Google Drive may restrict files identified as violating ToS (googleblog.com)
273 points by umvi 30 days ago | 254 comments

I believe this may be due to the popular spamming method lately which is tagging people into a Google Docs and sharing it so everyone receives a notification (the spam message). It works better than regular email spam since apparently Gmail doesn't treat Google Docs notification email as spam (at least not as often).

The files are not removed or blocked, they just can't be shared publicly:

> When it’s restricted, you may see a flag next to the filename, you won’t be able to share it, and your file will no longer be publicly accessible

So it's probably a combination of things, including piracy. They're not forbidding people from storing or retrieving the files, just not allowing anyone to publicly host whatever they want on Google's servers. Seems reasonable.

I think the opposition is by those who long for the simpler, lawless period of the internet - a time where Google seemed to always be on the side of the user, even overlooking the naughty things the users would get up to. This change for those folk could feel as some kind of betrayal, like Google is complying with "the man", instead of shielding them from the realities.

Of course this point of view is silly - Google have done very well to make users the product. A win:win scenario for those who couldn't afford the pay-for equivalents, but their ceaseless ability to kill useful services proved that they were never benevolent, nor a charity.

The internet has grown up, and so has the ability to scan masses of data for liabilities - Google's change here is not controversial or unexpected, and realistically if people have a problem with the many problems with US copyright laws they need to pick up their pens, change who they vote for and vote with their wallet.

As for the implementation I think it's pretty fair - they aren't stopping the user from their 'backups', they're just preventing their hardware and bandwidth being used as a piracy BBS.

I've been using the internet since the simpler, lawless period. Yes, I miss the excitement of a new Netscape Navigator release, or using some new tool, and just being able to explore anything and everything.

OTOH, I welcome this change. Instead of losing my access or getting a strike on my account, I'd rather have my file merely flagged and stopped being shared (not that I share a lot).

I think service providers should be more transparent about problems they see with the users' accounts, so users can take appropriate actions. Of course there can be other mechanisms to prevent abuse, or lawful intercept (which is another can of worms that I want to leave it at the top shelf for now).

So, I've read a Google blog without bad feelings for once. That's good.

Someone was theorizing that this allows Google to not outright suspend accounts for copyright violations. Previous implementations was that you and your businesses will be digitally dead across Googlescape. That was more controversial than this would be.

Similarly: Google Forms being used for phishing, Google Calendar invite spam... I've even heard of Google Photos being used for spam (by "sharing" photos, or by posting photos with text as the target of a spam campaign).

Spammers ruin everything.

They truly do. And it doesn't even have to be many spammers, it only really takes one person to ruin a free service. I've had plenty of personal projects I had to shut down due to some random person who just decided to hammer my servers for no reasons. I block the IP or IP block and they get more. I put Captcha (HN always complains about it but this is why it's often needed...), and users (who pay nothing) complain that it's annoying. Running free services on the internet is truly a PITA.

Same experience here, one spammer DOSing my site, always with similar patterns. I'm already behind Cloudflare and use https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blo... but I still have to identify and block them manually, which is annoying and a waste of time. Some IP-range blocks affected users so it's not fine grained enough. I wish I could identify, expose and sue them into oblivion, but the internet is too international and anonymous for this to be feasible. I also had to limit some site functionality because of this.

If that's true then I'd expect there to be personalized and well-funded counter-measures, for tracking and prosecution coordination with local law-enforcement and court system. Considering that one service could be worth many millions, and that can be destroyed by one person, it would make sense to spend the money.

How do you plan on prosecuting random people on the other side of the world that are sending garbage from a bot net? I can't even fathom the amount of money this would take to do reliably. Even if you did manage to find the person, you need the other government to actually _do_ something about it. It seems pretty intractable to me, given the scale.

As someone who suffered (and complained a lot) about this issue, I kind of fail to understand how this could possibly help fight the spam.

This seems to be more related to DMCA violations to be honest.

Anyways, my spam issue stopped around two months ago. After I complained to Google for those spammy tags with multiple examples forwarded and multiple cases opened, they seem to have solved the issue (or added me to some sort of mention exclude list lol)

There is also a method for sharing pirated media using Google Drive. TBH I'm surprised they haven't started earlier.

People have used Google Drive for sharing pirated stuff since forever. Google usually blocks it by restricting downloading instead of removing the file, but people kept finding out new ways to get around that, like making a copy of the file in your own drive, or selecting that file and another one to download so that Google zips up both into one zip file before downloading.

People have been using password protected archives to get around pirated content restrictions since forever.

Does Google even have to look at the content? I assume most pirated content will also have a massive number of anonymous downloads, and shouldn't that trigger some fair-usage clause somewhere?

They already rate limit popular files that match these patterns.

They don't actually block the file though, and there were (and still are) ways around the rate limit. (Which presumably they knew about to some extent, given you now cannot make copies of said files.)

They could easily start taking action on obvious copyright violations using Drive, but it's unlikely they would want to, unless actually mandated to legally.

I'm not sure what they would do about massive encrypted collections that have been rcloned onto their servers though. Aside from "please stop breaking our de-duplication".

They block upload even if you're not sharing it.

Same for game mods

So basically: piracy, spam or anything you'd get into legal trouble for doing on your own hardware, Google restricts on their hardware. I can't really see how that's surprising or strange.

If they're using content ID then they're also flagging legitimate fair use without providing a counternotice procedure.

That’s unfortunate. But I’d fully understand if that’s the terms of the service, at least for cheaper tiers. Basically “store all you want but at this price point you are subject to errors in automated blocking”. At enterprise level I’d expect service from humans though, and I expect to pay for it.

>there is also a method for sharing pirated media using google drive

Is anyone surprised by that? Every file sharing tool will invariable be used to share pirated and worse material until the people behind that tool show a willingness to stop that behavior. It is practically a universal law of the internet.

Is it really a service if it doesn’t facilitate infringement?

I was about to suggest that copyright enforcement as a service doesn't but no, really, they do their own special kind of infringement

Nah Google doesn’t care about that. Spammers have been doing it for years on Google Drive/Docs and Microsoft Sharepoint.

You're restating GP comment about why Google may need to do this.

No, I am not. The GP said that it is a popular method lately and I explained that it has been happening for years. What TFA is saying is that there will be more communication about files being blocked, but it doesn't suggest to me this is a response to this kind of spam. What probably happened is a file BigCorp wanted to share was opaquely blocked so now Google feels the need to provide better communication.

If Google were genuinely interested in stopping the spam, they would create a way for recipients to establish which organizations could send files to them.

Except that’s not a real solution at all, is it?

Whitelisting orgs would either be an opt-in or opt-out feature. If it’s opt-in, it won’t prevent 99.999% of spam because nobody will set it up. If it’s opt-out, it will break sharing for 99.999% of users.

These are never easy problems.

>won’t prevent 99.999% of spam because nobody will set it up

I would. And anyone who doesn't want the spam would. Right now we send "550 Too much spam" responses to docs and sharepoint emails. I'd be happy to, as an alternative, use an interface at Google or Microsoft that let me whitelist the organizations who can send files.

That and I'm not sure how different this is from cloud file sharers that disable file shares for reasons like piracy, which is something that I'm pretty sure Google Docs was doing already.

Google says you can request a review if you believe something should not have been flagged as a ToS violation but no mention is given to any rights you have. To me this reads as "You can request whatever you want but it might not mean anything in reality.": https://support.google.com/docs/answer/2463328

Conversely, the information for how to report what you perceive as a ToS violation is far more complete: https://support.google.com/docs/answer/2463296

Considering their history with falsely-flagged videos on YouTube, I assume this to be "you can ask for a review but we're not gonna do anything about it lol".

Not just YouTube, even play store developers who get their apps removed arbitrarily are left with talking to a robot instead of a human unless they can create enough social media storm to get some media attention and then google might finally review it.

The "but you can request a review!" handwaving all these massive tech platforms use to assuage concerns about heavy-handed (and coldly automated) policy application is really long overdue for serious consumer protection regulation.

I like to imagine the AI spits out a line like this:

> Should we ban this user? YES

Then you request a review, and the support person double-checks that the output really does say "YES" and not "NO". Then they tell you they reviewed their decision.

GDPR art 22 might protect against this (https://gdpr-info.eu/art-22-gdpr/).

I wonder if someone has already tried to invoke it against a Google/FB/.. ban hammer.

I used to work at a big co on a system like this. The appeal button sent your job for another review. Obviously it doesn’t cost anything to click a button so almost everyone did it. Appeal jobs were split into tiers based on customer size and higher tiers were worked first. Big enough customers got the white glove treatment from their account manager. Small customers could linger for months in the queue, but could usually get the decision reversed if they tried hard enough.

Still waiting for my request about my adsense ban for violating not a single ToS to be processed. 15 years. And I'd like my money back, plus interest as well.

"The AI has determined it has done nothing wrong and as punishment has deleted 50% of your files. Do not make that mistake again."

I'm starting to change the way I'm sharing YouTube links to avoid continuing to feed that beast. I replace with the Invidious yewtu.be link. So for example, the above is: https://yewtu.be/watch?v=3D8TEJtQRhw. De-Google Detox.

Request a review from Google? Real human intervention? That's cute... but we know how this actually goes with them.

Google doesn't exactly have a great reputation for customer support.

Note that you can still access your files, they are not blocking that or restricting that. It's the sharing that's blocked.

But seriously how long is it before Google implements a hashing algorithm (not too dissimilar from Apple's) to check if a user has not uploaded content with a copyright on it and taking some form of action on the user.

This feels like a slippery slope to be on.

Apple's CSAM would scan your offline photos.

Google scanning photos you upload to their cloud seems fine to me. Not a slippery slope.

>Apple's CSAM would scan your offline photos.

Apple's plan was to scan photos that you uploaded to iCloud, only. Even that plan was canceled.

Google, however, still does scan everything in your account and has been doing so for the past decade.

For instance, this article from 2014:

>a man [was] arrested on child pornography charges, after Google tipped off authorities about illegal images found in the Houston suspect's Gmail account


As does Dropbox, Aol, Yahoo, Microsoft, Facebook, etc, etc.

Whether this is good or bad is a topic for fair debate, I think, but it continues to astound me both how little people are aware of this and that, in comparison, Apple's relatively privacy-preserving approach generated so much flak.

Apple iCloud is in that list.

And you still need to scan local photos on the phone?

It's better for a customer to scan images locally, on the phone, prior to upload. By doing this, the device can then encrypt images and store them in the cloud service. In this way the cloud service can be "CSAM sharing free" but never needs the symmetric keys to decrypt private images, period, for any reason.

The only thing this adds to the threat model is mistrust for false positives in scanning engine - but in even the worst case scenario here (forged false positives), you're still ahead of the Google model, where the same forged false positives would be extremely likely to result in a full account review rather than review of specific images. Everything about "the device looking at your photos" is tinfoil hat, because the device is already looking at your photos, they're decrypted in RAM! All of the threat scenarios about "Apple adds a secret government backdoor that downloads your photos and sends them to the FBI" are already equally possible today!

> Apple's plan was to scan photos that you uploaded to iCloud, only. Even that plan was canceled.

The massive difference being that they would scan photos on my device. Not on the cloud. On my local device. How is that people consider that better?

The important bit is that Google does not currently have any capability to scan stuff on my phone. This is good. It's my stuff. They have no right to look at my stuff.

Apple proposed to implement tech that could scan stuff on my device, with a promise that they'll only do it when I am uploading stuff. Wait a few years, and some pressure from Authoritarian Government/Corporate Overlords and now the promise is just a promise that they can be easily removed and we can scan all stuff to make sure you're not stealing "content"/spreading "propaganda".

Again, nothing except photos you uploaded to iCloud was to be scanned.

Apple's plan was to have your device conduct the scan and encrypt the scan results so not even they could see them until a threshold of ~30 image matches was reached.

This protects the user from false positives.

Once the 30 image threshold was crossed, the plan was to have a human review before turning someone into the authorities.

I think we all know that Google is not ever going to hire expensive human beings to supervise its algorithms, so a single false positive would likely see you turned in for kiddie porn.

> nothing except photos you uploaded to iCloud was to be scanned.

My point is that the difference between the approach from Google and Apple is that in one case (Google), we have a tech level blockage, it's not currently possible for Google to even do that.

On the other hand (Apple), the "blockage" is policy or "promise". That's far less reliable than the tech just not existing.

> the difference between the approach from Google and Apple is that in one case (Google), we have a tech level blockage

There is nothing stopping Google from inserting code to scan everything on your device. They can stick it into the binary blob of closed source Play Store code, and you would have no way of knowing it is there.

Google still does scan everything in your online account and has been doing so for the last decade.

Apple has backed down from even doing that for iCloud Photos.

> "Apple's CSAM would scan your offline photos."

No it wouldn't. It would only scan photos you upload to their cloud.

"This feature only impacts users who have chosen to use iCloud Photos to store their photos. It does not impact users who have not chosen to use iCloud Photos. There is no impact to any other on-device data."


"Does this mean Apple is going to scan all the photos stored on my iPhone? No. By design, this feature only applies to photos that the user chooses to upload to iCloud Photos, and even then Apple only learns about accounts that are storing collections of known CSAM images, and only the images that match to known CSAM. The system does not work for users who have iCloud Photos disabled. This feature does not work on your private iPhone photo library on the device."

- https://www.apple.com/child-safety/pdf/CSAM_Detection_Techni...

You're right - I misremembered. Kinda wish HN would let me edit.

You are spreading misinformation. I don’t know if on purpose or ignorance.


They were very much planning to scan all photos on the device independent of iCloud. It was going to be another phase of the rollout. It was going to be in iOS 15.x and they backpedaled.

I think that's just imprecision on the part of noted tech news outlet CBS.

Apple clearly documented that this was only for iCloud uploaded photos, and indeed the technical description makes clear that this is only designed to work with uploaded photos: https://www.apple.com/child-safety/pdf/CSAM_Detection_Techni....

Apple clearly said they scan the photos on your phone not in your cloud account. They say it is designed to work with iCloud photos and they are processed / scanned on your photo before they are uploaded to the cloud.

Not sure why they would need to do that. It does open up your phone for scanning and uses beyond what they initially lay out.

Yeah, I think this is what freaked everyone out, but it's pretty clear the intention of on-device scanning was that it would work even if they had client-side encryption of photos before upload.

The whole point of the protocol (as described in the Apple whitepaper) is to allow clients to attest to perceptual hash matches without the server having access to the plaintext.

So, the irony of all of this is that the Apple design is effectively more private than the status quo, but everyone freaks out about it.

I think the ostensible goal was privacy preservation for photos whose perceptual hashes don’t match (i.e. most photos), which would never need to be uploaded without end to end encryption. But I agree it puts them within striking distance of scanning fully offline photos, even if the initial implementation doesn’t.

I am spreading information from the people who designed and built it on purpose to counteract the clickbait sky-is-falling misinformation.

But the default is to upload. On my phone, I had upload off, and then it got turned on again (not by me). The same thing happened with Google Assistant. I had it off, but then it mysteriously tried to start assisting me again.

Very much a slippery slope.

Their cloud doesn't mean it's their content. If said content is public, I mostly agree, but not if it's private.

When I hire a storage box and put stuff in it, I don't own the storage box. Yet still it cannot be searched by anyone, not the company nor the authorities, unless there is a credible criminal suspicion.

The storage owner can have a terms of service - i.e. you can't store flammable material/liquids. They also probably reserve the right to enter your unit to perform repairs.

Right, and to keep this analogy consistent, do storage owners routinely open all storage units, then open up all your boxes and search through them to check for flammables?

No, but that's primarily due to a lack of interest/manpower. They (probably) reserve the right to ensure that you aren't doing things that are against their TOS. There's (probably) no right to privacy.

They don't give out free storage. If you aren't paying with money you're paying with something else and you have no expectation of privacy when you agree to terms that say as such.

I guess the question is, if someone emails you an archive of jpg files to share on your public website, will you? Without looking at them?

I think that would be crazy. When they end up being CSAM or whatever, you're the one that will go to prison for possessing them, not the person that sent them to you.

So, after Google/YouTube have been aided in growth by the safe harbor clause, they now think that site owner responsibility is not such a bad thing after all?

Sounds more to me that they are pulling up the ladder to impede competitors.

It's very likely you only start getting 'requests' from 3-letter agencies asking you to scan content once you reach some large mass of hosted content, especially since the technology for even doing so is locked up, with NCMEC and Microsoft being the arbitrators for who gets to use it: https://www.microsoft.com/en-us/PhotoDNA/CloudService

I believe this is a really good take on the matter, and somehow you are the first person I see bringing it up.

The EFF has raised this issue repeatedly (that stringent requirements on content filtering will be an advantage to the large players who can afford to do it).

That's why I made the distinction between public hosting and a private album.

For public files, I fully agree with you. For private ones, not at all.

If they implement it, Apple's CSAM would scan your photos as they are being uploaded. Not really “offline”.

Google already scans for CSAM on stuff uploaded to drive. The idea that they'd start using it for copyrighted material is a spurious claim considering they've made no indication of doing so in the past.

Aren't you forgetting that Google already practices this with YouTube? The idea they'd apply it to Google Drive doesn't seem particularly spurious to me. It might end up not being true, but what exactly is farfetched about this?

Yeah, all cloud providers do, this isn't new. The only reason Apple's version was controversial is that they did it on your own device instead of their own server, but scanning files on cloud services is common practice.

What if you actually own the copyrighted content or have permission to have it?

This is an issue that none of the cloud providers have solved. I had 250,000 CD rips from various record labels at one point. I had full authorization from them, but it looks like I'm a massive pirate.

It should look like you're a massive pirate -- if you have hundreds of people downloading those CD rips from your Gdrive. If you're the only one accessing your own files, it shouldn't matter how many rips you have. Don't know how it works in practice.

To clarify, this was not a shared folder.

Of course, that is an edge case which Google would need to figure out and perhaps, one of the many reasons they haven't done it.

Sadly I expect that Google will "handle" those edge cases the same way they handle similar issues on Youtube: have a lot of false positives and tell users to pound sand, except for cases where the outrage goes viral.

> that is an edge case which Google would need to figure out

How do you figure out legality of having a document from the document? Unless it's child porn, where it's implicit, this simply isn't computable.

Maintaining a hash of say music files that are owned by large record label companies or a conglomerate like VeVo, match every audio file uploaded with the hash and if it matches, flag it, get it reviewed and if it matches, delete it?

That does not answer legality.

However, VeVo can say that no one can keep MP3 records if it isn't hosted on iTunes, YouTube Music or Spotify etc

In my country that would be almost certainly illegal. Not even copyright holders can tell you what you can do with your personal copies of copyrighted works, short of distributing them to someone else. By law they're explicitly prevented from doing that.

The cloud is "someone else".

Not necessarily for the purpose of our copyright act. Neither is your personal bank deposit box if you put a book in it. You're not transferring ownership of your belongings to the bank if you put something in it.

Assuming for video content they use their existing YouTube Content ID library, they can exclude/allow their Google accounts to have that content, or host it under the same user as their YT channel.

Is it an edge case? Thanks to copyright's assault on the public domain, almost everything is copyrighted. Is making a backup of your movies, music, and e-books unusual?

What assault on public domain?

Copyright is supposed to be temporary. Instead terms have been extended to essentially infinite durations. The copyright industry has robbed us of our public domain rights.

Well they still haven't figured it out with YouTube.

Still might not have the license to agree to the necessary terms to upload it to a third party cloud storage

It's way too easy to get around that. Also, having copyrighted content is not illegal. It is legal to make backup copies of something. Google has no way of knowing what kind of external agreements a user may have made regarding sharing. They might ban it anyway, but that makes other services who don't ban legal activity attractive.

Those interested in Google's slippery-slopes should look into "keyword warrants" [1] and "geofence" warrants [2]

[1] https://www.cnet.com/tech/services-and-software/google-is-gi...

[2] https://nlsblog.org/2021/01/08/google-data-and-geofence-warr...

They have been doing this since forever. Years ago if you tried to upload obviously pirated movie mp4s (like the most popular torrent for a given major release) it would error out.

They already do the kind of scanning Apple was going to do. Only with far less privacy.

You are assuming they do not already do this.

Considering I have many pictures I took from the latest Spider-Man movie (for my own collection), if they had to do something about it from a legal perspective, they would have done it already.

Yeah, to me this makes this kind of a non-issue. Because I always assumed that any cloud provider like this would be capable and willing to block sharing of files based on their policies.

And they’ve been blocking files exceeding a download quota (common for publicly shared pirated video content) for ages. Basically the quota is zero for certain files now.

The join over {IPR theft, AI, censorship and "think of the children"} is a strong reinforcing superset of all of the motivations here.

CSAM opened the door to a conversation but we're a long way down the road to cloud backed storage being a gatekeeper not just a storage space. In my cloud or on my device, it's being looked at.

What's missing is arbitration via neutral mediator. The contracts are written to favour the provider. Automated reasoning of your breach and the abysmal restitution process is bad, but we're also a lot further down that road than people think. The "help by public shaming" here is not a solution at scale.

I pay for Google "one" and my hope is that excluding frank breach of the terms, paying them gives me one small extra edge in the "why did that happen and how do we fix it" space. I have found with ad spend, being a customer changes the relationship compared to free service. So.. there's hope. Probably misplaced.

There is hope, and there will be fumbles on the way I think. The real solution is for us all to voluntarily run a CSAM scan on our systems that can trigger a notification to a neutral arbiter (ideally something like an online jury of one's peers, but who don't know you) take a quick glance at the photo, determine it's your kids in the bathtub and not CSAM, and click "It's Fine".

We would subscribe to updates to a CSAM scanning corpus which would parameterize the scan. The whole thing requires "trusting the client" but I bet there are ways to make it work. If it would defuse this movement toward total black box checking of content, then I think it's worth it to voluntarily do this kind of scan. The effectiveness presumes that the intersection of child porn consumers and users sophisticated enough to disable a scan like the one I'm imagining is very small.

Why should we run a scan on ourselves? Why should we be treated as a criminal for doing nothing wrong? The solution is to vote out anyone who thinks this is a good idea. To not support any company who tries to implement this kind of technology. It is absurd to think people will give up their rights to privacy in their homes to accommodate this kind of idea. Encryption is math and won’t be stopped. People will find a way to hide what they need and any of these systems only affects the non criminal user. Also I have hundreds of pictures of my kids in the bath. I always try and not get their private parts in the picture but with my hundreds and millions of people potentially with the same numbers it really is not possible for a human to lay eyes on that many pictures. Also that would itself open up avenues for abuse say it was just an innocent picture of my kids butt there are perverts out there that will get off on this. They are private photos of my family enjoying their youthfulness in a bathtub and never will I consent to someone browsing my private photos. This just seems whack.

Fucking hell, voluntarily running scans on your computers for CSAM? Are you going to voluntarily get a brain wave scan for whether you have anti-patriotic thoughts?

The choice isn't between scans and no scan. It's between voluntary scans (which can be white box and controlled) and involuntary scans (which are black box and totally uncontrolled).

That's silly; voluntary scans aren't voluntary if they're to work, and no scans is always an option. Human decisions to do things one way or another have never been set in stone.

No, the choice is indeed between scans and no scans.

> ideally something like an online jury of one's peers, but who don't know you) take a quick glance at the photo, determine it's your kids in the bathtub and not CSAM, and click "It's Fine".

How does someone who doesn't know me determine that it's my kids in the bathtub? (The answer can't be "you have to submit other pictures of your kids" because if I can get pictures of random kids in a bathtub, I can probably get other pictures of said kids.)

How about no? I don't view CSAM, and I don't need to voluntarily run a scan to prove I don't.

You're modelling the compliance for good people. Threat and risk analysis has to model for bad actors. Your solution won't work because bad actors exist and will exploit it.

What a massively invasive system just to find pre-registered images and not prevent abuse at all...

This ended up being a longer post than I intended, but overall I think your entire idea is fundamentally flawed, requires taking control of a computer away from the owner, and wouldn't even solve the issue.

> to voluntarily run a CSAM scan on our systems

The results of such a scan are meaningless to anybody who doesn't control the computer that performed the scan. If these results are to be trusted by authorities, that implies that we no longer control the computers that you are describing as "our systems".

> neutral arbiter (ideally something like an online jury of ones peers, but who don't know you) take a quick glance at the photo, determine it's your kids in the bathtub and not CSAM, and click "It's Fine".

Wait, wait, wait. So the response to finding suspected CSAM would be to make a copy of it, then to deliver that copy TO OTHER PEOPLE OVER THE INTERNET!? Every single study about Facebook's CSAM reviewers shows it to be an emotionally damaging job, because you're constantly shown psychologically damaging material. With that in mind, who do you think would volunteer to be on such a review board?

> We would subscribe to updates to a CSAM scanning corpus

This introduces an unnecessary failure mode to devices whose core functionality does not require internet access. If I have a digital camera, a tv, or a picture frame, those fundamentally do not require internet access. Given the prevalence of targeted advertising and surveillance of customers, any device requesting internet access should be viewed with immediate suspicion.

> The whole thing requires "trusting the client" but I bet there are ways to make it work

There aren't. There really, really aren't. You can only trust computers that you control, or that are controlled by people that you trust. Trying to implement these leads to obscenities such as the Clipper Chip, Sony's rootkit, ring-0 DRM, and so on. Every single one takes control of the computer away from the owner and gives it to somebody else.

> defuse this movement toward total black box checking of content

Your suggestions would require implementing a black box checking of content, running on my computer, and not under my control. Calling it "voluntary" in the sales pitch makes it useless, because the person who controls the computer can disable any reports from it.

> presumes that the intersection of child porn consumers and users sophisticated enough to disable a scan like the one I'm imagining is very small

The size of the intersection doesn't matter, because only a single person needs to write a script that disables the scan. In addition, if a scan requires sophistication to disable, that implies that it is an opt-in scan, and that goes against your sales pitch as "voluntary".

>There aren't. There really, really aren't. You can only trust computers that you control, or that are controlled by people that you trust. Trying to implement these leads to obscenities such as the Clipper Chip, Sony's rootkit, ring-0 DRM, and so on. Every single one takes control of the computer away from the owner and gives it to somebody else.

And even then it won't work. Video games are a great example: a lot of annoyance is caused by cheaters. Games have been ruined by cheaters. And yet there exists no solution that gets rid of them. Even LAN tournaments in CSGO have had an aim botter at a high level. The hardware they use is provided on location, but the players bring their own mouse and keyboard. In the case of CSGO the mouse had an aim bot on it.

I don't quite grasp the panic about this: my impression is Google currently restricts ToS violations from sharing (your own access is retained).

The only change here is end-users will be explicitly notified (and can theoretically contest the decision).

The panic is people's fear of the Iron Heel[1]. For most of us, the systems we depend on are controlled by other people. In this chaotic political climate, when these systems start closing in on us, or restricting us in new ways, there's no way of knowing where the tightening will end. Some are incredibly insulated and have no worries about the kind of world we're living in, but others are constantly on edge and feel that we're sleepwalking into a dystopian nightmare. That's what this "panic" is about.

[1]: https://www.gutenberg.org/files/1164/1164-h/1164-h.htm

The only basis we have for panic here is that reading skills and critical thinking are in dangerously short supply among commenters here, who collectively believe themselves to be smart and independent thinkers despite all available evidence.

Big tech has been rolling out censorship all over the place lately. People suspect that ulterior political motives are causing Google to do this. I don't think mistrusting the motives of Google means that the people here lack "reading skills and critical thinking."

One of the terms included in its abuse policies is "hate speech." This is an extraordinarily ambiguous word which can virtually apply to any speech that is critical of anything. It is a term that has come to be known, by some of us, as a tool the political left uses to censor dissent. For example, saying that a man is a man and a woman is a woman can be considered hate speech against the trans community.

This move is part of a larger trend. Some people see it. Others don't.

9/10 with one demerit for omitting the compulsory "wake up, sheeple".

“The British are coming!” -- Paul Revere

"Put a sock in it, ya wanker." -- You in 1775, probably.

>For example, saying that a man is a man and a woman is a woman can be considered hate speech against the trans community.

If you can't understand why this is the case, then I'm sorry for your lack of critical thinking.

To me this isn't as much about reading skills as it is about being aware of and remembering newer history and being able to apply a mental ruler to the observations and see what way it is heading.

That second part I consider close to critical thinking and it seems to be what people do.

What indication is there that any new restrictions are being placed on a user's content? The blog post from Google only mentions the change of sending email notifications to users.

It has something to do with their "abuse program:" https://support.google.com/docs/answer/148505?hl=en. I can't find a date on this, but I assume that this article is about the implementation of this program.

There's snapshots going back to 2014:


Again, none of this is new. People have been abusing Drive to host illegal files for years, and have been getting banned for it. The only change is that now you get a notification and can dispute it. It's a strict improvement.

Otherwise known as the slippery slope logical fallacy

This is deeply disturbing news. It is already a problem that people get their Google accounts closed without any explanation from Google and with no response from Google when they try to contact them. A story about Elin Killie Martinsen, a Norwegian journalist and writer who lost access to her book manuscripts this way, was recently run in the national newspaper Aftenposten (https://www.aftenposten.no/kultur/i/8Qj1lG/uten-forklaring-b...). The article is in Norwegian but to summarize she got this answer from Google; "There appears to be malicious content in your Google Account. This is a serious violation of Google's policy and may be illegal" with a link to this page https://support.google.com/accounts/answer/40695?p=disabled_... .

To the writer this was incomprehensible because she couldn't understand that any of her files could even be close to violating anything.

I am already seriously considering discontinuing my subscriptions of their storage services, and this post about restricting files doesn't give me comfort.

It's really bothering when the account just also happens to be your core email service so suddenly you have no way of recovering other accounts.

Moving off Gmail is likely impossible for most non-technical folks.

There is nothing in the slightest bit technical about opening an email account with protonmail, or fastmail or any number of other much less invasive email services. A protonmail et al account could even be called easier to open since Google lately asks for quite a bit in exchange for the "privilege" of having one of their email addresses. Gmail also constantly screws around with security blocks for blah blah reason that require backup email or phone verification gymnastics if you do any number of tiny things "wrong", like say, trying to log in from a new country.

There are plenty email providers out there. Free and paid. It should not be a problem for anyone to switch. Moving off of Gmail doesn't mean to self host. It is a bit of work to tell anyone about your new address, but that's it.

What about the hundreds of other accounts that use your gmail as either the 2FA target or password reset?

For a non-technical user (like my mom), this is a herculean task.

There's no need to delete the old gmail account, just use the new account for anything new, and change the mail address to the new one for the few frequent and useful accounts.

Over time, the old gmail account will lose its importance, and there'll be no real risk if Google decides to ban it.

If you need a password reset do it and use the reminder to change the email. If your mom signed up for hundreds of accounts she should be savvy enough to handle the account update.

Changing upwards of 200 logins to use a new email address may be troublesome. Do you keep a list?

There's another catch, many services use the email address as an immutable identifier that cannot be changed. For some that doesn't matter, but at the very least it is a lot of time/effort.

A lot of those can be solved by contacting the support of that service. Services that don't allow you to change emails are usually on the smaller side and so you might actually get a response.

When I switched away from Gmail, I used my password manager to track the logins I needed to change. Then, just monitored the Gmail inbox for anything I missed.

Unlike sibling commenters, I used to not use a password manager. (But do now!)

I just keep the old GMail for now, and whenever I receive a valid email there, I visit the sender website to update it.

This depends on you remembering your "low-volume important accounts" like government websites you visit once a year, but otherwise, I would not cry if my imgur account got lost or something eventually.

Would be nice for companies to maintain a standard account management API which password managers could call. Imagine buttons on your password manager: "Set All Emails..." and "Randomize All Passwords..." I didn't find any such standard after a quick search.

Edit: Looks like LastPass does it with a screen scraper https://support.logmeininc.com/lastpass/help/how-do-i-update...

First, I saved every login on Bitwarden and then used that to visit every website and changed login email info there and re-saved on Bitwarden.

The effort is only one time or one day at max. And the rewards are worth the time.

Yes, my password manager
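The audit several commenters describe above, using a password manager's records to find which logins still point at the Gmail address, as an added example that is not part of the thread. It assumes an unencrypted Bitwarden-style JSON export with `items[].login.username` and `items[].login.uris[].uri` (field names are assumptions), and the sample export and addresses are constructed. Dotted and plus-tagged Gmail spellings and `googlemail.com` are treated as the same mailbox.

```python
import json
from urllib.parse import urlsplit

# Gmail delivers these spellings to one mailbox, so an audit has to fold them.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address):
    """Return a comparable form of an e-mail address, or None if it is not one."""
    address = (address or "").strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None
    if domain in GMAIL_DOMAINS:
        # Drop the "+tag" suffix and the dots, which Gmail ignores.
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def host_of(uri):
    """Extract the host from a saved URI; fall back to the raw value."""
    host = urlsplit(uri if "://" in uri else "//" + uri).hostname
    return host or uri


def logins_using(export, old_address):
    """List vault entries whose username is the old mailbox.

    Passwords in the export are never read or returned.
    """
    target = canonical_mailbox(old_address)
    if target is None:
        raise ValueError("old_address is not an e-mail address")
    hits = []
    for item in export.get("items", []):
        login = item.get("login") or {}  # secure notes and cards have no login
        username = login.get("username") or ""
        if canonical_mailbox(username) != target:
            continue
        uris = [u.get("uri") for u in (login.get("uris") or []) if u.get("uri")]
        hits.append({
            "name": item.get("name", ""),
            "username": username,
            "hosts": sorted({host_of(u) for u in uris}),
        })
    return sorted(hits, key=lambda h: h["name"].lower())


# Constructed sample in the assumed export layout (not real accounts).
SAMPLE_EXPORT = json.loads("""
{
  "encrypted": false,
  "items": [
    {"type": 1, "name": "Tax portal",
     "login": {"username": "Jane.Doe@gmail.com",
               "uris": [{"uri": "https://tax.example.gov/login"}]}},
    {"type": 1, "name": "Imgur",
     "login": {"username": "janedoe+imgur@googlemail.com",
               "uris": [{"uri": "https://imgur.example/signin"}]}},
    {"type": 1, "name": "Forum",
     "login": {"username": "jane@fastmail.example",
               "uris": [{"uri": "forum.example"}]}},
    {"type": 1, "name": "Router",
     "login": {"username": "admin", "uris": []}},
    {"type": 2, "name": "Recovery codes", "login": null}
  ]
}
""")

if __name__ == "__main__":
    # A real export holds passwords in cleartext: delete it after the audit.
    for hit in logins_using(SAMPLE_EXPORT, "janedoe@gmail.com"):
        print(f'{hit["name"]}: {hit["username"]} -> {", ".join(hit["hosts"])}')
```

Accounts that were registered without ever being saved in the vault will not appear, which is why the commenters also keep watching the old inbox.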

True, they do have a "grip on people". I use gmail for my private email and I use Google Photos and Google disk for storage through a paid family account. I am considering a move to a European email and storage provider to avoid the almost moralistic TOS many US providers have to avoid liability issues, I just haven't decided which I should go for. It will come with a loss of convenience and that irritates me. The way Google have gotten me hooked to their walled garden.

Another benefit you get from using gmail is that it's so much simpler to give someone your email address. You just need to get the part before the @ correct, they won't misspell the Gmail.com. I moved much of my email to Fastmail with my own domain. However, when I rented a car earlier this week I gave them my Gmail address because it's just so much less painful especially since the clerk and I could barely understand each other with nearby noise and masks and plexi glass between us. Happens all the time.

I wonder whether we will see something similar to public utilities in the web.

Companies like Google would be required to provide a basic service to basically everyone and are required to go through a court before suspending accounts (or maybe just some core features).

On one hand it would enshrine their position in the market, on the other hand it would remove some of their ability to make arbitrary decisions with no recourse and no information why it happened.

Why would they need to go to court to shut you off?

At least in the UK utilities such as electric or gas only need to go to court to get a warrant to access your property to physically disconnect you - I do not believe the court process is about the disconnection itself, but rather the physical access to your home to physically cut you off.

For a digital service they'd just cut you off without needing a warrant to access your home.

But anyway, public utilities need to be paid for - I can't imagine people being too pleased to suddenly need to start paying for things like email or search (Google or otherwise).

Maybe a court isn't needed, but strict effective regulation is in my opinion.

That would probably involve payment but not prevent others from entering the market.

Where I am located there is one designated electricity provider who must service everyone (and is usually more expensive). People are free to switch if they want.

I feel like the free market is not doing particularly well in basic digital services like file storage or communication. While there is some competition on price, all providers reserve themselves the right to cut you off for no reason at all without due process. Their rules are intransparent and are enforced by dependent employees.

That's an interesting idea and it correlates with the idea of "the right to access the internet". Maybe we will see this happen through similar standards we have for bank accounts and money transfers, or even electricity as we have in many countries. I think at least some of the infrastructural services like storage and email should be regulated in one way or the other.

The telecommunications name for this is a "common carrier". The flip side is that they are only liable for damage they do and are held not liable for the things sent through their system.

No need to tie it to any specific company, tie it to user count instead. With increased reach comes increased responsibilities to society.

It's slightly more, but this is why I have stuck with Dropbox. Their only business is storage and it means they are less likely to do things like this. They haven't been in the news, that I have seen, about actions like this.

Google is a consumer hostile company at this point. Unless you have a friend with pull there, or make it a big enough news issue, the little things are treated with automated hostility.

Google isn't alone here, it's the result of very large companies being under regulated on the consumer side.

Dropbox has the exact same policies and procedures, they just don't have the same technical abilities that Google has. Quoting from their AUP:

"...you must not even try to do any of the following ...: ...

- publish, share, or store materials that constitute child sexually exploitative material (including material which may not be illegal child sexual abuse material but which nonetheless sexually exploits or promotes the sexual exploitation of minors), unlawful pornography, or are otherwise indecent;

- publish, share, or store content that contains or promotes extreme acts of violence or terrorist activity, including terror propaganda;

- advocate bigotry or hatred against any person or group of people based on their race, religion, ethnicity, sex, gender identity, sexual orientation, disability, or impairment;


We reserve the right to take appropriate action in response to violations of this policy, which could include removing or disabling access to content, suspending a user’s access to the Services, or terminating an account."

Quoting from their privacy FAQ:

"Examples of Dropbox processing your data in furtherance of its legitimate interests in operating our Services and business include:


- Investigating and preventing security issues and abuse of the Dropbox Services or Dropbox users."

It's not the rules, those are common, it's the lack of human after. When the automation goes wrong, how much effort is it to get a human and to fix the issue. Or how many other services are taken down too. Google as an identity provider means that other third parties/devices are down in the mean time.

The point is really, that these companies are so large that they should be much more regulated and treated like any utility. That means it is a legal proceeding when they want to drop customers. This may mean that people, gulp, pay for services, but they have chosen to intertwine themselves into too many places in the consumer landscape.

I wonder how much it used to suck when the power company wasn’t as regulated and would do stuff like “we detected illegal activity so we shut off your power.”

I’d like some balance because I don’t want Google and Dropbox to suck as much as my power and phone company. But do want some regulation around lack of due process and “bundling” where a YouTube comment can result in my GCP account shut down.

I disagree. Google has always been a consumer hostile company. The only "at this point" thing is: they have become worse at hiding it.

The only thing that changed was that there's now a notification sent to the user if the sharing of a file is restricted. Why is that deeply disturbing news? Seems like a strict improvement in usability.

What is disturbing is the reason they give for why they will do it. One thing is if the drive is specifically used for cyber attacks and other malicious operations over the internet, but they refer to these rules; https://support.google.com/docs/answer/148505 and they are extensive to say the least. On top of that this is yet another move from Google to declare their rights to control your content and access to it if you use their service.

sorry, maybe I misread your question. Did you mean to say that they already did this without any notice to users, and the only change now is that they will start to send notifications when they do?

Yes, this is not new. People have abused Drive to host illegal content and spam for years. They have been silently banned and removed. The fact that you rarely hear about it shows that they actually have a fairly low false-positive rate.

The only change now is that the file gets unshared, you get a notification, and can try to dispute the claim. This is a strict improvement.

Yes, that is exactly what the blog post is saying. It has never been the case that you could use Drive to just share files in an unlimited manner. They used to notify about this in the Drive user interface. Now they will also send an email notification in addition to that.

We need “dumb” infrastructure again, that you can simply pay for with few strings attached, where the provider cannot fiddle with things at all, leaving enforcement to other authorities.

We build roads; yes, those roads might be used to transport stolen goods but the road builder doesn’t get to sit there and inspect every vehicle (and accuse the wrong people sometimes and ban them from driving).

It’s just so damned complicated now and I don’t know how it got that way.

If the road builder was held legally liable for everything on their roads you can be sure they would do.

You can store your data encrypted. I use Cryptomator on top of Dropbox for keeping my personal files in the cloud and synced between systems. It works on any online storage that presents itself as a drive to your OS. You lose all of value-added functionality of the cloud storage application, though, like the web interface and the ability to share.

> You can store your data encrypted.

You can, I can (actually, I run my own file servers, even better).

Average person can't (won't even be aware they should). We could say let's educate people (yes, let's). But really, infrastructure should be neutrally available to everyone like roads or the old POTS network.

It can only be achieved through regulation, since these companies will always be self-serving at every step otherwise.

> You lose all of value-added functionality of the cloud storage application, though, like the web interface and the ability to share.

Only because you chose the wrong solution. ;-)

Look at Tresorit[1] instead.


Using "Swiss privacy" gets my hackles up. And what is with the website hijacking my back button? If I click on "Individual" at the top, I can't go back from that page.

Well it's a million times better than "I'm Dropbox/Google etc., a US jurisdiction company, with servers in the US, trust me (wink wink), I will never give Uncle Sam your data"

That's the thing, I'm not so sure that it is that much better.

Not going to happen in a world where linking to illegal content makes you legally liable for it. Instead of grousing about Google or AWS or Cloudflare, you'd be grousing about Comcast. And Cloudflare, because they'd still be in the picture, with all the same incentives.

Yes, this!

It’s because cloud should have been just custodianship of the data in order to funnel it into their application but it was all too easy for these companies to want to profit further by prying on the data, monetising the data, curating the data and ultimately taking control away from the owner of the data.

That "dumb" infrastructure still exists. You can host your own file server, either on your own hardware, or in the cloud.

Use of these consumer-grade cloud services comes with pitfalls. I see no utility in pretending that alternatives don't exist though, because they're pretty abundant.

> That "dumb" infrastructure still exists. You can host your own file server, either on your own hardware, or in the cloud.

Can you though? I would consider AWS "in the cloud" yet they will give you the boot if they disagree with you morally[0]. Same with Cloudflare[1].

So it seems even infrastructure-level cloud offerings are prone to moral arbitration. Hosting on your own hardware is the only option, but even then... I don't see any reason twitter mobs couldn't pressure Comcast or whoever is connecting your hardware to the internet to cut you off.

[0] https://telecoms.com/508138/aws-banning-of-parler-exposes-th...

[1] https://blog.cloudflare.com/why-we-terminated-daily-stormer/

> they will give you the boot if they disagree with you morally

I don't think this is accurate. They pretty much only ban you if you're exposing them to legal liability.

Comcast already regularly cuts users off for DMCA violations, many of which are supplied automatically by bots watching torrent trackers.


Your best bet is probably to pursue hosting in another country with better freedoms.

You could also declare yourself to be an independent nation and start a hosting company: https://en.wikipedia.org/wiki/HavenCo

But this is probably not your best bet.

The best you're going to get is different freedoms. Russia might have free speech for nazis, but not for Putin critics, for example.

Is there a source that breaks down this sort of stuff on your own hardware in a beginner friendly or at least explicit way? One hesitation I have to exposing something public that may not be secure, compromising my home network. It’s intimidating and holds me back, a bit.

I'll second this. I'm pretty techno-savvy if I do say so myself but I haven't the slightest when it comes to self-hosting and security concerns also prevent me from doing it.

You say this as if it is easy or inexpensive to do well... If it was why would the service even exist in the first place? Surely everyone would just do it themselves.

I also don't think you would be arguing that people bothered about WhatsApp or iOS tracking them should just create their own messaging app or mobile OS. The vast majority of software is not just difficult to do yourself, but almost completely infeasible. In fact it's hard to even think of any software I use regularly which I as an experienced software engineer could easily build myself, let alone an average user concerned about this stuff...

Even if it was open source, just deploying something as convenient as google drive is a challenge. i.e. something that works on iOS, Android and Web + has proper access management and has enough storage (including automatic backup).

lol at all the downvoting.

You're totally right. Depending on one's standards and expertise, yes, there are alternatives to the mainstream dumping grounds for your files.

The most basic is to just store files on external drives. This is what I do because, most of the time, I'm not actively sharing or using all my photos and downloads. I've scattered them between drives for well over a decade and only had a problem when one of my magnetic drives began to fail, but I ended up not losing anything. Even if I lost all my photos and stuff I really wouldn't care that much. That's why I can't be arsed to trust The Google or Zuckerborg or whomever with my files or using Dropbox. I'm more likely to wake up one day to be hard locked out of all my Google accounts than to lose anything meaningful because of physical on-premises storage.

There's also network drives, and plenty of off-the-shelf ones exist. My parents have one and it's exactly what you'd think; a device with a ton of storage that's accessible through a Dropbox-like web interface.

And if you're really geeky, you can hack together a way to shove files into S3 or whatever storage service of choice.

Yes, the average person won't have the motivation or wherewithal to do anything besides my first option, but that's really the kind of thing you'll always get by being average.

And obviously those who believe they need all the bells and whistles of Dropbox or Google Drive may also believe there are no practical alternatives outside of Silicon Valley Big Tech, in which case it's entirely up to them how comfortable they are with that. Personally, I would rather rely on services as little as possible.

I've again started using a usb-c thumb drive in place of google drive. It's extremely convenient and safe from big brother eyes.

Note that files can be restricted not just for violating ToS, but also "program policies"[0].

This includes files that are identified as: CSAM, Circumvention, Dangerous and Illegal Activities, Harassment, Bullying, Hate Speech, Misleading Content, Spam, Violent Organizations and Movements, and more.

Google further notes they "may make exceptions based on artistic, educational, documentary, or scientific considerations, or where there are other substantial benefits to the public from not taking action on the content."

[0] https://support.google.com/docs/answer/148505

Honestly surprised they weren't forced to do this earlier, Google likely already hashes files for deduplication or integrity checks, making it rather trivial to keep a database of known pirated movie hashes.

Obviously it can be easily defeated with encryption / changing the metadata, but it's so easy to implement I'm shocked they didn't do it earlier.

Google drive is commonly used for a backup of media or even a host of media when using rclone.

This is, suddenly, a FAQ for us.[1]

Many, many pre-sales conversations are now focused on whether or not we hash files or keep databases of file hashes, etc. Do we collude with other cloud providers to report file incidence. Or, for people who really have no idea who they are talking to "which cloud do (you) run on top of".

This was not the case before. I think the advent of 'rclone'[2] has created a lot of use-cases that very efficiently use (cheap online drives) and all the kids are storing their warez with it.

Yes, trivially easy to defeat with encryption and rclone has a very nice and simple workflow for this.

[1] You know who we are.

[2] https://rclone.org/

Wait for ToS banning 'double encrypted files' aka 'we encrypt your files on google' and user adding rclone or other crypt on top.

They have been doing it since at least 2017. I noticed it on my account with Game of Thrones episode and when I googled it at the time, it was a known issue. They didn't warn you like they do for virus, the files simply wouldn't show up when people opened the shared folder.

This came up on HN a few days ago with a similarly hyperbolic editorialized headline. Google has always restricted objectionable content from being shared on Drive, Docs, or wherever the platform has sharing features. Google is, obviously, not going to act as a free static hosting service for your malware and porn.

What's new is that customers with paid accounts are going to be notified when their content has been restricted from sharing. Before this change it was silent from the user's perspective.

Perhaps one should encrypt files before uploading to cloud services. Sure it destroys the possibility of webview for your data, but then you don't have to worry about situations like this.

Unless they decide that encrypted files violate their TOS.

Which should be a red flag not to use the service because they're collecting your data for any and all reasons.

This is your redflag

That's what steganography is for.

I've been using rclone+restic to back up files to my university-provided Google Drive, which has unlimited storage. Apart from occasional "rate limit exceeded API warnings", I haven't faced any issues so far. Wonder if that'll change with the new policy.

Cryptomator is a great tool for this.

If you use anything on a commercial basis with Google, go to small claims court without hesitation, and pull the answer from them rather than keep paying them to lawyertroll you on your own money.

Depending on your jurisdiction, small claim courts can actually shut down the binding arbitration clause.

In Canada, Google had a long history of losing by defaults in small claims

If you do this though; be prepared to lose access to everything you have in Google.

Yep - here's how to download your Google data https://support.google.com/accounts/answer/3024190?hl=en

> If you use anything on a commercial basis with Google, go to small claims court without hesitation, and pull the answer from them rather than keep paying them to lawyertroll you on your own money.

And be blacklisted from using Google products and services.

Yeah... We should probably have an anti-retaliation law for cloud services like we do for landlords and employers.

When google said they were no longer giving away free storage I bought the cheapest 100GB google one plan for $20/yr. Last night I saw the renewal email and cancelled it. After nearly 10 years of Google usage including drive, email, and pictures (I rarely take videos) I have only ~30GB. Almost 15GB of that is in drive which is a simple "my docks" kind of backup and dumping ground. I'm moving my drive stuff to a cheap VPS running OpenBSD. Then I'm going to remove all photos and video from 2-3+ years ago. Then I'll just use the free plan for photos and email for the time being. My VPS will do the rest.

You might still want to backup to a different location, given VPS's aren't immune to data loss. rclone with encryption works and ensures you are the only one with access to your data.



At home I have an actual server that's a secondary (Xeon w/32GB ECC running FreeBSD w/20TB ZFS). Likely just use rsync between them.

Why in god's name do so many people with even modest IT knowledge keep using this invasive dumpster fire of a cloud service with conditions like this one and others being piled on? There are so many affordable, secure and easy to use options on the web that trusting Google with your data seems absurd, especially considering how easily the company can simply permaban you for no discernible reason and not a human in range to dispute the matter with. At this stage, using any Google service is sort of like trying to expect decent customer service from the DMV and IRS rolled into one.


(A) it's a usable interface accessible by pretty much anyone [with a phone number, as of recent]

(B) it's cheap as you don't pay for bandwidth and storage is either $0 for 15GB or paid storage at a low-priced rate[0]

(C) all of that storage is geo-redundant and thus extremely unlikely to ever be lost, outside of Google terminating accounts (which isn't part of a lot of people's risk models).

0: https://one.google.com/about/plans

Which means:

- google reads all your files

- google judges your files

- google has an opaque, arbitrary, ever-changing list of things that can turn your files into a reason for locking you out

So, basically: s/your files/their files

If you're not using your own backup solution on your own hardware, located on your own property, you're failing IT 101.

Any cloud service can change their Terms of Service without notice, and those changes are almost always detrimental to customers.

Seriously, move your saved data in-house. Cloud drives are for ignorant consumers.

If you're using your own hardware on your own property you're probably failing resiliency 101.

We need a distributed volunteer backed free replacement. Is IPFS or gnunet ready for that yet?

Right, we need to trade a vanishingly small probability that anti-abuse systems at Google will flag your school photos as Al Qaeda propaganda for the much higher probability that your files hosted on an elaborate scheme operated mostly by 4chan users will be unavailable due to widespread malfunction, malice, and capriciousness.

No. We have to replace a service with incentives which are not always on the user side with something that is a distributed volunteer backed free replacement.

"We need a distributed volunteer backed free replacement. Is IPFS or gnunet ready for that yet?"

Or you could just choose a provider who respected your privacy and had a very long history of standing for freedom of speech and the rights of users.

If only such a provider existed.

If only ...


Very long history of breaking.

There are many replacements for tech savvy people, but few for people who lack the skills or time to futz around with configurations and installs and software updates.

Regular users need something that just works instantly and never needs maintenance. If it doesn’t just work it’s broken.

I hope it's not a violation of the ToS to use a front-end like Cryptomator -- https://cryptomator.org/ -- that encrypts files before uploading to Google Drive.

I never thought I'd consider going back to MS Office or LibreOffice... but the thought that my Google Account and all of my files are at risk by a company that has well known poor customer support is very scary.

Based on the comments I thought it was about pirated content. But it seems focused on the spamming issues. It also looks like they have been focusing on document sharing with the new look that shows Guests and Members in Workspace.

- I wonder how long it would take for your Workspace account to get shut down if you have 10 users sending mass document invitations?

- If a file is blocked from sharing, can I duplicate and re-share?

Does anyone use the service MEGA?

Remember, this means Google has already been scanning and collecting the contents of your Google drive. All they’re talking about is applying a filter to certain files they find objectionable. Even without this announcement, this could happen at any time. If one day something you own is found to be illegal or objectionable, Google may delete it without notice. At worst, they may report you to the authorities.

How on earth is this seen as surprising? It's their servers, they can read anything you upload, I thought this was common sense part of the bargain.

Being able to read the data you upload is different from doing it automatically and en masse, and then applying rules and filters to that data.

As with many topics, this should be self-evident to many HN readers, but I doubt it is obvious to most users of Google Drive.

Automatic monitoring should also be obvious at this scale. Also I am sure non-technical users also understand what it means to put up something on someone else's website.

Google is upset because they're using Google services for advertising without paying them :)

Use MEGA for cloud file storage! It's wonderful and easy and zero-knowledge!


Syncthing is also another great option. A little more setup, a little more control, significantly less trusting.

"Available to all Google Workspace customers, as well as G Suite Basic and Business customers"

So this isn't general Drive, only the paid for version? ie to prevent businesses from having employees with these files on their company Drive?

oh they're removing files that violate their rules. my brain initially read this as removing files which download the uploader's tos, which is dystopian but in a much cooler way

same prediction as always, moderation is an ecosystem that requires transparent enforcement and dispute processes.

new moderation norms will bend the economics of social media towards the reddit model: small communities, moderation primarily provided by 'community owner'.

Platforms provide a layer cake of less frequent 'nuclear option' bans on top of that -- platforms deplatforming communities so their host doesn't deplatform them.

Yikes. It's been said several times, don't use Google for anything important. The minute something goes wrong, you're so SOL and they literally could care less.

Next is email, including ML attachment policing

This is great, afaik Google Drive stuff is a nightmare for SOCs as they don't want to block the whole domain.

One easy to block is storage.googleapis.com... Regularly used to host malware, but legitimate users generally throw their own domain in front of any usage of that service.

No don't do that, this is exactly why IT/opsec is hated in organizations. False positives.

I have so far seen a single instance where a legitimate organization sent someone a storage.googleapis.com URL. I have seen literally hundreds of phishing emails do it.

Which is to say, the problem is organizations using storage.googleapis.com URLs, not organizations blocking them. And probably Google should be doing a better job policing content on their content domains if they don't want them to be blocked by default.

(Similarly, all Chrome Web Store extensions should be blocked by default, with an allowlist for requested and vetted ones... there's simply too much malware to default to anything else.)

I'd love to block Google Drive by default too, but there is enough legitimate use that at present that would cause too many false positives, and it's a balancing act.

> Which is to say, the problem is organizations using storage.googleapis.com URLs, not organizations blocking them.

Blocking this domain definitely isn't common, at least not in large organizations. Several of my company's B2B apps use Google Cloud Storage (it's just Google Cloud's version of S3) and have always used storage.googleapis.com/bucketname rather than bucketname.storage.googleapis.com. (AFAIK it was the default URL format shown in their documentation when I last looked at it years ago.)

We've had to deal with overzealous corporate web filters now and then - comes with the territory of B2B apps - but I've never heard of storage.googleapis.com being blocked. It'd be pretty straightforward for us to change it if a customer had trouble, but we'd probably gently push back and ask them to whitelist the domain before doing so.

I would say in my professional experience, I've only once seen someone legitimately directly need to pull content through storage.googleapis.com (whether bucketname.storage.googleapis.com or not). My assumption is public-facing entities tend to serve content via their own domains to end user clients.

I'd be comfortable whitelisting a bucket subdomain, but as I said, it's only come up once, so we worked around it the one time. And I've blocked a lot of phishing sites this way. I'd highly recommend large organizations follow suit. :)

Why don't you use a vendor that provides the concrete URLs as IOCs to block?

That's fine for blocking malicious content that's already been reported. But if there's no legitimate need to allow the domain, why not block it entirely and prevent even being the ground zero for a new URL?

If my organization is likely enough to be targeted intentionally, the chance of having an attack directed solely at my organization (and hence, likely a URL not found by other parties already) is much higher as well.
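The bucket-level allowlisting discussed in this sub-thread (block storage.googleapis.com by default, permit only vetted buckets in either URL form), as an added example that is not code from any commenter. The bucket name `acme-b2b-assets`, the sample URLs and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

GCS_HOST = "storage.googleapis.com"
ALLOWED = {"acme-b2b-assets"}  # constructed: buckets a vendor asked to have allowed


def gcs_bucket(url):
    """Bucket addressed on storage.googleapis.com, '' if the URL is on that
    domain but names no bucket, or None if the URL points at another host."""
    if "://" not in url:
        url = "//" + url  # scheme-less URL pasted from a mail body
    parts = urlsplit(url)
    # .hostname drops userinfo and port and lowercases, so
    # "storage.googleapis.com@other.example" resolves to other.example.
    host = (parts.hostname or "").rstrip(".")
    if host == GCS_HOST:
        # Path style: storage.googleapis.com/<bucket>/<object>
        return parts.path.lstrip("/").split("/", 1)[0]
    if host.endswith("." + GCS_HOST):
        # Subdomain style: <bucket>.storage.googleapis.com/<object>
        return host[: -len(GCS_HOST) - 1]
    return None


def verdict(url, allowed_buckets=ALLOWED):
    """'allow' for vetted buckets, 'block' for anything else on the GCS
    domain (default deny), 'not-gcs' when the rule does not apply."""
    bucket = gcs_bucket(url)
    if bucket is None:
        return "not-gcs"
    return "allow" if bucket in allowed_buckets else "block"


if __name__ == "__main__":
    for sample in (  # constructed sample URLs
        "https://storage.googleapis.com/acme-b2b-assets/app.js",
        "https://acme-b2b-assets.storage.googleapis.com/app.js",
        "https://storage.googleapis.com/some-other-bucket/login.html",
        "https://storage.googleapis.com.mail.example/acme-b2b-assets/x",
    ):
        print(f"{verdict(sample):8} {sample}")
```

Matching on the parsed hostname rather than a substring keeps lookalike hosts and userinfo tricks from inheriting the allowlist entry.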

so people doing more creative writing will not really be able to rely on it for collaborative editing etc. as those are the users more likely to write something that will look like a violation.

What would be a good collaborative platform for creative writing?

Aren't we even scared anymore by the fact that google is inspecting our files?

How is this going to be effective if files are encrypted and with no discernible name?

I’d place bets that >99.9999% of files on Google Drive are not.

Yes, but aren't the abusers now going to do exactly that?

Perhaps it may surprise you to learn that many "bad actors" are rather stupid. This is one of the few large advantages that defense has over offense in security matters.

You could try to express yourself in less condescending ways, it should have a positive outcome, on average, in interactions with people

Meaning Google has access to all of the files stored on Google Drive, including and not limited to:

- your business secrets

- GDPR data that you legitimately have

This is exactly why I do not use Google Drive for anything business critical.

You're right. That's been my argument against trusting "the cloud" (i.e. somebody else who actually owns the computers on which you place all your precious trade secrets and personal business) for the past 15 years...ESPECIALLY when there is no clear agreement or customer/vendor relationship, and they're doing it for "free".

Note that client side encryption changes this https://support.google.com/a/answer/10741897?hl=en.

Is that a surprise to anyone? It's literally a service where you upload your data directly to their servers. Businesses have contracts with other businesses to protect them against particular kinds of abuse of this data (e.g. google stealing business secrets, or leaking personal data as defined by GDPR) and google sticks to these because businesses would lose trust very quickly if they didn't respect the contracts they have.

It is a giant surprise to many managing directors and other people who are not that technical.
