The risk of getting your account locked is just one of the reasons you shouldn't use Google (and the like) to sign in.
But how did we end up in this horrible state of authentication? Why don't we have something as easy to use as the DNS, but for authentication?
Imagine what authentication would look like if we all started running in the same direction, instead of implementing our own authentication again and again. If we had something open source that would allow you to sign in to all the sites you use, while completely protecting your privacy, so none of them know who you are.
This dream can come true. Technically at least. I've taken the first baby steps with https://promiseauthentication.org which proves that this is possible.
But, for this to become a reality, we really need to start running in the same direction. A collective movement towards a sane, privacy-first Single Sign-On provider that's easy to use for everybody.
It's a step in the right direction, but it's still centralized. A lot of the work done by the Indie Web community around IndieAuth[1] is really attractive. Your identity is your domain, and you can change how your domain says you're allowed to authenticate. Now you can even use sign-in with google without getting locked out should you lose your google account.
Aligns really well with using your own domain for email instead of gmail.
I hadn't heard of either Promise or IndieAuth before reading this thread, so apologies if this is a dumb question. But one of the benefits of Promise is that it's pseudonymous:
> You will get a unique identity per service you use. This ensures that relying parties have no way to profile you across services.
For me, this is actually the biggest reason that I stopped using social sign-ins. It's not that Google might disable my account one day; it's more that I don't want Google or Facebook tracking me.
How does a decentralized system handle this? If my identity is my domain, doesn't that mean that all these websites now have a unique id which they can use to join together all their separate pieces of data about me?
You're right, all the websites could band together to coordinate and share that the same person logged into each site. They do this today with email addresses and phone numbers explicitly (and implicitly with "advertising IDs" and the like). The Facebook "like" button and Google analytics are both tools to make it easier to track you around the web. Getting away from being able to track you around the web is going to take a lot more than just an anonymous ID as your login credential.
That said, the unique identity is still valuable--Apple offers this with their third party sign in[1]. Practically, if everyone was using self-hosted identity, then the tools would probably make it easy for you to create and track your own new identities for each service you use. This isn't built into something like IndieAuth today, but with the right DNS settings you could have arbitrary subdomains return the same authentication options and act as easy-to-use "sub identities".
Being pseudonymous is one of the main selling points of Promise.
Only by being pseudonymous can it provide the level of privacy that should be expected from the global authentication infrastructure that Promise wants to be.
Isn't that a problem, like "let's get rid of Google and all the evildoers because they know too much about us" then "oh we realize we created another one which knows too much about us"?
I get where you're coming from, and this is something I've been thinking a lot about.
It would be possible to not save the map, and then use some kind of hashing to infer user ids for each site. I chose not to do this, to be able to guarantee no collisions. This might be silly, though. But the thought of people with colliding user ids makes me giddy.
The data stored looks something like this:
{
  "ids": {
    "example.com": {
      "07c5c163-875f-424c-a659-a4f99e74eb12": "default"
    },
    "other-example.com": {
      "ab38b2a6-d560-43d3-b2a3-9148cd91d1b4": "default"
    }
  }
}
Worth noting is that there is no personally identifiable information (PII) here.
But we have to have the discussion if this is "too much" data to keep about a user. AFAIK this is the bare minimum of data needed to be able to guarantee no collisions of user ids. If there is another way to do it, we should do that!
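The two designs weighed above, the stored per-site map and a keyed derivation that stores nothing, side by side. This is an added illustration, not Promise's code; the per-user key, the host-name normalisation, the UUID presentation and the service-wide set of issued IDs are all assumptions.

```python
import hashlib
import hmac
import uuid
from typing import Callable, Dict, Set


def normalize_rp(relying_party: str) -> str:
    """Canonicalise a relying-party name so that "Example.com." and
    "example.com" map to the same identity.  Assumption: identities are
    keyed by host name, as in the JSON map in the comment above."""
    return relying_party.strip().rstrip(".").lower()


def derive_pairwise_id(user_key: bytes, relying_party: str) -> str:
    """The stateless alternative mentioned above: HMAC the RP name under a
    per-user secret key (assumed to be derived from the user's credential).
    Nothing is stored; the same (key, RP) pair always yields the same ID, and
    the IDs for two different RPs cannot be linked without the key.  Two users
    colliding at one RP is astronomically unlikely (about 2^-122 per pair once
    the UUID version/variant bits are fixed) but not guaranteed impossible."""
    mac = hmac.new(user_key, normalize_rp(relying_party).encode("utf-8"),
                   hashlib.sha256).digest()
    # Presented as a UUID so it is indistinguishable in shape from a mapped ID.
    return str(uuid.UUID(bytes=mac[:16], version=4))


def allocate_mapped_id(ids: Dict[str, Dict[str, str]], relying_party: str,
                       issued: Set[str],
                       draw: Callable[[], object] = uuid.uuid4) -> str:
    """The stored-map design from the comment above.  `ids` is one user's map
    (the "ids" object in the JSON), `issued` is the set of IDs already handed
    out at this RP across all users (an assumption about how that is tracked),
    and `draw` is the randomness source, parameterised so the collision check
    can be exercised deterministically.  Uniqueness per RP is guaranteed by
    construction, at the cost of keeping the map."""
    rp = normalize_rp(relying_party)
    if rp in ids:                       # this user already has an identity here
        return next(iter(ids[rp]))
    while True:
        candidate = str(draw())
        if candidate not in issued:     # retry on the (rare) collision
            issued.add(candidate)
            ids[rp] = {candidate: "default"}
            return candidate


if __name__ == "__main__":
    key = b"\x11" * 32                  # constructed per-user key for the demo
    for rp in ("example.com", "other-example.com"):
        print(rp, derive_pairwise_id(key, rp))
    user_ids: Dict[str, Dict[str, str]] = {}
    print(allocate_mapped_id(user_ids, "example.com", set()), user_ids)
```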
> Self-sovereign
You manage your identities and attributes locally on your computer. No need to trust a third party service with your data.
Why do people assume that is a good thing? I do cybersecurity at work (among other things) and it takes a lot of effort to keep things both available and secure. My home PC, not to mention PCs of my friends, are never going to be as secure.
A system which has a chance will have to be federated, not local-only.
I work in crypto and we sell a hardware device to keep your seed phrase secure and the physical device is required to sign transactions.
But then you should listen to the advice we're given if we use one for personal use.
1. buy two devices
2. Generate a phrase on one then import to the other
3. Put the second one in a safety deposit box in another city or state, or a safe with a family member also out of the city or state.
4. Keep a copy of the phrase on a steel seed phrase tool (Steely, etc.)
5. Mount the steel seed phrase backup inside of a wall of your house and plaster and paint over it.
6. If your phrase ever gets seen by any electronic means, it's compromised and the process must be redone (note that importing uses a randomly shuffled alphabet on the device to make MITM or keylogging attacks unusable).
So... Security is hard. We should build systems that make it easy. There should be ways to recover from backups if a service goes offline, but we can't expect everyone to make good decisions.
Not to mention having passwords synced between devices and available on demand is really a requirement if you use random passwords for every site and need to log into something (heaven forbid) on someone else's device.
Most people are not trying to stop a determined attacker. Most people just want random people to not be able to get into their stuff--same as a physical lock.
They carry a physical key on their person. It's not too much to ask them to carry a "digital" key on their key ring.
The problem is that most "digital" keys are a pain in the ass:
1) Mostly because everybody wants to "centralize" authentication so that they can charge you and administrate you.
2) Secondarily because there is no good solution for talking to the key on your person. NFC sucks. USB requires that I plug my key in. WiFi requires that the device be able to hit your network. BLE has no access from web pages.
BLE is probably the best choice, but there is no real money in making it work.
I'm a bit divided on whether or not the "centralized" thing is actually a problem Promise should tackle.
On one hand, I want to tell you that Promise is only centralized by default. Which is good for people who don't understand what an OpenID/IndieAuth Provider is. But as Promise is open source and the protocol caters for it, it is possible to have Promise redirect authentication requests to your own instance. Which then redirects you back to the relying party you want to sign in to. So it is possible to decentralize if that is what you want.
On the other hand, I'm not sure it's a good idea to do it. Centralizing gives a lot of benefits. User experience being one, but also being able to roll out e.g. security updates quickly. But sure, centralization also creates problems.
But until now, I have a feeling that the problems with centralization can be solved by other measures than going decentralized. E.g. being a non-profit organisation owned by the relying parties. This would guard against a lot of the problems with being centralized.
And I have yet to encounter a decentralized solution with a reasonable user experience for most people. OpenID, IndieAuth, SQRL, re:claimID, I'm looking at you. Sorry.
You're right that the user experience is a huge blocker, but I think that's something we as authors of tools can improve on. For example, there's a Wordpress plugin that lets your Wordpress site act as an IndieAuth identity[1]. That makes it pretty usable from an end-user perspective.
The challenge with centralized is that it is a single point of failure. The original post was more focused on "If you get locked out of google, you get locked out of everything". In that vein if promise gets hacked/bought/abandoned/changes its business model etc. then you lose all your accounts. The anonymous nature of it is great, but this is something Apple already offers with their sign-in with apple which is already widely supported and with the proxy-email solution you can still be contacted by the sites you're signing up with.
I got interested in IndieAuth because of a project of mine[2], trying to make it really easy for everyone to self-host their facebook/twitter equivalent with direct control over who has access. This runs into the problem with wide adoption where you have a separate credential for each of your friends' blogs. With IndieAuth built into the self-hosted platform, then your own self-hosted site becomes the one credential you can use on all your friends' sites. Self-hosted distributed identity for privacy AND ease-of-use.
I'm really happy that you're willing to take this discussion with me.
I totally understand what makes IndieAuth a good solution. And it seems really easy. For me. But I have no idea how I would go about explaining it to, let's say, my mom.
Apple is offering something very similar to what Promise does. The difference is that Apple is a commercial corporation. Which means they're in the game to make money. Promise will be in the game to make authentication easy, secure and private.
In many ways I compare the goal of Promise with the goal of DNS. Take a commodity and make it available globally in a reliable way. Yes, it will be a single point of failure. So the job of Promise will largely be to keep the platform secure and reliable.
The mom-test is a good one, I'll have to think more about it. The truth is the advantages and disadvantages of various authentication systems are subtle, and hard for a lot of technical people to understand, much less care about.
Apple is a commercial corporation, and one of the biggest (by market cap) companies in the world. That gives me confidence that they'll be around for a long time, have sufficient resources to invest in security and reliability, and they have a well-established reputation for a focus on security. They do other things I don't like[1], but I think this is one area where they're setting really good precedent.
In addition, it's going to be difficult getting any sites (outside of maybe the crypto/grey-market) to adopt an auth system that doesn't let them contact their users. This is also I think a big failing of IndieAuth.
Promise is basically challenging the assumption that authentication has anything to do with both personal identity and being able to contact a user.
If a site needs to contact the user, it's reasonable to ask for e.g. an email. But now the intent of asking for an email has to be crystal clear, which makes you and them more aware of what data you are actually giving them.
Apple sure is doing some good stuff with their authentication solution and their efforts to help people with healthier password habits. I'm still not too fond of having such fundamental infrastructure owned by a private company. Would you be comfortable handing over DNS to Apple?
There is so much fragmentation in authorization and authentication that it is hard to see how we can “run in the same direction”. Facebook, google, etc have zero incentive to change anything.
There is TLS client authentication, unfortunately it never caught on, probably due to the lack of a good and uniform UX in browsers. Imagine if web browsers had automatically generated password-protected self-signed certificates that could be used to authenticate to web services without need of any third party.
> Imagine if web browsers had automatically generated password-protected self-signed certificates that could be used to authenticate to web services without need of any third party.
What should be done when creating a new account is that, in addition to the username and password, the website should allow for uploading a certificate signing request. The web browser should then allow the user to create one and upload it. The website should then return the signed certificate to the client and the browser can then store it to use during subsequent connections.
Doing something like this would allow for two factor authentication without the half-baked solutions like sms or email based 2fa.
> The web browser should then allow the user to create one and upload it
Your average user is not going to open a command prompt and dig into Openssl. There are (or were, I haven't used them for a decade) browser-specific APIs for generating private keys locally, but they were very flaky, and the whole UX was very confusing for users.
And after this, the user can only sign in on the machine in which the key was created. Your average user will not have a clue how to move certificates and keys around between machines.
I have direct experience with this. Back in 2008 I led a team building an extranet site, and we used X.509 client certificate authentication. We had to build our own tooling for management of the PKI, which was no small task. But ultimately it was key creation and certificate distribution that were the biggest problem - our users absolutely hated the signup process, as well as the fact that they couldn't later sign in on another machine.
> Your average user is not going to open a command prompt and dig into Openssl.
That's why I said that the browser should provide that feature.
> There are (or were, I haven't used them for a decade) browser-specific APIs for generating private keys locally, but they were very flaky, and the whole UX was very confusing for users.
That's a UX issue that can be solved if the time was put into it.
> And after this, the user can only sign in on the machine in which the key was created. Your average user will not have a clue how to move certificates and keys around between machines.
They shouldn't be moving/sharing keys between machines at all. What could be done is to implement a mechanism to associate an additional device with the account. Perhaps something like sending a CSR from the new device and then using the first device to confirm that it's a legitimate request.
> something like sending a CSR from the new device and then using the first device to confirm that it's a legitimate request
So I can only sign into my account from any new machine if I have access to a previously-signed-in device? What happens if my last login session expires? At that point, I have to sign in with a password, and now I'm back to all the terrible things about managing 500 passwords.
Federated identity / SSO through a trusted provider makes so much more sense, the standards are open and there are dozens of implementations available. Nobody needs to reinvent the wheel, we don't need a 15th standard. You just have to sign in with a provider that you trust not to lock you out for no reason, in a way that gives you no recourse (unless you can get your story on the front page of HN). Obviously that provider is not Google.
> So I can only sign into my account from any new machine if I have access to a previously-signed-in device?
The scenario I'm envisioning is that one creates an account on a website like HN, but with the additional step of generating a CSR, sending it, and receiving a certificate to store locally (with the browser handling the generation of the CSR and storing the resulting certificate with a standard and easy to understand UX workflow).
Once signed into the account, the website could prompt the user to add additional devices if they so wish (e.g., I created the account and signed in on my laptop, now I'll add my smartphone as a trusted device). This step could be done now, or sometime in the future.
If the prompt encourages users to do so right after creating the account, it's likely that they'll have access to the original device to confirm additional CSRs. Even if they choose not to do so right away, I don't think it's an unreasonable requirement to have access to the original device.
> What happens if my last login session expires? At that point, I have to sign in with a password, and now I'm back to all the terrible things about managing 500 passwords.
If the situation was that websites used 2FA via having the username/password as one factor and client-side TLS as the second factor, then password reuse wouldn't be an issue. Even if someone were to guess the username/password combination, the most they could do is send junk CSRs to try to add their device, which can then get rejected or not acknowledged by the original account holder.
> Federated identity / SSO through a trusted provider makes so much more sense
Perhaps, but based on what I've seen for general services out there, they just use either Google and/or Facebook as the trusted provider. I'm not sure how that situation came about, because it was pretty easy to create multiple accounts on those services without having to provide any basic identifying information (which essentially is the antithesis of what should be considered a trusted provider).
SSL/TLS is a standard that has been around for a long time, and given the ubiquitous use of server-side TLS, I don't see why it would be considered re-inventing the wheel to use the client side part of it. With nginx, you could set an HTTP header with proxy_set_header based on the value of the $ssl_client_verify variable. Then the application could direct the user to the login page. If the client cert is valid, then allow them to log in normally. If not, then direct them to log in, send a CSR, and go back to a valid device to confirm that CSR.
> You just have to sign in with a provider that you trust not to lock you out for no reason, in a way that gives you no recourse (unless you can get your story on the front page of HN). Obviously that provider is not Google.
Personally, I think we shouldn't have to involve third party providers in the authentication process. One reason is what you've already mentioned about getting locked out of the account. The second is if that account is compromised. With TLS, you don't need a third party involved in the process at all for the client side.
I just find it disappointing that I'm essentially forced to use email or SMS based 2FA where, arguably, those are less secure compared to having a strong password on the original service. By less secure, I mean that those factors could be compromised in a way to access my account that completely bypasses my strong password. It's the same with requiring security questions and allowing access to the account via a well known answer to one or more of those questions.
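The application side of the flow sketched in the comment above (nginx passing $ssl_client_verify to the app, password-only sessions parking a CSR, and an already-enrolled device approving it), written out as an added example that is not the commenter's code. The header names, the nginx fragment in the comment block, the Account shape and the `sign` callback are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Assumed nginx fragment in front of the application (not from the comment):
#   ssl_verify_client optional;
#   ssl_client_certificate /etc/nginx/client-ca.pem;   # the site's own CA
#   proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
#   proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
# proxy_set_header always overwrites these headers, so a client cannot inject
# them, provided the application is only reachable through this proxy.


def classify_tls_client(headers: Dict[str, str]) -> str:
    """Turn nginx's $ssl_client_verify into an application decision.
    nginx sets it to "SUCCESS", "NONE" (no certificate offered) or
    "FAILED:<reason>" (certificate offered but not valid under our CA)."""
    verify = headers.get("X-SSL-Client-Verify", "NONE")
    if verify == "SUCCESS":
        return "cert-ok"   # second factor present; password login completes sign-in
    if verify == "NONE":
        return "enroll"    # password login only; may submit a CSR for this device
    return "reject"        # a bad certificate is a stronger signal than none


@dataclass
class Account:
    username: str
    enrolled_serials: Set[str] = field(default_factory=set)     # certs issued to this account
    pending_csrs: Dict[str, str] = field(default_factory=dict)  # token -> CSR fingerprint


def bootstrap_first_device(account: Account, csr_fingerprint: str,
                           sign: Callable[[str], str]) -> Optional[str]:
    """At account creation the first CSR is signed without approval, because
    there is no enrolled device yet.  `sign` is the site CA's signing hook
    (assumed) and returns the serial of the certificate it issued."""
    if account.enrolled_serials:
        return None
    serial = sign(csr_fingerprint)
    account.enrolled_serials.add(serial)
    return serial


def submit_csr(account: Account, csr_fingerprint: str) -> str:
    """A new device, authenticated by password only, parks its CSR.  Nothing is
    signed yet, so a guessed password yields only a pending request that the
    real owner can ignore or reject, as the comment above argues."""
    token = secrets.token_urlsafe(16)
    account.pending_csrs[token] = csr_fingerprint
    return token


def approve_csr(account: Account, token: str, approver_headers: Dict[str, str],
                sign: Callable[[str], str]) -> Optional[str]:
    """Approval must arrive over a connection whose client certificate verified
    AND whose serial is already enrolled on this very account; a valid
    certificate belonging to some other account is not enough."""
    if classify_tls_client(approver_headers) != "cert-ok":
        return None
    if approver_headers.get("X-SSL-Client-Serial") not in account.enrolled_serials:
        return None
    fingerprint = account.pending_csrs.pop(token, None)   # single use
    if fingerprint is None:
        return None
    serial = sign(fingerprint)
    account.enrolled_serials.add(serial)
    return serial
```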
I've built Promise to prove (to myself at least) that it would be technically possible to build authentication infrastructure that can be used across sites without having to store any data unencrypted, and furthermore without storing any personal data at all.
And it works.
It's a bold choice of words, I acknowledge that. And the proof is only as strong as my abilities to write software.
This is yet another reason why Promise needs a movement behind it. To strengthen the proof. To strengthen security.
Being a non-profit, collectively owned service, which Promise is, will make it difficult to ban users and relying parties.
Just like the DNS can block users, Promise can ban users and relying parties.
This is not something Promise should take lightly, but the fact that almost everyone has a say in Promise, unlike Google, where almost no one has a say, makes me full of hope that this can be solved in a transparent way.
Cool demo. I couldn’t figure out how to make an account though.
I think this would need serious widespread adoption until we saw benefits too. And you’d need some big names...like Google. Which probably will never happen.
I hate it when I type my email and password (correct, that is), and get an error saying "You already have an account. You need to sign in". OK. But would you please just sign me in then. Everything you need is there.
So I chose to make it one. This might be more confusing than anything else... And I might be missing some other point for this to make more sense...
Internet identity could maybe be a layered thing where one layer takes care of authentication, which is where Promise lives. The next layer could handle information like name and email. And finally a layer that handles your verified identity by an authority. That last layer is where the Danish NemID fits in.
For a smaller company that doesn't have the ability to dedicate a team of people to authn and authz, OIDC/OAuth/SAML/etc. are all extremely complicated tools that take a lot of experience to even begin to understand the terminology. Ask your average engineer to implement logins for an API and they'll be able to do it. Ask your average engineer to implement current SSO-like integrations for even the most standard of use cases (website logins) and it's a huge pain. Drift ever so slightly off the beaten path (IoT devices for example) and you're in for a "fun" time.
To add to this: Never use a @gmail.com address, buy your own domain and pay the $6/mo to get a Google GSuite with your name@fullname.com address instead. If Google locks your account, you can now move your email hosting to another provider and won't lose access to your entire digital world.
Be aware that doing this now means your DNS provider and domain registrar become vectors for hackers to take over your email account, so make sure these are companies you trust and your access to these accounts is as secure as possible (i.e. strong unique passwords and app-based, not SMS-based, two-factor authentication).
You can do this without paying as well. If your DNS provider supports email forwarding you can use that (if it doesn't you can use improvmx free tier) and use gmail's inbuilt smtp server to send emails using your own domain.
As long as you don't want to use any Nest products, which now insist that you have a gmail.com address as apparently hosted domains are for business only.
Hmm, thanks, I'll have a look into that. The objection to nest using "Google for Domains" or whatever they changed it to these days seems to be to do with the domain admin having access to everything. Which would be just fine for me, as I'm the only one that uses the domain.
Hopefully signing my address up that way, when it's already a domain account, won't b0rk all sorts of other things :/
There have been a ton of products where Google didn't initially support that but eventually added it. Maybe Nest will one day.
Obviously their sign-in/account infrastructure creates technical impediments against making their products do what they want. They should really fix that.
Related to your warning, the story of that guy who lost his @n Twitter account because of that[1] (even though I think it still reduces the impact radius because until your password gets reset you can still access the service)
Depends on where you are. If you're in the US, sure, there is at least the theoretical possibility of legal protection against misuse. If you're elsewhere, they're not very different, and Yandex at least doesn't already have a million other data points about you to connect with this and build a bigger picture about your life.
The issue here isn't privacy but independence from a specific provider. If privacy is an issue as well then you should be using encryption as emails are not private.
It doesn't have to be fully trusting or not at all, there's different levels. I think using a provider you trust more (In my case Fastmail vs. Google) is a fair tradeoff. Fastmail has a pretty straight forward business model that makes sense to me so I feel like they don't have a reason to scan my emails for ad purposes or else.
Of course if you are worried about some nation state looking into your emails you should encrypt them and use whatever provider.
I have attempted to read two articles on your site. As I am a privacy-focused person the articles were of interest to me. Both times I haven't gotten past reading the opening sentences when an obnoxious pop-up appeared asking for my email address. It seems ironic that someone publishing articles on privacy advocacy would be so keen to collect my email address. This practice also creates a real miserable experience and I have simply closed the page immediately both times. If someone is interested in subscribing to your newsletter why not simply provide a link for them to do so at the end of an article?
Email addresses are not public in general. They are not supplied to every site you visit automatically, and should not be manually supplied to every site you visit either. Whether it's a unique per-site address or not, it only makes sense to give it to people/organisations you want correspondence from. Therefore, sites that ask for it when you start reading an article seem really sketchy.
I'm definitely not a power user, but I see and understand the issues.
But for someone like me, if I take all this advice, there is still the aspect of trusting the domain registrar, maintaining a personal email server, hosting, CloudFlare, etc. etc. I have just shifted some risk of offending Google to some other risks of 3x more companies that I have to remember how to deal with now.
So what difference does it mean to me, average user, that I just stick with Google and don't misbehave, versus open myself up to having to deal with 3 other manual processes and companies to remember? It's turtles all the way down.
Lately I try to avoid submitting my own website, per the HN guidelines discouraging promotion (the one exception is when I find a submission to be time critical). I only link to my own site in threads where it's directly and precisely relevant, such as this one.
If you found it valuable, you should submit it yourself. I'm not interested in the accumulation of updoots, feel free to get 'em. :)
I'd rather other people decide what subset of my writing is relevant to HN, as I'm no good at it: I'm too close to the work. (I only write about things I care a lot about.)
But the article is very well written and it would be a shame if we didn't get other opinions here on HN. Kudos to you, I've already added it to Pocket for later.
I use different services for different things. I have 3 email accounts at FastMail and 6 at ProtonMail. Also, some of it is inertia: I've hosted the MX for sneak.berlin at FastMail for several years (and have prepaid some time into the future), and have only been using ProtonMail for about one year (and the HOWTO article is recent).
The fact that FastMail might be subject to the new Australian crypto key escrow law[1] is a little bit worrisome, and I may not continue to use them in the future depending on how that plays out.
For things where surveillance is less of an issue, I prefer being able to use a plain IMAP client, which ProtonMail does not support. Their current iOS client is pretty lame, for example (although their web client is better, and I understand that their next major release will improve things a lot across the board). I mention the IMAP issue in the article.
In short, the A&A bill is about breaking end-to-end encryption, which Fastmail has never had anything to do with. It’s scary-sounding legislation, and I reckon it’s misguided at best, but it honestly doesn’t affect all that many businesses [note I’m saying businesses rather than people; many affected businesses will be among the largest ones, serving consumers], because end-to-end encryption of communications is uncommon, because it’s so frightfully inconvenient for all parties involved, because now the server is necessarily dumb and the client has to do a lot more work, and things like searching are typically just altogether broken because you’ll need the full index on the client to do a search.
(And specifically of the domain of email, I wouldn’t trust first-party encryption; if you care about governments accessing your data, first-party encryption such as ProtonMail offers is almost equivalent to no encryption if you can’t verify the code that is running, since that party may be compelled to backdoor the code to steal your password. This is one of the many reasons that Fastmail has never implemented PGP, ⅌ https://fastmail.blog/2016/12/10/why-we-dont-offer-pgp/.)
There are alternatives to GSuite -- for instance, Fastmail. Or even the old PObox.com service which has been around since the 90s and is really cheap (Fastmail have bought it now, I notice).
Fastmail is very good. The web client is pretty simple, but feels so darned responsive (as in fast) compared to what I was used to from GMail. And spam is so far a non-issue.
Or, host your own on your own metal, to avoid depending on any third party. Alternatively, if you are ok with semi-dependence on a third party, get a $5/mo Linux VPS, and host your E-mail there.
With your own Linux instance, you can host whatever you want, have full control, can host other services too like www, git, whatever, and have the assurance that you're not going to suddenly lose access because AI-BOT-204432 decided you violated some obscure terms of service. I've been doing this for close to a decade now (exim + dovecot for E-mail), and it works great. Back in the 90's, this used to be the default. How did we end up in this world where we so utterly rely on 3rd parties for such everyday critical Internet services?
> How did we end up in this world where we so utterly rely on 3rd parties for such everyday critical Internet services?
The same way we ended up in a world where we so utterly rely on 3rd parties for such everyday critical services as growing our food and fixing our cars. There's too many things to do for everyone to do them all on their own.
Well, at least you don't lose everything. Worst case you lose access to a few emails you got in the time between being locked out of your Google account and when you set up another email provider, and assuming you configured IMAP and use something like Thunderbird or K-9 as an email client (which I highly recommend) you should have a copy of all your email on your device (seriously don't use the Gmail app on Android, they even display ads in your email categories).
I like GMail for their spam filtering power, and I honestly believe spam to be email's biggest weakness, and the reason people don't host their own. It certainly scares me, the thought of being flooded with thousands of spam emails daily, or the chance that my own emails would be falsely marked as spam since I'm not part of the major providers or because I did not configure it correctly. Don't know how this can be solved though, email itself is too permissive, and too "tweakable".
You can export all your email in a single .mbox file.
This might not work if your account is suspended, but if you set up email forwarding to an alternative address (e.g. to protonmail) that might still stay active so you can transition your addresses.
They do now (although you only have 7 days to do so I think).
It also depends on the reason for the block - if for example they suspect you of having illegal content (child porn) in your Gmail, you aren't allowed to use Takeout.
The GDPR (in Article 15(4)) states that the right to obtain a copy of your personal data should not ‘adversely affect the rights or freedoms of others’. This means that when responding to an access request, the controller should consider the rights of third parties, such as their data protection rights, trade secrets, or intellectual property rights such as copyright. This could arise, for example, where your access request relates to a record containing both your personal data but also the personal data, trade secrets, or intellectual property of others.
A balancing of rights exercise would need to be conducted by the controller to balance your right of access to your personal data as against the identified risk to the third party that may be brought about by the disclosure of the information. The GDPR notes that these considerations should not result simply in a refusal to provide all relevant information, but the controller should endeavour to comply with the request insofar as possible whilst also ensuring adequate protection for the rights and freedoms of others.
Google doesn't let you Takeout when you don't allow Google to track your browser. It will give an error to "please use a device you regularly use" even if you can see in your account that there are no other active sessions that you could possibly make use of. I tried a few hours later with the session still open but no dice. Guess I'll have to find a human to talk to at Google in order to get my data pursuant to Article 15, GDPR.
I have very little hope indeed that they will let you do a takeout without finding a human to talk to when your account is locked.
For what it's worth, Facebook does let you do this. You login, get a message your account was banned for no apparent reason, and that you can download a copy of your data. Unfortunately it's broken (screenshot: https://dro.pm/a.png) but hey, there was an attempt.
There's this thing called principle. It's not that we do something because we believe it's going to work. We do things out of principle because doing the right thing is the only rational alternative; because, if everyone held the same principles, then the problem would be snuffed of oxygen.
Or register a domain with Gandi and they provide a free email service to you. Only two free accounts (with "unlimited" aliases), but that should be sufficient for most personal uses.
I meant using TOTP (app-based) two-factor authentication for securing your DNS provider and domain registrar accounts. The reason for not using SMS-based two-factor authentication is that it is not very secure https://techcrunch.com/2016/07/25/nist-declares-the-age-of-s...
I'm not aware of two-factor authentication for SMTP or IMAP.
I don't understand how that's any more secure than just using a strong password for the account. At some point, you're going to have to make that password accessible to the client. Plus, it's arguably less secure because the account now has multiple valid passwords that will work for authentication, and, based on your description, there's nothing that prevents someone from using the exact same password over a netcat session to access the account.
The confusion seems to be about logging into your account on the web versus using a mail client like Outlook or Thunderbird.
Pick a service that lets you use a long password and a security key (like Yubikey) or authenticator (Google, Authy) to log in.
Most services will then let you generate a specific password for an email client. I would assume that behind the scenes the service is restricting what ports that password can be used on, etc.
> I would assume that behind the scenes that the service is restricting what ports that password can be used on
Assuming it's a device accessing the service over IMAP and SMTP that can access multiple networks, restricting by IP and/or port won't really help. As I noted in my other reply, it's easy enough to script access to the account if you have the password, and there's no real association between the application and the credentials that are used for access.
My problem with the "get your own domain and DNS" approach is that it's far more likely I become incapacitated and unable to pay or manage it than that I get locked out of gmail or outlook mailboxes.
Is it? You can register for 10 years at a time and then keep that topped up, as well as set up autopay pointed at a bank account with as many years of funds as you'd like. At some point the likely limiting factors shift to other things. Even the most reliable, longest-lasting registrars could in principle go out of business or get bought, but then again Google could decide to radically alter or discontinue services at some point too (as they indeed frequently have), or get broken up, or who knows. 10 years is quite a while. And while nothing about business dealings is completely certain, someone paying for a domain is a revenue generator with potential for more, so even if a registrar was acquired they'd have strong incentive to try to roll over existing accounts barring active objection.
I don't know your personal circumstances of course; different people may very reasonably make different calculations. But I have more trust in a quality registrar and my bank than in Google under the most likely scenarios where I'd still care (long comas aren't impossible to come out of, even multi-year, but chances of even partial recovery plummet after a month or two, let alone full recovery). I think Google being capricious or making a mistake is a bigger concern, if only because there is almost zero chance of recovering from it (basically you have to know a well-placed Googler, or manage to go viral, or be a big enough presence to get their attention). Domains and finance in contrast are both full of competition and portability.
$6/month doesn't sound like much... Till you realise you'll probably have this setup for 20 years, and suddenly it's $1200. That's a lot to protect against a thing that will probably not happen (account being banned)
> That's a lot to protect against a thing that will probably not happen (account being banned)
$1,200 is a lot of money, but... anyone aged 23+ is older than Google. 17+ is older than GMail.
It is an illusion to say we know what will or will not happen to Google over the next 20 years. We don't know how entrenched the tech giants are over decades because we've never had anything like them before.
This is a problem that is obviously not going to happen in the next 12 months. But if a person doesn't control their email address, they shouldn't be using it for anything that it would really hurt to lose.
> It is an illusion to say we know what will or will not happen to Google over the next 20 years. We don't know how entrenched the tech giants are over decades because we've never had anything like them before.
Realistically we have little control over, or any clue about, what's going to happen a few years out in almost every aspect of life.
Look at Kodak (the photography company). They were around for over 100 years, then digital photography came along to disrupt their market and they pretty much disappeared in a few months.
Kodak and Google aren't that different as being a company that offers a service that tons of folks use(d). Kodak used to be "the" place to buy film and get photos developed.
I'm all for controlling your own email (even tho I'm guilty of not doing so), but I think even if you controlled your own email, you'll still be a victim of the company you're using maybe going out of business in the future. I wish nothing but success for Fastmail or any other email service that lets you control your email, but if they go down then you're in the same position as Google going down while using gmail.
> Look at Kodak (the photography company). They were around for over 100 years, then digital photography came along to disrupt their market and they pretty much disappeared in a few months.
Kodak was well aware of digital photography, arguably one of its pioneers. What killed Kodak was cellphones. Kodak was too dependent and attached to making cameras and camera-related equipment. Most people did not need separate cameras once cellphones came along (even the 'dumb' models have a camera), so Kodak had nothing relevant to sell... Doubtful Google could be so stupid. Maybe if the Feds separate gmail from Search there'll be problems?
> I wish nothing but success for Fastmail or any other email service that lets you control your email, but if they go down then you're in the same position as Google going down while using gmail.
Keeping all your mail locally is not difficult if you use a mail client rather than a web client. Copying to a local folder every once in a while is a one- or two-click operation in typical clients.
I pay for gsuite for myself and a couple of my domains. Call it $12/month, because you'll want to set up two accounts:
* The admin-user.
* The daily/real-user.
In my case I have my real account "steve@steve..", and "admin@steve" which is the gsuite administrator. I only login to make changes to the domain setup, never to send/receive email.
It's annoying to have to pay for that second user, but I feel happier with the privilege separation in place.
I registered steve.org.uk in 1999, and steve.fi last year.
(I moved from the UK to Finland, so I checked the .fi version on a whim. Luckily it was due to expire a few months after I checked, so I set up a script to register it the moment it became available.)
example.com is good because it is explicitly reserved for this purpose and has no MX records.
Although very occasionally a service will check for MX records, that is incredibly uncommon. My go-to email for public WiFi is fuckoff@example.com and I have only been denied once (<1%).
A fair number of places will deny that, but I like to think it sends a message. I'm not sure how many, if any, domains still have a working webmaster@ address though.
It should be possible to enable Cloud Identity Free on your gsuite tenant. So you can use a free identity account for your admin account and only pay for gsuite on your main email account.
I've been using name@name.tld for a long time now, I realize the repetition reads a little oddly but I've never cared enough to switch to anything else.
I guess I should have started using forname@surname.tld to make it all nice and neat, but I've no desire to change now.
Tbh the biggest benefit I see in such a setup is the freedom of directing your email wherever you want. I wanted to quit Google 4 or 5 years ago, and just having to redirect my domain to a private host rather than having to change my email address entirely is the one thing that made it possible.
There does seem to be a need for Google to clarify their rules for "banning" an email used for sign-in.
It seems like things should be more granular, such that being banned on YouTube doesn't make your thermostat quit working, ruin your phone contacts/photos/etc, or cut you off from your unspent AdWords funds.
It's worse than that: considering the importance that YouTube has taken on, for some people being banned from YouTube might be considered akin to being banned from exercising their profession, or even just from being a full-fledged citizen.
Remember OpenID? Yes, that's what it was for. OAuth was never meant for signing in to other websites who just want your mail or something... Of course, all these big tech corps quickly dropped OpenID; they don't want people to control their online credentials or identity...
OpenID hasn't died at all - it's just used in a different context. We implement this now for SSO in corporates to unify fragmented IAM scenarios.
Accepting any domain as an OpenID IdP is not likely to be a feature of publicly facing sites, as they still provide the ability to create / register / use these accounts for spam and other unwanted abusive purposes.
Really, I think OpenID died because it didn’t see significant enough adoption. I remember the user flows being a bit clunky, which certainly didn’t help.
With OpenID, basically everyone used a third party ID provider, and so you were just as dependent on that provider as with OAuth. Did you actually self host OpenID? If so, that’s a lot to ask of each person in the world. If you didn’t self host OpenID, I don’t think you had much “control of your online credentials or identity.”
If OAuth was never meant for signing in, then putting Auth in the name was a funny choice. You add the qualifier “websites who just want your mail or something”, but I’ve never seen a single mailing list sign up that used OAuth.
> Did you actually self host OpenID? If so, that’s a lot to ask of each person in the world.
You could pay someone to host it with reasonable guarantees they won't delete your account on a whim and no recourse.
Or you can use a free service that you somewhat trust with your own domain, so you can point the domain to another provider if you need to. Almost no technical knowledge required for that.
> If you didn’t self host OpenID, I don’t think you had much “control of your online credentials or identity.”
Same for email, which is what identity relies on instead of OpenID.
And self-hosting OpenID is much easier than email: you just need domain + LAMP (or equivalent), and don't have to deal with DKIM, SPF, being blacklisted from Gmail/Hotmail, ...
> You could pay someone to host it with reasonable guarantees they won't delete your account on a whim.
Each user having to find a hosting provider and pay them... it seems like a non-starter. Think about the non-technical people in your life. That solution would only help the very few people who both understand the details of OpenID, and care about the possibility of losing account access at a deep level. Most people have other important stuff going on in life, so good luck convincing them to adopt self-hosted OpenID at greater cost (and effort) to themselves.
This is even assuming that the hosting provider also acts as a domain registrar so each person doesn’t also have to figure out how to buy and own a domain name, to truly own their OpenID, because that would either make this solution much less meaningful in terms of control (with no custom domain), or make it that much harder.
> Same for email, which is what identity relies on instead of OpenID.
I’m not here to argue for self hosted email. There are many email hosting providers that make it relatively easy for you to bring your own domain name... but this is irrelevant. Signing in with an email and password continues to work even if the email account has been suspended. So, it’s not the existential threat that the article is concerned about.
I think the more realistic solution for users is the new FIDO2 standard that will hopefully see adoption soon.
I think Google has done a similar thing on Android, but Apple has for sure made every (up to date) iPhone, iPad, and Mac able to act as a FIDO2 Platform Authenticator.
Even if the user signs up via OAUTH, websites can give the user the choice to sign in via FIDO2 on each device. At that point, users could sign in from those devices even if their Google account were suspended, giving the website a chance to help the user migrate their account authentication.
The FIDO2 flows seem very user friendly, but... the standard is so new, broad adoption remains to be seen.
That is why basically every implementation provided a big "Log in with Google" button. It was basically no effort to implement (it just fills in the Google OpenID URL) and solves the problem of the people who don't have enough distrust in Google to self-host.
Have there been any retrospectives or published thoughts around why OpenID failed? Ideally an extensive, impartial report would be nice to read through.
While it's easy to blame big technology companies for the failure of open standards, there might be other reasons behind it (as well as companies trying to prevent it from succeeding)
OpenID failed because you had to sign up to an OpenID provider and then copy and paste some weird URL from there into websites you wanted to use.
Why would anyone bother with that hassle when you can just put in your email address (that you already have & know) and a password.
In contrast, OAuth succeeded because most people already have a Facebook / Gmail / Github account, which meant that sign up just becomes clicking a single button which is easier than email signup.
OpenID was more difficult than email signup, whereas OAuth is easier.
Perhaps the courts could be helpful here. A long-established Google account has significant value to the user. If Google terminates such an account, value is destroyed and damages are incurred. You should be able to demonstrate the value of the lost account to a court and demand restitution from the host.
If successful, this would impose a cost to Google for shutting down accounts capriciously and incentivize them to do better.
This would be a challenging lawsuit to win. You’d probably need support from an organization like EFF to manage it.
Honestly it'd be hard for any 3rd party accounts to make that claim except Google, Facebook, Microsoft, and maybe? Twitter and github?
At one point I was signed up in over 300 places using my Google account. Eventually the thought occurred to me, "what happens if I get locked out of this account?" And I don't really mean shutting it down. I lost a Microsoft account with over $3000 worth of purchases and 10 years of history, because I lost access to the recovery email address it used. So since then I've made sure to "spread the risk" so to speak.
Through 2 years of effort it is now only a handful. Some of them remain because either a) there's no other way to sign up or b) there's no way to convert it to an email based account.
But still - that's 2 years. 2 years of weekly, sometimes daily, moving yet another thing off that login (but it still uses the email! that's the next step -- kill the email).
The level of effort has been gargantuan. For some people, it would simply never ever happen. To lose a Google account would not only be damaging, it would be like your entire life being erased.
The level of damage here is enormous and Google has to take responsibility for the power it has amassed.
If they want to terminate all free accounts, it'd be a wonderful thing. Either people would finally be free of the behemoth, or Google's incentives would change to finally care about users (well.... hopefully).
I doubt it. These lawsuits would be few and far between and Google still derives a ton of value from its free accounts in the aggregate. They might just get better at terminating the right accounts...
I recently got locked out of my Amazon account. While trying to get it unlocked, I faced one of the worst experiences with Amazon's customer team. I even reached out to Jeff's email, but no reply. Finally, I had to file an official complaint in the consumer court to get my account unlocked. All of these events took around 14-15 days. During these days, I was suddenly unable to use my Echo, Prime Video, Kindle books, Readwise, and Prime Now services. I never really tried any other competitor's service before, and was solely reliant on Amazon's offering. That's when I realized the amount of power such a single sign-in wielded. I can only imagine what happens when you use it for every service via a third party and use it daily, only to suddenly see it lock you out. I hope there's a better way to log in in the future, maybe something like Trusona or Magic.
PS: I did not do anything wrong but still suffered a lot of psychological pain due to this mistake by Amazon's internal security.
We also offer multiple third-party signup solutions for our service in addition to "traditional" e-mail based signup. For every service we retrieve and store the users' e-mail address on our server (we also need that to e.g. send out invoices) and enable e-mail based login and password reset/generation by default (you can disable it or add 2FA), so your account will not be lost just because your OAuth provider blocks your credentials.
I think it's to protect against the Identity Provider revoking access to the service you're dealing with rather than them blocking your account.
We saw this recently with "Sign in with Apple" and Epic Games, where Apple denied access to Epic and the accounts that did not share their actual email were effectively lost.
> Apple previously stated they would terminate “Sign In with Apple” support for Epic Games accounts after September 11, 2020, but today provided an indefinite extension.
That's great, but I'd wager that a majority of users that use Google login are doing so @gmail.com, so their email address is also toast if their Google account is suspended.
I suppose you, as a site operator, are doing all you can do, though.
I had a similar problem. I used Google to sign in on DigitalOcean, then I changed the main domain in Google Apps and re-added the original domain separately on Google Apps. But probably because of some kind of ID mismatch, I was now unable to sign in on DigitalOcean with the original e-mail address recreated in Google Apps. Password recovery didn't work either; for some reason DigitalOcean doesn't do password reset for accounts that were created using Google sign-in. I was forced to create a support ticket with DigitalOcean and wait.
They probably put a human to communicate with you, verify some identity and then give you access to your servers again, I'm sure?
Compare that with Google (and Facebook, those are the two I have experience with) who will simply lock you out of your account and if you ask for help, they say they cannot. "But what about the three years of photos I've stored?" I asked. "They have now been deleted since your account was terminated" they told me. "Why?" "We cannot tell you".
For the average user, with poor password hygiene, I'd advise them to use a federated identity option that is more likely to have a decent password - they are more likely to have a good password for an account they care about.
I think the conclusion of the article is flawed. I think the risk of getting locked out is far lower than the odds of any single, or even all, of the other (non-major tech co) websites you might join getting breached. It's fair to argue the impact might be less also, and I'm happy to have this debate.
In my experience, typical users aren't the ones that get their google accounts banned - they are always banned for doing something significantly more sophisticated.
The truth is you should not use Google login for Google services either. You get the service promise you pay for: none. If their secret algorithms decide that you are in breach of whatever ToS, they will lock you out. Not very likely for the average user. But more likely for an HN reader who might experiment with programmatic access to the services or do other atypical stuff.
I'm honestly not sure where we went so wrong as a society so as to reach this point. Whether it's overzealous AI or the AMPification of the web. Google act with impunity and without remorse, every action designed to further their goals and agendas without respect to humans caught in the crossfire.
If Google can, without due process and fair warning, remove your existence then this is a power that should be delegated to the relevant authority, namely the "justice" system to make such considerations.
If your house could be removed at a whim because a bot decided you were a bad person it would likely cause an uproar, it wouldn't be tolerated.
Yet here it is. Google can offer their services and the legal system seemingly doesn't want to be involved.
The speed of technological development is faster than the speed of societal or legal development.
So yes, right now we've woken up in a world that is not so much cyberpunk as it is techno-feudalism: more and more do you need a presence on the Internet to do things in meatspace... And that presence is by the grace of several feudal lords (Google foremost); woe betide you should you ever displease them. You do not really own your email address, your phone (number) or (pretty soon) even your computer. You're merely a serf.
On the plus side, the momentum for legal measures seems to be increasing. Let's hope they do get broken up. Power, like plutonium, is dangerous if too concentrated, regardless of where that concentration lies.
Techno-feudalism is exactly what cyberpunk novels were describing. They were dystopias. They were warnings about letting corporations control everything.
True, but so far we just get the bad things (corporatocracy and the gradual hollowing out of individual liberties) and none of the good things (gene-hacking, neural uplinks, and matrix-avatars) that cyberpunk promised. I demand a refund!
This isn't even a tech problem. It's a lack of regulation to give recourse for individuals and lack of ability for them to be treated fairly by businesses.
We need to treat companies that put themselves into a position like utilities as utilities. Give individuals actual transparency about why actions were taken, and an ability to appeal these decisions with transparency.
It will cost more, but that is ok. What we have now is that the actions have caused real harm and the companies are unwilling to justify them. That's an abuse that needs to be removed through law.
I worked at Microsoft for several years about a decade after they lost those famous lawsuits and I can tell you that the company culture around monopoly power and user rights was incredibly well defined. The company was absolutely paranoid about doing anything ever again that would create that set of lawsuits and from what I can tell, in the 8 years since I left MS, that culture is still alive and well. It's probably why MS is the only company I still feel comfortable doing business with, among the "tech" companies.
The hard slap they got from the government was enough to apparently permanently change the company culture around treatment of users and other businesses.
I see a lot of the excesses we see coming out of Google, Twitter, FB, to be a consequence of there being, well, zero consequences for their behavior. They're like petulant children who never learned limits and think it's ok to do whatever they want, no matter who they hurt. That's exactly how you teach children -- give them limits. Ironically, the same rule applies to adults.
Laws that provide meaningful mechanisms like this would also be a good signal to keep companies from being in such a powerful position. That is good for everyone.
I like the term "techno-feudalism"; it captures the increasing nationalism over things like technology sales to China by the US etc. too, the TikTok situation...
Kindle books were actually pretty good, back when they could reliably be liberated. Unfortunately, that's no longer the case.
In general, I think that's also a point we can draw from the cyberpunk genre, or maybe from Harry Harrison's old-school prefiguration of it in the Stainless Steel Rat series - the eponymous creature being one well suited to thrive "within the walls" of a society increasingly sclerotized with technocratic bureaucracy, but perhaps equally suited to a life of gnawing through the circumscriptions imposed by competing technofeudalist fiefdoms.
Off-topic, but legitimately purchased Kindle ebooks can still be quickly and easily liberated for the purposes of DRM-free personal backups of owned content. I won't comment on whether Amazon find this acceptable, or if it is legal in any given jurisdiction, but it is definitely possible.
Those discs aren't going to do you much good if you don't have access to or have had access to PSN, since most games ship with a huge day 1 patch to fix all the issues between going gold and the date of sale.
Movies/Music/Books can be displayed and played back on damn near anything. Games, especially modern games, exist in both a variable state (constantly revised/updated), but also with a much more limited ability to access the content.
I lost a small number of games due to PlayStation support not being able to get around the fact that although I purchased some of them via PayPal, I also bought other games with a credit card. They could verify I owned the actual account and I answered all security questions but they still wouldn't fix whatever issue I had (this was at least 5 years ago so I forget particulars).
That experience forever turned me off to relying on digital-only.
To your points, having a PSN account is necessary but I can always create a new one if need be.
Whenever possible, I prioritize non-DRM media for purchase.
I once used to buy digital movies on Amazon and thought it was a great experience. Until my first vacation in Canada where I discovered I couldn't watch my movies. I called them and they said that my movies were region-locked to the United States. To their credit, they did refund all of my digital purchases. I haven't bought anything digital from them since.
So, not an Amazon account ban, but you quickly learn you are not "buying" a movie, but renting it, sometimes with silly restrictions like "only from these IPs".
I'm having trouble understanding your point. Leaving aside simply googling it, surely you can't be saying that because you haven't heard of something, it doesn't exist or isn't a threat or isn't worth any concern.
Considering I have heard, and regularly hear of Facebook and Google account bans, my sample size seems large enough to conclude that either amazon account bans don’t happen, or nobody cares enough to make angry posts about it.
It’s still a concern because of the mechanics of the thing, but it appears less applicable for amazon at the moment.
That exact "logic" is extremely common in journalism, as well as on most social media platforms including this one.
If you think about it, this shouldn't be all that surprising - after all, this is exactly how intuition works, and the human mind runs very much on intuition, people just don't realize it (at the object level).
It doesn't have to be an account ban. I've recently started playing games on my old Nintendo 3DS again and discovered that I've lost my Nintendo Network ID password and closed the associated email account. That leaves me in a state where I can't log out of the account on the console without losing the associated digital software licenses.
Not that that's Nintendo's fault but I think something like this will be the fate of every account that's not used, closed or deleted for a long time and owning your data and software possessions would protect against it.
Thank you, but none of my ideas are novel in any way[] and there are far better writers than me already expounding the same points, no need to add to the noise. Stallman, Doctorow, et al. pretty much saw these developments coming years ago and warned about them.
[] Every person's thinking and writing is mostly just a pastiche stitched together of thoughts they heard or read from others anyway. (And this is, of course, the meme idea, which is not an original idea itself either)
> I run my own mail server but my VPS provider could be coerced to yank it from me.
I've got two comments on this.
Firstly, you're already doing much better than most people. Make frequent backups, and if it comes down to it, you can always point DNS at a new provider.
Second, don't put anything on a VPS that you aren't willing to let the VPS provider or whatever Gov. has jurisdiction access. Where email falls on that spectrum for you is of course your own decision.
There is one more solution. Use a VPS only as an endpoint bastion server. Keep the data and services in your own home server. We need not trust the VPS provider this way. And we can easily recover as long as the domain name and the home server are under your control.
An idea I've been mulling is getting a baremetal server from Exoscale (based in Switzerland) and running a mailserver on it. Haven't done it yet for many reasons, least of which is laziness...and I want to try and create a JMAP server with an IMAP bridge but that's another story.
I liked the term too. If you are large and powerful, you are the law and whatever you say works. Hopefully as society matures we learn to establish some form of rules/laws that are sane and empower people.
But in every society a small circle of privileged people has always been the norm, and despite wider access to information today it seems that consolidation of power and wealth is trending upward.
Rules aren't worth the piece of paper they're printed on unless there is an equally powerful force that can set terms. The problem right now is there is no counterbalancing force.
> I'm honestly not sure where we went so wrong as a society so as to reach this point... Why?
The answer is actually very simple: spam.
AFAIK pretty much all disabled Google accounts come from Google believing they are part of a spam-sending (or malware-spreading) network.
The ability to sign up for free Google accounts means this is a prime target for spammers to use and abuse -- signing up for free Gmail/Drive accounts, as well as using stolen credit cards to sign up for paid ones.
As to why the legal system doesn't want to be involved, it's because incorrectly disabled Google accounts are actually incredibly rare -- they make the news and cause uproar when they occur, but precisely because it's so unusual -- it's incredibly rare to personally know someone it happened to. So there isn't any kind of democratic movement against it because in the grand scheme of things it isn't common. It's like worrying about being struck by lightning.
> it's incredibly rare to personally know someone it happened to
I don't know anyone who has a degree in History but that doesn't mean historians are especially unusual. All it means is that my network is quite small.
The same is true here. The fact few people know someone who has been affected by this problem doesn't mean the problem is unusual. It just means there are hundreds of millions of people who use Google and you know a few thousand at most.
Undergraduate degrees are easy to get. Having a psychology degree doesn’t mean you’re a psychologist, a history degree doesn’t mean you’re a historian, and a math degree doesn’t mean you’re a mathematician.
The extremely large majority of people go on to work regular jobs that have nothing to do with their degree and lose much of the information they learned, if it was even substantial at all.
> incorrectly disabled Google accounts are actually incredibly rare -- they make the news and cause uproar when they occur, but precisely because it's so unusual
Or they rarely make the news because they're so common, and the few that get publicised are because the victim raises a big stink on social media.
I've certainly created Twitter and Microsoft accounts and had them wrongly disabled within days, despite not doing anything at all with them, let alone anything abusive. Perhaps because I decline to use my cell phone number for 2FA?
> had them wrongly disabled within days, despite not doing anything at all with them
That's because that's also a common tactic used by spammers -- to register and then do nothing for days/months, on the hopes that an "older" account will be less suspicious.
Nobody's complaining about that though because it's not a problem. No data is lost. Also, I've had it happen to myself (with Twitter) and it was incredibly easy to re-instate.
To clarify, I was referring to legitimate, in-use (with data to lose) accounts being incorrectly disabled.
I think it is more common than you believe, and certainly more common than the ones that make the news.
The ones that make the news are people that are either well known, or have an active way to promote their problems through social media or news sites.
I.e. they are reporters, know a reporter, dev of a popular app, etc etc etc
The rest are Jane/John Doe with less than 50 twitter followers, normal everyday uninteresting people, for whom there is no recourse at all, not even social media.
Hm. Lawyers love lawsuits about folks struck by lightning? So I'm not sure that's the reason this issue is not a lawyer's forte.
I'd suggest it's because it's hard to prove or prosecute. Because it's technical and obscure. A single case, Google just has to say "Oh sorry; it's turned back on". There's no money in them capitulating. And a class-action suit enters into the details of the issue, which are impenetrable to a judge?
You’d think there’d be a very simple solution to this—one that I believe Google already used for a long time, but just never generalized.
That approach: “proof of human work.” Google owns ReCAPTCHA, and every time you do a ReCAPTCHA for Google, you’re doing a little one-time proof-of-humanity for them. But it’s also a proof-of-work; and proofs-of-work that cannot be automated are aggregatable.
In other words, the fact that someone with Google account X solved a ReCAPTCHA, doesn’t just tell you something about who that account is lately. It should add to a sort of “human-proof credit score” for the account, where Google’s systems are more willing to put faith in the user because of all the times they’ve proven themselves human already.
And, for some scenarios, Google does use the aggregate proof ReCAPTCHA represents this way. This is why you’ll never see the Google Search “stop searching so fast” message when accessing Search through Chrome synced to a well-used Google account; why you’ll get a ReCAPTCHA portal from them instead if you’re not logged in (you’re being asked to build the credit score of your IP/session); and why you’ll be denied upfront if you perform botlike behavior through Tor (where there’s nothing that can be correlated to give you a persistent credit score.)
Now, such a “highly-proven” Google account could still be heuristically detected elsewhere in Google’s systems as being responsible for botlike behavior (e.g. spamming); but, when such a highly-proven account is flagged, it should go in for manual review. Because — as you say — this is incredibly rare! So this process doesn’t need to scale through automation, the way regular Google processes do. It can be high-touch.
But right now, it’s not. (Or they’re just not even using the high-proof-of-humanity metadata on the account during this determination.) Either way, that’s kind of silly.
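The aggregated "human-proof credit score" and the flagged-account routing described in the comment above, as an added example that is not part of the thread and not a description of how Google's systems actually work: the event kinds, weights, half-life, per-day cap, threshold and the two sample accounts are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed tuning values (not from the thread): how much each kind of
# proof-of-humanity event is worth, how fast old evidence decays, and how
# many events of a kind may count per calendar day, so a burst of solved
# CAPTCHAs cannot buy trust quickly.
WEIGHTS = {"captcha_solved": 1.0, "phone_verified": 3.0, "paid_invoice": 5.0}
MAX_PER_DAY = {"captcha_solved": 3}
HALF_LIFE_DAYS = 180.0
REVIEW_THRESHOLD = 10.0  # flagged accounts at or above this go to a human

NOW = datetime(2020, 11, 10, 12, 0, 0)  # fixed clock so results are reproducible


@dataclass
class HumanProofEvent:
    when: datetime
    kind: str  # one of the WEIGHTS keys; unknown kinds count for nothing


def event_days_ago(kind: str, days: float) -> HumanProofEvent:
    """Constructed sample event `days` before NOW."""
    return HumanProofEvent(NOW - timedelta(days=days), kind)


def trust_score(events, now=NOW):
    """Aggregate past proofs into one number; recent events weigh the most."""
    counted = Counter()  # (kind, date) -> events already credited that day
    score = 0.0
    for ev in sorted(events, key=lambda e: e.when):
        age_days = (now - ev.when).total_seconds() / 86400.0
        if age_days < 0:
            continue  # future-dated (clock skew or tampering): ignore
        key = (ev.kind, ev.when.date())
        if counted[key] >= MAX_PER_DAY.get(ev.kind, float("inf")):
            continue  # per-day cap for cheap, bulk-automatable proofs
        counted[key] += 1
        score += WEIGHTS.get(ev.kind, 0.0) * 0.5 ** (age_days / HALF_LIFE_DAYS)
    return score


def triage(events, flagged_by_heuristic, now=NOW, threshold=REVIEW_THRESHOLD):
    """Decide what happens to an account the abuse heuristics flagged.

    Returns 'allow' (not flagged at all), 'manual_review' (flagged, but with
    enough accumulated proof of humanity that a person should look) or
    'auto_disable' (flagged, with little or no history to vouch for it).
    """
    if not flagged_by_heuristic:
        return "allow"
    if trust_score(events, now) >= threshold:
        return "manual_review"
    return "auto_disable"


def demo():
    """Two constructed accounts, both flagged by the same spam heuristic."""
    throwaway = [event_days_ago("captcha_solved", 2)]  # created a few days ago
    long_used = (
        [event_days_ago("captcha_solved", 30 * m) for m in range(1, 13)]  # one solve a month
        + [event_days_ago("phone_verified", 300), event_days_ago("paid_invoice", 60)]
    )
    return {
        "throwaway": triage(throwaway, flagged_by_heuristic=True),
        "long_used": triage(long_used, flagged_by_heuristic=True),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The per-day cap is the part a practitioner should not skip: a proof that can be bought in bulk (one solved CAPTCHA) must not let a fresh account accumulate trust in an afternoon, while proofs that cost real money or a real identity carry more weight. The decay keeps a long-dormant account from being treated as a highly-proven one for ever.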
When I got started programming full time, tons of people in the software industry were getting their rocks off on how simple it is to install an Oauth library, making it easy as pie for people to sign in to a web service, thus encouraging more sign ups and making more money.
Maybe we've forgotten just how much of a hard-on we and the entire world once had for the likes of Google. 8 years ago, we would have trusted Google with our entire future. Politicians were on board, too, and have made many deals with Silicon Valley which ended up giving these firms a certain level of immunity.
Your generation might be guilty. But those that came before and after knew better. This is the generation who thought using their real names online was a good idea. That's where things went wrong.
Never in my life did I see an Oauth library and think this is easy as pie. Overcomplicated perhaps.
Because a house is significantly more important than an email address. I get being extremely online but let's not be silly here.
Plus that email/account is hardly even "yours" in a serious way. Anyone on the HN has a very simple fix for all these problems: get an email in your domain and a password manager for all the accounts. There, solved. You could even still use Gmail with their Google Apps, G Suite, Workplace or whatever it's called this month.
Normies are way out of luck but sadly that is true almost everywhere and they are getting fleeced much worse by banks, employers, and even cable companies than Google ever could hope.
Put simply, one's house is literally on their own property, and one's Gmail account is literally on Google's property.
If someone owned a vast amount of land, more than needed for everyone on earth to build a house, and the owner told people they could freely build structures but you lose it if you break the rules and the rules can change any time...
I've had a recruitment consultant suggest I use a gmail e-mail address on my CV, because it looks weird to have an address at a domain (my own, and not anything strange btw) that people haven't heard of. Sounds crazy. But try dictating an e-mail address over the phone to a hotel or whatever and see that if you say 'Fred Bloggs seventy six at gmail dot com' or whatever, you never have to repeat yourself, whereas anything less usual you'll be spelling it out all day.
On the technical side, one hears about individuals' domains being marked (blamelessly) as possible-spammers by the big e-mail services, and finding it hard to get messages through. There is effectively some scarcity in legible, desirable gmail addresses.
I agree that it's not black-and-white. It's also not as dramatic as the land analogy suggests. There are plenty of other email providers that are perfectly socially acceptable to use.
Counterpoint, I’ve been told by recruiting that my email makes me stand out because it’s not the norm domain name and it’s a little “fun” in the sense that it conveys a little light personality.
I'm 100% certain that a number of opportunities I've been offered have been because I proved a certain level of competence by maintaining my own email and domain; this certainty is largely due to the incidence of comments like the ones you note. It's definitely a way to stand out.
>Because a house is significantly more important than an email address.
If you can't pay your rent because no customer can reach you anymore or they lose trust in you (because you don't answer), your house is gone sooner than you think.
Telecom regulators see fit to make sure phone numbers can be ported from one carrier to another. I fail to understand why the same mandate is not required for email addresses and authentication services. They might not look to be as important as a house, but their loss can still have quite a significant impact on someone's livelihood.
Yeah, I don't think there's any meaningful way to "port" a "gmail.com" email address away from Google. The entire internet infrastructure is set up so that can't happen, based on the meaning of "domain".
Seems like there's an opportunity there though. If someone could create a platform that would take your address, create you a custom domain, set it up, get your email flowing there (including porting over all your existing email out of gmail), and then helping you move your sign ins to that new address..
That'd be huge. It would also be very, very hard, the amount of infrastructure it would touch.. but doable.
> If your house could be removed at a whim because a bot decided you were a bad person
It can.
> it would likely cause an uproar,
It doesn’t.
> it wouldn't be tolerated.
It is.
Big fat article in the New York Times some months ago about AI deciding that landlords shouldn’t rent to certain people, and the AI often being wrong. Very wrong. Like tagging someone as a convicted drug dealer, when the reality is that person has never been in trouble with the law, and never been to the state where the alleged offense supposedly happened.
We have to stop calling this “artificial intelligence,” because it simply is not intelligent. Humans put faith in machines because we're told they are intelligent. But all the evidence shows that at best “AI” is good at guessing.
If we started calling these “artificial guessing” systems, people would treat them appropriately. But that doesn’t buy investors a boat.
> One party is in bed with the copyright owners, the other doesn’t believe that the government should govern
This political model is dated. Republicans are no longer conservative. And Democrats have an ascendant progressive wing that rejects corporate influence wholesale.
They will milk you for your vote but when power is won you will be excluded. Look at what happened last week on the leaked conference call. Progressives were blamed for losing so many house/senate races.
> Yet here it is. Google can offer their services and the legal system seemingly doesn't want to be involved. Why ?
The real question is why do people use Google to sign in to other services? It never even crossed my mind no matter how long I have had a Google account.
The authentication service should ideally be under the control of the user. At least, the user should be able to choose one that they trust. I doubt it's an accident that current authentication systems lack that choice.
One could even eliminate those same tasks (not wanting to remember a new password, and not wanting to use a password manager) by setting an unmemorable password and doing a password reset using a Gmail address every time they want to log in. "Log in using Google" basically does that same sort of thing but without the tedium of all the clicking/typing. The mechanism is much different but in terms of dependencies it's really the same.
That incident looks like incorrect data in Google Maps but also incorrect behavior by the company tearing down the house. It also was complicated by the fact that this was post-tornado and normal signage was likely not present or reliable.
> If Google can, without due process and fair warning, remove your existence then...
... you have clearly not understood that you should not have trusted them in the first place.
Yes, I have a Google account myself, but I try to use it as little as possible. My main reason for using it is the Play Store and I agree that it is unjust that Google can remove my access to products I have paid for without really justifying it in the sense of most people.
So I agree that something should be done. I think the line should be where paid services are offered. So if you just use a free service, Google (or any company) should be able to stop providing you with that service whenever they like (while still providing you with access to the data you have generated or used with the service).
However, as soon as they have charged you, they should be forced to pay you back the whole amount (or offer some other kind of mediation that is more meaningful than receiving answers like 'Computer says no').
Google is a profit seeking business entity just like many others and hence will do whatever they can to advance the interest of the company and its shareholders. It would be nice if companies had moral responsibility and societal accountability however that’s seldom the case in USA. The role of taking care of the people belongs to the government. Companies have choices but no obligation to do what’s best for you.
If you are using a free e-mail service run by one of the world's largest and most powerful marketing companies as the identity / auth provider for your critical services and applications you should seriously reconsider your choice.
To paraphrase your comment: I'm honestly not sure where we went so wrong as a society so as to reach a point that we get mad when a service we do not pay for, run by a selfish company, decides to shut down our access.
When companies act too amoral we create laws to stop them.
Edit: The point is that it is usually in companies' own interest that we don't create laws restricting them, so they typically don't act too amoral. You won't find many companies which go after every single legal loophole they can abuse; as negative public sentiment builds up, laws will form and the company will be much worse off than if they had just done the slightly less amoral thing.
One aspect might be that the part of the legal system that would deal with this is assuming that the parts that deal with fighting with monopolies, lobbying and regulatory capture are working just fine ?
It is already bad that we need jurisdiction for such things on the web. I think we actually need such things to happen more often, so people can finally vote with their feet, as they should have a long time ago, for some freedom against a tiny bit of convenience. I think what we lack is a decent amount of social pressure.
What we need is the largest tech companies broken into smaller pieces.
The de facto monopoly of most of these players exists in their cross-border market share, making enforcement under traditional antitrust law in any one country difficult.
Unfortunately, it's also something of an international zero sum game due to efficiencies of scale -- if the US breaks up Amazon, Alibaba gains world market share, and we're back in the same place.
The most effective remedy I can think of offhand is government involvement in a special, independent branch of the company, dedicated to increasing interoperability and exposing services, empowered by legislation.
If we're going to have monopolies, at least they can be open ones. E.g. 18F + Google Takeout, backed up by regulation
The soul of the current internet is intrusive, tracking advertising. In Real Life we have fundamental structures such as identity that have not translated to the internet. In the world of advertising everything can be fake and there is no trust. We need a new soul. :-)
>>I'm honestly not sure where we went so wrong as a society so as to reach this point.
As with all things, Education is where we went wrong as a society.
In this case, failing to teach people fully that there is no Free Lunch, and if you are getting something at no cost to you, then you are no longer the customer; whoever is paying for the good or service is the customer (people should also pay attention to this truism in other areas of life).
In the case of google, you are the product, you are being sold to advertisers, google gives you a very very very small piece of that revenue in the form of a "free service"
Legal services can get involved just fine if you file suit. You'll just have to establish that Google owed a duty to you (by contract or otherwise) and that you were harmed by their breach of that duty.
The point of the comments here is that $BIGCO is outside of the law from a risk measured standpoint (ie: they’ll bankrupt you if you fight them given their bigger bankroll).
I think that's likely mythical thinking, and not something based in data. It's fairly common for plaintiff-side lawyers to work on contingency when they believe you have a case.
Less likely here, given the somewhat unexplored territory, but still, the history of class-action litigation evolution is largely of lawyers/firms taking a chance such as this.
"It's technically possible for you 30 Spartans to defeat 100,000 Persians so go ahead, good luck" doesn't sound like a winning strategy.
I think the overall point here is to have the support of law that says they DO have a duty to you, by benefit of their hosting your account and authenticating you elsewhere.
Then, WHEN someone goes to sue them, the person has much stronger legs in court rather than lone Peggy Sue trying to defeat Google's 300-strong team of lawyers who exist just to eat little guys for breakfast.
It's not removing your existence. It's removing your access to all of their services.
At every point, google users are asked to acknowledge the EULA and TOS. They're being told that google can stop their service for any reason, including that service not being commercially viable. ( I.E. Any Reason )
Access to google services isn't a right. It never was, unlike the property rights you're drawing a false equivalency with.
Do you not see this as a problem? With the amount of services Google offer, losing them can be devastating; photos, emails, Android backups, contacts and so so much more.
This pandemic has been reliant on emails to access services; it's how I get my payslips, talk to my employer, get current information, engage with legal services, and essentially maintain my access to society.
Losing my emails would be devastating (hence why I don't use a "major" provider, at least less risk that way).
We need to define what "rights" are and weigh that interest in society. If Google wants to be a "one stop shop" it cannot, and must not, be immune to laws and the rights of individuals to challenge decisions.
No, it's not a problem. It's your problem if you become entrenched in their (or Apple's / FB / whatever) services.
I have a google account to test my devices / emulators. Never logged in gmail with that account, never will. If they cut it off, I can make another.
Same with Apple. I have an Apple free ID for running virtual machines with MacOS / iOS and that's all. I tell my customers to create their own Apple ID and I deliver them the sources + dev environment and they make their own binaries and publish on Apple store. My job is done once I make the app run on emulators and I tell them from the start of the project this.
I have a FB account to talk on FB mess with parents from school and that's all. I don't even have them as friends there, I am just in 3 lists and that's all.
Also I use protonmail currently as I've started migrating from yahoo 2 years ago (old e-mails still there, I open that e-mail like once per month).
Do the same, you'll be free. Also you can use an e-mail account outside of google domain to actually create a google account, if you really need one.
Off topic but Facebook’s developer portal has a create test user capability that works pretty well. I don’t use Facebook either but if I need it for work I create a Facebook with my work email.
I do not. Becoming dependent on a large e-mail provider is only because of continued willful ignorance.
Better education for how digital services work and how to properly handle your digital identity is the right way to handle this. Implementing regulation and cementing the "major" e-mail providers who have the resources to comply will only deepen people's dependence on these corporations.
So what do you propose then? How do you "properly handle your digital identity is the right way"?
Do I have 15 email addresses with 15 different providers? When a form asks for my email address I can only give one, what happens if that provider goes away?
What if a government doesn't like $provider and seizes the business? Now I can't get a reset link/change my password/prove my identity...Many government online services ask for your email these days, so you don't really have much control over that. If you said I am joe@blogs.com and blogs.com dies, you're toast.
You went from dealing with being banned by google to the general case of an e-mail provider disappearing. This is different. In one case you have control ( choosing not to deal with google because of their arbitrary judgments when it comes to account termination ) in the other, you really don't. ( Random calamity that befalls your email provider ).
If your email provider goes away, you're screwed. Nobody accounts for this situation. Doubly so when you used an identity provider that has gone bust.
The question is, how do YOU imagine imposing regulations on mail providers will change anything in a case like this?
Store your credentials, make backups of your emails, don't use identity systems. If things really do go bust, you'll retain access until you can get manual changes made to your accounts.
The other obvious solution is to have identity/e-mail built-in as part of citizenship and be guaranteed by your government.
Register your own domain and point it at your preferred service, if you lose access to that service you still retain the domain and you still have your email address.
If you want to solve this problem you have to spend some money somewhere otherwise you are simply demanding providers give you services, for free, forever, not something that seems realistic?
But can't the same problem happen if you, somehow, lose the ownership of your domain? I mean, I don't know what the actual assurances are, but if there is any chance that you may lose access to your domain (for causes other than forgetting to pay to renew, ofc), even temporarily, that would be the same as being banned from Google.
Or even worse, because having your Google account locked means you can't use it but no one else can use it either; however, if somebody now has your domain, they could be able to impersonate you.
I think that is very very uncommon and when it does happen there's usually some kind of legal process involved. In other words I don't think you're going to have your domain yanked away without some reasonable amount of warning and ability to dispute.
In the worst case scenario you'd have time to set up a new domain and move everything over. Annoying yes, but again extraordinarily rare.
Consider that our lives are increasingly complicated. What an adult is expected to know and understand has grown to the point that 16 years of formal education are required.
As email's importance approaches a utility like physical postal service it's reasonable to expect some regulation. So long as the regulation is independently developed and balances the needs of consumers and producers then it shouldn't be too burdensome for competition to exist.
In the worst case taxes could pay out to whichever provider one chooses.
I don’t see what’s lost if Google disabled my account. Yeah, photos, emails and similar but that is not really life changing.
I’m not saying it’s an unworthy cause to advocate a change but I’m just not seeing the moral weight compared to factory farming, and other hard industries that have an effect on societies and the planet.
You're setting a very high bar there, and then claiming that losing access to your gmail account isn't worse than that therefore it's not life changing.
Email ends up being the form of online identity for a lot of people, myself included, so that almost every service that I sign up for has my email address as ID. If that email address isn't the ID, it's the preferred way of resetting passwords. I wouldn't be super happy about Facebook being my online ID, nor my cell phone number (see SIM swapping problems).
It's life changing in the same way that losing all your personal documents in a fire sets you up accounting nightmares. Moreover, you're making very light a situation about losing all your pictures. I'm not talking about food pictures, but there's plenty of "me" that's contained in being able to look at pictures of important events of my life (which is why I don't rely only on cloud backups for that).
I do have a lot of stuff that I’d be sad about if lost on Google. And yes, I would be inconvenienced to contact all the services for an email change. But when talking about how our society got to where it is now, I just can’t see the moral weight of these kinds of monopolies in the context of just losing access.
I lose track of things easily. Gmail is my brain dump. Not only does it track all sorts of important email exchanges, but it also acts as a dump of scans of important documents. I have several gmail addresses so it's not completely single point of failure, but if my hub email was disabled, I am in a world of hurt until I sort things out.
Should I diversify? Probably, but that's more things to secure and keep track of.
If anyone honestly believes that Google can "remove their existence"...with or without due process, I think maybe they need to take a step back from the net. I read all the time the arguments over bitcoin's value being real or not, but maybe the better discussion should be on whether or not social media and having a digital presence has any actual "real" value.