
Google Docs Is Randomly Flagging Files for Violating Its Terms of Service - gridscomputing
https://motherboard.vice.com/en_us/article/zmz3yw/why-is-my-google-doc-locked-terms-of-service-bug
======
djsumdog
It was nice when everything was saved in your PC .. unless you forgot to back
things up.

I think services like Dropbox/Mega are the happy medium. All the files are
actually on your computer. If they go away, you don't lose your files, they
just stop syncing. When you put all your crap "in the cloud" (rolls eyes), it
means the services you like may stop working, or they could release a new
crappy version with no ability to revert to the previous one.

~~~
MrMember
I use an encrypted container in Dropbox. I retain complete control over my
files but they are still backed up, and Dropbox is smart enough to only upload
the diff if something in the container changes. It's a little inconvenient in
that I can't for example access individual files on my phone without a lot of
hassle but overall it's an adequate solution for my needs.

~~~
SugoiDev
A delta of changes in an encrypted container should be very close to the size
of the full container, shouldn't it?

It seems this will only be feasible when we have homomorphic encryption ready.

If someone is interested in that kind of encryption, see "A FULLY HOMOMORPHIC
ENCRYPTION SCHEME"[1] and "Fully Homomorphic Encryption without
Bootstrapping"[2]

[1] [https://crypto.stanford.edu/craig/craig-thesis.pdf](https://crypto.stanford.edu/craig/craig-thesis.pdf)

[2] [https://eprint.iacr.org/2011/277.pdf](https://eprint.iacr.org/2011/277.pdf)

~~~
RasputinsBro
No. AES encrypts blocks (I think 256kb?). So that's the only thing you have to
sync.

~~~
syrrim
If you use plain AES ECB, then little penguins will show up in your encrypted
data. You would want to use a disk encryption scheme, like XTS, where the
encryption is not just based on the data of the block, but also on the index
of the block, to prevent identical blocks at different locations from looking
identical. You also want it to be based on a nonce of some sort, to prevent
attackers from reverting a block to an older copy.

~~~
RasputinsBro
Penguins? What are you talking about?

I don't care about low-level encryption details. That's why I use encryption
software instead of coding my own.

~~~
kevin_thibedeau
ECB has issues:

[https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation...](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_Codebook_%28ECB%29)
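
An added illustration of the ECB and block-index points raised in the sub-thread above (not code from any commenter or from any real encryption tool). A toy Feistel cipher built on SHA-256 stands in for AES, and the index tweak is a simplified XEX-style mask rather than real XTS; every name, the key and the 64-block container are constructed for the example.

```python
import hashlib

BLOCK = 16  # bytes per cipher block, the AES block size

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation: a toy stand-in for AES, NOT secure."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def tweak(key: bytes, index: int) -> bytes:
    """Per-block mask derived from the block index (simplified XEX-style tweak)."""
    return hashlib.sha256(b"tweak" + key + index.to_bytes(8, "big")).digest()[:BLOCK]

def encrypt_container(key: bytes, data: bytes, tweaked: bool) -> list:
    """Encrypt block by block; tweaked=False is ECB, True mixes in the index."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    out = []
    for index, block in enumerate(blocks):
        if tweaked:
            t = tweak(key, index)
            out.append(xor(toy_encrypt_block(key, xor(block, t)), t))
        else:
            out.append(toy_encrypt_block(key, block))
    return out

def repeated_blocks(ct: list) -> int:
    """Ciphertext blocks that duplicate another one (the 'penguin' leak)."""
    return len(ct) - len(set(ct))

def changed_blocks(old: list, new: list) -> list:
    """Indices a block-level sync client would have to re-upload."""
    return [i for i, (a, b) in enumerate(zip(old, new)) if a != b]

def demo() -> dict:
    key = b"constructed-demo-key"     # constructed sample key
    before = bytearray(BLOCK * 64)    # constructed container: 64 all-zero blocks
    after = bytearray(before)
    after[10 * BLOCK + 3] = 0x41      # one-byte edit inside block 10
    result = {}
    for name, tweaked in (("ecb", False), ("tweaked", True)):
        old = encrypt_container(key, bytes(before), tweaked)
        new = encrypt_container(key, bytes(after), tweaked)
        result[name] = (repeated_blocks(old), changed_blocks(old, new))
    return result

if __name__ == "__main__":
    print(demo())
```

In both modes a one-byte edit changes a single ciphertext block, so a block-level sync has one block to upload; only the ECB variant exposes the 63 duplicate blocks. Neither variant includes a per-write nonce, so an older ciphertext block placed back at the same index still decrypts cleanly.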

------
s3r3nity
I don't know if it's fair to say that they are "randomly" flagging items - I'm
guessing they're using a similar set of tools that they use to algorithmically
determine if, say, YouTube videos violate their TOS.

Probably a recent update / bug increased the number of false positives more
than expected.

Not that I'm sympathizing with Google - just seeing if there's a less click-
baity reason for what's going on.

~~~
mikeash
I think “randomly” is being used here in the sense of “without a good reason.”
Regardless of how the content gets classified, they shouldn’t be policing
_private_ files.

~~~
duality
The anecdata from Twitter were stories about shared docs getting flagged as a
ToS violation. Did anyone see the false ToS violation on a totally private,
unshared file?

~~~
mikeash
Where do you get that from? I randomly checked a few of the tweets and didn't
see anything about shared. Nothing about private, either, but that seems like
a reasonable default assumption.

------
Nilef
Scary stuff and can only hurt Google's move to become your go-to office suite.
Imagine your PC decided which files it did and didn't like and removed them
without your permission? Sounds like the reality now if you own a Chromebook.

~~~
jasonkostempski
I wouldn't be surprised if it ever started happening with Windows/Office, they
already have tools that scan for unlicensed media.

~~~
adventured
Microsoft has an extremely long history of doing business with companies from
small to very large enterprises in size. Google, as a productivity software
company that deals with business clients, is still using training wheels by
comparison. Why does that matter? Microsoft is less likely to make mistakes
like this around any of their productivity tools businesses (including
storage).

Besides that, Google is currently on a fanatical binge about censoring content
they disagree with. Microsoft is not, which vastly reduces the likelihood of
such a mistake in the first place.

------
j_s
Article provides a good chunk of insight beyond the original tweet currently
with less discussion on the front page:

Draft of a story about wildlife crime was frozen for violating Google Docs'
TOS |
[https://news.ycombinator.com/item?id=15593750](https://news.ycombinator.com/item?id=15593750)

------
cft
When will they start flagging Gmail accounts and locking you out from Android
phones?

~~~
5ilv3r
That happens to me often. When my home IP changes and K-9 Mail connects for the
first time to Gmail, they always lock my account out until I log in from a
desktop they recognize. Freaky freaky.

~~~
duality
I actually like it when services that host my data have some protection
against unrecognized devices accessing it.

~~~
RasputinsBro
I disagree. It should treat unrecognized devices as any device. In other
words, it shouldn't remember devices. Because you know, privacy.

The only thing I ask these services is that they won't let anyone in who
doesn't have the right password. I think it's not too much to ask.

~~~
shallot_router
In terms of user security, that's just not a good idea. Google has likely
prevented an absurd number of account compromises (and therefore identity
theft, fraud, personal information leakage, espionage...) by recognizing
logins from new devices and unfamiliar locations. Google's user account
security practices are pretty much the best in the business.

It's silly to think Google doesn't _already_ know everything about every
device you log in from, so that horse is already out of the barn and running
on the highway privacy-wise. They might as well use that information to
actually protect their users since they're already using it for advertising.

~~~
yorwba
I'm sure that Google's decision has improved the account security of the
average user, but I'd really like it if there were some way I could signal
them that I'm not an average user. My password likely has more entropy than
the hash they check it against; if that gets compromised, the attacker also
has access to any other information Google would use to identify me. Which is
a joke anyway, since "which city do you usually log in from" is hard to answer
when you've been using a VPN for more than a year. I dread the day when they
make 2FA mandatory and my account security becomes vulnerable to a social-
engineering attack hijacking my phone number.

~~~
RasputinsBro
I thought I had a way around that, but no.

You CAN add a phone number, then ask to use a FreeOTP token, then delete the
phone number. Great, right?

No. Because if you click that "I forgot my password / don't have access to my
2FA" button, they do let you use your phone number to identify yourself, even
though you've deleted your number from your Google account.

Fuck these people.

------
Animats
This is something you'd expect in China, not the US. It raises real questions
about whether Chromebooks are viable for business.

 _All your data are belong to us._

------
mrweasel
When stuff like this happens at Google it's tempting to think that it is in
fact random, and Google uses complaints as feedback for their derp-learning
algorithms in order to become better at finding content that is truly
violating their terms of service.

~~~
photojosh
> Google ... derp-learning algorithms

Probably a typo, but I laughed pretty hard. You're not wrong.

------
mankash666
Regardless of the bug, we need a service that cannot read your
docs/email/data.

GSuite has to be the most paradoxical Google product - you pay Google and
"trust" them to not go through your company data!

~~~
kevin_thibedeau
As opposed to Office 365?

~~~
mankash666
Office 365 reads your data. They just don't advertise against it because their
ad business isn't significant.

~~~
danso
Why would their ad strategy, or lack thereof, prevent them from enforcing TOS
in their document tools as Google apparently does?

------
monksy
This is what happens when you tolerate walled gardens.

------
lightedman
This means Google is scanning your stuff one way or another. How much would
one like to bet that they're surreptitiously stealing secrets to use to make
money?

~~~
lightedman
"Google Drive Terms of Service [google.com]

We may review your conduct and content in Google Drive for compliance with the
Terms and our Program Policies.

When you upload, submit, store, send or receive content to or through Google
Drive, you give Google a worldwide license to use, host, store, reproduce,
modify, create derivative works (such as those resulting from translations,
adaptations or other changes we make so that your content works better with
our services), communicate, publish, publicly perform, publicly display and
distribute such content. The rights you grant in this license are for the
limited purpose of operating, promoting, and improving our services, and to
develop new ones. This license continues even if you stop using our services
unless you delete your content. Make sure you have the necessary rights to
grant us this license for any content that you submit to Google Drive."

Oh, look, right there it says they can use your stuff for pretty much
anything. Funny how many of the people having their file access suspended are
people in the middle of very large important projects or journalism reports.

Oh, would you look at that! One of my accounts which is used for my energy
efficiency research is suspended. And my LED lighting. That's pretty
suspicious.

