Just a comment that having Google or another company as a single point of failure is probably a bad idea.
Note that Google can terminate your account with no recourse (it has no customer support to speak of) due to completely unrelated reasons, such as a chargeback on your credit card for a Google product or service. In this case an account @gmail.com for 2FA purposes may no longer be available. One way to mitigate this risk is to have the main email account that is separate from gmail, something like @<domain>.name, registered with a non-Google registrar, and use Google Workplace to manage it. This costs money, but at least you can retarget your name servers if Google gives you the finger, and keep your main email address, though not all the past emails there.
Wrote up a more detailed response as a separate post: How Likely is Losing a Google Account?
Another example of this that comes to mind is when fans of a YouTube streamer got their entire Google accounts banned for posting too many emojis (as votes, at the streamer’s behest) in YouTube chat.
Turns out it can also happen for sending your child’s medical pictures to a doctor (and also send the cops after you).
Or for storing “educational content on Palestine”. Unverified story, and there’s a few more such stories and links at [1] and [2].
(I’m not including cases where it was a developer account—i.e. an account used to publish apps—that was banned.)
The core issue seems to have two sides:
- Google’s automated systems are sometimes too eager about banning accounts, if you in any way happen to stand out as a (false) positive case.
- Google’s script-following customer support seems pretty bad at then dealing with these cases, giving no information, and worse, taking in no information provided to them, and in general the best customer support avenue seems to be Hacker News or some other news outlet.
This is the visible tip of the iceberg where the accounts do (generally) get reinstated, but we don’t know how large the invisible part of the iceberg is, and what the chances of getting your account back are if you aren’t lucky enough to be in the visible part.
I think it’s pretty likely that there’s more to the story than we’re hearing: there was a ton of scrutiny on this and Google didn’t change their decision, which makes me think the most likely reason is that the human review on the case really did come up with CSAM concerns beyond those pictures.
(Still, I don’t take pictures of people without clothing, including my kids: CSAM misclassification and escalation is a small risk of something very painful.)
Yes, but we also don’t know how many of the not reinstated cases were ones that were correct.
Companies generally say things like, “out of concern for our user’s privacy we can’t release more information”, but I’d like to see something where someone making a public complaint could waive this and challenge the company to actually release their full case either publicly or to an independent ombud. Tesla does this (pretty sure, can’t find the link now) though they release things publicly even without the customer’s permission which I don’t think makes sense.
I just did some looking, and I can’t find any examples of this, just people saying this is what happened when actually something different happened (ex). Are you sure that locking people out of their email for a chargeback is a thing?
Actually, I did more looking and maybe this is a thing? https://www.reddit.com/r/tifu/comments/zndbku/tifu_by_accidentally_buying_two_google_pixels_and/
You are right, you don’t get totally locked out in this case, my bad. Still, there are stories online of people losing access to their gmail accounts. Might not be a source of risk worth considering though.
A large fraction of the stories I’ve been able to find are people who set up 2FA without a spare and then lost it (https://hn.algolia.com/?q=google+account+locked+out, linked in the post). I think this is a serious risk, but it’s also pretty easy to avoid (by always having at least two, ideally three, registered security keys).