Hacker News new | past | comments | ask | show | jobs | submit login

Be very careful about combining Inactive Account Manager with telling Google not to store activity data. I started getting countdown to deletion warnings telling me I needed to log in to show I wasn't inactive, but no matter how often I did it was ignored completely until I turned on activity tracking. I'm not sure if this is a rare bug or working as intended, but it could go badly. In the end I turned off Inactive account management and activity tracking, but it was a bit disturbing.



This sounds like The Monkey's Paw. They granted you your wish of tracking no personal data, now they can't even verify your account's identity, and their inactive account cleanup job has scheduled you for deletion. Very interesting! The line between necessary data and personal data is a finer one than I thought.


What counts as logging in? Do you check Gmail or drive weekly? Backup and Sync?

Can you set up an API key app that pings an API weekly?


If I recall correctly their documentation suggests that a single login to the Gmail web app or several other properties should count as well as the official Gmail apps, but no web logins I tested had any effect for me. Sadly I can't retest this without setting a new timer on an account.

If you end up in a position to tet this you'll want to keep an eye on multiple account logins as well since the link they send you in the warning doesn't go to a specific account. If you're logged in to more than one account and the first one isn't the one you got the warning about you'll end up looking at the manager for the wrong one and need to either log out entirely or find it manually. A minor design issue, but it can be confusing for a few minutes.


Sounds like a gdpr violation


Or an edge case they didn't consider, and will likely fix.


My bet was on a mix of just a predictable edge case and Google not prioritizing testing when users have stopped activity. I don't think they sat down and decided the kind of people who care about the inactive account manager were especially good targets for manipulation. I'm sort of surprised that they didn't use the info that they have on last logins instead of the web activity tracking, but there's probably some architectural reason it was easier.


Logins can occur without user interaction by a logged-in device, so it's not as meaningful as user activity.


That's true for apps & devices, but generally I think they can assume that a human is doing the logging in for one of their websites. If they can't assure themselves that it's mostly true they have a serious issue.


There are plenty of passwords managers that will do an auto-login. Anyway, the last time I've logged into my Google account is months ago - I only access it on trusted devices with long-lived sessions, and I suspect this is the case for most users.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: