Ask HN: My Microsoft account has been suspended by Microsoft without details
311 points by ThoAppelsin on July 27, 2018 | 225 comments
My entire Microsoft account has been suspended, due to the violation of the Terms, by Microsoft, and without any further details. At the time of the incident, I was not doing anything with the account or anything digital, and rather was cooking/eating dinner, when my computer received a notification about a problem with my Microsoft account.

I am not given any other options than to Contact Support about it, which I did yesterday and got an answer today that tells me nothing more than the very few that I know:

> Microsoft disabled access to the account due to a serious violation of the Microsoft Services Agreement https://www.microsoft.com/en-us/servicesagreement. As stated in the Microsoft Services Agreement, you will no longer be able to access any Services that require Microsoft account. For any subscriptions associated with the account, Microsoft will immediately cease charging the credit card on file for recurring charges. [...] Pursuant to our terms, we cannot reactivate your account, nor provide details as to why it was closed. This represents Microsoft’s final communication regarding this account.

I hope that I am not violating any other terms by sharing these messages. I do it out of frustration to know what exactly I might have done to deserve this, something more detailed than "you have violated our Terms as you eat your dinner", because without knowing which action of mine caused this, I either:

a) Will be unable to understand my mistake and not repeat it,

b) Will fear out of doing nearly everything and refrain from them, such as using a VPN on Amazon's AWS at Ohio, which I am sincerely suspicious of.

Microsoft's own way of justice is against the legal systems in all the modern countries, which always makes sure that the accused knows their faults, as one of their rights, and for the benefit of the accused not getting involved in such acts for a second time, for that they this time will know.

This is becoming much more common. A YouTube channel I created to poke fun at rap music was brigaded after I submitted it to a popular group on Reddit. They reported so many of my videos so quickly that before I could finish the appeal of a single community guideline I had 3 strikes and my channel was permanently deleted before I ever received any feedback or appeal.

As a network engineer, with 'enable' on a lot of the bare metal devices that actually run the cloud...

This is why I don't put anything that I care about on a service or system I don't control. If I want to host videos I care about staying online, they live on a VM configured for a pretty common LAMP stack which exists on a hypervisor that I own and control down to the bare metal and the contract for the colo rack space and 208VAC power.

Using this example, that same 1RU system has a connection to an ISP that I know and trust. It's not going to go offline unless I were to do something so terribly abusive (in terms of network abuse) or illegal that it would cause them to admin down the 1000BaseT port facing it. Or it could theoretically go offline if I used it for illegal outbound network activity and somebody from the local FBI field office showed up with a warrant to take it (again highly unlikely, because I don't do that shit). Those are just about the only circumstances in which a third party could bring it offline.

There is also dtube / peer tube / ipfs as well if these things continue to get worse we'll see a rise in those technologies.

> Those are just about the only circumstances in which a third party could bring it offline.

This sounds like a challenge. Does the winner get a bottle of scotch?

Well I'm certainly not going to post the IP addresses of its public netblock for anyone to DDoS. Though my upstream, and its upstreams, do have DDoS mitigation services in place.


edit: actually, yes, the winner would get a bottle of scotch. I have had people that I know and trust, with my permission, attempt to gain external access to it, without success. Not claiming I'm any sort of netsec wizard, just that I have a layered defense of most common security precautions for anything that has a public static IP address these days. Nobody has been successful yet. It could theoretically be brought down by:

a) social engineering the ISP it's hosted at (unlikely, they know me, I know them)

b) physical removal (its reverse DNS gives no indication of where it's physically located other than within a major metro area, could be at one of about twenty different datacenters. all of which have reasonably good physical security in place).

c) false legal claims causing some legal authority to bring it down, theoretically possible, but unlikely given the strong EFF/ACLU supporting political stance of the owners of the ISP it's hosted at. They would fight anything short of a court order that they could be held in contempt of.

d) Extensive sustained DDoS. I don't have any enemies that would be interested in wasting a DDoS on this, but its upstreams have a LOT of extra peering and transit capacity to absorb DDoS up to the 150Gbps range.

e) hardware failure, it's not perfectly 1+1 redundant in everything. but I have backups of every VM that can be brought up fairly quickly on a temporary dedicated server in a new, different, geographically diverse location fairly quickly.

f) some terrible unknown zero day exploit on one of the few daemons that listens to the public interface, through which some method of accomplishing a user and then su/sudo root shell might be possible.

> terribly abusive (in terms of network abuse) or illegal that it would cause them to admin down the 1000BaseT port facing it. Or it could theoretically go offline if I used it for illegal outbound network activity and somebody from the local FBI field office showed up with a warrant to take it (again highly unlikely, because I don't do that shit). Thos

It is a mistake to think that consequences that come with other businesses or the government believing you are doing something illegal can only occur if you actually do something illegal. (It's also a mistake to think that the government could only seize your computer if it thought you did something illegal with it; though if they didn't but thought it had relevant evidence they might ask nicely before getting a warrant, rather than jumping straight to compulsory process. But that's politeness, not a legal mandate.)

I have been on the side of an ISP implementing court orders, search warrants and subpoenas against customer equipment and customers' services, so I'm quite familiar with the process.

Yes, there is also danger in civil lawsuits.

"So, what are you gonna use it for?" "IDK, minecraft server probably."

"Teledildonics over RESTful HTTPS APIs"

One definitely must use HTTPS as opposed to HTTP when teledildonicing.

Crazy. More details please, especially how long between first strike and deletion?

First strike: Mon, Jul 9, 2018 at 8:53 PM

Second strike: Mon, Jul 9, 2018 at 10:36 PM

Third strike: Mon, Jul 9, 2018 at 11:31 PM

The last / third strike came with a "Your YouTube account has been terminated" and any attempts to login or view any of my videos gives a page missing and the Google account associated with it doesn't even appear in any of my menus.

I don't really care that much it was a dumb joke channel I made to poke fun at how often profanity is used in rap music. The part I find pretty perplexing is that I _removed_ the profanity from the music and the channel was flagged for offensive content.

No recourse perma ban within 3 hours?

Sounds like a recipe for griefing.

It's great for griefing. It's also heavily automated, so the griefers can just work the system into doing it whenever they want.

Any chance that was actually a copyright infringement?

No, they have a different process for this which prevented my videos from being monetized, which I was fine with. They clearly break down the strikes and your account status in a page near the creator studio.

Everyone should take some time to go through their online accounts and ask: “if I were to wake up tomorrow banned from this account, would it be a disaster?”

If the answer is “yes” you should take corrective action right away and make that answer “no.” Or at least minimize the number of accounts for which the answer is “yes”.

The reality is that this could happen to anyone, for any or no reason. Don’t pin your life to an online account you have no real right to.

By your logic Apple completely owns me. I have no idea what to do about that. To start with I could run my own email server on my own domain (something I did years ago and have no appetite for in the modern mail deliverability cesspool). That’s just email. If they wanted to disable my phone or apps I rely on I’d be equally screwed. Is there a way to live digitally today that isn’t at the pleasure of some large tech company?

When was the last time you backed up your email? I recently moved off of Gmail to Fastmail just to make it easier to have a backup copy outside of Google's control. I keep most of my photography (500GB) in OneDrive spread across three machines and yet I still have multiple external hard drive copies just in case OneDrive does a complete wipe across all my systems.

For the apps, couldn't you create a new account (sure you'd have to buy the apps again) and be back up and running?

It's funny. I go through great lengths to encrypt and back up most things of mine but the one thing I just realized I was overlooking? Fastmail. It exists on their server and on my phone in their mobile app but I never thought to just set up Thunderbird/IMAP and keep a local copy updated every so often. It's easy to overlook something.

Does Thunderbird keep a local, accessible copy of whole accounts when using IMAP? Since the traditional way of using IMAP is by keeping the mails on the server and interacting with them via the server, I would think it doesn't.

Personally, I'm using nodejs-notify[1] to watch all mailboxes of all accounts via IMAP IDLE, and have it execute mbsync[2] when it receives an event to sync the account with a local Maildir. I got my MUA (mu4e[3]) configured to use those Maildirs without doing any IMAP itself.

[1] https://aur.archlinux.org/packages/nodejs-imapnotify/

[2] https://www.archlinux.org/packages/community/x86_64/isync/

[3] https://www.archlinux.org/packages/community/x86_64/mu/

thunderbird can be configured to store mail locally. look at the folder properties /synchronization. has an option for offline use

I think the idea is to realize if you have data on Apple, is it also synced and available offline on your computer?

I have all my photos on iCloud. But they are also in the Photos library with full resolution on my computer. If Apple locks my account, I don’t lose my photos.

Same thing with Dropbox. Synced but still available on my computer.

Same with Gmail. Synced with Mail on Mac. Downloaded regularly.

I simply try to make sure my data is always on my computer and migratable. Not the application itself.

I would start by:

a) buying my own domain

b) ensuring that the authoritative ns1/ns2/ns3 records for that domain are hosted at a diverse set of geographically diverse nameservers, for example an ns1 that you run and then using route53 and another non-route53-service for authoritative slaves.

c) setting the MX records for it to either a mail server that you run, or a third party mail server. This is sort of a compromise approach. You can use office365 or google if you don't want to fully host your own mail. You say you don't want to deal with the hassle of mail deliverability, so use either of those and let them handle the spam filtering, SPF and DKIM. Mail that's hosted by office365 is trusted by just about everything out there, in terms of not having other peoples' SMTP daemons reject or blackhole your mail. If either of those cuts you off for some arbitrary reason in the future, you at least have the ability to change the MX records to another service as you see fit.

I had this same thought when I was heavy into Google/Android. I was running on G Suite, and frankly didn't like the way Google was going. I own my own domain name, run off of Zoho which gives me more features that I use for the same/less money, but the system hasn't been without weirdness. Syncing between all of my different devices doesn't really work right using their ActiveSync option. i.e. my iPhone doesn't sync deleted emails back to the main server and unless I run the sync tool my desktop doesn't either. There are options though, but everything is a privacy/ease of use trade off. Things that give you more privacy and control tend to come with more actions you personally need to take.

Edit: A Plex server is a really easy way to back up photos from multiple devices as it syncs and you can control that entirely in house.

Usually having your own domain and letting someone else run the mail server is enough. In case your provider (Fastmail, Google, etc.) starts acting strange you can just update your DNS records.

If you choose to become completely dependent on a corporation for convenience, as it seems you did with Apple, you should be aware of the tradeoffs you are making for this convenience.

Another bit of food for thought, ask yourself what it would look like if email had the same federal protection as snail mail.

I wish most online accounts didn't require an email address to signup...

This is a stark reminder about the dangers of signing your life over to saas. If you are in the EU you might want to invoke your right to an electronic, transferable copy under GDPR

What's especially infuriating is the dark pattern that began with Windows 8 and has become worse in Windows 10: hiding that you can create a local account instead of using a Microsoft clown, er, cloud account.

The more I see things like this happening, the less I want to entrust anything important to MS, Google, Amazon, etc.

Yes, not only does Microsoft push their cloud account for login, they also spam ads in their notification bar. Going from memory, exact words may vary:

- "Install Microsoft Authenticator to log in with your phone"

- "Sign up for OneDrive to protect against ransomware attacks"

- "Do more with Microsoft Edge!" (this one shows up when you change your default browser)

I prefer my operating system to not upsell me.

There is also : "There must be a problem with your Microsoft account. Click here to fix it" alert on the notification bar.

The only problem with my Microsoft account seems to be that I didn't create one. Not a problem to me, but obviously a problem at Microsoft. But then I'm only the guy who BOUGHT the computer and deliberately avoided creating a MSFT account. What do I know? Funny how there's no "go away and never bother me again" option on that alert.

more and more, Microsoft makes me feel like a visitor in my own home (computer).

> Microsoft makes me feel like a visitor in my own home (computer).

I think it started with XP. If you tried to avoid installing windows genuine advantage (by deselecting it during the update procedure), it would come up again, then come up with increased frequency. Until in my case, it somehow just started installing itself of its own accord.

But wasn't WGA somewhat a part of verifying a given installation of Windows wasn't pirated?

You mean that Windows installation that you bought (directly or indirectly), that potentially didn't have this WGA feature on it when you bought it?

No clue why am I being downvoted? Maybe it will help to show my point if I say more... Windows didn't always have WGA on it, but people have been paying for Windows for decades. My first Windows license was Windows for Workgroups. 95 and 98 didn't have WGA, and earlier versions of XP didn't have it either. WGA came labeled as a "Critical Security Update."

People paid money and bought computers that came bundled with Windows licenses, and then they paid money for Windows major updates, and then ultimately Microsoft decided to bundle most of the updates for free. But one day in one of the free updates, they added in WGA (how is this not bait and switch of loyal paying customers? My operating system needs to phone home for security reasons?). But you had to opt-in. Then they decided in a later free update that it wasn't such a great idea to allow their users to permanently opt out, and their software got increasingly aggressive about making sure WGA was always enabled. You could opt out, but it tried again. And finally you just couldn't opt out anymore.

Then they used dark patterns to ensure you would think you needed a Microsoft account just to log into their computers. Wait was it your computer? Now this article about someone whose Microsoft account was closed without explanation and they're up shit-creek for it.

Is this not all absolutely part of the same conversation? It's a long history with a lot going on in it. This is not a rant against Microsoft, but a cautionary tale against depending on SaaS and letting it creep into your stack, as that's apparently also what Windows has become now, too.

I was 10 years old in the 1990's and recently I realized that I had actually convinced (or suppressed) in my memory that IE was never really a monopoly, but the historical statistics on browsers tell a very different story. So maybe my memory is not so good about IE, and given that I switched to an Open Source system in my teenage years and didn't look back, perhaps that can be excused, but still most people actually haven't. (Hell, some are still using IE...)

I guess it's true that, with the coming of the Internet, and the possibility that you could easily download and pirate Windows, if everyone knows this and WGA doesn't happen in 2008, then your security is legitimately at risk if Microsoft can't profit off of Windows, because then they won't have any incentive left to provide updates except at cost... and you need updates (we need you to get updates, it's like a vaccine that herd immunity only works to stamp out the disease if most people get inoculated.)

Microsoft is much bigger now than when the internet was new, and I think are not really worried about making a profit off of Windows anymore. But as a Windows user, I think that understanding of the history and assessment of the current state of where we are at with Windows profitability and updates would be troubling, for me.

You have absolutely hit the nail on the head, and the way you describe the WGA update is exactly as I remember. I didn't want it installed. Back then resources were a bit more scarce and both startup programs as well as regular ones seemed to significantly slow the boot times. I also didn't want a piece of software that would use both CPU and network resources that was of absolutely no use to me.

The feeling of being given the option to choose, then being coerced strongly (with my resistance) and then being forced upon my laptop gave a strange sense of having been violated.

In a way I'm glad it happened. I was so annoyed / possibly angry? that it prompted me to find a different OS, and my only regret was not finding it earlier.

8.1 decided tha

If you sign up for a mock microsoft account and break the TOS on purpose, will they leave you alone with the notifications? :O

>my own computer

Have you noticed how on the desktop it says "this PC", not "My PC" ?

In the age of Windows 10, you adopt a PC to ensure that it gets the appropriate updates. Your productive use is a secondary consideration.

Not just the notification bar. I get spammed every time I start a game with little popups telling me various keys I can push to access Windows features while I'm in the game. (_Every_ time. The same notifications). I get spammed _during_ gaming with popups telling me to install Skype or some other Microsoft product. Plus all the spam on the lock screen about using a Windows phone (I haven't even _seen_ anyone with a Windows phone in five years).

Of all the obnoxious things with Windows 10 there was nothing that made my blood boil more than being in the middle of a competitive Overwatch match and have Windows pop up over my screen telling me to install Skype.

(The second place award goes to when I was using one of those early developer builds of Windows 10 and the license expired. Next time I booted the machine it booted into a blue screen telling me that, because it had expired, they went ahead and deleted a system file that made the OS impossible to boot. The exact details are fuzzy now, but that's the gist of it. I'm seriously not making that up. Important system file deleted; OS dead)

> I get spammed every time I start a game with little popups telling me various keys I can push to access Windows features while I'm in the game. (_Every_ time. The same notifications).

you can disable that, and it might actually improve your performance as well!

I think it was in Settings (the windows 10 settings, not the old control panel) / Gaming / Game Bar [disable] && Game DVR [ OFF ]

> I get spammed _during_ gaming with popups telling me to install Skype or some other Microsoft product. Plus all the spam on the lock screen about using a Windows phone (I haven't even _seen_ anyone with a Windows phone in five years).

never experienced that, nor do i use the lock screen @ home, so no clue there

http://www.sediment.uni-goettingen.de/staff/dunkl/zips/The-M... The Murderer, by Ray Bradbury.

It's one of those talking, singing, humming, weather-reporting, poetry-reading, novel-reciting, jingle-jangling, rockaby-crooning-when-you-go-to-bed houses... With stoves that say, 'I'm apricot pie, and I'm done,' or 'I'm prime roast beef, so baste me!' and other nursery gibberish like that... A house that barely tolerates humans, I tell you.

Oof, that feels shockingly prescient. Our smart appliances may not be singing to us, but otherwise...

Alexa does sing https://www.youtube.com/watch?v=wYGN5ocl950 and with a little modification it will play a lullaby if you ask it to https://www.amazon.com/Pretzel-Labs-Baby-Lullaby/dp/B07B7LH8...

> - "Do more with Microsoft Edge!" (this one shows up when you change your default browser)

lol, "do more ..." a browser that doesn't even support basic API like EventTarget or CustomEvent constructors. they learned nothing since IE debacle.

>Add your phone to Microsoft Authenticator to log in

It's not the same but I made the mistake of trying the Microsoft launcher on my Android phone. Maybe I was thinking it was the MS Authenticator app. What a disaster! It took me a while to figure out how to revert back.

For the curious to undo the MS launcher: settings > apps > click dots in top corner > Default Apps > Home Screen > Choose a different launcher

In fairness, this is the way you remove any android launcher, it's not some crap MS cooked up.

Oh I agree with you. I should have phrased it that it was more the way it was phrased by Microsoft that led me down the garden path. I assumed MS meant something else.

But I do see many other people asking how to undo the MS launcher so it seems like I wasn't the only fool.

The MS launcher does look interesting but it was not what I wanted.

Me either. I wanted the full, exact windows phone start screen and I did not get that

You aren’t the target customer for Windows any longer. People who don’t know any better are.

At least they were forced to offer LTSB for enterprise customers. Though I recently read they are rebranding the name.

Office is no longer supported on LTSB!

Really? Do you have proof?

I just got a new pc and decided I wanted Office for it. I did not want to rent Office with an online subscription as I flat out do not trust that the pricing and offerings will be stable, and after jumping through many hoops (err, web searches) manage to buy "Office Classic".

But I still ended up needing a Microsoft account for the download. I was surprised to find I already had one (for the email I was using) , but I did and I was able to use it to download/install/validate the software.

Only later did I realize it was an account I created for my son to play Minecraft... hopefully he doesn't manage to get me banned from the Microsoft ecosystem.

Yes! I'm not sure which update it is, but a fresh install of Windows 10, you really have to think outside of the box to not sign up to their account. It's a shame no-one has put it up on the dark UI pattern hall of shame yet...

It's pretty scary that Microsoft and Apple are the only commercial options where it's even possible. With Google's various offerings, from Android to Chrome, it's not even an option.

In the future this can only exist if people pay for it, and clearly ... that's not going to happen.

Protip: Don't connect to WiFi when first setting up Windows. If possible, use an Enterprise, Education, or Pro (in that order) version of Windows.

I didn't even know a Microsoft account was an option when I set up my desktop :)

Could you elaborate on why Enterprise above Pro?

I'm not entirely familiar with the differences and I've been planning on buying a Win10 Pro license, so any advice would be helpful :)

Well first of all, you can't buy an Enterprise license (normally, but there are sketchy sellers who will sell you one).

Enterprise licenses give you full control of the OS via group policy in addition to all the things that Pro gives you. You can effectively turn off anything you want in the editor.

You also have full control of updates, so if that's what was keeping you away from W10 then... there you go.

Uhmm... too bad I can't buy an Enterprise edition. Would love to be able to disable all those things.

Then, does that mean that you can't edit those settings in the Pro version? (I know there are some utilities to do that, but I would prefer to do it natively)

> Then, does that mean that you can't edit those settings in the Pro version?

Unfortunately you can't. The 3rd party utilities work fine though, you just have to run them again after every major update.

Unfortunately this indirectly promotes usage of pirated software. I do believe companies that publish and develop software deserve to get paid, but if licenses can be pulled on such short notice, an individual user might opt to have a hacked version.

This doesn't seem relevant, as the comment you're replying to is talking about SaaS. You can't pirate SaaS. Though I do think your point is "valid" in the context of software licensing. Right or wrong, people _are_ driven to use hacked software when DRM or other arcane licensing technology is used. That'd be a relevant fact if we were talking about, for example, Windows. But this is about a Microsoft online account, not a software license.

A Microsoft account is not about SaaS. It's about logging on to Windows, opening the Office that you installed on your computer, or opening a saved game in Minecraft.

It's also used for putting files on the cloud and renting VPSes, but those uses are much less common.

Wait a minute!

Is OP saying that, with his Microsoft account locked, he can't even use his computer?

Because, you know, there are ways around that. And worst case, you can boot with a Linux LiveCD, and copy all of your stuff to a USB drive. Unless you've used Bitlocker, anyway.

> A Microsoft account is not about SaaS.

Sure it is; Microsoft is very heavily invested in a SaaS model now. Of course, some of it is SaaS that is locally installed or at least has a substantial locally installed component, but it's still a SaaS model as opposed to a physical media with attached no-interaction perpetual license model.

I am still waiting for the circle to come back so I can host everything safely in a Tiny box at my home, with ease, and with convenience.

As an individual, I found the cheapest option on the long run is colocation.

As opposed to the happy and risk-free world of every man operating his own e-mail server, I guess.

I use a hosted email provider, but I didn't sign my life over. I registered a domain and have control of the dns, so they are just a provider, not a master. I could move in a couple hours and retain my email address.

The takeaway for the rest of us is that you should never depend so much on one big company. Put your eggs in multiple baskets, preferably the smaller players (but not too small, as that might mean incompetent).

E.g. my email, calendar and contacts are at FastMail with my own domain, cloud storage is at Dropbox but looking to migrate to pCloud (after their recent fiasco). For notes I use Evernote, but investigating Standard Notes. I also don’t buy DRM-ed books or other products, e.g. I buy DRM-free audio books from Downpour. I have a Spotify account but I regularly buy the music I like. I have an iPhone but I’ll be damned if I’ll let Apple dictate my web browser therefore I use Firefox and apps that play along with it.

My Google and Microsoft accounts are basically unused. I use Docs at times but I regularly back them up automatically. I don’t even use Google’s Search anymore. I have some apps purchased for Android but I stopped using Android for now. If they block me for anything, I couldn’t care less.

These companies that have products in multiple markets are after lock-in of their users by any means necessary. Don’t fall into that trap. The alternatives cost more, but your freedom and privacy are worth it.

> For notes I use Evernote, but investigating Standard Notes.

I am a (former) Evernote employee. Before I joined I didn't use Evernote. After I left I started using Evernote extensively (Hard to use the app when you are constantly messing up your test account doing dev work :-) )

From my experience there I know that:

1) the people there really care about the customers. If there is any sort of problem, the customer support will really go to bat for the customer. There are more than a few times where CS ensured that a bug fix made it in.

2) If there is any sort of data corruption, Evernote will stop the weekly release to get back the data before doing the next release.

3) You can get a hold of a live human being to get support

4) Evernote has an explicit policy of never going to an ad model.

5) User privacy is highly important.

6) User security is highly important - if Evernote had a choice between Evernote as a company getting hacked or a user (not even a customer) getting their account hacked. Evernote errs on the side of protecting the users' security.

Please reward this positive company by paying for the product - that is their only revenue source :-)

I have been rewarding Evernote, I'm a Premium user and I like the service a lot.

But the thing I miss with Evernote is the ability to create end-to-end encrypted notes. I don't necessarily want all notes to be encrypted, just some.

I hope they add this capability.

I don't know current priorities but I do know that such a feature is strongly under consideration.

The major barrier (as I recall) is getting such a feature to play nicely with multiple installed clients and the web client.

I'm not familiar with Fastmail - do you find it comparable in terms of usability to say, Google Calendar?

I'm interested in switching away but nothing I've found beats Gsuite in terms of ease of use, and paying for Gsuite for my domain means I don't have my data pawed over like plain gmail accounts are.

FastMail's Calendar is pretty OK for my needs. Google Calendar is better though. But I don't miss it.

Personally I found it hard to migrate to G Suite after being off for about 3 years and couldn't do it.

For example FastMail is less featured, but the web interface is really responsive and the keyboard shortcuts are better. Whereas Google Admin is a nightmare and GMail has gotten really sluggish in the latest iteration for no good reason.

GMail has labels, many people are addicted to those. But regular IMAP folders play better with desktop email clients and I prefer desktop clients. GMail's labels are cool for classifying stuff (e.g. My Projects), however IMAP folders are good for separating the junk. For example I don't want Mailing Lists in my archive.

G Suite has many limits that bother me that do not apply to FastMail:

- Limits maximum IMAP connections to 15: https://support.google.com/mail/answer/7126229?hl=en

- Limits bandwidth: https://support.google.com/a/answer/2751577?hl=en

- Limits maximum number of user aliases to 30: https://support.google.com/a/answer/33327?hl=en

I have hit all of these limits at some point.

FastMail works with something called "sub-domain aliasing". So if you have `user@domain.com`, you can come up with addresses on the fly, like `google@user.domain.com`. I do that for every online service I use. And the web client is friendly to that too. E.g. you can define "wildcard identities" or you can set certain identities to be used per folder.

Sadly Gmail only supports "plus aliasing". This is weaker because it's easier to remove the alias and because many websites, including big names, do not accept "+" as a valid symbol.

You can configure G Suite to redirect all email via a regular expression, so you sort of have it, however it doesn't work if you want to also send email, which you need to reply for support and stuff. This is because Gmail will not sign your emails with DKIM unless the email is a genuine user alias, no dynamically created email addresses allowed, except for plus aliasing.

Speaking of which, even when you send from a legitimate user alias in GMail, GMail will leak your primary email address via the Return-Path and other email headers. This means that user aliases in GMail do NOT work for maintaining privacy. For example one practice I have is to create a throw-away email address that I put on my blog. I don't want my email to get in the hands of spammers via my website. And I get contacted via it and sometimes I reply. Personally I don't want my primary email address to leak when doing that, but that's what GMail does. And I'm not even mentioning that adding email aliases is freaking painful, as you have to add it once in Google Admin and a second time in GMail's web interface.

Basically GMail is useless if you want to have multiple email aliases.

Another use-case I have for FastMail is to send email from my own VPS. I have two VPSs actually and I want them to send emails on important events. FastMail allows me to set a "SMTP only" password. And in case my VPS gets compromised, theoretically at least the attacker will not have access to my email archive. And FastMail's limits on sending email are pretty relaxed. You can send notification emails from your own VPS without worry. Just don't send spam as they'll probably react to that.

It's ironic, but for all of GMail's praise, it's actually pretty bad at handling email.

Also, not sure what exactly you're using from G Suite, but Google Drive is absolute trash for synchronizing files, including its File Drive Stream, its latest iteration. I've seen it ignore updates, I've seen it generate conflicts, I've seen it corrupt content. Google Drive is good for its web functionality, but you can't rely on it to actually copy your files. If I fear the desktop sync will corrupt my files, then I cannot use it, sorry.
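An added example, not part of the comment above or of any provider's code: one way to check a message you received from your own alias for the Return-Path style leakage and the plus-aliasing weakness that comment describes. The addresses, sample messages and function names are constructed for illustration.

```python
"""Audit a received message for headers that disclose a primary mailbox."""
import re
from email import message_from_string

# Deliberately loose: pulls address-like tokens out of any header value.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+[A-Za-z0-9]")


def canonical(addr):
    """Lower-case and drop a plus tag: user+tag@domain -> user@domain.

    Anyone can do this by hand, which is why a plus alias does not hide
    the mailbox behind it.
    """
    local, _, domain = addr.lower().rpartition("@")
    return local.split("+", 1)[0] + "@" + domain


def find_leaks(raw_message, primary_address):
    """Return (header, address) pairs that reveal primary_address.

    Every header is scanned, not only Return-Path, because the primary
    address can show up in any header the sending service adds.
    """
    target = canonical(primary_address)
    leaks = []
    for name, value in message_from_string(raw_message).items():
        for found in ADDR_RE.findall(str(value)):
            if canonical(found) == target:
                leaks.append((name, found))
    return leaks


# Constructed sample: sent "from" an alias, but the envelope sender and the
# Sender header still carry the primary mailbox.
LEAKY_ALIAS = (
    "Return-Path: <jane.primary@example.com>\n"
    "Received: from mail.example.net by mx.example.org; "
    "Fri, 27 Jul 2018 10:00:00 +0000\n"
    "Sender: jane.primary@example.com\n"
    "From: Blog Contact <blog@example.com>\n"
    "To: reader@example.org\n"
    "Message-ID: <c0ffee@mail.example.net>\n"
    "Subject: Re: question\n"
    "\n"
    "Thanks for writing.\n"
)

# Constructed sample: sub-domain alias, envelope and From both use the alias.
SUBDOMAIN_ALIAS = (
    "Return-Path: <shop@jane.example.com>\n"
    "From: shop@jane.example.com\n"
    "To: orders@example.org\n"
    "Subject: order\n"
    "\n"
    "Hello.\n"
)

# Constructed sample: plus alias, which maps back to the mailbox trivially.
PLUS_ALIAS = (
    "Return-Path: <jane.primary+shop@example.com>\n"
    "From: jane.primary+shop@example.com\n"
    "To: orders@example.org\n"
    "Subject: order\n"
    "\n"
    "Hello.\n"
)

if __name__ == "__main__":
    samples = {
        "leaky alias": LEAKY_ALIAS,
        "sub-domain alias": SUBDOMAIN_ALIAS,
        "plus alias": PLUS_ALIAS,
    }
    for label, raw in samples.items():
        leaks = find_leaks(raw, "jane.primary@example.com")
        print(label, "->", leaks if leaks else "no primary address found")
```

To use it on real mail, send a message from the alias to a mailbox at a different provider, save the raw source of what arrives, and pass that text to `find_leaks` together with the primary address.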

> GMail will leak your primary email address via the Return-Path and other email headers.

Hmm, I just now sent from a Gmail alias to a non-Google account. Don't see my primary address anywhere in the received headers.

Could the circumstances under which you see leakage be specific to some particular use case?

I'm on mobile right now so I can't be bothered looking it up, but the fastmail devs mentioned here a week or two ago that they're working on labels. So if you like that feature it's coming :)

I used to think labels were a great advance.

Now I see a better alternative: Powerful pattern search, with a store of the patterns for later reuse.

Fastmail has this, and reference documentation is excellent:

Minor GUI annoyances: Advanced search not obviously discoverable, list of saved searches scales poorly.

Fastmail sounds alright, but realistically whoever your e-mail provider is you're in trouble if they go away.

Use your own domain at the very least. Preferably one that is your legal name so that if anyone ever tries to take it (either from just buying it if it lapses, or just attacking it/you) you have some legal protection in the US from the ACPA.

Then it's just a matter of keeping backups of your email.

Agreed. I use my own domain and I use my provider's email forwarding to a SaaS email client. If my email provider pisses me off I just change my forwarding to some other provider. I may lose old mail, if the provider goes away completely, but that's not too big a deal for me and backups could solve it if it was important.

Now, if my domain host goes belly up, I'll probably have a somewhat painful process of porting my domains elsewhere. It's still doable but it would probably mean a few days of downtime.

only use your own domain if you want everything tied to your real name

I have my own domain and I use desktop email clients, so I always have a full copy of my email archive.

It would take me at most 1 hour to move, on the clock. I know because I moved between email providers about 3 times already.

("imapsync" helps)

It's trivial to back up your important emails offline as they come in. Any time you allow a 3rd party to control your data or your property (digital or physical) you are taking a chance. One of many reasons "the cloud" is overrated and overhyped. There may be reasons to use cloud computing, such as the convenience, but shared data-space always remains inherently insecure and anything stored there is, by definition, outside of your control.

The nice thing about a custom domain however is all you have to do is repoint it to a different provider if that happens.

Until your domain gets pulled off by your registrar for whatever weird reason. There's no absolute way to escape, sadly.

I agree with that, but the distribution of where you have things makes it a bit more difficult. If I have amazon hosting my domain, email, website, and I shop there, then me getting banned because they didn't like me returning too many things will affect everything else. Having my domain at No-IP, Email at fastmail, website self hosted means that Microsoft banning an account I use won't affect any of that.

If your domain gets stolen then you're similarly out of luck. You now need to change your email on every website you use, which for many requires email confirmation or contacting support.

The chances of losing your domain are lower than your chances of becoming a false-positive of one of these SaaS account-banning automations.

The sky is falling :-)

But no, we are not talking about the same degree of risk.

You're comparing car rides with BASE jumping.

That’s why I host my own Email. Maybe after more of these random, unaccountable, unappealable account bannings happen, people will wise up and stop relying on cloud services for essential things.

Tried hosting my email too. Not worth the hassle. Too much work to set it up, then to keep your domain or your IP out of blacklists, to take care of your reputation, etc.

You can host your own email just like you can generate your own electricity. It's definitely worth it for other people and we definitely need more people that self host to keep email an open standard, but personally I've got better things to do.

I agree that it’s hard. I justify the effort spent because my email access is essentially my single source of failure credential for the rest of my online life. Some things that are important are hard.

> an iPhone but I’ll be damned if I’ll let Apple dictate my web browser therefore I use Firefox and apps that play along with it

AFAIK all iOS web browsers must use WebKit so really are little more than a shell on top of Safari.

Indeed, but I keep my browsing history, bookmarks and everything else in Firefox, which I also use on all my 3 laptops, so it synchronizes between them.

How do you back up your Google account automatically?

A cron job with rclone. Converts and copies Google Docs too.


What was that Dropbox recent fiasco?

What fiasco?

TL;DR: they don't give a shit about privacy.



> Dropbox gave us access to project-folder-related data, which Dropbox had aggregated and anonymized, for all the scientists using its platform over the period from May 2015 to May 2017 — a group that represented 1,000 university departments (from the top 100 universities and their Dropbox collaborators from other anonymized universities of any rank).

This was done without the consent of those involved.

Wired seems to cover the story: https://www.wired.com/story/dropbox-sharing-data-study-ethic...

A few years ago, google tried introducing a real name policy on google plus. Accounts were being banned left and right. Google removed everything including gmail when they decided your name was wrong on plus.

That was when I realized I could not participate in plus: I realized how important my gmail account had become. I am diversifying and backing up today, but gmail stays a single point of failure.

The result: Even if google drive and a lot of their services sound really nice, I simply do not dare using them. I can't even take the risk of paying them: Anything non-gmail is a chance for them to obliterate my digital life.

Opening a second account is probably a bad idea: One day some algorithm will find out and either merge them or simply nuke both.

Not shooting at google specifically, this AskHN proves microsoft is just as bad. But it sounds to me these companies will have to do something or lose user trust.

> Opening a second account is probably a bad idea: One day some algorithm will find out and either merge them or simply nuke both.

Nuking both would be nuts except in extreme edge cases. It could potentially nuke the accounts of all spouses and parents and kids who share a laptop at home. Granted, everyone has their own writing style and computers seem good at identifying text written by people based on the latter, but that's still a big risk for the tech company.

The point is: They are, for all relevant criteria, nuts.

It is cheaper and less risky for them to be completely insane pants-on-head bonkers once in a while than to find out what has happened and tell you. They don't care as they are big, you are small, and unless you annoy them enough to actually notice you, nothing is going to happen.

I've got another thing to become suspicious about, which again involves VPN.

I live in Turkey, I use VPN (on AWS at Ohio) not to circumvent anything else than the imposed restrictions of my own country, and not some other countries' or companies'. Along with countless others, Wikipedia and Imgur are some well-known websites that are made inaccessible from Turkey. With Windows 10's VPN client, you don't even recognize that you are on VPN. The overhead is so low (relative to the basic internet speeds), that I don't even notice that VPN is on most of the time. I usually open it when I want to visit some Wikipedia page, and turn it back off after recognizing delay/lag on the games I'm playing online. Not even videos load recognizably slower, not on my VPN on AWS at least.

Within last 10 days, I had encountered the news about Dragon Ball Z - Season 1 being free on Microsoft Store, one like this I just found searching: https://www.neowin.net/news/first-season-of-dragon-ball-z-no...

I wanted to give both the anime and the Microsoft Store's video section a try, and did nothing more than just opening the Microsoft Store, finding the content, getting it for free and watching the first episode. My guess is that this might have been the problem.

If this really is the case, then I could not possibly know I was fooling Microsoft Store:

- I did not and still do not know if the content was not available, free or paid, from Turkey. There were no indications of the content being unavailable to Turkey on the Store page.

- Microsoft Store did not ask me if I am from Ohio, I never said I was from Ohio. I regularly use VPN for personal reasons, unrelated to this matter. I did not use VPN to make Microsoft Store think that I am from Ohio. Microsoft Store itself may have falsely assumed that I am from Ohio, and granted me the right to watch a content for free. It is Microsoft Store's fault for immediately assuming my location from the way I connect to the Internet.

If my guesses are true, then Microsoft's Microsoft Store is the culprit for being overly presumptuous about my location, not asking me for approval, hence not putting me responsible, and giving me free access to some content as a result. I may not be put responsible for Microsoft's presumptions that I haven't approved.

> I wanted to give both the anime and the Microsoft Store's video section a try, and did nothing more than just opening the Microsoft Store, finding the content, getting it for free and watching the first episode. My guess is that this might have been the problem.

I agree. It's very likely that, by using a US VPN, you circumvented geo-restriction in the Microsoft Store. You could test that by creating another Microsoft account, under a fake name, using a commercial VPN service with a non-US exit. Then try to get the Dragon Ball Z episode from Microsoft Store. If you need help, feel free to email me.

>"We cannot provide details about why your account is closed and won't reactivate it"

This type of behaviour should be banned by the European Union.

You should be provided with the exact reason why your account is being closed, regardless of who is the provider of the service.

It's unacceptable that companies like Microsoft, Facebook, Airbnb feel entitled to behave like this knowing how critical the services provided by those companies are for some organizations. Plus the fact that those suspensions are usually done automatically by an algorithm powered by Machine Learning or something similar.

This type of mechanism could destroy an entire organization if the accounts of CEOs, CTOs, CFOs are suddenly locked down without possibility to access their emails, their contacts, their meetings and other business-critical information.

This is outrageous.

Often times companies are legally barred from disclosing this information. For example, in the financial services sector, if a person’s account is linked to certain forms of financial crimes, it is strictly illegal for the company to tell the owner why their account was suspended and/or funds frozen.

The intent is to not reveal that the account had been linked to (for example) financing of terrorist organizations, but in reality I think it causes more problems than it solves. A real criminal who has their account shut down is probably going to be pretty aware of what the reason is. On the other hand, many times something like this can happen due to a mistake by a government agency, an account takeover, or some other situation where the owner of the account has no idea what went wrong or how to fix it, and finds themselves blackballed by multiple financial institutions with no recourse.

I’m not a fan of PayPal by any shot, but I would wager a nontrivial number of the customer support nightmare stories we’ve all read actually come down to this, and their hands are completely tied.

> Often times companies are legally barred from disclosing this information.

You are talking specifically about the financial and banking industry. Working in the banking industry, compliance regulation prevents banks from communicating about why your funds are frozen so the SEC can investigate and determine whether or not a fraud or suspicious activity was committed.

Such a thing does not exist in the IT Industry. Microsoft ran their in-house auditing tools, determined the account was suspicious, set a flag "is_suspicious" as "true" in their database and the next day a batch ran and suspended their account.

IT Audit for GAFA is 100% automated, there is no human interaction unlike Banking, Insurance and Finance.

Hence, the fact that BFA must communicate after the investigation about what fraud you committed to properly charge you in court and ban you from the services (you can even be banned in an entire country from owning a bank account depending on the severity), but they must tell you why.

That is not the case for tech, it is completely unregulated which is why it's making me this upset.

Microsoft is a large company with many services, and some of them may intersect with this type of regulation through law enforcement. The financial sector isn’t the only area of business that have these types of restrictions, and it’s often significantly easier from a business and engineering perspective to block an account entirely than to cherry pick which services can and cannot be used.

This is particularly true when products frequently gain new features or integrations with other company-provided services, as changes in one system might allow an account that’s partially suspended to be able to perform legally-forbidden actions in another (think: something like iMessage gaining Apple Pay support). Yes, you can solve these things with engineering, but not only can that easily cost more than it’s worth, but you also open yourself to massive company risk if you fuck it up and regulators catch wind.

> The financial sector isn’t the only area of business that have these types of restrictions, and it’s often significantly easier from a business and engineering perspective to block an account entirely than to cherry pick which services can and cannot be used.

Yeah, I used to work on a fraud detection team for another company, where some guy got some traction online complaining about how his payment account got shut down. All sorts of bluster about how he scrupulously followed the terms and conditions and how he couldn't possibly be doing anything fraudulent and how we were stealing his money, and lots of bad publicity in threads like this.

Turns out the FBI was investigating the guy for hosting child porn on another service using the same account, and we weren't allowed to respond in any way to his complaining online. So we shut down all his accounts and couldn't really do anything to defend ourselves against his complaints.

In my experience, like 90+% of the loudest complainers of account shutdowns are completely full of it, and are guilty of very obvious violations that they somehow fail to mention when blogging about it. I'm not going to say that false positives from machine learning systems never happen, but people who loudly complain about their accounts being frozen don't have a good track record, and since most companies aren't going to discuss exactly why they got shut down in the open, the prevailing narrative seems to be that the large faceless corporation doesn't care.

How is that justified as compatible with a fair justice system, or have we kind of given up on this when it comes to dealing with modern financial services, or Internet services?

Or is it just that the mention of terrorists means that we leave the confines of modern democracy and enter the territory of fascist policies, as we become what we fight?

The fact that accounts are locked and funds frozen by hacked-together systems dependent on irrational machine learning algorithms, and never heard in open court, is the premise for any number of dark dystopian science fiction stories and deeply scary, and yet we seem to keep enacting laws and frameworks that reward companies like Microsoft for arbitrary enforcement by making it impossibly expensive to challenge punishment dished out by private enforcers (Microsoft/Facebook/YouTube etc.) who can be punished by the state for not enforcing aggressively enough.

> How is that justified as compatible with a fair justice system

It's not. It's also not practiced exactly that way.

There is always a maximum duration for those things, and after that duration secrecy is gone.

Also, before locking somebody's account, the law enforcement people have to get in front of a judge, and make a really good case for why it should happen. Normally judges do not like people asking for unilateral actions (on most places judges are very competent lawyers, and if there is something that lawyers really love is their antagonistic system for decision making).

Money laundering laws are not like anti-terrorism ones.

The problem here is that when it's the banks doing it there really isn't a court involved, nor police; there simply is an algorithm spotting something and usually that's the end of the story.

If the block was followed by mandatory court action by whoever made the block, with failure to successfully prosecute resulting in compensation paid to the unjustly accused, there would be balance, but that's also not how this kind of block works, as the courts are usually not involved when it's the bank's/service's own mandatory anti-fraud process that's being invoked, and not the police conducting an investigation prior to an actual open court case.

The problem is that private organizations are being asked to police their customers on their own under a framework that's basically outside of the justice system, under penalty of fines by a justice system that is not issuing the same fines when the private organization punishes the innocent.

Again the problem is we have a mechanism that made some sense when nothing ever happened without sooner or later happening in a court that can/will punish the police for false arrest when/if the resulting prosecution fails, that due to the fact that a false/incorrect negative action no longer have consequences for those making it happen, especially as it happens under the pretense of being done but a free private organization by private organization that are theoretically free to reject customers even if that rejection is practically ordered by the state.

Wait, are you talking from the US? Are banks blocking their customer's money there without the government intervention?

I haven't heard about something like this happening anywhere, but it's not hard to imagine it, unfortunately.

No, situations like described are almost exclusively a result of a governmental request.

Someone who has a) been committing financial crimes and b) finds their funds frozen will probably be able to connect the dots.

If they're barred by law from saying why, fine. If not, they should have to provide at least some reason, and a way to appeal.

In such case, I'd expect the reply to include "unfortunately, we're legally barred from providing any further details".

Well, then, in that case you've basically just told them you closed the account because you suspected it of being involved in {money laundering, funding terrorism, fulfilling the drug trade}.

You don't think the person doing money laundering and finding their accounts frozen won't have figured that out already?

"Gee, it must've been that meme I posted the other day."

It provides a defense -- you can say 'I wasn't laundering money' if that's their claim for what you did, and you can possibly provide evidence that you weren't laundering money; there's no way for you to say that you weren't violating an unknown term because you don't know what that is.

It’s not up to the companies, who (in my experience) largely hate having their hands tied. Legally, saying something like this can be construed as giving information to the target of the investigation, and doing so can result in fines and even jail time.

It’s dumb, and of course a guilty person will know exactly what happened, and of course hearing a response that their account has been closed and they cannot appeal or get any information as to why is going to make it even more blindingly obvious.

"Because terrism" is becoming an all-too-ready and "unassailable" excuse for any action an institution doesn't want to justify nor clarify.

Past a point, this becomes like those building regulations and other points of governance, that are not actually publicly available.

And your democracy fails. Because how can people govern, including themselves, when they don't even know what the rules are? Where the "lines" are?

Maybe, ultimately, it would be more useful to effectively inform the public about such funding, than to hide it away.

Also, there's been another round of conversation in the last some days, about "cashless" payment systems and societies.

What happens, when some initiative or data point -- or someone's personal agenda -- flags you as "suspect"?

When your cards are suddenly deactivated, your accounts frozen, and no one will tell you why? Nor for how long?

This secret behavior -- this secrecy -- needs some serious and effective limitations.

Or we are all going to be at risk of violating society's "terms of service", and made pariah, without explanation nor recourse.

Slippery slope...

> "Because terrism"

Sincere question: what are you conveying by using that spelling of (I assume) "terrorism"?

A colloquialism, plus a hesitation to use the correctly spelled word, what with all the scraping and data aggregation/analysis going on these days.

I don't support it. I also don't want to be flagged for simply discussing it.

Of course, this simple tactic may be futile, on my part.

Which sort of brings us back to the colloquialism.

>This type of behaviour should be banned by the European Union.

It probably already is. Under Article 15 of the GDPR, you have the right to access personal data and to an explanation of how that data will be processed. A database entry saying "this account has breached clause x.y of our ToS" constitutes personal data within the scope of GDPR.

Under Article 16, you have the right to correct any inaccurate data. Under Article 22, you have the right to opt-out of any wholly automated decision-making process that "produces legal effects concerning him or her or similarly significantly affects him or her".

Article 23 does impose some restrictions on those rights, e.g. in matters of national security, defence or criminal justice, but those restrictions are narrow and specific. If someone tells you "your account is banned and we can't give you any further information", they're likely in breach of the GDPR.


You can thank American and European governments for that. They extorted money from private companies for "due diligence violations" and now they will ban you and close your account on any smallest suspicion of financial impropriety or connections with sanctioned individuals or countries.

As an example, people lost their money to PayPal and had their accounts banned because their address contained a street named after a sanctioned location.

Corporations are panicking. They spend billions of dollars on due diligence now and this is the result you are seeing. They don't want to spend even more billions of dollars on fines.

Obviously they can't tell you "transferring over 500 USD per month to Africa looked dodgy to us, so we closed your account". They are keeping details secret, which makes sense because next time you'd just circumvent their checks.

> You can thank American and European governments for that. They extorted money from private companies for "due diligence violations" and now they will ban you and close your account on any smallest suspicion of financial impropriety or connections with sanctioned individuals or countries.

> As an example, people lost their money to PayPal and had their accounts banned because their address contained a street named after a sanctioned location.

That is ridiculous. Modern companies have no problem Hoovering up and analyzing vast amounts of intelligence on consumers for marketing purposes. PayPal almost certainly has liaisons with any number of three-letter agencies that also feed them intel related to criminal or terrorist activity. Link analysis and graph database software has reached commodity status; it's affordable and available. Directing them to do something to stop transactions between accounts known to be affiliated with terrorism is a reasonable request.

If their solution to money laundering bans accounts based on something so naive as terms found in a street address, their unbounded, colossal incompetence is not the fault of any government. PayPal has never had their shit together-- run-of-the-mill fraudsters have no problem keeping accounts open, but yours will eventually be seized without notice or explanation.

> That is ridiculous. Modern companies have no problem Hoovering up and analyzing vast amounts of intelligence on consumers ...

Meanwhile the EU imposed a 3 billion dollar fine on Google for, and this is sadly not a joke, depreffing incredibly annoying shopping comparison sites, specifically this one [1][2] and a few others. Go on, visit it. And then tell me how much the quality of the internet is lowered by making that site harder to find.

(the real reason: the Kelkoo CEO, and I'm not even joking, convinced a secretary of the EU competition commissioner (the previous one) that they were a viable EU-based competitor to Google. Yes, really, that's the level of intelligence the EU commission had, they believed that Kelkoo would be doing internet search engines better than Google)

What exactly makes you think that when we're talking lesser amounts they'd be more careful? Doesn't it make more sense that when they want something, like say, imposing sanctions or find someone that may have spied on them, they don't just go "all info on these users or it's a $100 million fine"?

Because reality is more like "Block this list of users because the police chief's wife's tennis partners' ball producer's 2-year old niece says they stole a teddy from her dog or it's a $1 billion fine. Oh never mind she found it. Did you block em yet? BLOCK EM!"

[1] http://www.kelkoo.co.uk/

[2] https://www.politico.eu/pro/politico-pro-morning-tech-google... (non-paywalled mirror @ http://blog.digitalmedialicensing.org/?p=3823 )

This is the correct answer.

I agree that companies should provide more transparency, but I think that this should be provided as a remediation process to get an account back into compliance, rather than termination reason. If companies were able to give you actionable steps or why your account was flagged, that would let them have a way forward to retain a customer as well as provide answers.

On the converse, though, termination without reason does serve a purpose. For example, if this was because of illegal content being stored on the service, Microsoft may be complying with law enforcement and doesn’t want to tip off the suspect.

I strongly believe account remediation is better than all out termination, and that termination should only be enacted in the most severe of cases (repeat offenses or potentially criminal conduct).

>Microsoft may be complying with law enforcement and doesn’t want to tip off the suspect.

The suspect is already going to be tipped off by the fact his account is banned.

Although I can see how this can be abused. Imagine if I create 10000+ spam Facebook accounts and they all get disabled, am I entitled to a written explanation for why each account got disabled?

Sure, why not? An automated form reply stating "Your account was blocked for the following spam posts" with a way to appeal false positives.

You might even require a $5 bond to appeal or something, to prevent spurious appeals.

This just teaches the abusive users which behavior was caught, so they can learn to be better at evading that scrutiny in the future. It is completely counterproductive for a company to provide banned users with a detailed reason for their ban.

Spammers have plenty of ability to A/B test these things to determine which posts trigger and which don't.

Meanwhile, normal users are left totally confused, with zero recourse and potentially a loss of important data and other significant repercussions.

Call them? Escalate, escalate, escalate until you get an answer.


Exactly the same thing happened to me while using Azure free tier. 2-3 years ago. It was a new account which I only used for a few days. Only to make a few test calls to their geo location API (I think). I needed that for a service that I was building. Then I got this same message. No idea why. I did get two phone calls to upgrade my account (!) but they could not explain why this happened, nor get more details. Very, very strange. I switched to Google and never looked back.

There are dozens of stories of identical things happening to Google accounts so it's not as if they are any better.

Exactly. These giant companies should really only be used as interchangeable infrastructure. I have my own personal domain. At the moment, I use Google to handle my mail. If they no longer want me as a customer, I'll update my domain's MX records and move to another company.

What happens if your domain registrar bans you? Is it something they can do?

I guess they could, but the domain is mine and I could transfer it to another domain registrar. Some government organization could seize the domain, but that's not something I worry about.

I would be even more worried about DNS/domain hijacking if the HN stories I hear are true. Not only technical issues but social engineering of the domain ownership.

Whatever you do (custom domain or not), you're always exposed.

Yeah but I don't really know what to do about that, except for using a domain provider with 2FA.

And of course you're always exposed, I'm not sure why you'd mention that. It's no reason to just give up and do nothing.

There are forums of people claiming their site/product/business was removed off of Google because it competed in some way with no redemption.

They are too small for anyone to give a mess about.

While this certainly is not exactly a decent way of dealing with people and a less than stellar customer experience, Microsoft isn't the judicial system but a private entity. This being a civil law affair there are no formal charges and you're not accused of anything but merely (and potentially) in breach of contract.

If you sue them they'll have to reveal what they think you did. Other than that you're probably only entitled to access to your data so you can transfer it to another provider, as well as maybe a prorated refund if applicable (and you'd probably have to hire a lawyer for that, too, because they possibly won't answer any further inquiries on your part).

You mentioned a university licence. Many vendors explicitly prohibit usage of such licences for purposes other than educational ones. This might be the cause of your problem, for example if you used your account for hosting a commercial application on Microsoft Azure.

I did not use my account for any commercial purposes, and I don't have much to say for the rest, read them like "you are a poor customer, who won't be able to afford, and should not afford a lawyer to recover your $100-300 loss, for your own interest". Sad that this is reality, or someone perpetuates this fact in such an acceptant manner.

I don't endorse this behaviour at all; I'm merely stating the facts (probably as outlined in the contract you've entered with Microsoft). If you feel you've been wronged you should certainly hire a lawyer. At the very least then you'll know what it is they think you did.

Another option would be talking to a consumer organization (not sure if this is applicable because a university licence might not qualify as a consumer licence).

Other than that: Caveat emptor. I know this sounds trite and doesn't really help in your current situation but when you entered that contract you very likely agreed to the terms Microsoft now uses against you.

> Other than that: Caveat emptor. I know this sounds trite and doesn't really help in your current situation but when you entered that contract you very likely agreed to the terms Microsoft now uses against you.

Yes of course, he should have simply not used e-mail.

Or use an email provider that offers better terms?

Such as?

A few: Autistici, cock.li, CounterMail, ProtonMail, Riseup, ScryptMail, Tutanota, VFEmail.

Don't forget self-hosted

True. But then you may have deliverability issues, right?

Some people say they have that, but I've never experienced it. I even run it out of a residential IP with no issues.

This is probably a good example of YMMV

But for some unusual but binding decisions applying the Fed Arbitration Act against consumers, situations where it's not cost effective to sue as an individual can be cost effective with private attorneys general, i.e., a class action attorney. Lacking that your only recourse may be your state equivalent to my state's division of Agriculture and Consumer Services or the FTC, neither likely to be effective or satisfying.

> If you sue them...

Sue them for what? Surely they reserve the right to deny service to anyone?

They already entered into a contract with him, and then suddenly terminated the contract without notice.

Even if the contract contains language allowing them to do that (worth checking!), if he signed the contract as a consumer (not as a business) this might be against consumer protection laws.

> Microsoft's own way of justice is against the legal systems in all the modern countries, which always makes sure that the accused knows their faults, as one of their rights, and for the benefit of the accused not getting involved in such acts for a second time, for that they this time will know.

Welcome to the modern world.

I read frequently on the /r/androiddev subreddit about Android devs who have had apps suspended or accounts closed for reasons beyond their comprehension.

I frequently read about people wanting tech platforms to start censoring more actively (Twitter, FB, Youtube?) and for them to boot controversial people for using their free speech (even if offensive).

Unfortunately giving "the accused" any sort of recourse doesn't seem to be a priority when the PR machine is going against a tech company - it's easier for them to use the banhammer.

Microsoft isn't a government. They can't arrest you, and they can't seize your property (that you haven't already given them). As a private entity, they can define the terms by which they provide or revoke services, within some broad boundaries such as Civil Rights law.

So that can suck, if you don't know why you've been banned or possibly when you are banned by mistake, but that is the risk of using these kinds of services.

This account had been my oldest digital property, which I had been using for probably over 10 years now. I haven't been using it any differently than before, so now I am left absolutely clueless with a sizeable digital property of mine being lost. I could have kept a copy of everything and not got all-in to the OneDrive with the On-Demand feature, but I don't know what I could have done to not lose 3.5 out of 4 years of pre-paid (required) Office 365 University service, because Microsoft simply does not tell.

Email the office of Attorney General of your state with a grievance - you paid for it, it was yanked from you, no one is picking up the phone. This is what AG is for - protecting consumers from all kinds of snatch-and-run, big and small.

Now you might think the AG won't have time for you, but the AG is not sitting there reading the incoming email and deciding to act. The AG clerk on duty will check that basic facts and dates are present in your email (make sure to include them), and ask the BigCo for their side of the story; all that before anyone even looks at the merit of the case. The BigCo will now face a choice - continue corresponding with the office of AG (which is billable lawyer time plus a drain on management brainpower), or shut you up by giving you back your stuff (which is free).

OP is in Turkey :(

How have you been using it?

Sending/receiving emails from it on Hotmail. As a cloud storage to my files on OneDrive. To prepare documents, tables, presentations on Office. To listen to music when there was Groove. Logging into my two Windows 10 computers. To purchase/download software to my convenience on the Store. While signing in to other websites, either using my email, or via Microsoft sign-in.

Probably just like everybody else.

So what Linux distros are you considering?

Yes. I refuse to go to Windows 10 because of that sort of thing, but some day, Windows 7 will no longer be usable. Running my Android phone without a Google account keeps getting tougher with each update. The jaws are closing.

Of course, Linux has a different set of problems. I just spent most of a day getting audio to work again on Linux after accidentally turning on HDMI audio. This is the 16-step procedure for fixing "no sound" problems in Ubuntu Linux.[1] It's a cut and paste of ten years of hacks for fixing sound problems.

(I took a stab at writing a sane audio troubleshooting procedure.[2] It doesn't have to be that awful.)

[1] https://help.ubuntu.com/community/SoundTroubleshootingProced...

[2] https://ubuntuforums.org/showthread.php?t=2397280

There are other distros out there, I'd take Debian or OpenSuse over Ubuntu any day. Switching audio outputs from HDMI to analog and vice versa isn't a nightmare in normal Gnome (it's usually 2 clicks), but it looks like Ubuntu has heavily modified Gnome to match their theme, and perhaps their modified Settings panel didn't bother to include that.

I didn't get to that stage, for now at least. I am still thinking of just starting a new Microsoft account, which unfortunately will not be my namesurname@hotmail.com this time, that was priceless.

Another $80 is still less than many other cloud providers for 4 years, and going down the Linux road is way too rocky for my preferences, though, may change.

> and going down the Linux road is way too rocky for my preferences

The Linux road is pretty smooth for most things. And it has the advantage that it doesn't just disappear into thin air with no explanations....

Was the user name 100% compliant with Microsoft's TOS?

Was the four year prepaid university license to Office 365 100% compliant?

Does anybody know of a MS feature similar to Google Takeout?

I frequently take downloads of my Google content with Google Takeout but haven't been doing the same for Microsoft. Recently started adding important content to my MS account, and probably ought to start doing the same for that service.

edit: yeah, yeah, yeah all the cool kids don't use Microsoft stuff. For some of us, there may be reasons we do, and I suggest this MS service might do the trick. I'm still testing what all is included in this export. UPDATE: apparently this tool just exports a JSON file including usage information of each MS service but not the data contained within those usage sessions, i.e. a file I've created in OneDrive Excel. Hmmmm.... going to continue the hunt.


I don't think most people have Microsoft accounts, or services so there is nothing to take out.

I'd wager a guess that the majority of Windows users use a Microsoft online login. Also, Office 365 and OneDrive are both widely used, and there's Skype, Xbox, and Hotmail/Live Mail/Outlook/whatever.

That's forced integration, but logging into Windows does not imply you store data on Windows services. The only thing that I can see resulting in data storage is OneDrive because it's forced down.

They can claim that they are following the law, but that doesn't mean they actually are... If you have a university based license then I would suggest you complain about the suspension of service with your university. Possibly the person who manages the business relationship with Microsoft has contacts they can talk to.

Also: keep backups outside of the Microsoft ecosystem.

It is my personal over-10-years-old account. I merely bought a university package that is for sale on Microsoft, using this account after getting registered to my university.

I would still see if I could get the university involved. A request from a university will get more attention than from an individual, since a) Microsoft wants to be responsive to education b) they are selling anywhere from several hundred to several thousand of licenses (depending on your university's size).

Are you a current student then?

No, I graduated at the end of last Spring semester. I purchased the product while I still was a student last year. I will become a Master's student once again within two months.

Could the university have notified Microsoft that you were currently not enrolled, and that's why your account was suspended?

If I know anything about corporations, that's because of a due diligence check. Your name or credit card or face matched someone else, or they thought you have connections to sanctioned countries, or your finances are dodgy.

Even for spam they wouldn't block you like this right weather. It's due diligence.

> "Pursuant to our terms, we cannot reactivate your account, nor provide details as to why it was closed."

Am I correctly interpreting their statement as saying that they're constrained by their own self-imposed policies?

Imagine your Github repos gone because Microsoft thought you violated TOS.

Well now that's just an eventuality.

I've been thinking a lot about this (after hearing about the Airbnb guy [1] the other day) as it pertains to the cloud i.e. Azure, GCP. I'd hate to be a company that spends hundreds of thousands moving its infrastructure to the cloud, then suddenly without warning it's all terminated without cause or explanation.

On a side note, as a published author on Amazon, I've heard horror stories in the usual author forums of Amazon doing the same to authors, pulling all their novels off their site without warning and terminating their account. Amazon does have some remediation pathways (unlike the AirBnB guy), and many authors had their accounts restored after weeks or months of pestering support (although the damage is done).

[1] https://news.ycombinator.com/item?id=17523056

My account got suspended and kicked me off a month ago by simply accessing the forwarding section of my Microsoft account. Tried it on another account and same thing. To this day I am confused about that, and how some of these big companies with the toughest entry requirements make the dumbest crap.

Yep. Same thing happened here.

New account banned after changing Hotmail settings.

Did you have pirated material in OneDrive? Did you pirate Windows, Office, or any other Microsoft software?

I'm thinking content scanning or Microsoft Account telemetry.

I don't think that this matters as much unless you've shared it & Microsoft got some sort of DMCA notice.

By any chance, did you have child nudity (ex: photo of child bathing, etc.) on your OneDrive? If so, I wonder if PhotoDNA picked it up (see https://www.neowin.net/news/man-arrested-after-microsoft-fin...).

I have nothing useful that I can say here except that this has happened to me. A few months back, I created a new account on Outlook with a username that I wanted to adopt for my communication. When I tried to login the next day, the account had been suspended by Microsoft with a similar reason given. I didn't do anything further because I had just created the account and had nothing associated with it.

Amazon does the same thing from experience. Google too from what I've read here. This is the dark side of tech companies. In this respect they are all powerful. Makes it impossible to truly rely or trust any of their services when they did things like this. We're seeing more and more of these cases and without proper regulations, what's to stop these companies from abusing their customers? Nothing. It should really make one think twice about depending on such services, especially for running a business.

Yes. Been there, done that.

I was wondering what it was I could have done. I was thinking of all the "grey area" things I may have been up to - then I paused and thought: "why am I concerned they could know so much?" because it's possible.

That was the final week I used Windows.

It will get worse before it gets better, and I'm actually thankful.

I hope someone from Microsoft can address this problem asap. I have an Office license + 1 TB of OneDrive pictures and important documents which have no other backup. Also other online accounts are tied to the Microsoft account. If Microsoft shut people down without reasoning I may plan to "decentralise" my services.

I strongly recommend you just go ahead and do so. This is like saying: if the burglars don't return this guy's stolen property soon, I might just have to start locking my doors when I go out.

Contrary to most of the posters on here, I have had nothing but positive experiences with Windows 10. I don't get served ads in the OS (or don't notice them). I don't see any upsell. I don't get blue screens. Edge is a competent and effective browser, and I often use it over Firefox or chrome, though I still use those for development. I am a happy customer.

I have a paid OneDrive account that stores all my family photos.

Reading this has made me realise it could so easily happen to me. I'm going to make double sure I back up everything locally too, from now on.

MS only has my photos though. Google really has me by the balls. Ten years of emails with friends and customers, and pretty much every login I have is tied to my gmail. If that was taken away I would be truly boned.

Windows 10 has been bombarding me with "start your Office free trial" ads for years. I keep disabling the notification, and it keeps coming back when I get updates.

That's my only complaint, but it isn't a small one. Having advertisements so deeply baked in to an operating system is disgusting.

Where do these appear? I've honestly never seen them

Fastmail has a really smooth import function that lets you migrate your gmail mail easily. They also make it easy to regularly backup your mail offline and if you ever want to quit their service they have a "Download everything" button that gets you a copy of every piece of data in an accessible format.

One of their principles is "Your data is your own".

I migrated from Gmail at the beginning of the year and I haven't looked back once. My Gmail is still active and is forwarding to my fastmail account, but at this point it wouldn't really affect me if they shut it down.

I might do that. I backed up all my gmail using a third party tool last year so it is possible, but my issue is more that I have so many profiles tied to that gmail address that losing it would be a nightmare. If they started charging for gmail tomorrow I would just have to pay whatever it was because it would take weeks to change the address across all my accounts

That is actually why I ended up switching. I didn't like the feeling of knowing that I was bound to Google, plus the whole privacy invasion issues.

While time consuming the process of switching only happens once, and now my data is my own again. If you want you can also buy a domain and set up your fastmail to use that, so in the future you keep your email address(es) regardless of provider.

Were you running any of their cloud servers? If so what were you doing on there?

Were you storing files? If so what kind of files.

You might find there's some kind of activity you've been doing but thought was ok, or you were storing files which got flagged for porn or copyright.

I find these stories really disturbing. Are there any services (I'm thinking mostly of email, cloud storage) that explicitly say they will

- provide a reason if they ban you

- always let you take out your data (unless not legally possible)

- have decent customer service ?

If you use the account on Win10, do they lock you out from your whole computer?

I just tried to see if I am able to log-in using Microsoft account, and I was.

Most EULAs I have been reading clearly state that the service provider can recede from the contract at any time without having to provide any explanation.

This is undoubtedly unfair, but I honestly wonder: if this is even legal?

If they can force you to agree to mandatory arbitration to use their service (and in the US they can, according to the Supreme Court), this kind of stuff is peanuts.

That's the problem we've been talking about for years with regards to dependency on the cloud. Take digital games: you don't own them, when you pay roughly the same amount you did for a boxed game a decade ago now you barely get a license, not a right, to play said game on platforms such as Valve for as long as they allow you to.

And it's the same problem with software in general these days, no matter if you pay you don't own it so you don't have a right to use it.

Folks, it is high time & rather long enough time that we actually bought domains & setup our own email addresses since now everything is linked with one & random termination of a free-email account & linked data loss is simply unacceptable. But that's what you get when you go with a free service provider.

I highly recommend Fastmail. Not affiliated other than customer since 2002. Best email out there IMHO. Paid, but worth it.

How is search nowadays? I left them 8 years ago because search was so bad compared to Gmail.

Search is great. No issues.

Search for their support number and call them. While stuck on the phone, research making the jump to free software.

Almost makes me wonder if legislation requiring companies to "provide details as to the reason for account closure" is a necessity.

If a company can take everything away from you at the turn of a dime, you should at least be entitled to know why it was done.

This is not the first time someone has been kicked out of their MS/Google/Apple/Cloud provider with any explanation. Has anyone tried to sue them in order to get the answer to the question "why"?

This is a bummer, and not customer friendly.

This is one* of the reasons why I never use single sign on for other services.

* other reasons include:

not wanting SSO to know where I'm going, when I'm going to it. It's none of their business!

Not wanting a cascading breach

Once again, this is what happens when you trust some third party organizations for simple things like storing your data, facilitating group communication, or even authenticating your very identity!

Why do we do it?

> Why do we do it?

Because these sort of stories represent probably something like one in a million failure rate. That is ridiculously successful. And those "simple things" you say are really not all that simple.

Did you originally open the account using an "alternate email"?... and now they have Temporarily Suspended the account...?

But they give you the option to provide a textable phone number and give you 10 minutes to use the texted Access Code?

I have had that happen 3 times... they are after your cell phone number and are holding your account hostage to get it.

They will not respond to any other option nor give evidence of what they claim violated any Terms of Use. They just say "Suspected".

Did you perhaps leak an API key?

MS won't tell you, we don't know. End of story. What more is there to say?

Generally when someone posts a story like this on HN it's both as a warning to others about what could happen to them, and also in hopes that someone from the source company touches base or clarifies. It's seldom the end of the story.
