Greetings. In response to an item I posted a few minutes ago, I've been asked for my take on #Google account suspension policies. This is an area where I have for many years urged changes by Google, and I've written about it many times.
So here's a blog post of mine from 2017 related to this topic. Note that this discusses the general issues of Google account suspensions and bans, not the specific issue of CSAM. The latter immediately invokes specific laws that Google must abide by, but I will note that within the last few days Google announced changes to their account suspension appeal flow relating to suspected CSAM, to help deal with false positives.
Linked to this blog post is another post: The Google Account “Please Help Me!” Flood:
https://lauren.vortex.com/2017/09/12/the-google-account-please-help-me-flood
where I try to explain the situation I've long had (which continues to this day) of being just one guy trying to help people with Google-related issues from outside of Google.
- - -
Protecting Your Google Account from Personal Catastrophes
https://lauren.vortex.com/2017/09/07/protecting-your-google-account-from-personal-catastrophes
In response to many queries, I've written quite a bit about issues that can sometimes go wrong with Google Accounts, and how to proactively help to avoid these situations, e.g.:
"The Saga of a Locked-Out Google User" - https://lauren.vortex.com/2017/09/05/the-saga-of-a-locked-out-google-user
"I've been locked out of my Google account! What can I do? How can I prevent this in the future? HELP!" - https://lauren.vortex.com/archive/001159.html
"Do I really need to bother with Google's 2-Step Verification system? I don't need more hassle and my passwords are pretty good." [link no longer available]
Yet while Google Account problems can sometimes occur despite users' best efforts, proper use of the tools and systems that Google already provides can go a long way toward avoiding these unfortunate events -- with use of recovery addresses/mobile phone numbers, and 2-factor authentication tools among the most important. Unfortunately, many users don't bother to pay attention to these until *after* they're having problems.
There are other extremely useful Google tools for protecting your Google Account as well, and like so many good things Google, the firm (for reasons difficult for many observers to fathom) doesn't always do a particularly good job of publicizing these -- demonstrated by the fact that so many even long-time Google users don't even know that these exist until I mention them. Let's cover a few of these.
A biggie is Google Takeout, at:
This is an incredible resource, providing the capability for you to download virtually all of your data stored at Google -- selectively or en masse -- across the wide range of Google services. This is a world-class tool -- if only every other firm offered something like this. You can download your data to take it elsewhere, or just on general principles if you prefer. It's up to you. The next time that some Google Hater starts ranting the lie that Google somehow locks up your data, you'll know how to respond to them.
One limitation to Takeout is that you must use it while you still have access to your Google Account. If you're locked out or otherwise unable to use the account, you can't access Takeout to reach your data.
So what happens to your data if you're in an accident, or become ill, or worse? Nobody likes to think about these sorts of possibilities, but they're very real.
Google's "Inactive Account Manager" is the tool that lets you proactively plan for such situations:
https://support.google.com/accounts/answer/3036546
This tool lets you designate a Trusted Contact who will have access to the parts of your Google data that you specify, if your Google Account becomes inactive for a period of time that you indicate. With so much of our lives online now, this is an extremely important tool that you've likely never heard of before.
But remember, like with Takeout, you must set it up *before* the need to actually use it arises.
Related to Inactive Account Manager, there is another Google Accounts associated link that none of us ever wants to visit, though realistically many of us may eventually need to.
A Google form to "Submit a request regarding a deceased user's account" exists at:
https://support.google.com/accounts/troubleshooter/6357590
Its purpose is self-explanatory, and as it notes, proactive use of Inactive Account Manager can avoid needing this form in many situations -- but Google has provided this form as a means to communicate with them directly in these circumstances when necessary.
Google has obviously given a lot of thought to these issues, and their teams have put a lot of work into implementations and deployments of associated services and tools.
My primary criticisms in this context are that despite these excellent efforts, too many honest users still fall through the cracks and become trapped in account lockout situations through no faults of their own -- and often with no perceived practical recourse -- and that Google often does a poor job of publicizing the high quality tools that they have already created to deal with a range of user account issues.
Google's technology is always excellent. Their public communications, outreach, and user support -- especially for non-techie users -- can be significantly less so.
One thing is certain. Google and its immensely talented Googlers have the capacity to significantly improve in these latter three areas, given the will to do so and an appropriate allocation of resources to these ends.
I have faith that Google will ultimately accomplish this, in the interests of Google itself, for their vast numbers of users, and toward the betterment of the community at large.
--Lauren--
@lauren I appreciate your nuanced take on the topic.
It is an extremely hard problem to solve, not just for Google, but for large service providers in general that have benefited from the arms reach operation the internet enables. Such services, because they do not have a deeply rooted trust relationship with more than a handful of customers (i.e. no telephone support, no branches, no local presents, certainly never any face-to-face) don't have any kind of magic ground truth to fall back on in determining whether an account is either compromised or owned by a malicious actor. And that's before we add the additional complexity that sometimes previously trusted actors go rogue.
As an engineer, I feel for the problem Google has because account management grew rapidly into a complicated problem, especially as Google started consolidating accounts. It wouldn't make any sense to them, if they identify an account as a spammer in Gmail, to leave that account's YouTube or AdWords branches trusted... Bad behavior in one section is an incredibly strong signal for bad behavior in other sections. But it seems clear that the current status quo is not sufficiently granular and they may oversample that signal and come down too hard on first offenses, especially when policies change.
(... And as a science fiction nerd, this whole situation germinates a seed in my mind for a plot hook in a cyberpunk setting---"speakers," a sort of deeply trusted priest caste that can restore somebody disconnected from the global communications Network for bad behavior by vouching for them. They would be a root of the trust network that takes the form of a village elder being able to vouch for a person by having been there when they were born and watched them grow up. And then, of course, what happens when one of them goes rogue?)
@mtomczak One of my core concerns is the "whose data is it?" problem. This is something I've brought up publicly many times (and internally at G when I've been a TVC) without getting any real traction to speak of except around the edges a tiny bit.
I'm speaking only of non-CSAM cases right now -- obviously CSAM invokes a whole different set of required contingencies.
But the example you noted -- a Gmail spammer -- is a good one for this discussion. Spamming is bad. Phishing is even worse -- often blatantly criminal.
But let's just use the non-phishing spammer for the moment. And let's assume it's a real spammer, not a false positive.
So this spammer's GAIA account is closed for TOS violation of spamming. At that point, they lose all access to all over their data across the Google/YT ecosystem.
The day before they could have used Takeout to download all that data. But today they can't. They've been locked out of everything.
Query: Is this a reasonable penalty for the violation?
Why isn't there a range of penalties, including "your account is locked from further usage except to download your current data, which you must do by XXX date at which point it will become unavailable to you."
The problem in my focus in this instance is not so much losing future access to G services, it's losing access to *existing* data in situations where an account is closed but criminal activity is not alleged.
L