
Before saying anything else: I’m sorry OP. This is miserable to deal with and I know you’re probably very upset right now.

On the other hand- at every company I’ve worked at, this is why there are clear onboarding and offboarding policies. Yes- if you have someone on your developer account violating terms of service, they’ll shut down the account. No, it doesn’t matter that it wasn’t you personally.

To put this differently: if you had a bank account shared between your developers, and someone who left the company started using it for money laundering, the entire account would be shut down and you would not be getting that money back. In fact, you might even be investigated by authorities for money laundering since it ran through your account.

As someone who works in FinTech, we deal with tons of people just trying to steal / defraud others on a daily basis, and we’re required by governments across the world to be on the lookout for people doing “fraudy” things and terminate their accounts ASAP. If we just said “oh, it’s fine, you’re not in trouble because your (insert X relative here) was the bad person, not you,” then social engineering fraud would be rampant everywhere.

To me, the Google situation is identical to the bank situation. There’s not a good way to prove the bad account shouldn’t be associated with your Play store account. This is why you have to be diligent about who has access to these things.



> if you had a bank account shared between your developers, and someone who left the company started using it for money laundering, the entire account would be shut down and you would not be getting that money back. In fact, you might even be investigated by authorities for money laundering since it ran through your account.

I don't see how that analogy applies here. It would be more like if someone who had access to the shared bank account was using their own personal bank account for money laundering.

The developer wasn't breaking ToS on the company account, it was their own personal developer account. Quote from the reddit post:

> Our company used to have several employees with access to the business's Play Console, and one of them recently had done something wrong with "his own personal" Google Play Developer account.


Yes, but if you read closely, you'll find that OP never actually said that employee "H" was removed from their Google Play account. Instead, they say that "H [had] all permissions removed except on one game which we were still using H.'s consultation on - The app was unpublished later on". So H was still associated with the company's developer account as part of the unpublished game.


And so what? Did H violate any rules on that specific game?

If you have an employee doing stupid things on their own personal account on their own personal time, should your company’s Google Play developer account also be terminated?

This is one of the many reasons I personally stay as far as possible from anything to do with Google.

What’s next? Losing access to all our company’s emails and personal photos because some former employee’s twice-removed cousin decided to try their hands at phishing?

Sounds like a joke, but if even Google employees' families can permanently lose access to their Google account without any recourse[1], who’s safe?

[1]: https://news.ycombinator.com/item?id=24965432


Yes? That kind of makes sense if they are still working on something for the company right? Just because they have a side job as a fraud doesn’t make their day job any less legal.


Yes good point. A better analogy would be that an employee you had a few years ago who left the company, started using their personal account for money laundering a few years later, and the bank confiscated/closed the business account, plus their parent's account because dad co-signed on a minor bank account for the person 20 years ago.


My impression from the article is that they were still linked (directly) to the company’s developer account.

If that’s wrong, and they were removed, then you’re completely right and everything I said is very wrong.


This is a bad take - the person who violated ToS hadn't worked at the OP's company for 3 years!

In addition, it hardly seems relevant that a ToS violation from an employee's personal account should result in effectively destroying a business.

Something really has to change with how Google handles this kind of thing. At the very least they need to have a working appeals process handled by people.


That’s exactly my point though. If they hadn’t worked there in 3 years, why were they still associated with the developer account in the first place?

There’s a couple of ways (that are best practices for any company) to avoid this problem:

- Have separate Google accounts for work / personal use
- Remove old employees from the developer account when terminated
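The two practices in this comment only hold if someone periodically reconciles the developer console's grants against the HR roster, including the per-app grants that survive an account-level removal (the situation described earlier in the thread, where an offboarded developer kept permissions on one unpublished game). The following Python is an added illustration, not code from the thread or from Google; the roster, grants, scope names and dates are constructed for the example.

```python
"""Offboarding reconciliation check (added example, constructed data).

Compares the identities that hold developer-console permissions against an
HR roster and reports two classes of finding:
  1. grants held by someone who is terminated or unknown to HR
  2. grants issued to addresses outside the corporate domain
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Grant:
    email: str   # identity holding the permission
    scope: str   # "account" or "app:<package name>" (hypothetical scope labels)
    role: str    # e.g. "admin", "release-manager", "viewer"

@dataclass(frozen=True)
class Person:
    email: str
    terminated: Optional[date] = None  # None means still employed

# Constructed sample data: not from any real console or HR system.
CORPORATE_DOMAIN = "example.com"
TODAY = date(2022, 4, 1)

ROSTER: Dict[str, Person] = {
    "alice@example.com": Person("alice@example.com"),
    # "H" left roughly three years ago.
    "h@example.com": Person("h@example.com", terminated=date(2019, 6, 30)),
}

GRANTS: List[Grant] = [
    Grant("alice@example.com", "account", "admin"),
    # H lost account-level access at offboarding but kept one per-app grant
    # on a game that was later unpublished.
    Grant("h@example.com", "app:com.example.oldgame", "viewer"),
    # A personal address that was invited directly onto a project.
    Grant("bob@gmail.com", "app:com.example.newgame", "release-manager"),
]

def stale_grants(roster: Dict[str, Person], grants: List[Grant],
                 today: date) -> List[Tuple[Grant, str]]:
    """Return (grant, reason) for every grant HR cannot vouch for.

    Unknown addresses count as stale too: if nobody on the roster owns the
    identity, nobody is accountable for what it does.
    """
    findings: List[Tuple[Grant, str]] = []
    for g in grants:
        person = roster.get(g.email.lower())
        if person is None:
            findings.append((g, "not on roster"))
        elif person.terminated is not None and person.terminated <= today:
            findings.append((g, f"terminated {person.terminated.isoformat()}"))
    return findings

def non_corporate_grants(grants: List[Grant], domain: str) -> List[Grant]:
    """Return grants issued to an address outside the corporate domain."""
    suffix = "@" + domain.lower()
    return [g for g in grants if not g.email.lower().endswith(suffix)]

def audit(roster: Dict[str, Person], grants: List[Grant],
          domain: str, today: date) -> Dict[str, list]:
    """Run both checks and return the findings keyed by check name."""
    return {
        "stale": stale_grants(roster, grants, today),
        "non_corporate": non_corporate_grants(grants, domain),
    }

if __name__ == "__main__":
    result = audit(ROSTER, GRANTS, CORPORATE_DOMAIN, TODAY)
    for g, reason in result["stale"]:
        print(f"STALE   {g.email:22} {g.scope:28} {g.role:16} ({reason})")
    for g in result["non_corporate"]:
        print(f"EXTERNAL {g.email:22} {g.scope:28} {g.role:16}")
```

Run as a scheduled job, the stale list is the set of grants to revoke that day; the per-app scope is what catches the case where account-level access was removed but a project-level grant was forgotten.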


I think that's actually the issue. There was no current association with the company's account anymore.

Having separate Google accounts for work and personal use does not actually solve this, since Google has an algorithm to figure out if the accounts are used by the same person.[0][1]

[0] https://news.ycombinator.com/item?id=30855682

[1] https://news.ycombinator.com/item?id=30855659


OP never said that "there was no current association with the company's account". In fact, they say explicitly that there was an association, because H still had permissions on an (unpublished) game that was part of their Play Store account.


I may have misinterpreted the explanation given in the post. It sounded to me like a developer they'd employed violated the TOS on their personal Google dev account. Google then recognised a connection between the dev and another Google account belonging to a company and opted to suspend that as well.

To use your example, that would be like an employee getting their bank account frozen for something they'd done in their personal life, and then the company having their bank frozen too for depositing money into the employee's account.


I’d liken the latter to having a company credit card account. Regardless, in the bank case there’s a high chance adjacent / connected accounts would be frozen (at least for a time) because money laundering tends to happen in rings.

I see your point, though.


> I’d liken the latter to having a company credit card account.

No, having had a company credit card account 3 years ago. Unless I’m misunderstanding something, the employee had no more relationship to the company for some time.


But would each employee working at a company found to be money laundering have their personal accounts shut down?

Google goes out of their way to associate people's accounts and identities. Even if you have work and personal Google Accounts, you should assume that Google knows they're the same person. For example, Google wants you to log in to their YouTube app on Roku. If you choose not to but have it open at the same time someone opens YouTube on their phone, the two communicate and you'll get prompted to log in. Even if you choose not to log in, the two apps share information and cross-pollinate watch histories and suggestions.

Google also makes it difficult/costly to properly lock down their development tools. You can't for example lock down your developer console or cloud account to accounts with specific domains. You also can't take ownership of your domain outside of a Workplaces Subscription in the same way you can with Apple's ABM tool.

At the same time Google requires you to consolidate all of your company assets into one basket. You can't have different developer consoles so an employee or contractor working on Project X might have access to aspects of Project Y because the console permissions aren't granular enough. So there's no plausible deniability for Project Y when a Bad Actor working on Project X is identified.

You can't even insulate projects on Google's tools as there is a 1:1 relationship between their Play Console, Cloud Console, and a singular Cloud Project. So again absolutely no plausible deniability.

What you end up with is a situation where if a user does something Google doesn't like, Google decides how large of a net to cast over that user's network graph when bringing down the ban hammer.


The main difference is that with your bank, in case you get locked out, you can call them or even go to a physical office where they'll attend to you, and you, maybe, are able to fix this false positive case, even if from a detection point of view it is a justified one.

For Google, good luck if you get in contact with a person.


Maybe we work with different banks, but in my experience it’s more of a “1 strike you’re out” type of thing if they detect illegal activity and to me that feels like what happened here. I get what you’re saying though.

Fraud is hard. If you don’t crack down enough, you get in trouble with the government, many legitimate account users, and companies working with you. If you crack down too hard, you might mess up people’s lives who did nothing wrong. Even with an appeals process- it’s rare to get everything right. I think the reason we hear about it with big tech so much is because their userbase is so large, so even with a low false positive rate, you’ll see high numbers of people getting flagged.


Unless your bank account balance is at least $50,000, I doubt the bank will do anything about it besides have a manager tell you "I'm sorry there's nothing we can do" which is little better than an automated email.


That may very well depend on how regulated the banking industry is in your country.


You're right. In less regulated countries, they may be more lenient. But in countries with strong anti-fraud and anti-money-laundering regulations, banks often will take the most risk-averse course, which is to terminate accounts for very little reason and at the slightest hint of bad behavior.

I'm not against government regulation of these sorts of decisions, but to pretend that the regulations we currently have are consumer-focused in every aspect is just completely burying your head in the sand. Read https://bam.kalzumeus.com/archive/moving-money-international..., and especially the "Tiniest bit of personal opinion" section for a clearer explanation of the problems with the way banking regulation currently works.


In more regulated countries, the state limits what banks can do to their customers. In the EU that means a legal right to a basic bank account, among other things, so "terminating accounts for very little reason" is not going to happen.


The bank would give you your money and tell you to bank somewhere else, the government would consider confiscating the money

Major difference


> we’re required by governments across the world to be on the lookout for people doing “fraudy” things and terminate their accounts ASAP.

And that is the difference. Google is not the government and there is no legislation supporting them (except their probably murky and possibly illegal ToS - illegal because of lack of human oversight).


In this scenario you would have access to due process. There are very specific rules when banks make decisions about credit worthiness, and for the part involving authorities you’d have access to a well developed legal system where you have rights.


Credit worthiness, yes, though that’s typically at approval time and not later on.

Risk bans or bans for suspicious / illegal activity? Totally different story (see the stories of Stripe / PayPal / etc shutting down accounts). The government (at least in the US) will punish banks pretty hard if they don’t crack down on fraud hard, so banks tend to lean more towards over-enforcement.


Stripe and PayPal are not banks, last I saw. Which is exactly the reason they have to be so careful. They don’t have to adhere to the same rules as banks, but they don’t have the same protections either.


Indeed. Stripe and PayPal are tech companies that are part of the problem this post is discussing.


You have misunderstood the issue.

> if you had a bank account shared between your developers, and someone who left the company started using it for money laundering, the entire account would be shut down and you would not be getting that money back

This is more like giving someone a credit card associated with your business account, them leaving, and three years later your business account is closed because they committed a fraud using their personal bank account.



