Ask HN: Gmail account security
1508 points by caseyf7 on Jan 23, 2022 | 774 comments
I have a gmail account that I rarely use, but I know the password. I enter it correctly and get the following message:

You’re trying to sign in on a device Google doesn’t recognize, and we don’t have enough information to verify that it’s you. For your protection, you can’t sign in here right now. Try again from a device or location where you’ve signed in before.

Even if I get the code from the recovery email account, it won't work. Is this the AI hell Google throws you into if you get a new phone and computer in the same year? Has anyone else on HN run into this and found a solution?

Once upon a time I worked at Google.

I returned to Austin to visit old friends and took the opportunity to visit the Google office there. The Googlers sitting around me were primarily corporate sales.

They weren't getting any corporate sales calls at all as far as I could tell, but there was one extremely irate user who was locked out of their GMail account and was repeatedly calling them because they were the only human beings at Google the user was able to get in touch with, via something like "Press 3 for Corporate Sales." Of course these poor Google corporate sales people had absolutely no way to help this user even if they wanted to. Google literally did not have any GMail account phone support (at least at the time).

I could hear the poor guy screaming through their headsets about how he paid Google something for some service and was entitled to phone support and he demanded someone help him, but they just kept saying, "This is corporate sales. We do not offer consumer account support. If you want support, please visit the Google Support Forums at www dot..."

After they hung up on him 3 or 4 times, eventually a manager got on the phone and told him (between his screams), "Look, you're not getting any phone support because it doesn't exist. There's nowhere for us to transfer you. There's nobody who can call you back about this. Your only option is to search the forums for an answer to your problem. I am going to terminate this call now. Sir, I'm going to terminate this call. No, we can't help you. Nobody at Google can help you. I am terminating this call now. We asked you to stop calling this number. Do not call us again. <click>"

I'd frequently tell my co-workers, "If you're not paying for it, you're the product." That experience underscored that notion for me.

Even when you have paid Google products that come with support, it is really awful. They once asked me to submit a business case justifying how answering my support question benefited Google. Just a simple clarification of something in their documentation. I was already under pressure to migrate to Office360, I stopped fighting after that.

My employer is a huge AWS user and Google is constantly chasing us with a treasure chest of free credit to migrate over, their prices are significantly cheaper, but everyone agrees it’s worth the premium to stay with AWS simply because they answer the phone.

(If you have never used AWS’s enterprise support, those guys are worth every penny.)

I've first-hand experience with managing a google workspace (50 users) and an Azure AD (30 users). With google workspace, the chat is two clicks away and the guys know their stuff. With Azure AD, no support, no chat, except "here is a list of consultants in your area that provide support". And I pay twice as much to microsoft ...

I work at a company with >1000 google workspace users.

That's enough that someone at Google will acknowledge what you're reporting is a bug on their end, and that they can reproduce it. But it's not enough to get the bug fixed.

The support may be good if you're asking questions they've heard before - or if you need something like an account lock reset, which the support folks have a button for. But if the problem you're encountering requires a code change? Not so much.

(If you're wondering, the bug is "in Google Drive, users with third-party cookies disabled get stuck in a redirect loop when downloading files or viewing videos, as the cross-origin request to googleusercontent.com attempts to redirect to get an auth cookie that never arrives")

I’m sure that in the mind of Google they are doing a favor by letting us give them money, wanting support is just ungrateful. Wanting a bug fix is just obscene. They have 150,000 PhDs, aren’t we bold to question them!

This stems from Google not being a service company. Support for products is mostly like this. You can submit a bug report but that does not mean they will help you.

We have a saying here that goes something like "don't buy pizza at a burger joint"... Don't buy services from an advertising / products company.

> Don't buy services from an advertising / products company.

I will remember this. Thanks.

Turns out, having a PhD is a negative when it comes to closing bugs.

> I work at a company with >1000 google workspace users.

> That's enough that someone at Google will acknowledge what you're reporting is a bug on their end, and that they can reproduce it. But it's not enough to get the bug fixed.

I will try to remember that the next time I deal with an open-source project, either as a user raising an issue, or as a project contributor helping solve such issues.

Often, we do not realize how lucky we are that contributors to open-source projects help fix the bugs which we report.

That must have been fixed. I got a message to enable third party cookies for drive.google.com. Even with a link to docs on how to do it iirc.

I just tested, and it's not fixed.

I hesitated to post this comment, another anecdote with zero recourse... Then realised the fact I hesitated is more concerning.

Google hold too much control over the internet and the majority of internet users' lives, to the point where it's almost authoritarian: They can screw with your personal life and potentially your business without any recourse, causing effects such as the one I just experienced. I'm not suggesting some large conspiracy against those who oppose Google's effect on the web, and many of us will continue to complain openly and loudly about them because that is our culture. But the effect their position has on freedom of speech is still present, it's a natural instinct, it increases the chances of a large portion of the population remaining silent out of personal fear - and that is concerning.

> Even when you have paid Google products that come with support, it is really awful

Once I subscribed to YouTube Music (paid!) family plan, but my wife's account would always say that she is in another country and can not join the plan. I tried everything - the support never even bothered to reply to my emails. I cancelled the plan and since then I keep seeing the same ads for the premium service every time I open the YT mobile app.

FWIW I had the same problem a few months ago, and they did eventually sort me out. This surprised me, given Google's reputation. I was on the 1-month "free trial" membership, and always planned to switch to the single-person membership if they didn't get it sorted out, so I wasn't really out any money during that time.

(And in fact, what actually happened was they hadn't sorted me out by the time the free trial was up, so I cancelled it and switched to the individual membership. They managed to get things sorted out a week or two after that, but I'm still on the individual membership; my wife just shares my account ID.)

I can second that. Lots of G services think I'm in another country (Spain specifically), so the sites load in Spanish by default, along with other minor headaches.

I work for a small company and we used to use AWS. I think their support sucks. Especially since there are no group accounts and the bills went to another person's account that ended his job at the company.

I had to log in to both mine and his account in order to complete my support request or they wouldn't help me. When I called them it was like any crappy Indian support team which I barely could understand.

Compare that to DigitalOcean for example, there you can actually group resources for an org and their support is actually knowledgeable about their products and can answer questions even about implementation details. Also, you don't need a PhD in order to understand the UI which is a great plus.

> They once asked me to submit a business case justifying how answering my support question benefited Google.

I find that extremely difficult to believe without more context. Google support isn’t that bad. I’ve had a mediocre-to-good experience with it over the years.

With that said, while I agree that aws business and enterprise support is worth the hundreds to thousands of dollars a month, so is the five bucks a month for a google workspace account that includes support.

A few years back I wanted to call them but didn’t find a number. How do you contact Google’s support?

If you have a google workspace account and need google support, you can go in the admin console, help section in the top right, there is a contact form with phone and chat options.

What if you can't log in?

Then there's this magic link: https://support.google.com/a/contact/recovery_form (calling it magic because it's not very obvious how to find it; I had to look it up in the HN comments)

Can confirm. Despite strong reservations about moving from one behemoth to another, the support from Amazon has been light years better (both on the consumer side and AWS). Embarrassingly better.

> Google is constantly chasing us with a treasure chest of free credit to migrate

The only item in Google's business playbook...

You are actually pointing out a tremendous opportunity that Google has internally and externally. I work at Google and recently tried to file a bug about the calculator embedded in search. It was dastardly difficult to find how to file the ticket. It took me maybe an hour. A better system for filing tickets internally and for filing and triaging tickets from external users would be a tremendous asset for Google.

I guess this is why Amazon is playing the long game with their obsessive focus on customers. I don't know how that really plays out where the rubber meets the road but that's what Jeff bezos always keeps talking about.

It plays out with Amazon absolutely crushing Google when it tried to be a consumer marketplace, and even trouncing Google at providing web infrastructure services.

If, somehow, an antitrust ruling split ads from the rest of Google the non-ads remainder wouldn't last more than a few years.

Alphabet as a whole is an organization built by the immense money that comes from monopolizing digital advertising (through some very... unscrupulous means) and then run by people deluding themselves into thinking they can do anything else. There's a reason everything is "killed by google" - I'm not exactly sure anyone there knows how to do damn near anything that isn't propped up by investor hype and the money they make from ads and other strictly profitable ventures such as GCP. Alphabet only has the ability to do immensely stupid things because their core business gives them damn near infinite money to play with.

You are 100% correct in that ads are the ONLY thing propping up google as a business. This is probably a very bold prediction, but I think that when money starts getting more expensive, when rich billionaires are more reluctant to just throw money at inane, borderline speculative bullshit, there will be a massive hemorrhaging of unnecessary business. And maybe this is a little out there but... you know how YouTube doesn't actually make any fucking money?

Interesting things to think about for sure.

The YouTube thing is false as of a few years ago. If you have noticed, they've crammed it full of ads.


I think it's projected to earn 20 billion this year.

Thanks for this. I've heard recently that, in its current form, digital advertising is extremely overpriced and propped up by misleading metrics [1] and might take a downturn in the future, but I also don't really know much about it and at that point it's just speculation.

[1] https://hbr.org/2021/02/what-digital-advertising-gets-wrong

Not sure about that... It could be a blessing for the tech community if that happens. Let's consider 3 parts: Ads, Cloud and Labs. Alphabet could fund Labs as a research arm (basically what it is anyway, with all the exploratory projects) and could likely see a revival of the golden days of Bell Labs, Xerox PARC, etc.


I am locked out of my (10+ years old) account for almost two years, due to "security reasons" (I have valid OTP so I call this BS and my credit card has changed in between so the account is useless for anyone), they want me to call some number in states, but I am not giving my phone number away, which is also the reason why I don't create new account.

I have calculations, in last two years I have bought 4378 EUR online. This could be collected by Amazon - but now it isn't.

I am still waiting when they will come to their senses and figure out that locking out users (especially if they made quite a few purchases) longer than few months is counterproductive.

Meanwhile they are losing money they could earn. Good job.

I'm not sure how you came to be in this unfortunate situation but this is one of the reasons I purposely memorize my passwords rather than store them in a password locker or Auto filler that I could lose access to. I guess if I lose access to my brain I'm not going to be worrying about what I might owe for those instances that I never killed on that cloud service.

Just use a phone number from a service like temp-number.org. After logging in you will be able to remove it from your account.

I worked at both Amazon and Google. It was only at Amazon where I was exposed to the Craft of software development. Personally, I feel there is a nuanced difference to the role at Amazon being SDE ( Software Development Engineer ) whereas Google is SWE ( Software Engineer ). It's almost like Google thinks Software Developers are lower tier than Software Engineers, but I'd like to think of myself as doing more than just engineering and tweaking things which already exist.

The team I was on at Amazon every line of code felt purposeful. At Google it's just Java charades. One time we were propping up a new micro service that received data from one data source, transformed it to another data source. That's it. No other API calls, no algorithms, no design patterns, no filtering, just deserialize/serializing/renaming fields between two data formats 1:1. It's literally a few dozen lines of code. I was the project lead and was likely going to be sole person responsible for it, and I proposed it be written in Go. It took me 2 days to implement it in Go. Our manager wanted it rewritten in Java, because no one on the team knew Go and in his opinion would want to learn Go. The Java rewrite took a month to get to an MVP "Hello World" state, and another month to calibrate the codebase with the rest of our projects. It takes days to learn Go, less than a month to be well-versed in Go's standard library. Its package management is simple but also sane. Years working with Gradle and there is still weird stuff popping up every so often. The microservice depended on some Google "public" client libraries. At least with the Go libraries it's feasible to read the entire source code and flesh out things on the edge of documentation. Go's limitations also means code tends toward being idiomatic and standard. Besides the Maps API and some GCP products that receive attention, most of the APIs/libraries feel half-baked for external consumption. Documentation is a big piece of it. I'm not sure what the state of AWS documentation is nowadays but, on my Amazon team, we were co-developing documentation and code in unison, like how people iterate between test/code.

At Google, documentation feels like an after the fact dread so that a bunch of suits ( dressed in jeans and t-shirt ) can green light the project and sign off on a laundry list of due diligence of "product excellence". The final product is documentation that centers around a Hello World, but after that you're often not sure how to proceed. You're instructed to run a bunch of commands serially without much context, basically the fish, but you didn't really learn how to fish. Beyond this imperative 'Hello World' style documentation is nuanced callouts and notes for some esoteric cases for exhaustive coverage purposes that is just really distracting for 99% of clients. Basically don't sue us, we made sure to mention it in documentation. I've worked extensively with the Google Cloud documentation org, and they are really problematic. Google is usually too nice ( or maybe it's just the game dynamic of everyone having cushy job ) to fire people, whereas Amazon would go in a "different direction". I don't see this documentation problem going away until there is leadership who isn't afraid to fire people, which is also unlikely to happen as the well intentioned engineers will quickly rally to dispose of this style of leadership. One time the documentation org held a session for internal developers to provide feedback because clearly documentation is not serving the customers. They were shutting down every idea and interrupted in mid-sentence, only agreeing with things that confirmed/supported their agenda. Then working 1:1 with members of the documentation team to launch a product, I realized the individuals also succumbed to selective hearing. They're like recruiters who just scan for buzzwords like 'REST', 'HTTP', and so Google documentation has random sentences explaining to technical clients of a specific technical API what REST, HTTP, gRPC is. 
The intended audience are paying clients, and I'm not talking about hobbyists, not students who are not familiar with cURL yet, but the documentation writers are effectively the latter. I admit, the documentation staff write more fluid English than I do, but what's the point if they introduce a bunch of superfluous, sometimes even semantically meaningless, sentences wherein readers of documentation can't discern the forest from the trees? It became a second job for me to revise the documentation, and my manager wasn't supportive nor appreciative of me doing this non-engineering work. That's when I started planning my resignation. If Google is serious about cloud and developers, the problem can be solved by paying actual engineers to write documentation.

Code Review at Amazon felt constructive with the user in mind. Code Reviews at Google felt reductive to the pet peeves of the reviewer and minimizing conflict. On that team at Amazon, performance was actually a priority. I actually felt like my Computer Science degree was put to use, but not in a pretentious, ivory tower, scratching your own itch/ego kind of way. The latter opportunities are more common at Google. The Amazon team built their own dependency injector and markup language, not because it was something to brag about, but it was solving an unmet need at the time. HackerNews never forgets about the long list of products Google abandons, but there are also the projects that are dead in the water. At Google, I was adjacent to a team reinventing HTML but defined in YAML, with less functionality and composability than HTML but implicitly requires you to already know HTML. Probably 10,000 humanhours were allocated to this project. The team are exclusively from infrastructure backgrounds. No one wants to say this, but there is a belief, at least based on my impression of Google hiring practices, that backend engineers have higher aptitude, therefore you can train them to be frontend engineers. I don't think this is true. Ironically, when I interviewed at Microsoft they actually asked me interviewing questions requiring browser APIs and interacting directly with the DOM. When I was the technical interviewer at Google, asking candidates such practical questions rather than Leetcode-style problems tripped them up way more. On the Amazon team I worked with, everyone's first programming language is JavaScript. We directly fiddled with the DOM which goes against all the modern web framework abstractions, VanillaJS, native browser APIs, minimal transpiling for compatibility. This was code 1-degree removed from the user and, ironically, as we were fiddling with the DOM and exposing ourselves to all the dangerous state, nothing bad happened. 
Then again, we sent people to the moon with much less. At Google, I felt n-degrees removed from the user, while standing on top of many more abstractions and yet in many product areas besides things like Search, 99.5% felt good enough, whereas at Amazon I truly believed in 99.999%. On the Amazon team we leaned on Prototypical "inheritance" and embraced JavaScript, rather than trying to fight it, shoe-horning in Java style Classes, because Google ultimately is a Java shop. Angular has singletons, factories, and other symptoms of people exercising their extensive knowledge on the design patterns in Gang of Four. Meanwhile at Google, I saw triply nested for-loops that I refactored to linear time. It wasn't really appreciated, because on the grand scheme of things, Google focuses on being planet scale, which might explain why SMB / hobbyist support for GCP is mediocre. Indeed, Google infra and internal tools are the best. Possibly even over-engineered where there are diminishing returns, possibly inflecting down on productivity because the tools handle too much for you that you are now responsible for knowing its extensive features and capability set. There's always someone who knows, but you gotta make sure you've done your research before you come to them without extensive due diligence. At other places I've worked, including Amazon, I think there is less anxiety in knowing that you don't know and ignorantly reaching out for help because we're all fools anyways. Google has publicly mentioned that they found no correlation between academic GPA and job success, but I'd bet there is a high degree of imposter syndrome. In practice, Google still selects for the academically excellent, where from an academic and school setting you are expected to know the "right answer", but software engineering is an art not a science.

Products, however, are a different story. I am back in school, and the school decided to use Google Classroom. This thing has a 1.5/5 rating on the Apple app store. I'm curious how many people work on it. I apologize if it's a lone developer. But I wouldn't be surprised if this was a team of 3-4+ engineers, a product manager, a manager, a UX designer, a UX researcher. Google Classroom, at least in my school's usage, is just a feed of posts. A Facebook group would have sufficed and been much better. I'm imagining there's a sales team for Google Classroom. At least Google's improving on the non-search/Ads business front.

I'm a developer and a school admin, so I can comment on the Classroom point, at least: It is so comically clear that Classroom really was someone's clever idea to simply take existing Google Drive APIs and then create an LMS-like environment using that. Taken like that, it's actually brilliant and super clever.

The not-so-brilliant-and-clever part is that by virtue of being free and Google having so many schools captive with free GoogleEDU + Chromebooks, this is something running millions of kids' schooling, especially now during COVID. But it seems, at every indication, to continue to be someone's pet Google Drive API project, so you see some insane feature omissions because it is clear it would probably require some sort of actual original development work besides the very minimal UI and overhead that Classroom provides. I need to tread lightly, though, 'cause I've made decent money (and had fun) implementing quite a few of these for my own school, but every single time it's been clear to me that EVERY OTHER SCHOOL IN THE UNIVERSE would also want/need things like that.

I'm also a developer and an educator using Classroom for a small class. Your insight makes it crystal clear why I always thought that Classroom was completely insane, to the point where I was wondering why nobody else said anything and maybe I just wasn't "getting it" - no, it's because it's basically a clever hack that's a Googler's side project (that maybe now has a small team around it).

As a fun exercise, I'd encourage you to peruse even their apps script APIs and see how quickly you can actually get something like "google classroom" up and running for yourself, minus some of the UI candy. Truth-be-told their documentation and what they expose to you is pretty rich, and along the way you then start seeing exactly why "Google Classroom" things are the way they are hehehe.

This is enlightening.

I do see they have a marketing / landing page which makes me feel there is a product charter beyond half-a-SWE: https://edu.google.com/products/classroom/

Awesome informative answer. Thank you so much! This is like the kind of nuanced, detailed thing that would be good to see on Glassdoor.

Thanks for the insights! Surprising that Go met resistance internally at Google, considering that Go is created by Google and that Google have been sued by Oracle for using Java in Android.

It's a bit ironic that you're bashing Google and praising Go in the same paragraph, never mentioning that Go is designed and supported by Google.

I think that was part of the point. Google made Go and then when OP wanted to use Go, their bosses said “use Java” (and took a month to do something that could be done in a few days)

I disagree with OP on this. Their boss in my opinion made the right call. I'd say for a few reasons:

1. Why did OP do this without talking through it first?

2. Introducing a new language to a team is not some small decision, and IMO typically not a good idea

3. Why would it take a month in Java to do what takes a few days in Go?

4. If it made this one task faster, the burden it will put on the team in the future can be bad in the long run

Perhaps the team would benefit from a move to Go (I doubt that), but it should be something that is planned. Otherwise, they'll have "that" one thing that is written in a language that no one on the team really knows.

> Their boss in my opinion made the right call. I'd say for a few reasons:

Well you don't have enough context to say it was the right call.

> 1. Why did OP do this without talking through it first?

I was tasked to prototype / MVP / "tracer dart" and prove that it was feasible. As proven, it took 2 days in Go. If it was done with Unix commands, the pieces can be jumbled together in a day. The point was having a self-contained "documentation via code" example of the exact business logic in such a program. The same can be achieved with a shell scripting language, but it wouldn't have been as readable. Go is about readability, which is exactly the reason why it was invented at Google, because Google prioritizes readability. Java is readable if you know what idioms and style it's in, but it's also verbose, which is distracting. One, communicating with the source and sink. Two, get an initial picture of nuances in the Protobufs and data format. It happens to be that the Go prototype was 85-90% close to a final solution. In Java, after being able to actually bundle and consume the libraries had undocumented idiosyncrasies. Java is more powerful and thus more flexible, so a Hello World solution could be in the wrong direction. You have options, no pun intended, on how you handle async.

> 2. Introducing a new language to a team is not some small decision, and IMO typically not a good idea

There were already half a dozen programming languages in the team's codebase, including a Go server which we inherited. So in effect, we should know Go anyways. As much as Google is a Java shop, engineers are polyglot and not hired for a single language, in theory.

> 3. Why would it take a month in Java to do what takes a few days in Go?

The language itself. Async code is verbose. Opinionated debates over variables should use the keyword final. Debating whether to use inheritance, delegation, function, or whatever composition / code-reuse pattern. It's been empirically shown Java programs are more verbose than other languages, both in tokens and in LoC. Complexity and entropy don't scale linearly, either. This is reflected in both client code and library code, which in the case of Google for many libraries is stale and misleading. One such library is authentication. For Java, Google has multiple competing libraries, or you can carve authentication features out of another feature library, but that is wrapped around and pegged to an older version. Something like JavaScript, there are 3 public sets of documentation on OAuth2 in JavaScript, and like 2.5 clients. With Go, there is a single canonical version, and so just figuring out what library you should use is a fraction of the troubles.

Then there is the ecosystem as a whole. You have options for logging library, and getting Gradle and the building system to pull in the dependencies, especially when you are on internal networks, is one thing. Aligning the Gradle build to be consistent with idiosyncrasies of the team's existing codebase is another. You can do inheritance with Gradle, and that's what was involved to be "consistent", because copy-and-pasting code is a no go.

> 4. If it made this one task faster, the burden it will put on the team in the future can be bad in the long run

That's a strawcut. What you are referring to is taking shortcuts, choosing a suboptimal solution because it saved time. Go was purpose built for middleware and microservices. It was the tool for the job, independent of how long it took to build the MVP. Beyond that, less code is always better. If there was less code needed to build it, there is less code to maintain.

Google cares about code readability. This is exactly why Go was invented. Go is built as a readable language. Readability is what engenders low maintenance cost burden.

> Perhaps the team would benefit from a move to Go (I doubt that)

No, it was not about a wholesale migration to Go. It was about using the right tool for the job, in one specific microservice, instead of having the Java and turning everything into a nail. Imagine if a company was a PHP shop and said everything had to be written in PHP. Frontends, backends, MapReduce jobs. This is the whole point about federating to microservices instead of monoliths. Or JavaScript, JavaScript everything. Hey, that's not bad, Coinbase was built solely on JavaScript. The argument might make sense if this was an esoteric language or a Lisp, but this is Go, which is, in theory, an official programming language at Google.

Thanks for adding more context.

You do seem to be making assumptions and having expectations on how the team and how Google should operate. Regarding Java, I don't find the claims that Java isn't as good as Go compelling. For you, sure, but to make general claims is silly. There are many successful companies and productive developers using Java.

There are probably companies that are very productive in how you would want to pick and choose languages based on the problem. IMO, the language choice is not all that important, though I do think PHP, JavaScript, and similarly poorly designed languages are probably a hindrance (but again there are many successful companies using these like you said, so I think that's convincing that the language doesn't really matter all that much).

It could be part of the point but it does not sound like it.

It could say - Google is bad in that and that BUT it has Go. Or it could say - Google designed Go and is interested in its adoption BUT its own managers don't think that Google developers want to learn Go.

But instead it says that Google documentation "does not teach you how to fish" and "you're not sure how to proceed" and at the same time Go somehow gets away with it - "At least with the Go libraries it's feasible to read the entire source code and flesh out things on the edge of documentation".

> It could say - Google is bad in that and that BUT it has Go. Or it could say - Google designed Go and is interested in its adoption BUT its own managers don't think that Google developers want to learn Go.

It's implied. In fact, Go is an "officially" supported language, meaning there is a dedicated team to maintain tooling around the Go ecosystem, sweep for security issues, keep "runtimes" (in this case the compiler and binaries) up to date.

> But instead it says that Google documentation "does not teach you how to fish" and "you're not sure how to proceed" and at the same time Go somehow gets away with it - "At least with the Go libraries it's feasible to read the entire source code and flesh out things on the edge of documentation".

If documentation is going to be equally bad either way (that's something I've resigned with), then all else being equal the library implementation which is easier to read would be preferred.

That said, Go being idiomatic also means generated documentation is more standardized. Java has JavaDoc, but that's not enforced or culturally as consistent as Go.

Interesting take. It sounds like you really dislike Google. It also sounds like your manager had something to do with it. Perhaps it was a lack of promotion?

Since you’ve worked at both, do you have an opinion on why protocol buffers aren’t more widely adopted than json?

> It sounds like you really dislike Google

Google's great if you want a high standard of living and being pampered. Not the highest pay, but it's more relaxed.

Also if you have a PhD. Google could be a research playground for you.

Everyone at Google is or appears nice. I had a slightly mean team lead at Google once, but he's been always my favorite. Highly technical, no BS, little patience when I wasn't hyper focused. One of my coworkers at Amazon wasn't nice, and just confronted me with feedback that I should show up exactly at 9A.M. I appreciate having honest and direct feedback like this, and this is where I grew the most. I don't think I ever received negative feedback at Google, even though I probably should have. Some people prefer environments where everyone is perfectly nice and happy all the time. I think I would like Google more if we didn't sugar-coat things. That would prune products and people who are deadweight, even if that possibly means me. I respect the Finance industry to the degree that they do not mask their profit motive.

> It also sounds like your manager had something to do with it.

Of course. People leave managers, not companies. That said, the managers are part of a system. I did shop around for other teams before I left, but they were all boilerplate CRUD work. CRUD work's also fine, but the value of these projects to users was not clear to me.

> Perhaps it was a lack of promotion?

I'd say that is a symptom, not the cause. It's about being appreciated and having your work understood.

> do you have an opinion on why protocol buffers aren’t more widely adopted than json?

I think some people dwell on the performance difference. I think adoption boils down to ergonomics, ease of use, and tooling. Within Google, there has been significant investment in internal tools/libraries around Protobuf especially Java. For something like Protobuf, it's not broken, why fix it? People at Google are familiar with Protobuf. The outside world is familiar with JSON. When I was at Google, I launched a gRPC/Protobuf API but our clients had significant hardship onboarding. I think this is within the theme of externalized Google tech being inferior to the internal version solely from the aspect of ease-of-use/documentation.

Until TypeScript came around, I think an argument can be made against JSON as lacking type safety. I used TypeScript when it was still in Beta and felt Google was reluctant to this. It doesn't help that TypeScript was pioneered by Microsoft. To be fair, at the time people didn't trust Microsoft. I mean, people were trusting Chrome more than IE for good reason. Once people actually give TypeScript, I think it's a no brainer

Thanks for the detailed posts. This can be useful for ppl considering applying there.

I work for Elastic for the last 6y or so and I feel I’ve been lucky to have managers who cared (for customers, also for the team), provided actionable feedback, and put me in projects that lined up with my strengths and interests. I feel a lot of that is encouraged by the company culture, but esp two individuals I have in mind—I think they’d behave like that in any other company (or burn out quickly).

Would you mind sharing if this was SV or some other region? Do you know if this would be a “general” culture for Google/AWS, or limited to certain teams or offices?

https://issuetracker.google.com/ is supposed to be it, but if it were completely open and easy to use I'm sure they'd need a dedicated moderation team just for filtering the issues. The knowledge and dedication barrier is a frustrating but mostly effective way to weed out those with non-issues or issues that really don't affect them much (however humane you believe that is).

I mean yeah, then they should put up a dedicated moderation team to do so. It's not like they have not enough money to do so.

You are actually pointing out a tremendous opportunity that Google has internally and externally.

While there isn't a way to report problems, or get help with problems, and problems aren't tracked or measured, every problem is a singular example that can be hand-waved away with an "it's just that particular user being dumb".

Refusing to support customers is a choice Google has made in order to be able to ignore problems the engineers won't (or can't) solve.


If you don't mind sharing, what is the bug?


My comment originally read as follows, 2 people downvoted it.

>I work at Google and recently tried to file a bug about the calculator embedded in search. It was dastardly difficult to find how to file the ticket. It took me maybe an hour. A better system for filing tickets internally and for filing and triaging tickets from external users would be a tremendous asset for Google.

I didn't work for Google directly but I did work via another company (Tech Mahindra) so I am saying this as somewhat of an outsider compared with you.

You mention a bug about the calculator embedded in search: could you give me the details, and I can try to get it solved via my Google contacts.

For context, in my personal experience as a user and engineer, the Google embedded calculator is the best product among all of Google's many offerings and works flawlessly for all inputs. I find it breathtaking. For example, here is how many feet times pounds you can turn 3000 Calories into:


it worked on my first attempt. What does this mean? Well here's a foot-pound: https://ibb.co/N3WCxYV

If you weigh 180 pounds you're not climbing Mt. Everest twice (29,032′) without burning 3000 Calories. (Even at 100% efficiency).

Try getting a result like that from any other calculator (though Wolfram Alpha gets close).

What's the bug you tried to report? (What did you enter, what is the correct output and why is it correct, and what is the returned output and why is it incorrect?)

I've never seen it make a mistake so far, and I use it heavily for all sorts of things. (Sometimes I force Google to show me the calculator by typing = at the end of my Google query.) Since the product works so well for me personally, I'd love to understand what problem you have with it.

You just found a bug in Google Calculator. You wrote "calories" but Google is giving you the answer in "kilocalories". If you change "calories" to "kilocalories" the answer doesn't change.

I wonder how many times in the past has it given you the wrong answer without you noticing?

I agree with the other person who replied to you. By 3000 calories I meant 3000 Calories, which is how people use it. My input is sloppy, Google turns its output into something rigorous.

As the other person replied, it is labelled precisely.

That's what people mean by calories, it's not a bug. It even labels it precisely!

Yes, I agree.

I tried 1000 millicalories, but doesn't look like Google understands that either.

> A better system for filing tickets internally and for filing and triaging tickets from external users would be a tremendous asset for Google.

The problem is not that they don't have a tool; they could easily build one almost overnight. They have a glut of very competent technical labor, lots of capital, infrastructure up the ass.

They don't care.

The tech people are convinced they're geniuses who build stuff that never breaks.

The business people think they've figured out every problem a user could have and are satisfied that the documentation and snippets of help text are sufficient.

The accountants say "it would cost us more to create such a system and staff it than we would lose in business from not addressing it."

If it's about search, you could always use go/bad I think?

Did GUTS not survive? When I left, it was pretty solid. Some very close friends of mine spent years on that system. Haven't thought about it in a while but it was so simple and easy. Then again, that was a decade ago.

GUTS is still used for things like desk moves, but buganizer is where eng tickets live. (at least when I left a few years ago)

The discoverability may not be the best, but it's not terrible. There's a "Send Feedback" button on most search result pages (and specific ones per-result if you click the 3-dot menus). The same "Send Feedback" thing is available in Gmail (though it's hidden in a (?) menu), Youtube etc.

IME that feedback is generally taken seriously.

Maybe they don't want you to file the bug too easily?

I imagine Google would be getting 10,000s of bugs per day if it was too easy.

I'd rather know where my ship is burning instead of closing my eyes and just having happy thoughts.

But then, I am an engineer, not some marketing drone...

Rest assured that they fix their AdSense and AdWords bugs very very fast.

Curious but how would you figure out where the ship is burning if you are receiving a larger number of bug reports, e.g. 1 million bug reports per month?

Loads of duplication will also follow etc. Sounds like you need entire teams to figure out what the real bugs are at that point and maintain the bug list? Though I can't think of a workflow from the top of my head.

This very much is a solved problem - it comes down to standardization in tools, categorization of incidents, keyword analysis of incident description, and (probably automatable) correlation with logfiles and identifiers. Preventive maintenance is not a concept that has been around only recently, and a good QA team has a whole toolkit of things to throw at code before it hits the customer. And yes, ultimately, it is a question on whether you invest the resources to deal with the dumpster fire, or just let it burn to ashes. I am also a big believer in "You build it, you run it" and "no new features as long as there are open bug tickets" approaches, making teams responsible for their own technical debt.

Google with its "Let's never maintain our products, let the bitrot make them gradually worse and eventually EOL them" approach seems to prefer to avoid that kind of cost.

I used to be a Google fanboy in the early 2000s. Maybe it's coming with age, but these days I prefer boring tech that works well as compared to half-baked moonshots, and Google may have burned me once too many. Other software megacorps (and even some NGOs) do this better than the big G.

> "If you're not paying for it, you're the product."

Xoogler here - actually we used to say "if you are not buying advertising from us, Google can't help you at all".

And just recently I am a great example of that. I used to have a Gsuite account at $6/per month for 3 years, then decided to give up on it b/c I wasn't using it. But unfortunately the domain expired before I could properly disconnect it and cancel my account. You can probably already imagine at this point what kind of hell I went thru with "google help". Ultimately I had someone from India call me 3 times to explain - the questionnaire they sent me has to be answered in a specific format: each question has to have one paragraph space, then tab (9), then my answer. I kid you not! I spent 3 weeks, been transferred over email ticket about 10 times and every time they told me the same thing. Even if I did exactly how they want it - I guess email was automatically eating up the tabulate key and replacing it with spaces. Eventually a buddy of mine who still works there (different dept) told me customer support forwards your email to some account that parses message automatically, and they cannot even change one single letter in your message. Even when explaining them on the phone that I am following up with their stupid protocol of one new line, then tab, then my answer, then next line must be second question, their program must be messing it up.

Eventually I gave up on their customer support. It took me/them six months of chargeback disputes for $6 each month until my account must have popped out on someone's screen and Google employee gave me 3.5 seconds of their time to click "close this account".

Once we were having trouble with GKE hosted in Asia, it was causing our business a major outage and it wasn't something which I had the power to fix, from memory, half way through a cluster upgrade, Google ran out of compute so the upgrade was stuck half and the control plane ended up in a bad state and somehow this impacted the networking (it shouldn't but it happened). I was unable to provision a new cluster due to the lack of capacity so we were stuck.

This wasn't the first problem we'd had either.

There was absolutely no one to call, no one to even alert to warn other customers, the status pages were all green.

Instead of bothering with Google, I just opened an account on AWS and migrated whole stack to AWS in ~ 3 hours, pointed DNS at the new load balancers and we never went back and continued doing business without issue for as long as I can remember.

I'm certainly far from finding excuses for Google, but I have strong doubts when reading stories like this. I wonder how is this possible? If you check their support packages at https://cloud.google.com/support/, they provide different options based on how much you are willing to pay. The premium package gives you 15 minute response time and a personal TAM. What am I missing here? They promise a service, but it doesn't work?

AWS seems to also have support packages: https://aws.amazon.com/premiumsupport/plans/, and their response times are also not supposed to be instant.

Have you ever tried to get one of those packages? You need to have an interview etc. It’s not straight forward or cheap. We tried to sign up and have a TAM assigned but gave up. It was a lot of effort.

Amazon gives great support at an affordable price.

It's pretty crazy to think about the fact that your email is de-facto your online identity, as it is the universal second factor that is used as a fallback if other login mechanisms fail. An email service is two things: a global name user@emailprovider.tld, which is really your online identity, and an email service that hosts the SMTP, IMAP and DNS services required for the identity to function. People are willing to hand over not just the ownership of the service but also their global digital identity (the email address) to a third-party which now assumes total control of it, and which does not have any interest in supporting you. It is a major hassle to move to another provider, even a paid one, because your email address is tied to the service provider.

Because email addresses are practically a requirement to function in society, I think they should be a public service. Everyone should have the right to get an email address controlled by a public service institution which guarantees you that you can move between service providers as you please. There could even be a standardized protocol that service providers could use to easily update DNS entries when the user requests a move, assuming that you can identify yourself via some other means.

I fully agree. Over the years I've been reading about people being locked out of their Gmail accounts, and the YEARS of pain they had to go through to try to regain access to the countless connected services. You don't realise how many hundreds of services require access to your email account until you lose access. The final straw was reading the heartbreaking account of someone who lost decades worth of personal pictures, critical emails, and access to everything that mattered to him. Google's response was worse than "get lost."

So I bought my own domain and have spent the last year slowly migrating everything over. I'm still only ~30% of the way there. My whole life was centered around that Gmail address, and I could have lost it in an instant for any and no reason at all. It's horrifying, and happens to perhaps thousands of people every day. As we continue to SaaSify everything this problem is going to come to the fore sooner rather than later. Our entire lives live in the cloud now and it can be deleted without cause or notice.

At the very least I would like to see governments issue people a free state email address which can be hosted anywhere. Email is now a necessity.

Keep it up though. And encourage a friend.

> Because email addresses are practically a requirement to function in society, I think they should be a public service. Everyone should have the right to get an email address controlled by a public service institution which guarantees you that you can move between service providers as you please.

In some countries it has already been for a long time, for example Estonia gives everyone by default an email address that is tied to their national ID and you can forward mail from that address to any provider you want.

Edit: Anybody barely uses it though because usually there is no need. But it's there in case you want to use it.

In the US, I have long thought the USPS missed several good opportunities to get involved in the internet revolution in the 90s. This is a major one.

The service you propose will either have the same problem as google, be vulnerable to social engineering attacks (like phone number providers), or be tied to extremely expensive infrastructure (e.g. enable post office or DMV offices to validate identity for the purposes of managing access to this account).

Even if google had customer support agents, what do you want them to do in cases like this? They can't actually validate anyone as the owner of an account, they'd simply be the targets of people begging to access accounts.

Edit: the implication being, we probably simply need most people to just not depend on email for anything important. Unless you can maintain multiple 2FA methods, your email account isn't reliable enough to be trusted with important things.

In my country (Denmark) every person and legal entity has a government-issued digital identity (NemID) so the authentication process is trivial and cheap.

Did they fix the security flaws mentioned on https://en.wikipedia.org/wiki/NemID yet?

The provider of the system is being replaced, which means that NemID will be replaced with MitID. This solves some security issues, but brings others. Most importantly, MitID, unlike NemID, does not allow the service provider to embed the login form, but always sends you to the identity provider to log in. On the other hand, you no longer need to input both a password and use a second factor (key card, code generator or phone app). In MitID, it is enough to enter your username and approve in the phone app. This is quite bad, and has led to the comical recommendation that you should pick a username that is hard to guess. Comical because the main argument for not requiring a password is to make the system easier to use, because passwords are hard to remember.

Probably need to call the Estonians

Same in the Netherlands with DigiD. The name is an awful pun. Very Dutch.

Yes, it would be "tied to extremely expensive infrastructure" ... that already exists. So no additional cost.

You’d wonder why they have corporate sales. I’ve worked in enterprise for a long time and we’d laugh at the notion whenever someone suggested we buy any Google service because easy access to phone support when things go wrong is one of the key selling points in enterprise.

It’s why Microsoft has done so well for itself in this area over the decades. Sure Office helps, but the fact that your operations guys can be on the phone with their Seattle based offices, and get hourly updates where Microsoft calls you, when something big goes wrong is pure gold to any IT manager in any enterprise. Not only because it lets you solve issues faster, but also because you can tell the organisation that IT is on the phone with Microsoft’s head offices and you are working on a solution with them.

>about how he paid Google something for some service

>I'd frequently tell my co-workers, "If you're not paying for it, you're the product."

it seems even if he did pay he was the product, which frankly jibes with my experience of paying for things at Google.

If you pay for it, you simply like it like this.

As a normal rule I don't know what customer service is like at a company I'm paying for things at, until I have something go wrong and I realize it sucks.

only tangentially related but that phrase is a pet peeve of mine. You are always the product if you are using software - free or paid. Netflix is sure as hell going to use your data the same way youtube would.

The only exception of course is most but not all FOSS.

I think there’s a difference. “You are the product” means that your usage and data are the primary thing the company develops (with software) so it can be sold to their actual customers, namely, advertisers.

I’ve been involved with many software companies that gather various metrics (analytics, crash logs, user info, etc.) but do not sell that data to anyone. As such, the user is not “the product” but the customer. I think there’s a meaningful difference here.

In those cases the user is an asset for the company. And not "asset" in a good way if you ask me. It's more of a resource than anything noble.

Since it's a pet peeve we share I'll add... I feel it's a bi-directional exchange. A trade. I consume a product (Gmail) and they consume a product (my personal information). At best I'd be "a" product not exclusively "the" product.

Self hosted is the only good future

I kind of agree and would like to try selfhosting stuff for myself, but in the future where should the self hosting lie? Not everyone can self host (your mother, cousin, etc, people with disabilities, etc) So if it is the future, what level of society would host it reliably? Family, government, etc. Everything seems problematic either in terms of practicality and security.

Is that true for Apple?

You are the product Apple sells to app developers for 30% of their income. Notice that you are not allowed to do things that interfere with this.

That's not at all the same thing as the person I was replying to was claiming, though.

One of the biggest problems with surveillance capitalism is how it subtly guides you to the thing the corporation wants by manipulating search ranking or using ML to influence human behavior.

With Apple there is no subtlety because you just can't have what they don't want you to. Apple wants to have a deal with Hollywood so no iOS BitTorrent clients for you. You don't even know that the things you're being deprived of would have been available -- it's the same problem. It's worse. At least with Google if you notice they're removing things you want to see from search results you can switch to another search engine and still use Android. If you want video game ROMs on your iOS device you have to throw it away and buy something else.

And the privacy thing feels like a Trojan horse when they still have all your data on iCloud and have root on your device. Supposedly they don't do anything with it now (except allow iCloud to be subpoenaed by law enforcement without a warrant), and I tend to believe them.

Now suppose we finally get a free hardware phone that isn't a dog. It runs an Android fork with all the privacy invasive stuff stripped out but can still run Android apps and gets OS updates for 10+ years (i.e. indefinitely) because the drivers are in the kernel tree. That would eat a big chunk of Apple's market -- the people who don't want the central control but do want the privacy are going over there. Or just pick whatever scenario you like where Apple's business starts shrinking rather than growing. Nothing lasts forever.

Their executives are under pressure to keep profits up and they have an enormous trove of everyone's data they weren't previously monetizing. Desperate companies do desperate things. Or get acquired by Oracle or AT&T or Huawei.

Since that can happen with non-trivial probability at some future date, you can't put anything on your iPhone you're not willing to have that happen to. And then how is that any better than the alternative? It's even worse if you don't expect it to happen and then it does.


Looking at Apple's latest hardware changes, I think users are once again the customers.

I've subscribed to Google One for a few years. (When I say "pay", I'm using credit from answering surveys from Google a few times a week). It's only a couple of dollars a month, it gives you more online cloud storage, but it also gives you a chat and call service to Google. I have used it a couple of times - once to help me push LG to release updates on a phone (they kept saying it was Google's responsibility), another one to get my wife properly added to be able to use the Home smart speaker. Both times chat was followed up by a call to a real person (that was understandable, and willing to chase up and respond to the issue). I feel if I had an account issue it would similarly work out.

I think the issue is that the form is indeed locked behind being logged in[0], so the phone support won't work for login issues when you have no other device logged in.

0: https://support.google.com/googleone/contact/googleone_c2c?h...

I'm trying to use Google One now to fix an issue and it's been a struggle. Hopefully they'll eventually work it out but frankly without G1 I would probably just throw my Nest cameras out and dispute all future nest charges. Google really need to work on customer service if they're going to offer services that need it.

"I'd frequently tell my co-workers, "If you're not paying for it, you're the product.""

But it sounds like this "extremely irate user" was paying for it.

Yeah, fair point. It's been several years, so maybe my memory of all the details is a bit hazy by now. I just recall that at one point one of the salespeople was addressing a point about something or other involving the user having paid for something. I have no idea whether the user was telling the complete truth (were they referring to something they used to subscribe to and don't any more?) or whether at the time whatever they had paid Google for would have entitled the user to phone support for GMail account access issues. Whatever was going on, the user wasn't able to find any avenues to get the support they needed for their issue.

Regardless I agree with other comments to the effect that even if you are paying, you are often still the product!

"Regardless I agree with other comments to the effect that even if you are paying, you are often still the product!"

The analysis needs to go further than whether one is paying or not. IMHO.

It is not rare to see HN commenters who appear to believe that the act of paying some "user fee" to a "tech" company that willfully caters to advertising, devotes almost all of its resources toward catering to advertisers, and derives almost all its revenue from advertising services, is somehow meaningful.

Was the screaming guy not paying for some service?

I'm a bit confused as well.

> he paid Google something for some service and was entitled to phone support and he demanded someone help him

This does not support the conclusion about free users being the product, since the customer was paying based on the statement above.

Disclaimer. I'm a new Google play thing, by giving them money. Just registered a website through them and am about to release a game on the playstore. Fully dependent on zero customer service now.

The one thing I've never understood about google. Some sort of law for a trillion dollar company to have customer service or something.

Google should be employing 10's of thousands of customer service employees to take calls to troubleshoot their customers' issues.

On a side note.

Here is my.... the simplest website you have seen since 1989.


I'm not running a user data farm. I just want to make stupid games, like...

P.S. Zero advertising for anything including my game. Just a 7 line privacy policy. Don't need much more.

More laws aren’t always the answer. Really, we should just be using a company that gives a shit about its users.

Problem is it all works just fine until you get locked out and have no options. So the market won't ever gradually move over because its only a very small % who get hit with an awful experience while everyone else is perfectly fine.

And now I'm signed up to the system. It's terrifying.

At any point. You're done.

Hence the nothing clause.

I'm sure any game I submit to the play will be wrapped in googs analytics.

No matter what my privacy policy says.

I don't think people are informed well enough to know which company gives a shit about its users. Google had pretty good reputation when I started first using GMail via an invite during the beta.

I agree more laws aren't always the answer but I really do think that companies should take some responsibility as far as customers' data and property is concerned. If I take my car to be serviced, they can't just tow it to a junkyard and tell me to fuck off. Even if they advertised free service. If you can't provide a free service and take responsibility for it, then don't.

IMO, if the service includes "borrowing" property (rent, email server), then they can't just cut the customer off without giving them time and the means to move off. (It would be illegal here for my landlord to step in and lock me out tomorrow)

Because that worked so well in the past. There is no "we" - they wouldn't have become a billion dollar company if they hadn't found ways to make people still use them despite those issues.

But that doesn't mean they aren't issues.


The sheer scale of not giving a crap is what is truly impressive. Alphabet has built a monster system meant solely to not have a phone number. That's a scary innovation.

I'd suggest you at the very least transfer the domain to a separate company. If Google mysteriously decides to screw you around it will be impossible to access or transfer your domain.

>I'd frequently tell my co-workers, "If you're not paying for it, you're the product." That experience underscored that notion for me.

But this isn't true for all of us, google provides support through paid programs and sells services to other businesses. This is more of a google specific problem.

I submitted a security bug to Chrome. It was not very serious or urgent. Somebody looked at it in the first hour, in the first day it was analyzed and in the first week it was resolved. I was kind of surprised, because I was sure that public feedback from nobody is going to be put in a very long queue.

Google makes money on Gmail. That means they can pay for customer support.

> Google office there. The Googlers sitting around

Seriously? You stated that you left the cult.

They also do this thing now where they block [1] smaller browsers (even ones using the latest version of chromium) under the guise of security. According to their docs they're fighting MITMs by generally disallowing any browser they can't identify (so the big few).

If you're not on a whitelisted browser by Google, you can't log in (effectively, use) any of their properties.

This feels very anti-competitive to me. Notably all the whitelisted browsers are either theirs (Chrome) or sell them their search traffic. I'm building a browser for research [2] and have to frequently find workarounds. I'm not quite sure who I'd contact to get on said whitelist either...

[1] https://imgur.com/a/DASVkhl (here is the issue in the Vim browser and Min browser)

[2] https://synth.app

Google sometimes blocks me from searching using Firefox, saying it’s “suspicious activity” and sending me into captcha hell that always rejects my results after several screens for no reason.

It’s incredibly transparent as to what they’re doing. That Google became the most anti-consumer company out there is pretty disgraceful.

I use google constantly— sometimes hundreds of times per day— both logged in and out, almost exclusively in Firefox or Firefox developer edition and I've never encountered this. I'd bank on it being a network thing— VPN, overcrowded proxy, etc.

The beauty of AI is that it's likely no human can say precisely why two similar users might get a different classification.

I'm not saying the browser isn't a factor, or that Google isn't anti-consumer, or anything else. The original comment didn't say they were caught up in some unobservable AI machination. They made a pretty straightforward observation mentioning only two conditions: Google bounces them when using Firefox. From that, they jumped to a pretty straightforward conclusion— Google transparently harasses Firefox users to advance their corporate strategy.

I'm not going to jump through hoops to prove a negative, but correlation does not imply causation.

My empirical observation: For many years I have constantly used Google search on FF with many machines and networks, logged in and not, in private mode and not, with all existing privacy features enabled and no extensions beyond a password manager. Napkin math conservatively estimates I've conducted 200k searches minimum using this combo. I've consistently encountered suspicious activity challenges when using overcrowded proxies, NAT'd networks and VPNs. Removing those factors has never failed to stop the challenges. Ever.

I'm confident the poster's observations are accurate. My observation does not directly contradict their observation, but it does contradict their conclusion. I wouldn't be surprised if other factors like JS being enabled, cookie settings, plugins that affected those things, number of other users on their network, or even the public IP range they fall under would affect it.

...and the beauty of the Internet is that there's really no way to be sure people are being genuine...

Which is why it's better to believe people until you have a clear reason not to, in case they are genuine.


It's not that important whether these reports are genuine or not. The important point is that many people are not surprised by these reports. Google has long failed people's trust in them.

Long time Firefox user and HNer here.

I've at least been "captchaed" in Firefox. While being logged in with my Gmail account from 2005.

I've been "captchaed" with Chrome, so I'm not sure the anecdotes amount to much.

That's interesting and useful to know and I decide to believe you.

BTW: Yes, I absolutely noticed that you said this above:

> ...and the beauty of the Internet is that there's really no way to be sure people are being genuine...

My point is, unless the claims of the others are outrageous or we have something very specific to point at, I don't think voicing these kinds of thoughts does much good.

tbf, that is the beauty of people in general and not the Internet

I have had the same experience the previous commenter had when I'm on my phone. It would happen quite randomly and sometimes the captcha hell would resolve and I could go back to normal search, while other times it would go into an infinite loop. Check back in an hour and you're fine. It's a disaster and at times like these I am so glad there's at least some competition I can go to for search.

I get it in Firefox without a VPN with my own IP owned by a reputable ISP. On a Pixel phone with Google DNS.

On a VPN I do not get it, so the last couple of weeks I have been making heavy use of my Mullvad account.

Edit: however. I only store cookies for fastmail and hacker news and do not allow JS on many sites.

That would make sense, Google can easily track you if you always use the same IP. It's their business, they track you and sell your data so they can provide their product for "free".

> Google sometimes blocks me from searching using Firefox, saying it’s “suspicious activity” and sending me into captcha hell that always rejects my results after several screens for no reason.

That happened to me only when using Tor.

Use private mode exclusively. You will start getting into the captcha hell in a day or two.

I configured Firefox to delete all cookies on exit, except a few whitelisted sites. So most of the time I have to accept Google privacy policy if I search there. Other than that, I never got into the captcha hell when trying to do a Google Search.

There are some sites I can't login at all unless I change the browser. SoundCloud is one of them.

Could be that IP Address/ISP reputation is also a factor for the variation in results.

That happens to me all the time, I have no idea why. I'm using Firefox.

In the same vein, check out what Bing did when I searched for "Firefox" with Edge[1].

[1] https://news.ycombinator.com/item?id=28517187

Any reason as to why they might be doing that? VPN? "resist fingerprint" setting? School/public wifi network?

Usually when they do that it's because you are on the same network that a lot of abuse has come from.

Is it possible that your requests are coming from an IP address that google has flagged for previous abuse? I think that the "suspicious activity" captcha hell is triggered by a high request volume from multiple not-logged-in agents on the same IP. At least that's been my experience in the past.

Doesn't have to be not logged-in. Years ago I used Chrome (with myself logged into Google) to search for very specific queries, so I had to use multiple operators (double quotes, "site", "filetype") in one search to narrow the results. I was hit with a CAPTCHA as soon as I browsed to page 2 of the results. This happened many times, so I had to do this kind of search at different times to make sure it didn't see me as heavy traffic at any point.

We used to have this happen at an office I worked in where the SEO team was scraping google search rankings by running thousands of queries with different search keywords. Google was blocking the IP address rather than our browsers.

Sounds like your browser (or a plugin) might be blocking some cookie or connection that Google uses for security?

Fake your browser header to a Chrome variant.

That doesn't get rid of the problem, it only prolongs it.

The header isn't the only thing that identifies a browser.

A faked header might look even more suspicious to their algorithm?

Hanlon's razor applies here, though.

No it doesn't, rockefeller's razor applies - don't attribute to stupidity what could be adequately explained by profit motive.

There is no such razor.

I'd guess that it's because they (incorrectly) think it's an embedded Webview, which get blocked (see https://developers.googleblog.com/2021/06/upcoming-security-... and https://developers.google.com/identity/protocols/oauth2/poli...).

You could try creating an issue in the Cloud Identity issue tracker (Cloud Identity is Google's API for letting websites have a "Login with Google" thing): https://issuetracker.google.com/issues/new?component=522910&...

This is a problem I've encountered too: people are unable to log in to a Google account when using insecure Webview browsers, which includes Messenger, Facebook, Instagram, etc.

But Gmail Webviews allow Google logins though :/

Hey, cool website! The mailto: hyperlink on your careers button in the footer has a typo, namely:

"mailto:careers@synth.app&subject=Synth Careers&body=Please attach resume!"

It should be,

"mailto:careers@synth.app?subject=Synth Careers&body=Please attach resume!"

That &subject instead of ?subject is causing that mailto link to not be imported properly by most mail apps. Trivial thing, but thought I'd mention it.

Good luck with your app!

And replacing the spaces in the subject with %20 will fix it on more browsers, at least it's at the end :)

And providing no email at all and using form submission with captcha will annoy a bunch of people but will save you from a lot of spam ¯\_(ツ)_/¯

You could even power the captcha with Google!

<looks at subject of thread nervously>

It's craziness all the way down. I have a Google Voice number which is my "default" number with my Gmail accounts. All my Gmail accounts were automatically migrated to use 2FA with this number, which means if I lose all my Google devices and I try to log into Voice, I'll get 2FA I can't see because of the catch-22 situation of not being able to log into Voice.

The only reason I caught this is because they sent me a notice about 2FA and I thought, wait, what 2FA am I using? Instead of them running a tiny check to see "Wait, is this person using a Voice number" they did it anyway. Worse, they know this because if you go into the 2FA page manually it says in bold letters to not use a Google Voice number.

At this point I'm spooked and I'm just going to port my number into our account at work and have my work phone use this number instead of having a dual number phone with Voice. Voice SMS is a mess too. 50% of services can't SMS it a code because Google blocks it. Other services won't accept it for SMS codes because it's "not a real phone."

If I didn't catch this then there would have been a day where I'm locked out of my accounts with no apparent way back in.

> Voice SMS is a mess too. 50% of services can't SMS it a code because Google blocks it. Other services won't accept it for SMS codes because it's "not a real phone."

The first part of that shouldn't be true. I've used mine to receive all kinds of SMS and it always works fine _except_ for the services that just won't accept the number. Only run across maybe one or two of those, over some years.

For SMS from real people it works fine ofc.

What happens is some organizations run a verification to see if it's a VOIP number, and if it is, consider it invalid for SMS-based 2FA and other authentication, presumably to stop hackers. Some big names use these lists, most notably Zelle to transfer money. Discord as well.

Why Google also seems to block incoming SMS from Microsoft Authentication and others is beyond me. Maybe MS isn't sending because it doesn't consider that number real and just fails silently on their end? Maybe Google's own lists are very aggressive. I suspect the latter because this comes up a lot. No one seems to have a good answer to any of this because there are no laws requiring transparency, so they hide their rube-goldberg-esque SMS policies behind obscurity and it's up to me, the customer, to somehow navigate this mess.

Yes, from regular people things are fine, but my life isn't dictated by regular people but the mega corporations capitalism creates and how I have to cater to their various technological whims. If my phone can't get messages because these big companies are always feuding in some way, then I'm locked out of essential services I need to live, have a job, do banking, etc. It's a small comfort that my friends can text me when I can't get texts from my bank, money transfers, or for work. As of right now in the USA, having a VOIP number be your primary phone number is unfeasible. I have a work cell with a "real" number that I use for at least 4 different services for SMS because of this issue.

That's really weird. Ya the VOIP thing I've experienced. I don't think I've ever found a company that actually tried to send sms my way and it failed though. Maybe just luck, I don't happen to use any of those companies you mentioned.

Anyway, yeah that's lame. I'm personally abandoning ship from Google Voice myself anyway, but for other reasons.

Just like Microsoft might not want users on cheap VOIP lines because those services tend to be like in the seedy underbelly of the web, Google also doesn't want it to be useful for that purpose, for exactly the same reason.

Discord won't take the numbers, Venmo won't take the numbers.

Interesting how the brand of security companies like Google keep telling us is in our best interests always seems to secure their corporate revenue streams first, while the security and freedom of users are an afterthought.

Years ago I interviewed with a startup that was aiming to put their routers in various locations like airports and coffee shops. They would offer free or cheap internet at those locations. The catch: they were going to swap out ads with their own ads on the fly.

Shortly after that, Google started pushing HTTPS. I never believed that was a coincidence.

The great migration to https, even for read-only self-hosted blogs, has been an amazing disservice to the world. Maybe if we had non-expiring ssl certificates with working OCSP or CRL, I’d have a different opinion.

Yeah, they make almost tens of dollars forcing users to use Safari or Edge instead of lynx.

Well, if they could make tens of dollars per user, that would be pretty good.

Yes but they save a lot not paying Firefox to be the search box.

A browser environment designed for researching is something I've been investigating lately. I want to stay with Chromium for convenience (Chrome for work, ungoogled-chromium for personal). Right now I see two paths that might work for me:

- A standalone browser that I use only for research purposes. Currently evaluating Bonsai [1] and am interested in Synth.

- A suite of tools that makes bookmarking and organizing easier when used alongside Chrome. Currently, I pay for Raindrop [2] to manage bookmarks, most likely will pay for Slapdash [3] for indexing, and am evaluating Heyday [4].

For an end-user like me, I would much rather pay for an extension+SaaS for Chrome or Firefox, rather than deal with workarounds for browser incompatibility.

[1] https://bonsaibrowser.com/

[2] https://raindrop.io/

[3] https://slapdash.com/

[4] https://heyday.xyz/

You might also like promnesia


And if you're interested we have a small discord server "awesome knowledge management" come join us!


What makes your discord server unique among the thousands of other knowledge-management organizations out there?

Nothing ¯\_(ツ)_/¯

Although you say "organization"... this isn't centered around a particular tool or anything.

I made it in response to a post about Promnesia on "Who wants to collaborate" https://news.ycombinator.com/item?id=29764928

Awesome. To keep focus on the main topic, feel free to email me to chat more (FWIW I've done the 50 extension patchwork thing and generally find the extension experience too fractured and suboptimal for me).

What OSes are compatible?

I use a proxy service (VPN) and gstatic.com blocks my requests. This breaks reCAPTCHA which defeats its entire purpose. It also breaks every site that uses Firebase. About 50% of sites load their fonts from Google and they appear with all text invisible and finally appear after about 3 seconds. A few sites, even government sites, refuse to display any content at all until they load their JavaScript from Google.

Browsing from this Google-blocked VPN has been an eye-opening experience. Google tech is pervasive and makes the web hostile for everyone practicing online hygiene.

When Google first blocked my proxy, suddenly search in Gmail and Drive stopped working. This was my paid Google business account. I tried to contact Google Support but found I couldn't log in. I carefully wrote down a Google Support PIN several years ago. When I tried to call Google Support, the PIN didn't work. Apparently, Google Support PINs expire after an hour. So I learned that Google provides zero support for login problems, even for paid accounts. That's a massive risk. I switched my business accounts to Zoho. It took about 4 hours to sign up and move over my domain + email + docs + spreadsheets + drive. I've been using Zoho for about 3 weeks now and it's fine. Zoho Email search is good. They let people create support tickets without logging in. And humans respond to the tickets within hours.

Wow, that's awful. I wonder whose idea it was? Is it doing anything more than checking user agent (trivial to spoof)? Because if not, that seems entirely hostile.

It's not just the user-agent, it is definitely doing non-trivial fingerprinting (both linked projects also had UA mitigations before). We don't have an easy workaround (besides a sketchy cookie hack that took hours to reverse engineer) right now and have been trying to get in touch with them.

> it is definitely doing non-trivial fingerprinting

Can confirm.

To generalize and understand why, big corps have to deal with an insane amount of (often automated) abuse, so they build profiles using data collection to assess your risk level. Being in the wrong cohort (say unusual browser, small country, rare language, use a vpn etc) can affect your score. Basically it's these massive bayesian filters that output how suspicious some activity is. Whether you're signing in to Gmail, returning a product, buying something with a credit card or booking an Uber, some form of score is computed and then used to allow/deny/delay/verify. Obviously this is well established in the insurance and finance industries, but make no mistake, it happens everywhere.

This approach is understandable from a business perspective, but imo deeply troubling for an open society. You don't have to squint much in order to see the similarities to social credit systems, EVEN if there is no grand totalitarian state coordination behind it.

As usual, the first step is transparency so we can actually discuss these issues based on accurate data, but that's very difficult today. Usually fraud and abuse prevention is among the most secretive departments, they never share anything.

To clarify, these scores can be sanely used to decide what level of trust you have, and when you have none you get a captcha, an SMS check or something heavier to authorize the access you are trying to get.

In my book you’re never supposed to fully block a session because of the score; there needs to be a (potentially burdensome) way to prove the score wrong. Blocking a browser should be out of the question.
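The scoring and step-up scheme described in the two comments above, sketched as an added example (not code from the thread or from any provider): a naive-Bayes log-odds score over session signals, mapped to escalating challenges instead of a hard block, with a per-signal breakdown so the decision can be explained. Signal names, likelihoods, the prior and the thresholds are all constructed for illustration.

```python
import math

# Constructed numbers for illustration only (assumptions, not real provider data):
# signal -> (P(signal | abusive session), P(signal | legitimate session))
SIGNALS = {
    "unrecognized_browser": (0.60, 0.05),
    "vpn_or_shared_ip":     (0.70, 0.10),
    "new_device":           (0.80, 0.15),
    "rare_locale":          (0.20, 0.05),
}
PRIOR_ABUSE = 0.01  # assumed base rate of abusive sign-in attempts

# Step-up tiers as (upper bound on score, action). There is deliberately no
# "block" action: the highest tier is a heavier proof path, so a wrong score
# can still be overturned by the account owner.
TIERS = [(0.05, "allow"), (0.50, "captcha"), (0.90, "sms_check")]
FALLBACK = "manual_recovery"


def contributions(observed):
    """Log-likelihood-ratio contributed by each observed signal."""
    out = {}
    for name, present in observed.items():
        p_abuse, p_legit = SIGNALS[name]
        if present:
            ratio = p_abuse / p_legit
        else:
            ratio = (1 - p_abuse) / (1 - p_legit)
        out[name] = math.log(ratio)
    return out


def risk_score(observed, prior=PRIOR_ABUSE):
    """Posterior probability of abuse, assuming the signals are independent."""
    log_odds = math.log(prior / (1 - prior)) + sum(contributions(observed).values())
    return 1 / (1 + math.exp(-log_odds))


def decide(observed):
    """Map the score to the least burdensome challenge that covers the risk."""
    score = risk_score(observed)
    for upper, action in TIERS:
        if score < upper:
            return action
    return FALLBACK


def explain(observed):
    """Signals sorted by how much each one pushed the score up."""
    return sorted(contributions(observed).items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    # Constructed sessions: the same legitimate user looks riskier with each
    # unusual-but-innocent attribute (new phone, niche browser, VPN, rare locale).
    usual = dict.fromkeys(SIGNALS, False)
    sessions = {
        "usual setup": usual,
        "new phone": {**usual, "new_device": True},
        "new phone + niche browser": {**usual, "new_device": True,
                                      "unrecognized_browser": True},
        "... + VPN": {**usual, "new_device": True, "unrecognized_browser": True,
                      "vpn_or_shared_ip": True},
        "... + rare locale": dict.fromkeys(SIGNALS, True),
    }
    for label, obs in sessions.items():
        top = explain(obs)[0][0]
        print(f"{label:28} score={risk_score(obs):.3f} "
              f"action={decide(obs):16} top_signal={top}")
```

No single signal here is evidence of abuse on its own; the score climbs because innocent signals stack, which is the cohort effect the comments describe.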

Even so, we still need to have a debate about what levels of "papieren bitte" we are willing to accept for different functions of society. The currently ubiquitous corporate-centric trend is to "nudge" instead of outright ban, i.e. instead of a bool it's numeric, and I highly doubt that the difference in data type is as significant as people think it is -- "Well you can always create a new account/buy another device/ask your friend to do it/.." and so on.

If these numeric scores are affecting search results, recommendations, when sharing stuff, etc etc, there's no question that it will affect societal discourse. These hidden "algorithms" (as in the popular term) and fraud prevention systems are so far from being understood that it may be too late to reverse it when we realize what's happened.

I agree with you. I think this discussion started around the time shadowbanning was gradually used on forums to reduce moderation workload.

It seemed somewhat legitimate for a small free-to-use site's mods to try to not get their whole life sunk by dealing with trolls, but if the same behavior is applied to giant entities who have much more incentives to do it at scale, it becomes a different issue altogether. Hidden restrictions on search results or other functionalities would be dystopian and something I hope doesn’t get accepted as standard.

"Papiere, bitte." (Just fyi. Mangling the German [sic] doesn't detract from your post.)

Not sure being corporate centric makes this problem any worse? If you had other kinds of organisation, you'd still have to deal with abuse and fraud? Any people doing weird, unusual stuff, look inherently more suspicious. That's a fact of life in meatspace, too.

There might be some utopian, ideal way to organise activity so that non-mainstream stuff ain't suspicious.

But I would count that as a great feature of that ideal way; not as a deficiency in the corporate way. Just because this deficiency of the corporate way seems to be a common deficiency of most means of organisation that have been tried.

(Keep in mind, this isn't all or nothing. Softening the tendency might be enough of a relief, without having to eliminate it completely.)

> "Papiere, bitte." (Just fyi. Mangling the German [sic] doesn't detract from your post.)


> Not sure being corporate centric makes this problem any worse? If you had other kinds of organisation, you'd still have to deal with abuse and fraud?

I think it's definitely not unique to big corps, but an emergent property of a distributed and homogenous system of self interested agents, probably. It feels very game theoretical, at least. What's clear is these systems are becoming ubiquitous rapidly.

Anyway, if my Google account gets locked today, for whatever reason, I am very seriously screwed. Google's human appeal process is best-effort at best, I know people personally who have been locked out for life. Now, I have the luxury to blame myself because I should have bought a domain and so on, but society at large doesn't have that foresight/insight.

> I think it's definitely not unique to big corps, but an emergent property of a distributed and homogenous system of self interested agents, probably. It feels very game theoretical, at least. What's clear is these systems are becoming ubiquitous rapidly.

Not sure the homogeneity is necessary?

To an extent, the market delivers what people are demanding.

For most people, Google's package of cheap or even free services with minimal hassle in the common case, but almost no recourse in bad cases, is compelling.

And for many it's a step up from having everything locally: I'd bet that more people lose their local data than get locked out of Google?

> Not sure the homogeneity is necessary?

Oh, nice catch, I actually meant to write heterogeneous.

> I'd bet that more people lose their local data than get locked out of Google?

Probably. There's definitely some low hanging fruit/middle ground though. We desperately need to have ownership of the address itself, so we can transfer to different providers. Either with your own domain, or a domain provided by a truly neutral party, similar to phone numbers.

Not sure about phone numbers. You can get them hijacked relatively easily, at least temporarily.

Problem is that having an account be breached is catastrophic while getting locked out temporarily ranges from annoying to very annoying but not nearly as bad as having the account be breached. So if the filters have determined that someone is absolutely almost certainly a bot/attacker, it might make sense to do a total block like a bank would lock your account.

Unfortunately google doesn't have the support infrastructure like a bank to do recoveries.

I know cloudflare uses a trick with canvas element to fingerprint the browser. If you disable it, it can be actually impossible to bypass.

It's not so much a social credit score to fear rather than privacy. Any site using Cloudflare or Google knows where you're going and what you're doing, and if they don't then, access denied.

They know so much more than your innocent mind will want to admit.

> Obviously this is well established in the insurance and finance industries, but make no mistake, it happens everywhere.

Speaking as someone in the US: in both insurance and finance I can get a person on the phone to resolve my issue.

Specific to finance, there are a number of consumer laws that protect me.

If I'm denied credit based on my credit history, I'm allowed to know why. If my credit score is not accurate, I'm allowed the ability to fix it.

Lousy customer support is not a tech industry issue--Stripe, Amazon, Apple, to name three all have great support.

> Stripe, Amazon, Apple, to name three all have great support.

True, but they have actual customers. As a user of Gmail, I can hardly be considered a customer.

Google ads has customers though. Their support probably isn't great either, but does it need to be? Where else are you gonna go?

> Google ads has customers though. Their support probably isn't great either, but does it need to be? Where else are you gonna go?

I've not dealt with Google Ad support, but I can say from experience Facebook Ad's customer support is terrible.

Similar to Google, I'd speculate that the majority of customers pay such small amounts, that it's more cost effective for Google and Facebook to not support them, than it is to support them.

I would also speculate, that if you were instead, say Pepsi-Co, you would have white-glove service from both tech giants.

> Similar to Google, I'd speculate that the majority of customers pay such small amounts, that it's more cost effective for Google and Facebook to not support them, than it is to support them.

That's probably how they reason about it but I think it's a cultural thing too (pure tech Co's have a bias towards automation for everything, and a reluctance to staff operations at all). Amazon for instance has many low value customers, yet has much better support across the board.

> I would also speculate, that if you were instead, say Pepsi-Co, you would have white-glove service from both tech giants.

Oh absolutely, that's no secret. I know account managers that had a single big customer at one of these companies. It's part of the sales org basically.

> say unusual browser, small country, rare language, use a vpn etc

> Basically it's these massive bayesian filters that output how suspicious some activity is.

It almost feels like the digital equivalent of racism, xenophobia, homophobia, and other prejudices; people are suspicious of anything that stands out as being somehow "different." Now computers are suspicious and prejudiced because your digital appearance looks out of norm.

> This approach is understandable from a business perspective, but imo deeply troubling for an open society.


> To generalize and understand why, big corps have to deal with an insane amount of (often automated) abuse, so they build profiles using data collection to assess your risk level.

Total coincidence that it's also "you're not being a good little data source", I'm sure.

I use a privacy-oriented browser on my cell phone to load amazon's website to get that stupid whole foods QR code for the checkout, because I'm not installing their fucking app so it can collect more data on me.

Guess what? Every single time, I'm presented with a "we've emailed you a link" error, and that link is difficult to open in my preferred browser because iOS doesn't offer it as a choice for opening links...

> Total coincidence that it's also "you're not being a good little data source", I'm sure.

100% coincidental, of course :)

> that link is difficult to open in my preferred browser because iOS doesn't offer it as a choice for opening links...

Hmm, wasn't that fixed? Perhaps it's the email app that won't let you? I seem to be able to open many links in Firefox on iOS these days, but in some cases Safari is indeed the only option.

"We don't have an easy workaround (besides a sketchy cookie hack that took hours to reverse engineer) right now and have been trying to get in touch with them."

First thing I do when creating a new Gmail account, using a "supported" browser, is to save the required parameters of the cookie in a text file then convert the file to a simple shell script, powered by netcat and TLS proxy. This only takes me seconds. Then I close the supported browser without logging out. The word "sketchy" seems applicable because unlike, e.g., a bank website, companies like Google and Facebook will let users stay "logged in" for some ridiculously long period like one year. Yikes.

Two ways to disable the script are 1. log out of that session (://mail.google.com/mail/logout?ec=ABCDEF, ://accounts.google.com/Logout?service=mail&continue=https://mail.google.com/mail/, ://mail.google.com/accounts/ClearOSID) or 2. change the password.

This tiny script can be transferred to any computer and used to check and send mail from the command line. No browser, Javascript or password required.

Netcat, the browser of the future! :)

What did min browser have?

Likely the goal is to protect users from malicious apps, trying to get user to log in on a hosted browser component in order to scrape their data (or perform activities on behalf of user).

I think HN users often severely downplay the threats large companies are facing and frame every anti abuse measure as a coordinated attempt to shut down their indie browser fork.

People are having their lives ruined when their account gets breached which Google prioritizes over avoiding accidentally blocking a few odd users.

At work I use Chrome, and I was once using some more obscure features of Google Search to find Microsoft documentation and it (Google) started asking me to verify I wasn't a bot, over and over.

So there's some evidence that this sort of nonsense can be other than malice.

Huh. I'm using a little-known Chromium fork[0] and I haven't had any trouble logging into Google services.

0: https://github.com/blueboxd/chromium-legacy

It might just pass as Chromium to their browser fingerprinting.

I suppose, but then how would they detect a Chromium build with a keylogger?

Just signed up. Your idea appeals to me. Hope I can take it for a spin soon!

I use qutebrowser[0] which is built on qtwebengine, which is based on Chromium but comes with the caveat that it will likely be blacklisted by Google since it does not follow upstream's release schedule. But it is trivial to get around this by setting the user agent to something not blacklisted.

[0] https://qutebrowser.org/

Kind of unrelated to the whole Google thing, but this Synth browser is a really cool idea. I'll read more into it when I get the chance!

How do we get our embedded webview driven app verified as a secure browser or has the AI already designated the lucky few and we are cast aside?

Godspeed building any browser. I know it's just for research, but I miss options. Palemoon was great until it imploded.

I wonder if it will take long for Google to create a premium search account product. A paid one.

> Notably all the whitelisted browsers are either theirs (Chrome) or sell them their search traffic.

OK but that also describes pretty much all the Web browsers the vast majority of Web users actually intend to use, right?

Yes, in part thanks to their efforts to make it harder to use other browsers...

I think you are overestimating the inclination anybody has to use those.

How do you know what people 'intend' to use? Making it inconvenient to use alternative browsers especially when they compete with your own is manufactured consent not intention. I use FF on Linux and have to go through that crap every time FF updates even though nothing else has changed.

It seems to me that packaging a malicious browser to look like a familiar one is actually an attack vector

Synth looks cool but why can't it just be an extension?

Well, for one, nonsense like this is why I set out to build a browser in the first place :) More generally, the user experience is, naturally, worlds apart from extensions.

What is a MITM?

Man in the middle

Please don't post links to programs that aren't even publicly available.

AFAIK There's nothing wrong with doing so. The comment was on topic, and the project is interesting.

One of the most discussed projects on HN in the past year or so has been GPT-3 which is (was?) pretty hard to get access to.

GPT-3 is pretty open at this point.

Had this. It was telling me to try again 'later'. OK, I did 'try later' every day for three weeks, and they didn't let me in. Using the very same IP address as I used to always access it, no less.

Then, I gave up, moved all my services to another email account, and after 2 or 3 months tried logging in, and it suddenly allowed me to log in.

Needless to say, I will never again use gmail for critically important things.

My solution is, buy your own domain. It's cheap and it will cost you only 20$ a year or something like that. I'm not saying run your own email service (I do, but I recognize that it's complex and not worth for most people), but use a public email service (like also GMail) with your own domain.

That way at least if you no longer can access your account, or you get banned, or whatever, you don't lose your address (since you can just move to another provider).

Also, use an email client on your PC (such as Thunderbird) and configure it to keep a copy of all your emails locally (and possibly have the PC backed up). That way if you lose access to your account you don't lose access to your mail, that you can even upload again in the new provider server.

I agree with the advice to get your own domain, and then use a service to manage email for it. But don't use GSuite/Google Workspaces/whatever they're calling it now. Your Google account will be somewhat crippled and will be missing a bunch of features, because Google has just decided GSuite accounts should not have those features.

And you can't convert your account to a regular Google account. I really want to untangle all this, but there's no way to (for example) export your Google Photos sharing settings and import them into a new account. I have hundreds of GPhotos albums, with many of them shared with various people, and if I migrate to a new, regular Google account, I'll have to manually set up all those sharing settings again. And this is just one of many difficulties; I'm assuming I'll also lose all my Hangouts/Chat history as well, with no ability to import the old history.

But I'll be doing all this sometime soon, as Google has decided to finally pull the rug out from under those of us who signed up for GSuite when it was free (well, "Google Apps for Your Domain", as it was known back then), and will start charging later this year.

This is all incredibly frustrating, and the level of lock-in is pretty severe after more than a decade of having this account. If I could do it all over again, knowing what I know now, I would have created a Google account without GMail[0], using my email on my custom domain, and hosted my mail somewhere else. Though, admittedly, back when GMail was first a thing, webmail otherwise universally sucked.

[0] https://accounts.google.com/signupwithoutgmail?hl=en

Yea it is odd that not all Google accounts are the same.

My favorite is that I cannot migrate my Nest account to a Google account because it does not support Google Workspaces accounts. I use it with my own domain and it is my private Google account.

> export your Google Photos sharing settings and import them into a new account. I have hundreds of GPhotos albums, with many of them shared with various people, and if I migrate to a new, regular Google account, I'll have to manually set up all those sharing settings again.

If you think this is bad you should check out iCloud. They're all as scummy as each other about locking in users so the friction to leave is sufficiently high.

> Google has decided to finally pull the rug out from under those of us who signed up for GSuite when it was free…and will start charging later this year.

Do you have a citation for this? I heard last year they were going to start charging for new accounts, but that since I set it up on my domain in 2008 I was grandfathered into the free plan indefinitely.

The email has not been sent to everyone yet, but it mentions "transition all remaining users".


I had this week to transfer a small account of 2.5GB between 2 google workspace accounts. All paid accounts. It took 3 days to transfer the 2.5GB account with Google's data migration process. Downloading and uploading the emails with Thunderbird would have taken maybe 3 hours at most.

That's true about GSuite being crippled compared to Gmail, but I accepted that as the price to pay for having my main email use my own domain.

What features does GSuite lack?

Two that affect me: can't use it with Nest, can't buy family plan YouTube subs.

Family sharing of Youtube TV is another one.

Can't share Google home access with another user.

And if you don't run a local mail client like Thunderbird, make sure to take a Google Takeout backup as frequently as your threshold for losing recent mail. The backup of GMail includes all your mail in a standard .mbox format.
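A way to check that a Takeout export is actually usable and recent enough, as an added example that is not part of the original comment. It assumes the export is a standard mbox file carrying Gmail's `X-Gmail-Labels` header; the sample mail, addresses and function names are constructed for illustration.

```python
import mailbox
import os
import tempfile
from collections import Counter
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample in mbox format (not real mail). The X-Gmail-Labels
# header is assumed to be present, as in a Takeout Gmail export.
SAMPLE_MBOX = """\
From 1001@xxx Mon Jan 03 10:00:00 +0000 2022
X-Gmail-Labels: Inbox,Important
Date: Mon, 03 Jan 2022 10:00:00 +0000
From: alice@example.com
Subject: constructed message 1

hello

From 1002@xxx Thu Jan 20 08:30:00 +0000 2022
X-Gmail-Labels: Sent
Date: Thu, 20 Jan 2022 08:30:00 +0000
From: me@example.com
Subject: constructed message 2

reply

From 1003@xxx Fri Jan 07 12:00:00 +0000 2022
X-Gmail-Labels: Inbox
Date: not a date
From: bob@example.com
Subject: constructed message 3 (malformed Date header)

broken
"""


def summarize_mbox(path):
    """Parse every message; report count, date range, labels, unparseable dates."""
    box = mailbox.mbox(path, create=False)
    count = undated = 0
    newest = oldest = None
    labels = Counter()
    try:
        for msg in box:
            count += 1
            for label in str(msg.get("X-Gmail-Labels", "")).split(","):
                if label.strip():
                    labels[label.strip()] += 1
            try:
                sent = parsedate_to_datetime(str(msg.get("Date", "")))
            except (TypeError, ValueError):
                undated += 1  # keep counting, but do not trust this date
                continue
            if sent.tzinfo is None:
                sent = sent.replace(tzinfo=timezone.utc)
            newest = sent if newest is None or sent > newest else newest
            oldest = sent if oldest is None or sent < oldest else oldest
    finally:
        box.close()
    return {"count": count, "undated": undated, "newest": newest,
            "oldest": oldest, "labels": labels}


def is_stale(summary, now, max_age):
    """True if the newest archived mail is older than the loss you accept."""
    newest = summary["newest"]
    return newest is None or now - newest > max_age


def demo():
    """Write the constructed sample to a temp file and summarize it."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    try:
        with os.fdopen(fd, "w", encoding="utf-8", newline="\n") as fh:
            fh.write(SAMPLE_MBOX)
        return summarize_mbox(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    s = demo()
    now = datetime(2022, 1, 23, tzinfo=timezone.utc)
    print(s["count"], "messages,", s["undated"], "with unparseable dates")
    print("range:", s["oldest"], "to", s["newest"])
    print("labels:", dict(s["labels"]))
    print("stale at 7 days:", is_stale(s, now, timedelta(days=7)))
```

Pointing `summarize_mbox` at the real export and comparing the message count against the mailbox total is a quick restore test before the backup is needed.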

I did this! Kind of. I bought a domain and was lucky enough to get in to a custom domain email (and more) service with a big company years ago when they had a free version.

Unfortunately... it was Google (so kind of hiring the wolf to care for my sheep, as it turns out).

And now they're cutting off all of us free tier folks. Which I can't fault them for, but still blame them for. Because I'm petty and entitled or whatever.

Same here and it's a massive problem because nearly all of my digital presence is associated with, not just that email address, but that Google account specifically.

I'll lose important things like my Google Voice number that I've had for a decade unless I pay for a business account.

You can transfer your Google Voice account to a regular GMail account despite their documentation claiming otherwise. See:


Keep in mind you can port out a Google Voice number, also if you pay for Apple services domain hosting is free for iCloud+ users now, although you don’t get as many addresses.

It is very frustrating. I did a lot with Google Apps on that domain, and migrating that stuff out to a consumer account is a painful process.

You can port your number out. I'm working on doing that myself. I think Google charges like $3 for some reason to do it, but whatever.

Same situation here. Have you done the research yet to decide on a new service, or are you planning on starting to pay?

For me ideally I would like to move to something else (even paid) just because someday Google deciding to block me for whatever reason scares me quite a bit after having everything for the last decade attached to this account. I would like to export my emails, switch my domain to the new service, and import everything - but I have no idea how realistic that will be yet.

I’ve been really happy with ProtonMail. I use their professional account with a catch-all email address on my domain, and I give each vendor I interact with their own dedicated email address (I.e. homedepot@mydomain.com, ticketmaster@mydomain.com, etc.)

It lets me track who is sharing my email address and gives me control over that (set up simple filter to automatically delete any email received at ticketmaster@mydomain.com when I start getting spam on it).

It’s been really effective - such a part of my day-to-day flow now I can’t go back.

The transition was pretty painless. I set up an email forward from gmail to my proton inbox using gmail@mydomain.com, every email I received at that address I’d go update my contact information with. After a bit, I was able to turn off the forwarding. Basically the classic strangulation pattern for microservice migrations applied to email.

That sounds pretty good. I do something similar but use POP and Thunderbird, which I'm looking to move away from. Does ProtonMail automatically set the From address when you start writing an email to a company you have a dedicated address for?

Having had my primary Gmail account blocked twice in the last two months, apparently through VPN usage, I became sufficiently terrified to decide to start to move all my email to my own domain.

I adopted Fastmail for my domain email, and it has been a good experience (I do know that Fastmail is a five-eyes company with all the related issues around privacy, and I researched alternatives for several weeks, but I guess in the end I was willing to trade privacy for ease-of-use, uptime and various other factors).

Now I am looking into getting away from other Cloud-provided backups such as Prime Photos, iCloud, etc., moving to self-hosted NAS storage.

The only alternative I found to Fastmail that was somewhat competitive in terms of tech & security features and not one of those countries was mailbox.org but their webmail is not Fastmail's and Germany isn't far behind those 5.

I've been working on this but my family is pretty hung up on Google Photos so we're migrating most things there trying to preserve as much as possible. We're doing Google One family. As much as Google has annoyed me with the change, the other options weren't any better (O365, iCloud+, random non-FAANG services)

I'm documenting everything here if you're interested:


I switched to Apple's (paid) iCloud+(?) and it was entirely smooth, even though it was still in beta at the time (or alpha: the signup notification I got still had editorial comments in it).

Zoho has a free tier that allows a domain.

whoa! thanks for the heads up :/

I usually do use emails only on my own domains, but in this specific instance I wanted an account that could not be easily traced to me (nothing illegal, just some investigative activity), and this was how I've found out how erratic and merciless our new Google AI overlords are.

https://purelymail.com/ is cheap and great, albeit still in beta.

I looked at Purelymail recently and it looked attractive for what it does and what it provides for a low price of $10 a year (compared to Fastmail and others, which can be quite expensive for more than one user/mailbox). But the fact that there’s just one person behind it makes me uncomfortable to consider it for any serious use. But that also probably works in favor of the low price.

And be careful not to have your domain recovery procedure tied to the same email account that you might need to recover.

The issue with running your own domain is that it could be blacklisted by google (and Facebook) if you get hacked, and then you're fucked big time. I encountered that because of an outdated Wordpress. Domain was blacklisted everywhere on the internet. Luckily I didn't have email set up on it.

> Domain was blacklisted everywhere on the internet.

Well this is horrifying. Of course, not much worse than Google unilaterally and permanently banning a Gmail account.

I guess one potential downside is if you mess up and forget to renew the domain on time and some jerk (automated system) buys it up and tries to resell it for a ridiculously high price. Happened to me even on my firstnamelastname.com domain.

Honestly I really like Gmail as a client, but I've read too many Google horror stories over the years. Therefore I've always had this setup: own domain & mailbox at a trusty provider, and then just forwarding copies to a gmail account + sending via smtp

that way I've got the comfort of gmails features but always have a "real" mailbox to fall back to if anything happens

The only problem is now you have to make sure you don't get your domain hijacked. This was the reason I went back to gmail (and outlook).

Or get a paid e-mail service where you can have support. I use Fastmail for this exact reason.

Won't work though, big email providers have made it a nightmare to run your own email.

And what email address did you use when you registered your domain?


Not FUD, putting your eggs in the Google basket "considered harmful" - unless you pay (Gmail for your domain). I had a similar lockout but on my paid account, got fixed in about 48h. It's happened to like 10 other folk I know over the last 2-3 years

I don't know if it's FUD, but it's true. It happened to a person I know, and in her case, the resolution was "ask around until a friend of a friend of a friend of a friend works at Google".

She literally had to ask her friend, who asked me, I asked one of my friends to ask one of his friends who works at Google to put in an internal ticket. It was thankfully resolved quickly (she lost access to all her work materials), but the process is insane.

Use your own domain with Fastmail. Yesterday.

Indeed, I only consider myself tangentially in the tech world, but I do have access to a private facebook group with many old co-workers and sometimes this sort of request will go out to current FB or Googlers. Inevitably some will complain that it's inappropriate and should go through official channels and others will point out that this back channel is often the only real resolution.

Google now have support, including phone and chat, via Google One (basically if you pay for extra storage for Gmail/GDrive/Photos/etc.).

Interesting, I wonder if you can somehow pay after you're locked out.

> It was thankfully resolved quickly (she lost access to all her work materials),

More than your own domain, BACKUPS.

This is exactly my experience too. My Google accounts just randomly decide to stop working from time to time, and if I no longer have the same phone number that I did before (or if I'm traveling overseas and cannot get a "confirmation call"), there is no way at all to get in. Usually after a mysterious and unexplained period of time, my account gets un-flagged again and I can log in as per normal.

The first time this happened I completely lost all access to my Google account. I transferred all of my important email correspondence over to a Microsoft account and I have never looked back. Unfortunately I still need to maintain another Google account for my phone (Android) to work properly, so there are times I still get bitten by it. It's absolutely infuriating when you get a new phone and specifically need to log in with your Google account to be able to do anything, that's exactly the time Google blocks you from being able to get into your account, because it's apparently detected the new phone and decided you're a hacker.

This also happens to me regularly with PayPal, almost always when I am traveling overseas, at exactly the moments that I really need PayPal to work so I can pay for something related to my travel. It's so annoying. Tech support never, ever solve the problem. All you can do is wait and try again later until magically it works. Sometimes weeks later.

The only thing I can say for certain is to never try to log into your account over open wifi or over a VPN connection, because somehow Google (and PayPal) seem to flag that as a hack attempt no matter how many times you correctly confirm your identity. And once you've been flagged once, your account gets caught in some kind of loop where even after you get back onto an apparently blessed IP address, you're still locked out for some unspecified period.

Having a VPN back to your home IP really helps with the overseas logins in my experience. If it doesn't work turn on the VPN and it sees you coming from a 'trusted' IP and you're set.

The fact that I've had to learn this through trial & error and spend time & money setting up a personal VPN host is crazy.

I just ran into this yesterday. Tried to log into Paypal and forgot my pwd. I tried to reset it using the "Forgot password?" link. I entered my email address, and the response was "Sorry, we couldn’t confirm it’s you".

They won't let me reset my password.

Yeah this sounds like utter bullshit to me. What if you're travelling, all your devices get stolen, and you're logging in from a public computer or friend's computer to contact your family?

This is mindblowingly idiotic. Do they have such a bad vacation policy for their employees that not a single ONE of their engineering managers has experienced the above? Do they just sit in front of their desks for 365 days a year and never leave their country borders?

It's definitely more complicated than that. I travel a lot, sometimes to places where borders are dotted lines, cities use a script I can't read, but every hill is "charlie-5" or some such... VPNs, public terminals, government networks on .mil.<country> domains, etc.

I have been quite impressed with the improvement they've made in the last year or so regarding these locks. It's probably a sudden change when you've been more predictable before that gets flagged.

Only trouble I sometimes run into is Google Search (or Books?) locking me out with increasingly difficult captchas if you keep running searches for 18 hours straight.

My guess is they get defrauded more often.

The scenario you present is a really obvious risk as phone thieves often compromise those devices.

No, I think it's a huge risk to be stuck somewhere these days without any means of contacting your family or getting emergency money sent to you. Especially if you're in a place that's politically unstable or where helping strangers isn't the norm.

One of these days someone will not be able to get their heart medications or a flight home because of this damn Gmail policy.

Not just Google, I'm regularly locked out of banks, state resources, and all kinds of other shit because of various combinations of bad decisions producing toxic login flows.

One of my personal favorites -- a bank automatically associated phone numbers you called them from to the account, and later they forced SMS 2FA onto the account regardless of any other security you had in place (and of course made the common mistake of allowing account takeovers with JUST that 2FA and a username). Those automatically registered numbers weren't exempted.

If they need only SMS for a takeover, it's 1fa, not 2fa.

I make a habit of

1. Forwarding everything to my free tier google apps for business on my domain

2. Annually logging into my throwaways. It seems if I log in to them once a year from home, they don't pull this.

3. Do NOT attempt to log in to my throwaways from a proxied connection (SSH/SOCKS on a VPS or something like that, which I frequently use at work)

> my free tier google apps for business on my domain

your habits are going to have to change soon...

Yeah... it's unfortunate.

Currently I may just pay the cost. Or move to a more privacy focused service like ProtonMail and at least give my money to a place I support.

Had the same thing happen to me, I know the password, have access to the recovery email but Google won't let me login. Spent months in a support thread with Google and eventually gave up. Still really bummed about it tbh

> Needless to say, I will never again use gmail for critically important things.

That's a hot take. If it was critically important, you'd have 2FA and a recovery phone number associated with it - which would have prevented you from getting stuck in a trust-fail situation to begin with.

Use whatever service you want, but your takeaway from this situation is a bit absurd.

Edit to add: I'm not saying Google's algorithm is perfect here, but relying on heuristic voodoo ("I use the same IP, so I should be fine") for "critically important things" instead of using well-established means of securing access to critically important things (e.g. 2FA, backup mobile number) is a bit insane.

I have 2FA and a recovery email on my Gmail account, yet I have run into this issue. If Google thinks something is suspicious, it will decline your 2FA codes and recovery attempts—it will just tell you that you entered the wrong code. Only after you finally get back in do you find an email in your inbox explaining that the correct code was entered, but Google blocked it because it was suspicious.

This happens to me from time to time, and the only way I can get back in is through Android. I keep an Android phone on hand at all times for this very reason.

Don’t blame the human for inadequate preparation; I assure you, no amount of preparation will save you from Google’s AI.

I think we need to quit calling it AI, and instead call it AS: Actual Stupidity

Agreed. The moment we allow AI to take the blame for irresponsible decisions made by the humans who designed and maintain said AI, is the moment we stop holding people accountable for real damage done.

Account lockouts are bad enough, but more serious things driven by AI are bound to reveal their fallibility. I sincerely hope tech workers have the integrity to take responsibility, judging by the current political climate and its participants' willingness to venture into thinking (surrounding the value of human life, among other things) that was considered taboo not long ago.

The moral and practical capacities of AI will reflect the limits of those designing them, at best.

Some time ago I used to run a userscript which replaced all occurrences of "Artificial Intelligence" and "AI" with "Artificial Idiocy". Added some charm to buzzword-heavy press releases :D.

Or “Artificial Incompetence”

This is an incredibly harsh and naive take. Authenticating logins at scale is an incredibly hard problem. There are tons of phishing campaigns and attackers seeking to get access to Google accounts all the time.

That they sometimes get it wrong sucks, but calling their attempts to do so "actual stupidity" is pretty rude.

Microsoft & Zoho Mail do the same, and when they do it, they also revoke all of your app-specific passwords for good measure, so SMTP is toast too.

> If Google thinks something is suspicious, it will decline your 2FA codes and recovery attempts—it will just tell you that you entered the wrong code.

Seriously! What! The! Hell!

I too have thought before that having 2FA (and linking a phone number, which I hate to do) would avoid tripping in such situations and that the systems would consider a different situation (like a different IP address/location, a different browser) as reliable enough with 2FA. But this irks me a lot.

I don’t really use Gmail much and have other paid alternatives, but I have some old stuff that may be mildly inconvenient if I were to lose them. Need to download the data and dump these accounts.

If you're entering a code, the 2FA method you're using is still susceptible to mitm-style phishing attacks, which is what this kind of location based check is securing against. You'd need a push notification or yubikey based 2fa check to get the same level of security.
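The difference between a typed code and an origin-bound check, as an added example that is not part of the original comment. The TOTP function follows RFC 6238; the origin-bound half is a simplified model in which an HMAC stands in for the security key's public-key signature, and the origins, keys and function names are constructed.

```python
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://accounts.example"            # constructed
LOOKALIKE_ORIGIN = "https://accounts-example.test"  # constructed


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret, code, unix_time, step=30, window=1):
    """Server-side check. Note the inputs: nothing says where the code was typed."""
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if t >= 0 and hmac.compare_digest(totp(secret, t, step, len(code)), code):
            return True
    return False


def sign_assertion(device_key, challenge, origin_seen_by_browser):
    """Model of a security key response: the browser, not the user, supplies
    the origin, and it is covered by the MAC (a signature in real WebAuthn)."""
    client_data = json.dumps(
        {"challenge": challenge, "origin": origin_seen_by_browser},
        sort_keys=True)
    sig = hmac.new(device_key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def verify_assertion(device_key, assertion, challenge, expected_origin):
    """Server-side check: valid MAC AND the origin the browser reported is ours."""
    expected = hmac.new(device_key, assertion["client_data"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False
    data = json.loads(assertion["client_data"])
    return data["challenge"] == challenge and data["origin"] == expected_origin


def login_outcome(origin_user_is_on, now=59):
    """What the real site accepts when the user authenticated on the given origin."""
    secret = b"12345678901234567890"       # RFC 6238 test secret
    device_key = b"constructed-device-key"
    challenge = "c0ffee"                   # random per login in practice
    code = totp(secret, now)               # user reads it and types it in
    assertion = sign_assertion(device_key, challenge, origin_user_is_on)
    return {
        "totp_accepted": verify_totp(secret, code, now),
        "assertion_accepted": verify_assertion(
            device_key, assertion, challenge, REAL_ORIGIN),
    }


if __name__ == "__main__":
    print("on real site:     ", login_outcome(REAL_ORIGIN))
    print("on lookalike site:", login_outcome(LOOKALIKE_ORIGIN))
```

The code verifies identically in both cases, which is why a server that accepts typed codes has to lean on side signals such as device and location, while the origin-bound response fails on its own when it was produced for another site.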

AIUI, they do send push notifications if you happen to have a mobile device that's logged in to the same account. Maybe they should do the same for the "suspicious login to an unused 'secondary' account" scenario? They're already sending "recovery" emails, so it wouldn't be that big of a change.

I have several YubiKeys linked to my account. It will decline those as well. It demands that I sign in from Android sometimes, seemingly for no reason.

That's especially weird. I've had Google decline TOTP/Google Authenticator and SMS one time when I was troubleshooting an OAuth issue, but declining U2F? Are you logging in from various different VPN servers daily, or just through the same few ISPs?

No VPNs, just my home network with an IP address that rarely changes. What seems to throw it off is when I log in from "conflicting" platforms, particularly iOS + Android. I also have multiple iPhones for work, and it very much dislikes that.

When it gets in this state, nothing will work besides going to g.co/sc on Android--it can't be any other platform, regardless of how long I've had the device--and approving the code request there. If I approve it from any other device, even with a YubiKey, it'll give me a code on g.co/sc, but I'll be told it's invalid and I'll get one of those emails telling me the code was correct but declined due to suspicious activity.

I appreciate the attention to security, but c'mon, it's a YubiKey, and I'm logging in from my usual residential location.

If we reason from good faith and consider that this is intentional and not a bug, have you considered that Google did not implement "blocking suspicious 2FA" just to mess with you?

That perhaps this deals with a very real threat? Google has no incentive to make it difficult for you to log in, it's the exact opposite.

The problem is not really that they do it, but that they don't adequately inform users about this risk and that they fail to offer proper support and alternatives when it gets triggered. If they offered proper support a whole lot of the user despair and anger would disappear.

I agree to some extent, but also consider that whoever designed this may not be as intelligent or as widely experienced in certain matters as is necessary for the real world.

I have no doubt it deals with a real threat. That doesn’t change the fact that I’m regularly unable to log into my Google account.

Usually it happens when I’m using multiple devices simultaneously—for example, Android and iOS. It’s understandable that Google considers that to be suspicious, but if Google isn’t going to learn on its own, there needs to be some way for me to confirm that nothing is amiss. It’ll ignore everything from TOTP codes to YubiKeys.

I have an opposite anecdote: I moved to iOS but kept my (4-year-old) Android device active, and now I basically hop between a few iOS devices (but just one iPhone) and a Pixel 2 regularly. The only account that appears to dislike that is my work Microsoft 365 account that demanded I reauth all devices a couple times.

Not saying it's not true (I believe you), just that it's not designed to be a suspicious case, at least.

It’s definitely a point that should be made. Typical TOTP tokens are weak MFA in takeover scenarios. Especially considering that people have a bad habit of syncing them between devices.

What a lot of the grumpy posters here probably aren’t mentioning is that many are probably doing high risk signal stuff like running through public VPNs. Google and Microsoft know a lot about what you are doing and what scammers do. They score risk accordingly.

With Google’s nonexistent customer service I’d be afraid of being locked out for any arbitrary reason and having no recourse no matter what recovery procedures I prepared for.

Contrast that to my bank where I can go to the branch, show ID, and get problems logging in resolved.

A plug from a very satisfied customer: I pay $5/month for Fastmail. I've emailed support before and reached a human within hours. They helped me with my problem, because it was their job and I'm paying them to do it.

Email is too important to rely on a free service which has a history of shutting people out, at any time, for any reason.

I prepay for the 3-year package and it comes out to $3/mo or something. I'm not going to stop using email, and Fastmail is fantastic so I'm not going to switch away, so it's worth prepaying.

Yep, Fastmail is great. Google cannot be trusted. With google you are the product, not the customer. The Fastmail service and features are better than gmail as well.

Still the problem with Fastmail is the same as with Google. Leaning on 3rd party service that you have no control of. There are so many things that could go wrong there, they can be hacked, go bankrupt, closed by authorities, insided. Everyone should have an appropriate personal disaster recovery plan that includes stuff like recovering from loss of service supplier.

This is a false equivalence.

Life on a crowded planet depends on third parties; choosing vendors well is a critical life skill.

Fastmail have a long-standing reputation for treating customers right; certainly not a reputation google shares.

Well, there's always a risk profile no matter what you do. But the risk profile with a company that's obsessed with AI and doesn't believe in having any customer support is much higher than one that you pay and has very good customer support.

Fastmail has been extremely responsive to any random minor issues that have cropped up for me or the several people I got to transition to their service over the last 7 years.

If you have your own domain it doesn't matter much. You can always move your domain to a better host.

Reasonably confident one of my support tickets even got answered by the CEO once. They're a shockingly human-focused company.

Yeah, likely - I've answered a few tickets here and there :)

That's really cool! I'm just now migrating my Gmail-led life (15 years) to Fastmail, and it has been great so far.

So happy to see this. I've started the transition of my 25-year-old .org domain from Gsuite legacy to you tonight :)

Just wanted to +1 this. I've been a happy customer of Fastmail since ~2013, never had a single issue, great service

> never had a single issue

Fastmail was blown offline by a couple of DDoS attacks recently. Both of them impacted my ability to access Fastmail, but I suppose you didn't happen to try to access your account during those attacks.

Fastmail is Australian. That is a nonstarter if you want any amount of privacy.


I'm a satisfied Fastmail paying user for years

Me 2

What do you do if Google buys Fastmail?

Switch to something else ASAP.

FYI, google has customer service if you're paying them. I pay $6 a month for gsuite. I've contacted customer service 3 times. Got them instantly.

I've read stories here on HN about non-existent Google customer support from people who worked at companies that were paying Google millions.

I live in a third world country on little island in the middle of the Pacific Ocean, yet have had Google respond within minutes every time I've had an issue (multiple times over the past decade). They have provided support both by phone and chat. I pay them 2 figures a month.

+1 on this. I’ve actually had them call me back proactively multiple times on a simple case too. Obviously it’s all anecdotal. But I have been happy with them (when paid)

They're supposed to have paid customer service for non-business users too if you pay for Google One, no idea how effective that is.

I was wondering that as well because I have Google One. When I go to the support page it claims 24/7 support for phone and chat in 2-3 minutes and e-mail support within 24 hours.

I have no idea what Google One is, but I get that level of support for the $12/month I pay them for Google Suite and have had great support experiences multiple times over the past decade.

If you have a Pixel, there's also chat + phone support in the help menu, though I'm not sure whether they handle account issues. (I used it a couple times because of, you guessed it, hardware issues)

"With Google’s nonexistent customer service..."

What's needed is enough of these cases to bring a class action against Google.

It's over a decade since I've used a Google account and I was similarly ignored even back then.

I have a few thousand dollars I earned with Adsense a bunch of years ago. They suspended my account and prevented me from getting the money. Every now and then I get a letter from some auditor that says I can claim the money. Just need to login to my google account. Needless to say google customer service hasn’t helped. Definitely need some class action suits to change their behavior, and I hate class action suits.

Exactly. But don't hold your breath waiting.

"With Google’s nonexistent customer service"

Quite. If you play the game then all is well but if you don't then you are given very short shrift and no recourse to a higher power or anything at all.

There is very little oversight. If you fall afoul of the "algorithm" or whatever bollocks is running the show, then you have to fall back on calling them out on the socials. Get enough traction on that and lo: "soz, lol, we failed here but your <whatevs> is important to us ... in this case ... etc ..."

I personally had a great experience with Google support when I once stupidly locked myself out of my account. The whole thing was resolved in about 3 days.

However, Google customer service is definitely erratic since loads of other people have had bad experiences. The best thing to do if you're using Gmail is to enable 2FA and back up the recovery codes offline and somewhere safe. This could probably get you into your account without needing to talk to support.

I have never heard of anyone anywhere ever being able to access Google support once they were locked out -- you need to be logged in to access what little tech support they offer.

Something can be critically important for a person to access on-demand and not be something they’re especially concerned about an attacker accessing. Two completely unrelated dimensions of access needs.

They are not mutually exclusive. An attacker accessing a service can hinder or even completely stop your ability to access that service (i.e. change your password).

Or do things that trigger the provider to force you to change your password.

See: Apple ID, where failed password attempts (by anyone) cause Apple to force users to change their known password.

Actually, I specifically declined setting up a recovery phone number because I accessed it from the location where receiving codes would be impossible on my phones. I always accessed it from the same IP using my own VPN server, entered the correct password, and still Google decided that they are 'not sure that it is not really me, try again later'. No thanks.

What about downloaded backup codes? Phone push approval? U2F key? Authenticator app? Can't imagine complaining about being shut out if you didn't have at least one or all of these set up. Google even nags you about setting these up.

Why can't you imagine that? This gatekeeping you're doing is rude and doesn't make sense. 2FA's very purpose is to increase shut outs when enabled.

It might be 2FA's very purpose, but I've found that a 2FA-less account is a lot more distrusting of logins. Some of my relatives don't have 2FA set up and they got more "verify it's really you" prompts compared to my personal MFA'd account.

Because Google is abusing the concept.

I do wonder how many people will be locked out of their lives when they change phone numbers. 2FA across the industry seems to have rolled out this critical dependency without drawing enough (IMHO) awareness.

The only way to avoid getting into a trust-fail situation with Google is to be completely signed into it at all times so they can monitor you 24/7.

You didn’t understand the story. It’s google that’s using heuristic voodoo for critical things.
