracted from your emails, but I'm not sure that still exists.
> I suggest that Google is probably 'more secure' than FastMail
The overused phrase "more secure" doesn't mean anything without context.
To evaluate the security of anything you first need to identify all the threat models that concern you (and perhaps call out the ones you don't care about). Then evaluate each solution against every threat you identified.
For instance, for the threat of the vendor itself sabotaging my access to my account, I'll score FastMail far better than gmail.
>> Except for the bit where they read my email and advertise to me on that basis, which is admittedly an ugly tradeoff.
If you are paying for google apps this is not a trade-off. I dislike how (as a paying) customer they continually push me towards google-only <everything> but they don't require it.
That didn't stop them from having vulnerabilities in gmail that allowed anyone to fake the dkim verification and pretend to be the CEO of google, which they then ignored until someone did in fact do this, to prove it :)
> Any company with a business model that takes your money and gives you service is inherently more secure
I just finished reading Postmail For Dummies. Since I'm charging $5/mo for email accounts, you'll obviously want to migrate your gmail over since my solution is so much more secure.
This comment is so ironic considering that Apple has just lost their lawsuit in the EU for doing exactly the same.
Whether you paid for the product seems to have little impact, the reality is that all tech giants carelessly invade your privacy with no recourse for the user.
Humans executing security policy (inherently imperfectly) versus ML algorithms executing security policy (deliberately imperfectly) is not the main issue. The real problem is that the industry hasn't purposefully sat down and hammered out the full contours of user verification. Each company just starts off with simple passwords, bolts on a few other arbitrary mechanisms, and then forces that on their customers - residual probabilities and collateral damage be damned.
Strong passwords, hardware security keys, shared secrets meant for offline storage, SMS challenge, other accounts, snail mail address verification, notarization (governmental identity), voiceprints, time delays, etc. Each one represents its own tradeoff of convenience versus reliability versus forgeability versus privacy.
Users should be able to pick their own policies. For an email account where I've already provided my real world governmental identity, I'd most likely prefer snail mail address verification plus notarization (combined with notifications to the account and a waiting period). Whereas for another where I've deliberately avoided spilling my governmental identity, I should be able to express that a password plus hardware security key is the highest level of verification there will ever be.
Furthermore, companies need to make their own rules for falling between everyday access to account recovery explicit, and allow users to express preferences there too. There should be no cases of the wind blowing from the east so we require account recovery today, forcing users to be policed on what IP addresses they're coming from, etc.
I can't find any information on what happens if you stop paying for a Fastmail account. 1Password for example freezes your account in read-only mode. It's documented that Fastmail will re-use addresses for free trials and when a user requests to cancel [1]. It isn't clear what would happen if for some reason your card expired, they stopped accepting it [2], or your bank messed up and blocked the transaction [3].
To me, this introduces a new way to lose your account that isn't there with a free email service like Gmail.
I had an issue with the credit card used to renew a Fastmail account. Fastmail sent me emails about the issue, but it took a couple days to fix everything on my end. Even after the renew date passed my email functioned as normal, so there seems to be, at least, a grace period. Not sure what would have happened if it went on for longer though.
>Not sure what would have happened if it went on for longer though.
When I missed the payment they sent me this:
"You can still use your account for now. If the subscription is not renewed soon, sending and receiving email will be disabled.
If the subscription is still not renewed after a few weeks, access will be disabled. Eventually, the entire account will be deleted, including all stored messages."
Specific timelines would be nice to know, but otherwise this sounds reasonable. If you stop paying, you have a grace period to download all of the messages before they stop you from using their service as a read-only archive. Then you have another grace period to pay before they clear out your data so they're not wasting space holding onto your junk and to avoid maintaining any liabilities that come with having your data stored on their servers.
This is why paying for your own domain is so important. I keep mine prepaid for multiple years and my registrar sends me at least 5 emails before I would ever be at risk of losing it. My email address won't be getting reused until either emails are no longer relevant or I'm dead.
The only time I've been locked out of e-mail is when my credit card company incorrectly labeled the payment to the provider as fraud and the so called company that you can call and reach a human to discuss issues with, was not very sympathetic to my case and I didn't have e-mail access for 4-5 days until the issue was resolved.
Just an interesting data point. It wasn't my intention to label the payment that way. It is what it is, but, just as OP seems to believe, I would have expected the issue to be resolved faster. Though, perhaps if I were to receive a "fraud" label on a non-paid account maybe I would be blocked to this day.
> I pay for FastMail because - if something goes wrong, I can reach a human
You can do that with GMail too, upgrade to the workspace account. I had some issues with it last week, and I was able to reach a human and get it resolved soon.
This is regardless of Google. Reaching humans is impossible with "Outlook" free email accounts, but amazing with Microsoft 365.
Good it's a paid product. I had an account with a free email provider openmailbox.org, which closed down. I lost my mail box and, together with it, a valuable domain I bought in 1995.
I've been on Fastmail for almost a year, and I get spam/obvious phishing attempts in my inbox. Compared to my experience with GMail before switching to Fastmail, I found Gmail to be noticeably better at spotting and filtering both spam and phishing emails.
Having said that, I'm still not going back to Gmail.
What I'm hearing is that PM's spam detection is so poor that you don't feel like you can freely share your PM email address, out of fear that you'll get spammed. That's not a very convincing pitch for their product.
2) Why in the world would Gmail get shut down? The veins of treasure to be mined from within the user's emails are vast and endless. It is quite simply a mother lode. The only bigger source within their direct control is the search input screen.
Your link describes how security lockouts are probabilistic, yes, but it doesn't get into what the probability is. The article we are commenting on does try to get there, by looking at how often and in what scenarios HN users report getting locked out.
Your link is also talking about the no 2FA case, while the article is recommending 2FA with (multiple!) hardware security tokens.
I think they are talking about some change to workspace effectively breaking the service for them. This has some precedent (with the old “dasher” personal accounts having growing pains for some people migrating IIRC) but also seems like a very low risk.
That was the internal name for personal paid gmail - I honestly cannot remember the nondescript word combination they called it publicly, but it was rolled into Gsuite which is now google workspace and google decided they wanted to focus on business users instead.
Anyways, basically agree that gmail isn’t going anywhere, just a gmail-related story of people depending on a new flavor of gmail/ google identity that was being migrated messily.
I used this for 10 years or so before realising they'd moved the backends as they were planning the workspace thing and they were separate - you couldn't share between the two, loads of features missing, etc.
OP specifically mentioned Google Workspace for individuals - that's what I used to use so I can use my own domain and so "own" my email address. There's a good chance that gets shut down. Google Workspace for large orgs or Gmail does not have the same risk.
Having read some 'digital archeology' where people gather data off old MainFrames and Minis, that at some point someone could just buy all of @NetZero.com, netscape.net or ZipLip's email servers and opening up all of the stored email for a fee ($99 per email address). How much would you pay to read your former business partner, ex-girlfriend/boyfriend, or that person you crushed on email?
I agree, but I do worry about it being ruined some other way - forcing me to use Chrome, censoring emails, bundling it with a paid service, ad-blocker-blocker, something else...
This is more the truth of it. It isn't some quantifiable probability that a big-tech service might disappear. It's that they're such clumsy lumbering beasts, and so insensitive to humanity they will steamroller over your rights and needs like crushing an ant. You mean nothing to them. And in turn their pledges and promises mean nothing. A cow is a dangerous animal not because it has claws and teeth, but because it's big, fearful and basically a bit dumb.
I'll take the limited risk. I've had to contact Fastmail support and it was a breath of fresh air. It's a bit absurd that something so fundamental as email has essentially no support from a company as large as Google; it's not a bug-free product.
I suppose eliminating humans is a security win, but HN is full of stories of AI systems failing and banning accounts for essentially nothing. Not having a human to appeal to is far riskier to me. It's not like these AI systems can't be gamed to knock people offline. I'll take the risk of having humans involved -- it's far less stressful.
> It's a bit absurd that something so fundamental as email has essentially no support from a company as large as Google; it's not a bug-free product.
I'd be willing to bet that gmail has a couple of orders of magnitude more users than fastmail while also providing a substantially bigger inbox (than the cheapest fastmail option), and providing the whole thing for free. I don't think it's surprising that they make trade-offs to support that model. Just think of how many support staff you'd need to support 1.5 billion users!
> HN is full of stories of AI systems failing and banning accounts for essentially nothing. Not having a human to appeal to is far riskier to me. It's not like these AI systems can't be gamed to knock people offline. I'll take the risk of having humans involved -- it's far less stressful.
I don't think the trade off is that simple. There are plenty of stories of support staff getting scammed into incorrectly providing access to accounts. Is one better than the other? It's not a clear choice imo.
>> I don't think it's surprising that they make trade-offs to support that model. Just think of how many support staff you'd need to support 1.5 billion users!
Google has a shitload of money, they can afford hiring enough staff. Cost is a lame excuse here.
They provide support for users that pay them, and for advertisers. Their business model is to sell things, and it is working pretty well. They can certainly 'afford' it, but they don't want to, and your complaint as a 'free' tier user means little to them.
What is needed is legislation or some practiced standard regarding real-person online-id so that losing access to your email account doesn't nuke your ability to operate online in a way that requires you to verify your identity even pseudonymously.
I've managed a Google Workplace account (~30 paid users) for over a decade and have never had support respond in less than a week. And each time I got a canned response. I just don't even bother anymore, which is likely what they want. I don't think this is a free vs paid thing. It's just the way Google operates.
That's weird, I have a Google Workspace account with less than 10 paid users and had several in-depth conversations with support personnel on SMTP and DNS setup issues. It was outsourced to an overseas call center, but they did respond to my queries.
That said, I have issues with spam being delivered to my organization's group aliases and I can't report the spam because it flags it against my group alias not the original sender (!) I can't turn spam filtering on the group alias because it flagged legitimate emails from our customers. So I'm kind of stuck between a rock and a hard place, with no one at Google to talk to about it.
It depends how much money you spend with them. If you shell out for expensive support in GCP you get guaranteed response times, dedicated account reps and so on.
I'm paying $10 a year for my email and the one time I had an issue I got a response within 8 hours and a follow-up after everything was resolved. It shouldn't require Fortune 500 levels of spending to get basic service.
Not really. It sounds like you don't have a sense of how much it costs to hire people, how many people are needed to provide oncall support, and the scaling cost of managing and training people.
My main email account was through Hotmail in 2000, and it got shut down that year due to a social engineering attack. The guy who did it even told me he was going to do it first. I didn’t get to have it covered in any mainstream news headlines either :P
> AI systems failing and banning accounts for essentially nothing.
The strongest statement you can make about the standard HN Google account outrage post is that the complainant is unaware of or unwilling to admit to the behavior that got their account suspended. Drawing the conclusion that all such complaints are false positives is not warranted by the evidence.
Unless you're implying that the false positive rate is 0%, then it's still a concern for me. I've seen cases where the user obviously did something in error but had no chance to appeal. E.g., they uploaded a photo that got flagged and then lost access to their email, domains, YouTube content, any form of social login, etc. My email account is too important to me to risk with an automated system without an option to appeal to a human. That risk is much higher to me than someone social engineering their way into my Fastmail account.
To me, this is analogous to backing up your BitLocker key with your online Microsoft account. Is it the optimal approach to security? No, but the far more likely risk factor is losing your key locally and then losing access to all of your data. I'll take the peace of mind that comes with knowing I can speak to a human if things go sideways. As an added benefit, I've been able to speak to a human when routine service issues have come up and it's been a pleasant experience.
An extremely underrated (and insightful) point to consider.
More generally, how do you actually get a measure of risk between two providers, when the absolute frequencies of measurable events are very low?
It seems plausible to me that FastMail could have 10x or 100x the level of security incidents as GMail, and it would still net out to an undetectable difference in the number of public complaints.
When I worked in the anti-abuse business, account security was tracked by lurking in organized crime fora and determining the market price for stolen accounts. I don't know what it looks like for FastMail, but I do recall that the range between good and bad platforms was huge. A stolen Google account was like $10, but stolen Yahoo! Mail accounts were more like a nickel per thousand.
(Architect of Fastmail's login/account recovery protocols here.)
Firstly, I will say this incident was unacceptable, and we were deeply sorry about it. However, it is also the only time it has happened in our over 20 year history (to the best of our knowledge of course). We already had several projects underway to improve the security of account recovery at the time, which unfortunately hadn't quite landed yet. Since then we have introduced an automated recovery tool with a very carefully designed flow (more info: https://www.fastmail.com/blog/security-account-recovery/) that securely handles most common cases (e.g., forgotten password, or user's account stolen due to password reuse/phishing). Human support is still available, but any account recovery request can only be handled by senior support agents who have undergone rigorous training, and in the case of any doubt are escalated all the way up to our senior security engineers.
Elsewhere it's been mentioned that different people may have different priorities in balancing ensuring they don't lock themselves out, versus ensuring an attacker can never access their account. We provide some flexibility here. If a user has 2FA enabled, we must verify two separate means of verification to grant access, whether via our automated tool or support-assisted recovery. Users can also submit a support ticket to request we add a note to their account to never do human-assisted recovery.
I realise it's very hard to assess the security competence of an organisation from the outside, and for what it's worth, we think the Google security team also do an excellent job. But overall I think we do a very good job of keeping users secure while not locking them out of their own account.
> Elsewhere it's been mentioned that different people may have different priorities in balancing ensuring they don't lock themselves out, versus ensuring an attacker can never access their account
Thank you, this is the most important observation.
Service providers should be providing flexible mechanisms to meet different needs, they should absolutely not be imposing a one-size-fits-all policy. That's the fundamental wrongness with google/facebook and their ilk.
Only I know what the security levels I need for any given account I own. I must be able to configure the policy.
Sometimes, I value my access above all else. With some other account I may value preventing access to others even at the risk of losing access myself. Other variants are possible. Only I know what the correct policy is in any given case.
On the contrary, I would argue this is the exact mindset that makes Google so bad at securing their systems. Every single large Google platform is also the leading distributor of its kind of malware, ultimately because computers are stupid and once you understand what they are programmed to handle you can work around them. Humans can become suspicious and can be held accountable, computers do what they're told and nobody is taken to task when something goes wrong.
I would contend that if you cannot reach a person, you cannot trust a system. And that has generally held in the entire history I've been on the Internet. I chose my web hosting by who had phone support, I've had the CEO of Fastmail respond to my support tickets before. I have yet to be betrayed or compromised by a single platform where humans were involved, but automated systems have failed me regularly.
This is true of offline systems as well. If you want a security system to protect your business, you may have keypads and sensors and things, but you also have a monitoring center staffed by people who can see events in real time.
I think our industry has had a fantasy that complex enough math problems can provide real security, but I would hope by now the cryptocurrency market would've put that silliness to bed by now.
I'm not sure how you can make that judgement without extra context (that is almost certainly tightly held within google). For example, what actually is the error rate? How does that compare to improper access that is successfully prevented?
Obviously any real person losing access to their account is a rubbish experience for that person, but an error rate of 0% is not possible with any system (including those with plenty of humans involved) when there are billions of users involved. I think a much more interesting question is "what's the acceptable error rate?"
I highly doubt that Google even tracks the error rate. I mean, that you somehow need to make a viral post on HN to get your account back is evidence of that; they don't even know they made a mistake. Also, based on the number of posts that we see here, it's a non-negligible error rate. How many users does HN have? A couple of 10 thousand. So 32 posts makes it maybe 1 in a 1000; even if it is a 1 in 10000 or even 1 in 100000 error rate, that's a pretty high probability to lose your online identity.
So if there is no way of contacting a human if you have been locked out of your account, how do they determine a false lock out? I am serious, every thread here on HN about being locked out said that the affected person tried all other avenues and did not get anywhere near a real human. So that would make all research flawed wouldn't it? Because it simply checks that the algorithm is consistent. Let's not assume malice. However, that doesn't make it much better because it means the account abuse quality research team is borderline incompetent.
> So that would make all research flawed wouldn't it? Because it simply checks that the algorithm is consistent. Let's not assume malice. However, that doesn't make it much better because it means the account abuse quality research team is borderline incompetent.
I don't think it follows that you need to speak to an affected user to confirm they were improperly locked out of their account. You could have a human review the account history and the steps that led up to the suspension and so on to make a decision about whether it was a good decision or not. No doubt you'd get more info if you spoke to the affected user, but that in itself is not perfect (a scammer's whole game is trying to convince google they're someone else, after all.)
I guess what I'm getting at is that I think there are a lot of grey areas when you're trying to do account recovery at scale. No doubt there are cut and dry cases where people are locked out of accounts they've used for a long time (and that's shit for the people affected), but there are also plenty of scammers who'd put a lot of effort into convincing a support person that they should have access to an account. I just don't think having support staff is the panacea it is often portrayed as.
One can easily make that judgment. The absence of extra context is a good reason to make that judgment. Google has a reputation for closing accounts and refusing to communicate. Google does not contest this reputation. They give no numbers and share no rate. "What's the acceptable error rate?" isn't an interesting question if you have no numbers. We do, however, have other companies and service providers.
> How does that compare to improper access that is successfully prevented?
Last year I had an email from immigration services and I had to reply within 10 days. If I lost access to my email, I would be deported right now. They don't call, they just email. Why? I don't know, but that's what it is.
On the contrary, if someone gets access to my email, what can they do? Send random porn to my contacts? No-one will care.
As long as I can call the provider and fix the problem, it is irrelevant.
* For your own security (from theft) we'll hardware lock your phone. Best to throw it in the dumpster if you forget the password.
* Can't allow people to repair their own hardware. What if kids try to do it and end up burning the whole apartment block. Best to forbid it for security.
* You can't film public institution: it's a security issue.
* And now: can't allow humans to operate business decisions. What if they're socially engineered? Best leave everything to automation and fuck you if you slip through the cracks.
It's funny because in the airplane industry, even though planes basically fly themselves, companies still want pilots, because that's what people are best at: solving unique problems as opposed to repetitive issues.
A critical question is what threat models you're worried about:
Are you worried about an individual interested specifically in you, Jeff B, to get something worth many thousands of dollars that they know you have? Don't put a human in the loop, they're going to track you across Facebook/LinkedIn/local government resources, they're going to know more about your car registrations and when you bought your home than you know about yourself, and they're going to be able to very convincingly social engineer a human in the loop if one exists.
Or are you worried about a group of hackers continuously crawling the web for a database dump from some service you and ten thousand other people signed up for, or some flaw in the authentication sequence to automatically sign everyone in the database and all their contacts a spam network for pennies per person? Their scheme falls apart if they have to call a human, because it's just not worth the time to look up your public records and talk to a human about you.
Second, what happens after you get hacked? Are you more concerned whether you no longer have access to something very important to you? For example, if you've distributed business cards or have contacts stretching back decades with jeffb@gmail.com, losing that account might mean an old friend or business contact fails to find you again. Having a human in the loop for the last-resort password reset can prevent completely losing access.
Or are you more worried about someone getting access to the data behind your login? You've presumably got backups, so you'd rather no one ever had access again than some malicious third party got the password to your crypto wallet, SSH keys to your website, or other private data.
Those have very different ideal responses. Unfortunately, most people tie both categories together in their single Google account, or in an Amazon account tied to both shopping and AWS resources.
It is a fantasy that you can have humans adhere to procedures. That's the whole underlying problem of social engineering. Just take the human out of the loop.
"I don't know if you wanna entrust the safety of our email to some silicon diode."
All joking aside:
I mean... we already know that taking the humans out of the loop leads to undesirable consequences (like losing your Google account with no recourse). So the only question is whether or not the consequences of one scenario or the other are particularly worse.
See, that's the fundamental hubris/weakness of the "Silicon Valley current ethos" (well, most tech ethos today) taken to the extreme: taking the human out of the loop. Then who/what does it actually serve?
(or maybe, they perfectly know it, but don't say it out too loud)
Chargebacks can get your Google account locked. If you have a dispute with Google and protect yourself by reversing a credit card charge, Google might lock you entirely out of your account. The Google Pixel subreddit has a bunch of people's stories about that: https://www.reddit.com/r/GooglePixel/search/?q=chargeback
Not sure if this counts as "policy reason" for the article's purposes; he sort of dismisses payment disputes. I could argue either side about whether a suspension like this is reasonable. In the Google Pixel case the chargebacks mostly start because Google outsources hardware support to a bunch of unreliable third parties. Some of whom seem to either lose or just be stealing customers' phones when they are sent in for repair.
My takeaway was that if I was ever in a dispute over a couple of hundred bucks for Google, I would not risk a chargeback for fear of retaliation. My account is one of Google's very first, when I worked there I launched one of the first products to ever use a Google account. I have no faith that as an outsider now I'd ever get a reasonable hearing over an account dispute.
To me, a chargeback is a 'burn the bridges' moment. If a company has wronged me to the point I'm prepared to do a chargeback, then I obviously don't want anything to do with that company anymore, and I welcome them to close my account since I will never do business with them again. Why would you want to continue doing business with a company that has frustrated you to the point of doing a chargeback?
I hear you, but Google is a giant dominant player. Just because their third party cell phone hardware service contractor loses a phone doesn't mean someone doesn't still need to use them for email or cloud computing services.
It's the lack of a central, accountable point of contact for everything under the "Google Account" that's the real problem. Since its very beginning Google has been bad at consumer relationships.
Maybe I'm reading this too negatively, but I just view it as their cost for not having a streamlined process and that it is just part of the transaction. It is one of the main reasons I use a credit card. If a company takes my money and reserves my room at a hotel and I show up at 2am, I expect access to the room. If they don't, I request my money back in person for services not rendered. If they cannot do it right then and there, I just tell them I'm going to chargeback because I don't really trust a company that took my money in the first place to return it in a timely manner. This happened to me in 2022 and I still plan to stay at that hotel chain. Just a rare occurrence for which they paid.
The problem is that Google is a conglomerate. You might be disappointed with their phone service or their phone store or their tv service or whatever and never want to do business again with that section of the company, but still want to keep using other parts. Maybe that sours you on the whole company, maybe not, but even if you don't want to end your ties with them, you probably want to end it on your terms, not immediately as you get your money back.
Google no. I am very very close to being able to kill my google account though I probably will just leave it parked.
Believe it or not Google Voice is the one thing holding me at the moment. Nobody offers the same quality service period, let alone free. Come at me HN, I'm open to alternatives. Google Voice also has one killer feature nobody else has; the ability to make and receive calls using your carrier voice service and not DATA. Generally a higher quality connection that on most plans these days is unlimited, whereas a lot of plans still count data usage whether it's an "unlimited" (but throttled) account or not.
OpenPhone is the closest I've found and seems their customer service is horrible, I see people on reddit complaining about them all the time.
Google Voice is the only service I don't have a good replacement for either. I pay for Youtube TV (cable streaming) because it has the best price/value proposition for my viewing habits but there are a half dozen other services I could switch to and be happy.
I still have a shared calendar on Google but only because I can't convince my wife to try something different. I used to be all-in on Google but have spent the past 2 years getting away as much as I can.
Maps was my killer app for google. Early on I started with TomTom on a PDA, but Google maps for years was the absolute best. Until all the blatant ads showed up. First every McDonalds is visible at far zoom levels. Then garbage I don't want starts showing up in search results. Viewing your travel history is mildly disturbing and even if you delete it you just know it's already been data mined.
I hear OSM has some decent map and navigation solutions now, but for me Apple maps long ago passed the touring test. I only trust that Apple with all their positions and statements on privacy will suffer irreparable harm if it is discovered they sell user behavioral data like google blatantly does.
Sometimes you have little choice⁰, sometimes there are convenience¹² issues.
My point is to avoid even having to consider making this choice, by never doing anything that I might ever want to charge back. Separation of concerns: don't do (significant) money stuff with Google, then money stuff can't affect your other uses of Google.
----
[0] Some have a lot of contacts who know them at their @gmail address, getting people to update your contact info when you deliberately change address can be enough of a faff, imagine having to do it without warning. Some also have other accounts where they log in via Google, they need to make sure those are transferred to something else (if possible).
[1] I have nothing irreplaceable in Google's sphere (my phone contacts & other content is backed up there, but not only there) though there are a few shared photo albums and so forth that I interact with using that account.
[2] Even if you intend to move away from Google or other large multi-pie-fingered company, and are actively doing so, you want to do that at your convenience, not with them chucking you out in an automated hissy-fit.
Exactly! Maybe this way we could do something about mail delivery issues too. I think it shouldn't be okay to accept mail and then still drop it, yet Microsoft does it sometimes with new mail servers.
It also really needs to be mentioned that Google’s store was (is) absolutely awful for buying gear.
I wanted to buy 2 pixels from them. Put the order in, no news for 7 days, at the exact 7 day mark my order gets cancelled. Tried talking to customer support with no success because there isn’t any.
So I put the order in the second time and the exact same thing happens: after exactly 7 days, my order gets cancelled. I say f’ it and buy from a local dealer, with next day delivery.
A few days after the fact, I try using my credit card for something and my transaction gets denied (I had a -200 euros limit). I call the bank and they tell me that there’s a hold on my account from Google, for the price of both orders (about 1500 euros I think) and they are waiting for the funds so it can clear. My only two options are to talk to Google to cancel the charge (lol) or wait 30 days.
I simply closed my card and got a new one.
A few months later I started getting notifications that transactions on this card are being rejected - someone was trying to buy stuff for 1-3$ with my card but it was closed so they didn’t go through. Since I mostly use virtual cards for online stuff (which Google doesn’t like), and the physical card rarely, there is a really big chance that my credit card number got leaked from Google, but there is no way for me to prove that.
Googler, opinions are my own. I work on payments, and have dealt with our credit card processing a bunch.
As far as I know, we've never lost control of credit card numbers and had them leaked. We actually work very hard to make sure humans can never see card numbers (our internal controls are more strict than most banks and card networks).
Also, I didn't think we would hold an auth on a card for 30 days (normally it's less than that). For the MCCs we charge payments on, I believe Visa and the others will only hold an auth for 7 days[0]. If the Auth is staying on your card for longer than that, it's likely your bank is holding the funds, not Google. We try to always cancel auth holds before they expire, to make sure we don't have lingering auths like you saw (I've tweaked this previously due to complaints like yours).
I can maybe look into the payments on your account if you'd like (my work email is in my profile), but I wouldn't be able to reply. It would just give us data if we are failing to cancel auths in some cases.
Hey, thanks for the reply. I got the info with the 30 days from my bank alongside with the options I had, so it may as well be from them - I use a VISA card in Europe.
Also thank you for the offer to check my account, but there’s no need for that as I will try to never ever buy anything directly from Google.
While it's true that most companies will probably blacklist you at least for a while, you can work around it by using a different card or having a partner make the purchase if you really want to continue doing business with them.
Google knows more about me than the CIA and FBI. If they truly want to blacklist me, I'm not working around that without the aid of operators I'd rather not be associated with.
> For example, in HN discussions people will often recommend Fastmail or Protonmail, but they've had their problems too (FM: 2017, 2020, 2022, PM: 2018, 2019, 2021).
I think this is a bit dismissive of Fastmail: in all three of the linked reports (2017, 2020, and 2022) Fastmail has apologized and reinstated the account or provided some other mitigation.
Nobody is perfect, any service will have bugs causing lockouts and false-positive fraud claims. But what makes Google untrustworthy is that they don't seem to have any recourse if you are caught in a mess. To the point where engineers in other Google departments can't get human support, and the linked case which made mainstream news did not get his account back despite being proven beyond-doubt innocent.
A good service can make some mistakes, what differentiates them from a bad service is that they attempt to correct them. Like how a good company can do layoffs if they provide good severance and also cut top executives' pay.
In cases where someone was able to get their Google account back only after taking their case public (ex: [1][2]) I'm still counting this as a lockout, under the assumption that if they hadn't been able to draw attention to the situation they would have been stuck. Are the Fastmail cases different, or was taking it public and getting noticed a necessary part of the resolution process?
> Nobody is perfect, any service will have bugs causing lockouts and false-positive fraud claims
The HUGE difference is both Fastmail and I assume Protonmail (I only have personal experience with FM) actually have customer service departments, with real people.
This doesn't mention what I think is the most egregious example of Google account risk - viewers of Markiplier's YouTube live stream getting mass banned. That included access to Gmail accounts from some reporting at the time (https://gamerant.com/markiplier-stream-ban-lock-users-out-of...). Combine that with automoderation and you have a recipe for people with no recourse getting hammered. At least when Nick (Trainer Tips) got algorithmically terminated for talking about "CP" in Pokémon Go he was prominent enough to get attention, but what if it happened to some no-name with 100 subscribers? (https://www.reddit.com/r/youtube/comments/armac3/youtube_jus...)
And haven't there been cases where developers who'd had accounts banned in the past got hired somewhere and ended up with an employer dev account linked to the banned personal account and also locked? And of course there's the whole question of phones - banned from Google and the entire Android ecosystem? Not like Google can't figure it out if you create a new account with the same phone number and geolocation.
I'd never heard of that, but it doesn't appear anyone was banned for viewing a stream.
Rather, accounts were banned because he asked people to vote via comments using just single emojis, and the repetitive emoji comments were classified as spamming, so accounts were blocked for spamming. Once Google recognized the error of over-aggressive spam classification, it reinstated all the accounts. [1]
Absolutely correct. What would have happened to those banned accounts had it been a livestreamer with a small number of subscribers and a smaller number of viewers? Would any real human have ever looked at it - and would they have cared or been empowered to do anything?
Obviously proving a negative is a problem, but would anyone be surprised if small bans like that had actually happened and never got fixed? I'd be surprised if they hadn't happened.
Yes, well, Google & all sites also have a right to defend the network against attackers, which these people constitute. They actively degraded the site's quality & looked like & were an attack. Ultimately I think it's the right of these sites to handle matters as they may, and to a large degree caveat emptor us users.
But I also very much want there to be forgiveness somewhere in these systems. The historical, classic, "It was just a joke" doesn't cut it, but I also am not heartless, don't think the punishment here ought to be forever. I want there to be reconciliation, reform, appeals available. I personally am a huge fan of better digital justice efforts. But these efforts need to start & take off as ground roots, voluntary systems, to avoid premature & hardening regulation. I think we need some banner sites to bother trying to do better, which so far no one at all has. Trying to force change at the top seems foolish when we have tried so little, when we still know nothing.
I'd love to see some newspapers build "Digital Juries"[1] for abuse/moderation, or see some transparency floated. Just having more open processes would also be very helpful, versus how close to the chest these things are played today.
My concern is that Google has built a system in which for a large portion of the population it's the one who controls whether individuals are allowed access to the Internet (via Android devices dominating the low-end of the smartphone market and many people now using smartphones as their primary/only access), and in addition it controls one of the dominant online entertainment options. So, control of whether you can get online plus decisions about that which can be based on what you do while online.
Oh, and it's profit-driven so there's strong incentive to reduce costs, needs to do expensive content and comment moderation, has what could be classified as a toxic internal structure and a bunch of techies, which leads to automated moderation (e.g. https://arstechnica.com/gadgets/2022/12/youtube-moderation-b...). Because automated moderation can be scaled cheaply, doesn't need to be paid wages and benefits, doesn't complain about mental health, and if something goes wrong, you just point and say "it was a computer problem" and that blunts most of the complaints because who's even responsible at that point?
And while it has all this control it has limited options for punitive actions - Google can't really levy fines, its punishment options are effectively full or limited bans from some services (e.g. no commenting ability), temporary complete bans and permanent bans. If those bans can be circumvented easily they're kind of toothless, so with the information it has it can easily detect most bypass attempts.
So financial incentives to automate and reduce appeal options, plus limited enforcement options weighted to the heavy end, plus widespread use as an identity provider. There are probably a lot of people out there for whom a week in jail would be less of a long-term life disruption than loss of their Google account.
> My concern is that Google has built a system in which for a large portion of the population it's the one who controls whether individuals are allowed access to the Internet, and in addition it controls one of the dominant online entertainment options. So, control of whether you can get online plus decisions about that which can be based on what you do while online.
Neither Google Search, nor Android, nor Youtube require a Google account.
If you want to follow someone on Youtube, Microsoft Edge will let you do so, without an account. Because it's just a web property & not an app, this sort of thing is trivially easy to do.
> There are probably a lot of people out there for whom a week in jail would be less of a long-term life disruption than loss of their Google account.
This is really a great point, and I totally agree. It makes me wish for two things: as you say, a lot more use of temporary bans. AFAIK Google does not do this anywhere. This is a powerful warning & wake up, with less long term impact. Second, a "strikes" policy that has some forgiveness built in. Someone who is one offense away from a forever-ban is in a miserable spot for their whole life, and they should have some ability to get back into graces. That should be part of the system too.
Ah my apologies, that is ridiculous. I should have read in. I thought it was a case of them being told to go flood another channel.
Right now we don't really have any way to know: was this corrected? Maybe Google doesn't do this anymore! But we have no idea. It would be a more moral & just stance for Google to actually talk about this kind of stuff, but, like most companies, there is little communication or updates on how these things work. The triplines are all invisible, the effect happens at digital speed. I find that to be one of the worst things about where we are; it is an intense info-industrial mechanization.
I still don't see how except automation we expect to build affordable at-scale systems. But the AI deciding you are an enemy & flipping the bit suddenly, like it does, is reckless, cruel, & shoddy.
It still shows it's a good idea to separate your e-mail from your YouTube or whatever account though.
When I still used Gmail I was always worried something like this would get me locked out of everything. I use YouTube much more now that my e-mail is safely stored elsewhere.
My YouTube account used to be independent from my Google account, just using my gmail address as the e-mail address. Then Google bought YouTube. Then Google merged my YouTube account with my Google account against my will.
Even if those comments had truly been spam, it's horrifying that you can get your whole e-mail address locked simply for spamming in a live stream. Having your Google account locked is tantamount to being locked out of your entire digital life for most people, and the fact that Google doesn't take that seriously would have been criminal negligence in any just world.
"Luckily" I had enough identity documents to prove to Google's satisfaction that I was who I said I was. But even after I recovered the account, it was all screwed up.
Since then I've dropped my reliance on Google. I don't use them for sign-in, my mail gets regularly backed up, I use alternative apps where I can.
Google scale only works when people and processes are infallible.
Technosocietal Mechanization is a term I might float here.
I'm in a weird spot. I find myself surprised at how actively I defend these companies' right to speech. Section 230 still seems like the bedrock that made it possible to have everyday people put words online to me, and I can't imagine renegotiating a way to preserve that while heaping liability onto those who offer online services.
Yet these completely mechanized processes, with no appeal, no humans, no way to get back into graces if something ever does go awry, is curdling. I can't imagine mandating change, I can't imagine what we could demand that would be reasonable, but I also think this represents one of the worst possible sides of technology & the world; is most quintessentially de-humanizing.
One option is "the opposite of tort reform". Our legal system has been ratcheted one way that's a bit more anti-consumer, we could ratchet it back the other way: increase legally allowable civil damages again, allow more consumer protections against arbitration clauses in EULAs and Terms of Service agreements, stop limiting individual civil court cases in class action agreements, limit the reasons that class action lawsuits right now are the only lawsuits that major corporations are listening to, etc.
In theory, extremely mechanized companies could have to either fix their customer support operations or face an endless stream of lawsuits. You can let the market (again) decide whether they want to spend more money on customer service labor or lawyer labor.
This was related to Google+ (which is rightfully dead now). I wonder if they have something similar to recover for regular Gmail accounts. From the horror stories, doesn't seem like it.
1. Merely looking at published noise may vastly underestimate the size of the problem. Lots of "normal" people including one close to me have several accounts containing parts of their life history lost for one reason or another, and just accepted it and moved on.
2. "Kids in the bath", ha. Carefully framed photo to avoid sensitive areas, taken with a tablet that happened to be handy that is not usually used for photography. Next thing I know I see them on another device. Darn thing had Google Photos with cloud sync enabled by default! Not for long, and I made sure to purge those photos from the cloud. But it can happen that easily.
> Merely looking at published noise may vastly underestimate the size of the problem.
Exactly so. My rule of thumb is that for every problem/complaint you hear about, there are [at least] 100x that many whose unhappy campers won't/can't bother to do anything about it.
Google is too good not to roll the dice. I use Gmail in my own domain with a different registrar. Push comes to shove, I'll move, restore backups, and carry on.
But damn are non-Google ecosystems bad. At work we use m365 and everything is atrocious compared to Google. Logging in is a mess, email search is dreadful, OneNote search unhelpfully defaults to searching the current page, integration with Android is weak, Outlook Calendar never seems to do what I want it to and doesn't seem to handle location in any sane way... I could go on but every time I switch to my private machine and Google-first setup, it's like a weight has been lifted.
I had Google hosting my family's email for a long time (I had one of those grandfathered free custom domain setups).
It wasn't bad and it was free (!), but:
- Google threatened to cut me off.
- Wife's account needed attention to keep it under the disk space quotas.
- Google had creepy marketing based on private email content (making you worry about what else they are doing with my private email content).
- It was free. (Yes, I list that as both a positive and a negative, since it means they have no real responsibility to me.)
I migrated to fastmail and it's every bit as good as gmail with none of the downsides, for a small $/month.
Sure, Google backed down from terminating my service, but that reminded me not to rely on "free" services -- free is always limited. So I thought, "Fair enough, time to pay." I considered Google, but they did not make the cut.
> Google had creepy marketing based on private email content (making you worry about what else they are doing with my private email content)
As far as I know, email content was never used for ad targeting on any iteration of Workspace/Gsuite/Google Apps for Your Domain/etc. (And it hasn't been used for consumer gmail for many years either.)
Not that the details of how they use a specific information stream are all that important (if they aren't using one it's just because they've got something else better). The fundamental problem is that their interests are fairly heavily misaligned with mine. They want to make money by effectively mining my information and I don't like that and find it creepy.
Because they've made public statements to this effect, including in the privacy policy.
Why trust those statements? Because lying would be a very bad idea. The lies would be revealed very quickly (e.g. via whistleblowers). The outcome would be expensive civil lawsuits, probably billions in fines, and a loss of trust in their $20 billion / year cloud business.
My google inboxes are full of spam. To catch the companies that were causing all of this spam, I set up a catchall email account on a non-google email service and switched every vendor over to a dedicated email address (i.e. hn@foobar.com, homedepot@foobar.com).
I expected to catch a tonne of vendors "red handed" sharing my email address, since spam was so prolific on gmail. Nope, I simply don't see spam anymore. In the last four years I've caught exactly one vendor sharing my email address (TicketMaster gave my email address to Warner Brothers).
Given I haven't changed anything materially with how I share my email address (it's still in my git commits as code@foobar.com, still on my website as website@foobar.com, etc., if anything I share it more freely now since I know I have control over each inbox), I'm led to strongly believe GMail has a unique spam problem.
Dealing with GMail's spam problem isn't worth my time. That is amplified by the risk of me getting locked out of an email account. I have one Google account with files and emails dating back to grade school I can no longer access and no approach to "recover my account" has worked in the last 5 years - I've even paid Google for support to have someone tell me there was nothing they could do.
Google is a massive liability for me. They are a huge risk trusting them with anything that doesn't have a dedicated customer support team, a large part of their business model is to waste my time instead of charging me $$ for services rendered, and they do a pretty poor job of maintaining a level of quality in their products like GMail.
Whenever I have to deal with Google I get the distinct feeling that they consider their time infinitely more valuable than mine. I don't like doing business with people who are willing to waste my time like that.
I don't doubt your experience, but I've had the same pattern (gmail.com email spammed to hell, custom domain -> no spam) except that I'm in a grandfathered Google Workspaces account. I also do the custom email trick, and I'm very liberal about handing out those (makes remembering accounts easier as well), but no dice.
I'm convinced that companies filter out custom domain email addresses when they share and spam user data.
I do something very similar, and have a similar result - almost no cross-sharing/selling of addresses.
The two sources I have:
- Leaks
- Guesses - eg. webmaster@domain.com
- Kickstarter
Kickstarter gives over your email to projects, and now I get lots of kickstarter type spam where it's clear projects have shared it out. It's annoying. My fault for using a real email with kickstarter years ago.
I'm pretty sure all the spam I get on my original account (20 year old email, first@firstlast.com) are also more leak related than anything else. That email has been around for so long, and is in a lot of leaked cred dumps. Whenever there's a new dump I get a small spam uptick.
I've been segregating passwords for several years, but nothing like the age of my original one true email.
I recently bought a whole new anonymous domain too, to keep non-personal email off my personal domain (it's firstnamelastname.com). It's fun to have a second domain and totally unique emails per vendor, but doesn't seem to do much. I suspect this is also a volume/value thing for spammers. Everyone has a gmail so search/guess/spam those and it's easy. Individually targeted attacks on domains with very small address lists aren't worth it, and almost worth removing from your spam attack because someone with a small custom domain isn't likely to fall for it. Similar to the delivery typos approach of selecting for people who aren't sensitive/cautious to correct language.
I find Fastmail does a really good job at detecting spam in general too.
> At work we use m365 and everything is atrocious compared to Google.
In my experience the admin side is the opposite. I only have a legacy Google Apps account to judge, so maybe the paid stuff is better, but MS365 has some pretty good tools when it comes to email.
However, both of them have absolutely brain dead policies sometimes. Ex: Google bounces mail sent to accounts locked for suspicious login attempts and MS forces you to give admin privileges to normal users that have to deal with messages that are incorrectly flagged as high confidence phishing.
MS is a double edged sword though. You get access to a lot of tooling on the admin side, but they very obviously don't care about small business users. The Business Basic accounts are more like paid beta testers than anything. You can see it if you look at the release lifecycle for a lot of the products. Ex: Business Basic accounts get app updates before Enterprise accounts.
I currently use MS for everything, but the bloat is starting to get to me. They can't stop adding features and everything there is starting to feel unpolished. They can't even keep their own docs / support up to date and sometimes support will send you links to stale information.
The support is 100% useless from both Google and MS, so I almost never use them and prefer MS because I get more tools to solve my own problems. The "confidently wrong" part of ChatGPT feels like a Microsoft product. Lol. They could literally replace their support with that "AI" and I bet people wouldn't notice the difference. That's not because ChatGPT is good. It's because MS support is so bad.
"My name is ChatGPT. I understand your problem and I'm going to help you fix it." >>> Proceeds to demonstrate a complete lack of understanding and doesn't fix the problem.
I have been pleasantly surprised at the management tools provided by Microsoft to manage 365/Azure/Exchange accounts. Everything seems intuitive and easy.
> OneNote search unhelpfully defaults to searching the current page
If this trivial complaint is the worst you can think of for OneNote then that shows what a good job they've done. I actually hate how good OneNote is because it doesn't work on Linux (as a native application) and there's no good alternative that does. The usual answer I hear is to use a wiki but one of OneNote's killer features is how good its offline capability is when using a notebook on a shared drive, and an online-only wiki is about as far from that as you can get.
(Ctrl+f to search current page, ctrl+e to search everywhere, by the way.)
My list of m365 complaints is virtually endless. It's nothing major but rather death by 1000 cuts.
The focus is almost never where I expect it, the notes overlap each other by default, the sync takes enough time to notice every time you make notes on your laptop before a meeting and then try to use them off the phone.
I would tell you that after using Fastmail, Gmail seems positively glacial and slow. Like, it's borderline "why would anyone put up with this, except maybe because they haven't used good email before". And we just got a huge fine for missing a bill here because a family Gmail account spam-binned it, which isn't an issue for my Fastmail, which handles spam better.
It could be a little faster, maybe, but with good indicators of things happening under the hood, which Google offers, reliable results, and the daily comparison to m365, I have no complaints.
And really, the only faster email setup I have ever used was mutt right on the MTA. I haven't used Fastmail but ProtonMail (my backup choice due to their combo mail+VPN+drive offer) certainly doesn't feel faster than Google.
My Fastmail account receives, at most, a handful of spam emails a week. And Fastmail uses a personal spam filter heavily weighted off your own mail and reported spam as opposed to the whole world's emails. Obviously it has weighting rules that are easily understandable and readable in the headers, but my own trained filter has a really strong impact on the spam score.
Whereas I find Gmail both often misclassifies legitimate mail as spam, and fails to catch obvious spam, the biggest issue is it rarely is fixable by my actions, because it's mostly based on Gmail-as-a-whole's perspective on spam. My Gmail also receives an absolute deluge of junk even though I haven't used it as my primary mail since 2016. I have a somewhat short Gmail address and I strongly suspect it gets dictionary-spammed because the server name is a given, it also gets signed up to random things I never signed up for (including the NRA and Shutterstock, both of whom I had to contact and ask to remove me).
There's another way to "lose" accounts that's a bit more likely depending on your circumstances. I had set up a google account for my kid, so we could lock down the old tablet we let him poke at. I was happy that I had managed to get him his firstname.lastname gmail address in the process.
However recently the family moved to a new country. This basically isn't something google lets you do with a family group, and until you change your play store country, your play store won't have the local variants of a lot of apps, so you can't install them. You have to delete your family group, change country then recreate it. But you can't delete a family group with a child account. The only thing you can do is delete the child account. The help docs mention being able to restore it, but that didn't work, it just said it couldn't be restored. And since google doesn't allow an email address to ever be recycled once it's deleted, I forever locked my kid out of possibly having his firstname.lastname gmail address. Very frustrating.
I had an account from 2005 with a bunch of email with my high-school friends. I then made another account using my real name, which became my primary. A year or two ago I wanted to reach out to one of those old friends, and knowing that I had their email address in the contacts of that old account, tried to log in. Nope, got stuck in an infinite loop of errors and impossible security challenges.
Ultimately I gave up and used another way of contacting that old friend. The experience also made me feel even better than I already did about having migrated to a domain I owned and a non-Google provider for my primary personal email.
I also don't use any 'identity services' because I have no basis of trust in any of them.
I had already begun using my own domain for emails by the time it happened to me, but nothing accelerated that process faster than getting locked out of my Google account. I was lucky it wasn't permanent in my case, at least, but it was a wake up call that I really cannot trust them.
For me, it all happened because I tried to purchase, of all things, Minecraft from the Google Play store and typed my CVV in wrong a couple of times. That locked me out of my email and all Google services for about three days while they did some sort of fraud verification.
While, yes, things can happen to FastMail, etc, the likelihood of having my domain stolen from my registrar (which is very possible) is a lot lower than something happening to my Google account. And, god forbid it did happen, in my experience, getting in contact with a human at a domain registrar is easier than getting in contact with a human at Google.
A popular reviewer in the headphone/IEM audiophile community, Crinacle, had lost his Google account in early 2022, and thus his 100k+ subscriber Youtube channel.
It was locked, with no explanation, and no recourse other than an appeal (that went unanswered afaik).
Curiously, his old Youtube channel stayed up for most of the year, he just couldn't access it, but it was removed too, late last year. He created a new account and rebuilt his following, here's the original video when he lost his account: https://www.youtube.com/watch?v=Jn1b3DztWnc
The biggest issue to me is that Google has a history of not caring about customer service, or any sort of human touch to handle fuzzy situations the algorithms get wrong.
This is the biggest issue. It's not a loss of a single service, but multiple services that are all linked to that account.
It's bad enough when it's all of your Google or Microsoft or Apple services, but it's going to get worse. I'm convinced the whole passwordless movement isn't much more than a strategy for big tech to completely usurp control of identity. People on Hacker News might not get trapped because they understand enough to have some contingencies, but the average person is going to end up with their identity completely depending on having access to an account at one of the big tech companies.
Just wait until they lobby the government and get "Passwordless Login" pushed as a preferred way to access government services. Then they own us.
Consolidated identity and delegated authentication isn’t a conspiracy, it’s a customer driven and infosec driven feature. Managing your own passwords across sites and devices is widely considered to be a security failure with easily guessed reused passwords written in sticky notes or a notebook by the computer or in text files / spreadsheets on that computer.
And governments globally are already doing their own SSO services (the UK has had a version of this for 20 years) and some (Canada) are enabling partnerships with what they feel to be more secure sources of identity eg. online banking.
I think the fundamental problem with Google is that their policies are inscrutable. I wouldn’t rely on any one identity provider for everything either, and would expect all services have a recourse for resetting your login settings when a particular provider no longer works for you.
Hackernews made me realize manual recovery should never be a thing. My first account was taken over by a scammer even with a unique password. I suspect the admins of this site 'manually recovered' my account and gave it to them.
The last message of my first account, areallygoodname, is spam. I couldn't be bothered getting the admins to recover it back. I just took the lesson that hackernews is really insecure due to allowing manual recovery.
At the end of the day, you either have onerous procedures to recover an account--notarized signatures and the like--or you just don't allow it at all. Or there's always going to be some susceptibility to sophisticated social engineering.
> I'm paying $5/mo. for that to not be that screwed (I have family who got locked out. It does happen.)
But the article precisely addresses that:
> For example, in HN discussions people will often recommend Fastmail or Protonmail, but they've had their problems too (FM: 2017, 2020, 2022, PM: 2018, 2019, 2021). Especially given that these are much smaller services I'm not convinced that the risk is lower there. Any system is going to have to handle this sort of problem, and you're not going to find one that never has false positives.
What I'd like to know is: do FM/PM make it easier to talk to a human?
Talking to a human doesn't necessarily make anything any easier.
Lots of large companies have a bunch of customer support agents who are easy to get in touch with, but entirely powerless to solve these sorts of problems: "Computer says no". They are just, to be blunt, executing flowcharts, and have no scope to escalate beyond that.
The only reliable ways to get decent customer support are, in my experience:
- The CEO is a friend of yours
- Your account is so large that a significant chunk of the company depends on you for their income
- You have an ironclad support contract
- Regulatory requirements enforce a level of customer service
Unfortunately, none of those are likely to apply to an average person looking for an email provider, and running one is usually impractical due to these large companies blocking small hosts. Next best thing is taking regular backups and having your own domain with a low TTL MX record.
Right. Say you forget your password. Say you get to a customer support agent and they tell you how to get a password reset sent to your alternate email or phone number.
"Um, I don't have an alternate email and my phone number changed when I moved countries last year."
They'll probably (and correctly) maybe make sympathetic noises but basically say too bad. Presumably this wouldn't happen with a (non-trivial) company where there's some level of known identity. But for an individual there would presumably need to be a last-resort process that required real-world identity verification in some form.
I'm a Fastmail customer, and it's pretty easy to talk to a human. They don't always fix my issue quickly, but I can at least get a hold of a human within 24 hours.
I submitted a support request to FastMail about passkeys not working properly (enrollment failure) for 2FA and had a human response in under 15 min on a weekend.
The point of Fastmail and similar is that you get to use your own domain. Then if your account is disabled, you can just change your DNS and use your email with another provider.
If I lose access to my Fastmail and they won’t let me back in, I still own my domain name. If my DNS provider blocks me, I’ll change the DNS provider. My main email domain is a ccTLD with a pretty reliable registrar who requires national ID 2FA. Things can still go wrong, but I have control at so many levels compared to having a free email at someone else’s domain.
I'm paying $10 a year for https://purelymail.com. Yeah, I'm pretty sure there's a hit-by-a-bus factor at play here that could bite me but the one time I had an issue it was resolved within 8 hours with a follow-up to make sure the uptime they were seeing was also my experience. If the bus ever does meet my provider, I can move providers within a day. For my personal email, that is more than sufficient.
> The problem is that security and policy lockouts are something you can find with any service.
This is one of the reasons I don't like or trust SaaS as an end-user, at least for critical failure points.
It's not just about policy lockouts; the company can go out of business or get sold and the product shut down. Data leaks and breaches can be a greater risk since you're too small to target as an individual but all users collectively is another story. Outages, both locally and service-level, can prevent you from having access to your data when you absolutely need it (doctor or legal appointment etc.). Oh and they will track you, make you a perpetual guinea pig for A/B testing purposes and can change critical features that you depend on at any time of their choosing without notice.
There are trade-offs in the other direction, like the mobility and the convenience to access data across multiple devices. For historically expensive products (like Photoshop and Pro Tools), subscription based models make services more accessible. It's just too bad that we can't seem to land on the best of both worlds as the common case. I'd like a subscription model and the ability to sync data across devices automatically (preferably using e2e encryption) without the software being at all "web based."
I got locked out of an account and it would not allow me to recover the account, even though it had a recovery email on file. They didn't think that was enough to prove I owned the account.
What's the purpose of a recovery account, if you can't recover with it?
Fair disclosure: I'm not sure why I lost access to the account, but I had been planning on changing the password. There's a non-zero chance this was self inflicted. But it should have been recoverable.
I feel like this is interesting anecdotal evidence, but it's asking the wrong question: what is the risk of losing a Google account. If the scope and impact of the loss is significant enough (and in most cases it poses a serious impediment) then you may wish to revisit the Google offered service entirely. It is well documented that Google accounts can be rescinded for any number of arbitrary reasons, and remediation is either time consuming and cumbersome or entirely impossible.
There is a strong consensus forming in the tech community that core services like email or authentication should be delegated to google only as a last resort.
Really assessing likelihood is just part of a larger risk assessment of how you manage, store, and back up your data. It's worth segregating out the risk here into:
- What can easily be backed up and restored (eg. email, calendars), and so loss of access is easy to tolerate
Email, Calendars, etc can generally be dumped pretty easily using LDAP, CalDAV, whatever in a cronjob and saved locally. Drive data can obviously be synced off too. The value here is pretty low and it's pretty easy to do.
- The value of the email address itself (ie. if you need to go change a hundred accounts using it for signing in vs just change the MX record and send to a different provider)
This is the argument for a custom domain that you own with a different registrar, and have different DNS hosting, so you can keep it segregated and send email anywhere. You could move to Apple, Fastmail, etc with a custom domain pretty quickly.
Some sites will also send you an email to both old and new email and require hitting links you might not have access to if you lost email, or use email for 2FA. eg. Steam using SteamGuard which is all email based. Losing a large Steam library after losing a Gmail account would be horrible.
- The value of other account using federated GSuite sign-in. It's horrible to lose Google, but then also lose all the sites using it.
A strong argument not to use federated accounts and always use email/password (2FA obvs). 1Pass FTW.
None of the above advocates for a specific provider, but personally I'm a fan of Fastmail. Not only because it's ad-free and paid for, but also because they advocate for stronger privacy practices, eg. random emails for accounts in partnership with 1Pass. I know you can use + addressing in Gmail but some providers and spammers detect and handle it. Truly random forwarding à la Apple and Fastmail is better. Although, also, harder to move away from as you can't redirect those. I use Fastmail's domain and user forwarding. eg. service@service.mydomain.com forwards to my personal email.
I was once (not long ago) locked out of a Gmail account until I used a VPN to login from the last country I lived and had used the account, then it promptly let me in. But otherwise there was nothing at all I could do to login, as it claimed it wasn't sure I was who I am. Considering how often people move between countries, this surprised me.
This isn't limited to Google. I had a paid for Hotmail account back in the day, someone attacked a domain I held, and as part of that sent multiple abuse reports to every tech provider I used. My Hotmail was listed on the whois - Microsoft removed the email account, didn't refund and provided no human support that I could get a hold of to get the wrongful termination looked at.
It was a nightmare and a good reminder that an attacker with sufficient resources can create more issues than you can possibly dig yourself out of.
I find that owning the email address domain is safe enough with any decent provider. If you get locked out just change the provider and dns configuration.
Even if you are storing passwords in Google account you should be able to reset all of them since you have access to the email.
Overall good analysis but this one quote is kinda crazy if you think about it
"I put a little effort into avoiding grey areas (not filing chargebacks to Google, not taking pictures of my kids in the bath) but otherwise don't worry about this."
Downright dystopian world we've created for ourselves. Don't anger your corporate overlords, and don't do anything that could even remotely be conceived as not Thinking Of The Children. Or, how to pave the path to hell.
Right!? Not being allowed to take pictures of your own kids as you might anger your land lord as they'll evict you without warning and burn all your stuff.
Actually, in my experience it can also bite the other way around:
I was locked out of my Google account after using it in Italy and coming back to Germany. Unable to login: It would first ask username, password, then send me an e-mail, then ask for the code from the e-mail (which I provided) and then either tell me to enter a phone number (Google is not going to get it from me!) or alternatively:
“You're trying to sign in on a device Google doesn't recognize, and we don't have enough information to verify that it's you. For your protection, you can't sign in here right now.”
If that isn't dystopian.
I interpreted the phone number requirement as a signal that “had I setup 2FA, it would not have asked for the phone number but maybe just the second factor?”. Then I went on an odyssey to setup a Google account without linking it to a phone and with 2FA enabled (also not linked to a phone!). Seems OK so far, but the procedure is highly complicated and partially luck-dependent. I am probably going to publish it, because there are tons of articles about how to setup Google account without phone number, but none of them worked for me at the time :)
I still do not rely on Google for anything but the search engine which still works without any login...
> I interpreted the phone number requirement as a signal that “had I setup 2FA, it would not have asked for the phone number but maybe just the second factor?”. Then I went on an odyssey to setup a Google account without linking it to a phone and with 2FA enabled (also not linked to a phone!). Seems OK so far, but the procedure is highly complicated and partially luck-dependent. I am probably going to publish it, because there are tons of articles about how to setup Google account without phone number, but none of them worked for me at the time :)
I'd be interested, even if it was just a rough guide. My experience has been that some services apparently let you sign up without a phone number, but then try to extort it out of you either at first login (or worse) after you've used the service for awhile.
I've noticed some of my own old accounts (not google anyway) seem to be grandfathered in and do not have a hard requirement here.
You might notice the date on that page being 2021/04/06 -- I had this in draft state for a long time, but newly put it online now. What has worked back then may not work anymore, though.
> My experience has been that some services apparently let you sign up without a phone number, but then try to extort it out of you either at first login (or worse) after you've used the service for awhile.
Yes, that is basically what Google did to me, too. It was not a new account either -- from 2012 (I still have the initial "registration" e-mail).
I just checked: I can still login into that account that I had created around 2021 when I discovered the "trick" as described on the website. It asked for username/password/2FA and that was it. I did not use it much in the meantime, though.
> Even if the risk is low, however, maybe it would still be better to switch to something else that is even lower risk? The problem is that security and policy lockouts are something you can find with any service. For example, in HN discussions people will often recommend Fastmail or Protonmail, but they've had their problems too (FM: 2017, 2020, 2022, PM: 2018, 2019, 2021). Especially given that these are much smaller services I'm not convinced that the risk is lower there. Any system is going to have to handle this sort of problem, and you're not going to find one that never has false positives.
Good breakdown for this person's use case.
I disagree with the conclusion above though. My experience (as a person who handles technical support around these issues, for customers of Gmail and more specifically ATT/Yahoo/SBCGlobal) is that many people that get locked out of their accounts do not understand all the options available to them to regain access. Also it appears, to me, that at least for Fastmail, their security protocols are a bit more friendly, less strict about how the security is applied (i.e. not spamming customers to use the security methods, changing the methods willy-nilly without warning). Also Fastmail sends an email to your main email account if you accidentally try to use your main account password in an app specific use-case, i.e. makes it easier to understand how the security measures are being applied.
Also the security measures implemented by providers that you pay for, appear to me, to be designed to be customer centric, rather than trying to create a blanket one size fits all approach to security that I feel google tries to implement (because they have so many customers). My meaning about this is that the control of the security options appear, to me, to be more in the hands of the customer to implement how they see fit, whereas google security measures appear to be implemented from a cover our asses approach and not really designed for the customer per se.
There is a lot of bias at play here. You only hear about the newsworthy lockouts because they are in the news. You don't hear about lockouts that didn't hit the news because, well, they didn't go viral. But they still got locked out...
I guess at one point, I gave them my mobile phone number. I no longer have that phone or phone number.
So now, google keeps sending a security code to that phone number, which I no longer own. There's no way to put in a new mobile, but I don't want to do that anymore, anyways. Nobody gets my personal info if I so choose, and for google, I so choose - they are not getting shit from me if I can help it. They also ask for a backup code, which I am positive I never had one of those for my google account. They never asked for security questions, I always have those copied if they do.
So I'm locked out of my google account.
My new email provider only requires a password. That's what I want.
Plus, as far as email goes, Google or Yahoo or any of those commercial providers can scan through all your email. People would not put up with this if someone scanned their personal mail that came into their physical mailbox, but for some reason, it is ok if google, the largest information gathering company on the face of the earth, gathers all their data and sells it to the highest bidder. Nobody would allow this on physical mail.
So now all my email goes to tutanota, who don't do this. If they did, fine, I know how the world works, but word would get out sooner or later and they would destroy their business. I'd certainly go somewhere else and they would lose my monthly income stream. I pay for email.
Given the low likelihood of this happening (for Google, Fastmail, Outlook, etc.) it's really not worth thinking that much about this. My approach is to have a custom domain and forwarding to another provider.
Gmail -> Outlook forwarding
iCloud Photos -> OneDrive
You seem to be only thinking about Gmail. What about the other Google services that would be lost? Anyone who makes their living making YouTube videos will be devastated by the loss of their YouTube account. It can also be a huge problem for those who log into other websites using their Google account.
> After going through these, it seems to me that the likelihood of a security lockout is low enough not to worry about [...]
I disagree. I've managed to get locked out twice now.
The first time I have no idea what happened. Google just disregarded the correctly completed email-verification and security questions and just said "no". I retried a month later and was able to log in.
The second time, I logged in from a university-owned Android phone. Despite not even being an admin on that phone, Google decided that it would now be my only permitted 2FA method, and so, when I tried to log in away from university, I was locked out.
Don't use single platform sign ons. I used Twitter login for several online services and when my Twitter account got banned for arguing with covidiots it locked me out of all the accounts I used to use Twitter's sign on for. It took 3 months of appeals to get my Twitter account restored so that I could then access the other services. Never again! Don't make my mistake. Use individual account logins with their own passwords so that getting locked out doesn't take everything else with it.
I, on the other hand, have the opposite problem. I want google to delete my old unused Workspace with gmail, as I moved to Protonmail. I tried to figure out how to get rid of it but gave up. After a while I got emails from Google saying "x days remaining to set up billing for Google Workspace Business Starter", and "You have until this and this date to set up your billing information, after which your subscription will be suspended", and I thought, "Make my day!".
Since last summer, I have two separate Youtube PREMIUM accounts blocked for spam and deceptive practices, community violations for content makers. These accounts only view videos, don't even comment. Banned youtube account can't even access billing page to cancel, so Google's been robbing me every month until I change credit card no. Since then I've had two more new accounts banned. I don't know what's triggering these bans, but they happen every 3-4 months on a weekend so something is happening to just my hardware but not others in the house.
I'm still holding out for appeal process which can be done every 2 weeks. But so far pattern seems to be automatic rejection. Also have Google One which should get you live person support, but they basically forwarded me to Youtube support who said they were not trained to resolve issue. lol. Only saving grace is I could take out all my data and initially even that wasn't possible on my main 10+ year old account for some reason. I guess my point is, even if chance of losing account is low, chance of recovering account is even lower.
For reference I've ranted about knowing people who lost Chinese social media access but actually got accounts restored by a person after submitting insincere self criticism. It's not ideal but still much more functional experience than what I'm going through with Google.
This boils down to not having all your eggs in one basket. Instead of relying on Google to provide all these services you could split them up between different parties. These parties will often do a better job for their speciality.
I found that migrating and managing my credentials with Bitwarden has brought a lot of clarity and independence. I can now use these credentials with any browser, any mobile platform, and desktop platform. If I ever need to migrate away from Bitwarden I have the credentials periodically backed-up in JSON format, so they can be transformed into any other format.
Not logging in with Google SSO everywhere and relying on plain old username + password credentials wherever possible (+2fa for important stuff) has also been very liberating. Using a good password manager makes this trivial.
Same with email, having your own domain means you can switch providers in an hour or so if something bad happens. It's also worth keeping a backup of all emails in a common format like Maildir; so they can be restored to the new provider even if you lose access to the old account.
Which brings me to the last point which you've probably figured out by now - backups. Keep backups of everything locally + somewhere remote if you can.
Backup emails, google drive contents, google photos, contacts, email filters, etc. Everything! B2 or S3-compatible storage is cheap.
I'm not convinced there's a problem but only as long as you own your own domain. Using gmail (as in blah@gmail.com) is potentially dangerous, either from "Google decided to lock you out of your account" to "Google has started charging $X a month [more than you can afford] for Gmail".
I was an early Gmail adopter, and have hundreds of logins that use my gmail address. I'm now in the process of getting sensible and moving all my logins across to a domain I own. It's still using Google (as in Gmail / workspace) - the free edition - but once I'm done I won't be beholden to Google if there's a lockout or whatever. Pain in the ass though it'd be to move mail servers and to lose my archive (well, any bits I haven't downloaded / synced via IMAP), I'll be in a much better position to Do Things if I can just repoint the domain to Some New Email Service in the future.
Has anyone else had trouble with Google takeout? I tried to download my GMail history and it just failed with no extra info. (I made a post about this that didn't get any traction... https://news.ycombinator.com/item?id=34456459)
Many people here don't seem to realize how stupid Google's algorithms are. I mean I use 2FA with a security key and still get warnings about having logged into the account from another computer.
On the other hand logins from my phone protected by a much weaker 6 number pin are never questioned.
I am amused by the way HN collectively expresses contradictory opinions on this topic. When presented as getting locked out of Google, a vanishingly small probability of losing access to your account, sometimes only temporarily and often through the fault of the user, is a crime against humanity. When framed as American-style "voter ID", a 15% false positive rate is just the natural price of ballot security. Maybe the sets of commenters on the two categories of articles are disjoint, but I still find it puzzling.
With the government, you have legal recourses for anything. You can eventually get to someone to be able to recover something. You can even take them to court.
With the unregulated private tyrannies that the US tech corporations have become, you have no recourse if some algorithm or someone just nukes your account in some major provider. Your history, your business contacts, even your infra may be gone in seconds.
We still treat the Internet as if it's mid-2000s and it's still a mostly hobbyist thing with some big business doing their thing elsewhere while the plebs go about their lives in the fringes of some user-run websites and forums. Losing nothing was a problem then. But now everyone's lives, businesses & livelihoods, professional histories are hooked up to the Internet. It's no longer a hobbyist's ground.
It's amazing how corporations that could kill your business within a second have gone unregulated this long. If some company holds the livelihoods of millions of people in its hands, it's not a mere business - it's infrastructure.
no. what's amazing is that a bunch of people who supposedly care about such basic fundamentals like having open protocols always unanimously agree with "the company has an advanced proprietary risk analytics model to decide whether and how you get to log in. we can't talk about it because of security reasons".
well, the article is just wrong but i don't feel like going into the nuances of how identity works with a bunch of zero attention span web devs but i blame UN*X for this situation by making computers too hard to use (both securely and at all) with contraptions like email and PGP. all authentication should be done with public keys. open protocols require solid foundations which include the user being security-competent. you can layer on the "poor old dumb user" stuff on top of that, for example by letting him have a 3rd party company hold his private key. but again, this article is just wrong and scoped into very specific things people like to "debate" while having no clue about the big picture. it's absurd to even imagine that the web meta (a bunch of dot com boomers who don't give a fuck about anything other than going with the flow and creating solutions looking for problems, and knee jerk solutions to current problems) represents anything about established security engineering literature
Using your own domain with a well-reputed registrar is the way to go IMO. It makes you independent of the email provider used. Registrars don’t run algorithms to lock out domain owners. You can also move between registrars when needed. Domains can be locked ("Client Transfer Prohibited") and set to auto-renew, which nowadays is the default. You can have an actual paper trail proving your domain ownership. Depending on jurisdiction, you have certain rights associated with your domain.
For the 99+% of us who aren't computer savvy, "using your own domain with a well-reputed registrar..." is as achievable as suddenly speaking Sanskrit. Think outside the echo chamber.
While my recommendation was targeting the HN crowd, where I assume some level of computer savviness, buying a domain doesn’t require technical expertise. Wiring it up with an email provider may require some, although providers often provide good instructions, and, more pertinently, you can also buy this as a service, or have a friend or family member take care of it. The important part is that you own the domain.
I fully agree that it should be made easier. But people have to create the demand for that to improve.
>... buying a domain doesn’t require technical expertise.
I respectfully disagree. I succeeded in buying my own domain but it was a VERY painful, confusing, and disagreeable experience, which I wouldn't recommend to anyone who's not amongst the HN techie crowd.
When I bought my domain, granted a decade ago when there were fewer TLDs, it was a typical search bar. Then click Buy then enter payment and user info. It wasn't any more difficult than any other online purchase. The config/DNS steps require a certain level of techiness but buying the domain, the key step, was easy.
I have lost other email accounts before, like a Yahoo account or an AOL account, since I used them only very sparingly, but I have not lost my Gmail account since I created it in 2004.
Regarding security lock-outs, many countries have national strong identity systems set up, and Google or any other "root" identity provider could utilize those.
It is about the expected value, and not the likelihood alone. For some of us, the expected value is so much in the red that using Gmail is not worth it.
This is in denial about how humans work. Everyone makes mistakes. Given enough time, you will do something like get a new phone and fail to update your security settings.
And importantly, Google will change things on you. When I set up my account, all there was was a password. They forced everyone to fill in telephone information or two factor, which is a new unfamiliar security practice, leading to more mistakes.
Separate from any blockchain project, we're using public key auth for account authentication, so our site doesn't have the ability to cancel someone's account for third parties.
It's kind of ironic, the US is often famed for having a great service sector (Germans love to say that we're comparably a "service desert"). Yet all these big tech companies have abysmal customer service. I wonder at what point exactly this disconnect appears.
That point is the point when a company feels like it can make an acceptable amount of money without worrying about satisfying customers. It's often a sign that the company is effectively a monopoly that people feel they have no option but to use.
If anyone can help with this, please reach out: My father owns a business that has been family owned and operated by my grandpa and my father for nearly 50 years. The name of the business contains our last name. The Google street view of the business is my father's home.
Recently my father's domain registration lapsed and someone bought the domain. We changed the website to a different address and went to change the Google listing for his business only to find that someone had also claimed the business. We have tried requesting ownership, we filed a formal 3rd party dispute, and we have requested a domain change. Through all of this we have just been completely ignored by Google. I cannot figure out for the life of me how to get someone from Google to help us verify his ownership of the business.
It's had a real impact on how many calls he's getting for work and has created financial hardship for my parents and there is seemingly nothing we can do about it.
If anyone's been through this or something similar and has advice please leave a comment. Any help is greatly appreciated.
I don't know whether your domains would be locked but it's possible so I wouldn't take the chance. Any registrar where you can call or email someone and get a response would be better than Google. A lot of people recommend NameCheap. I don't recommend GoDaddy at all as their UI is full of traps and pitfalls to trick you into buying additional services.
We need a Let's Encrypt for identity. A nonprofit that does nothing except provide social login without mining your data. It's wild that the de facto identity provider of the planet is an advertising company.
This reminds me, again, that I should look into setting up my own home mail server. Is there an off the shelf solution for this? I don't mind setting up another PC as a server for this, but how hard is it?
If, perhaps, you decide against self-hosting, but still want a reasonably good solution, consider owning your domain but buying a hosted mail service. You own the MX records, so you can point it to a service and change it in the future if you need to (without fiddling with setting up a new mail host). Say you use XYZ mail provider, but they shut down for business. You can buy mail hosting from someone else within a day, and all the undelivered mail (if senders follow spec) will be delivered to the new service. And, in most cases, you can import your whole mailbox if you have it synced locally. I find this to be a good balance between privacy and not fiddling with anything at all. I thoroughly respect someone who selfhosts their mail but for me it's too crucial to worry about an update bringing it down - outsourcing it to an expert with proper fallbacks is more safe to me.
I personally use migadu, $19/yr (they have a student discount as well) for unlimited domains, 200 emails in/20 out daily/5GB storage. That's the lowest plan and I don't think I've ever surpassed it (the limits are soft anyhow). I get surprisingly less actual important email than I thought. (I use my gmail for rewards cards, etc)
But, to actually answer you, mailcow.email seems pretty good :)
Thank you! I've owned my name in domains for over 20 years, it was the first domain purchase I ever made. I want to be able to store the mail etc. locally. OP's post reminded me of the guy who sent a photo of his child to their doctor and was locked out of his Gmail account. I've heard of similar incidents with even less evidence and reason and it worries me. Making the switch to my own domain and hosted mail server would hopefully solve that.
Well, yes, it's something you are technically renting. There has to be a balance between cost and convenience. If there was a lifetime fee to own it, think of all the domains that would be already bought up - there'd be barely any left. However, in almost every case, there is nothing that will get your domain taken from you, unless you fail to pay or break the domain registrar's TOS (copyright infringement, etc). Far higher bar than Google's AI deeming you bad.
And regarding failed payments: My registrar at least emails me 30 days in advance, will email in case of failure, and will not put the domain up for sale until after a grace period (IIRC at least a week), during which they will repeatedly attempt to contact you.
Also, even if you can't own it: that's true of self-hosting also and doesn't apply to just purchasing hosting.
I ran my own mail server from 2007 until 2021. I would highly recommend that you don't.
It takes little effort to set up a mail server to receive mail.
It takes a TON of effort to set up a mail server to send mail. Most ISPs will block your IP address, through various services you can get your IP unblocked but it's a slow and very time consuming process. And $god help you if your server ever gets exploited by a spammer. Your IP address will be permabanned by everyone.
It takes more effort to filter out spam
It takes more effort to deal with all the various email-related attacks. Like Joe Jobs [1], and DSN attacks [2].
You have to get reverse DNS set up on your IP, which depending on ISP can range from impossible (Comcast) to a pain in the ass (AWS).
You then have to worry about backups, firewall rules, server maintenance, power outages, and yada yada yada.
Then you'll get into it and have to figure out IMAP, SIEVE, and TLS. You'll spend more time managing your email server than any other thing you do in your life. Your mail server will replace your family, your job, and all your hobbies.
Just buy a domain, pay for FastMail or ProtonMail, and set up your MX records. You'll be much happier.
Email is harder than you think mainly because of spam protection. The big four will just bin emails received from you if the server's IP doesn't have some reputation.
Instead use your own domain with whatever email provider suits you.
Much easier to set up and worry-free.
I would split it into two parts. First and most critical, is to set up your own address in a domain you control. As long as you control the address you can move it between providers. Then you can decide whether to self-host (which I would not) or use a commercial service.
The problem with home-hosted email is, as most folks said many times, that an email sent from a non-major provider would be marked as spam at best and dropped at worst.
My personal solution is to use my own domain, but have mail delivered by protonmail. This is an inexpensive option in a Swiss jurisdiction with generally sane laws. I maintain a copy of all emails on my home system, so if I wanted to switch from protonmail to a homegrown solution or another provider I can easily restore the same IMAP state there. And I would obviously keep the same email, so will not need to notify anyone of any email changes.
This is my setup too. One caveat w/ Proton Mail: you have to use their "bridge" software if you don't want to use Proton's client. Seems easy to configure, though I've never done it. Their web client is fine.
I use bridge and it is easy to configure and works great most of the time. And absolutely, completely and totally horribly a small fraction of the time.
Specifically, the bridge + Proton Mail combo reuses UUID. It is a known bug, which proton does not see as a big deal (we will fix it; someday; when we care enough). But what this means is that some messages may be mis-tagged, mis-labeled or mis-deleted between your mail client and the server.
I hit it when I was reorganizing my folder structure, freely adding and deleting subfolders from Thunderbird to create the structure I like. Then, the changes stopped reflecting and a fraction of my messages appeared gone. I finally was able to undo it through the web client, but the experience left me deeply suspicious of anything except the simplest operations with local client. And encouraged more diligence with making local backup copies of my emails.
there's mailinabox - but instead I would recommend just setting up your own domain with MX records, and using IMAP locally to store archives. Worst case scenario you lose a few hours of email if your provider kicks you, and you can flip to another one.
Wouldn't recommend this, you'll spend your life trying to get taken off reputation blocklists, and if someone like Google flags you then good luck ever getting unbanned. Email is the wild west, and hosting a mailserver (even a personal one) is a massive undertaking in time cost alone.
It is not really a good idea to put one of the important things in the hands of Google. Choose a local provider, even if it costs more; in case of whatever, you can talk to them.
Just last week someone called my shop saying they couldn't get into their Outlook.com account. They had a backup email and had a code sent to it but Outlook.com said the code was bad. I told them to look into FastMail, preferably with their own domain name. It's not free but it's inexpensive and you can contact someone if there is a problem, and worst case, you can re-point your domain. Mailbox.org is another option.
my customer had a corrupted gmail account that took google about 3 weeks to fix.
he could not log in for 3 weeks, it was quite bad, but what saved the situation was that his ipad email was still logged in and working.
after google did some fixing, the login started working
By charging nothing, Google have billions of paying customers.
Requiring a charge would permit upstarts to undercut that fee by other means (e.g., advertising, otherwise selling influence, data gathering to compete with Google or other firms in the area of AI, etc., etc.).
As a research methodology, this article ... leaves much to be desired:
> To get a sense of how common lockouts are and how they happen I looked through lockout reports on Hacker News by searching for [google blocked account] and [google locked out]. I looked at top-level stories and the comments on them for cases where people were entirely locked out of an account...
If the goal is to determine some noted classes of account lock-out, then this method might have some merits. It utterly fails however to satisfy answering the headline question itself, that is "how likely is losing a Google account?"
For that case ... you'd need to have some insights into overall Google account creation and destruction, as well as some way of validating outside of Google's own accounts-adjudication process both how and why accounts were locked.
I've had some very rough connection with this by way of looking into statistics concerning Google+ over the years. Given that for a substantial portion of its life, Google were creating accounts on its little-lamented social service for every Google account (Gmail, YouTube, and most especially Android), there were a lot of accounts. About 2.2 billion when I ran the numbers, hitting a high-water mark of about 3--4 billion accounts.
(Again, not active users, for the most part, but registered users.)
I'd measured members and a few other characteristics both in 2015, when the site was still fairly vibrant, and in 2018/2019 after its shutdown was announced.
Among other observations, I noticed that highly active members were among the most likely to not have a valid account when checked later. In particular, I'd found a list of popular profiles and Communities, and found that a large fraction of these were no longer visible at all on the system. That is, one of the highest signifiers for "account will not exist in future" is "account is presently highly active".
I've speculated as to why this is, though I don't know what the specific mechanisms were. Among the options, comparing highly active accounts with little-used or unused ones:
- Highly-active accounts are more likely to cross some red line or trip some automated, or crowdsourced, flagging mechanism.
- Highly-active members are more likely to become discouraged with the platform itself. (That was certainly my own experience, though I never fully deleted my account.)
As to the question raised by TFA: I've been locked out of several Google accounts, though I've succeeded in recovering the ones I cared about. As a result of those events, however, I've also all but entirely curtailed my use of any authenticated Google services.