342 comments

[ 2.6 ms ] story [ 255 ms ] thread
Alternative title: Today I realised why going all-in on Google's platform is maybe not a great business decision.

Also note: this isn't me personally.

The idea that one dude on his phone can torch your entire company with no apparent recourse is borderline insane. The fact that an issue with Google service x can cause you to lose access to Google services y and z is absolutely obscene.

I don't understand why anyone could possibly take this sort of risk with their company. As long as Google remains the irresponsible company that it is, they simply cannot be engaged with for any business purpose whatsoever.

It's possible, of course, this guy isn't actually what triggered the lockout, but it really wouldn't change the issue: That 150 Google accounts can get banned, including both personal and work accounts, and that Google can refuse to explain why.

The OP's bosses should be looking for a good law firm, because there's money in this case.

I work with G Suite and this story 100% did not happen.
Absolutely. The guy taking the blame on himself really is amazing to me. He has completely accepted the crazy automated rules google decided for their service, and thought he was the culprit.

Guys, just because something is anounced and written in an EULA , doesn't mean you're actually to blame. Sometimes rules are insane and created by people for really bad reasons (such as not wanting to spend a correct amount of money on customer support for your services, in order to be even more profitable).

These stories pop up on a regular basis. Someone from Google eventually reaches out and fixes it because of all the publicity. Meanwhile, the policy (which is insane, and compounded by the difficulty of reaching a human at Google support) never changes.
As long as people still sign up to put their data and their businesses futures in Google's hands, they have no reason to get better. Money is flowing in, and fixing their problems would cost them a lot of that money.
If this blows up enough I can believe it changes. Not because Google wants to, but because suddenly people getting fired realize that they can cause significant damage that way.. If this suddenly happens a few hundred times within a week, Google will have to act or will lose a lot of clients.
Standard practice when someone is fired is to remove all their access credentials during or before they're told they are being fired.
How do you un-verify a recovery email address from outwith the account to be recovered?
You disable the account, which means it isn't active and therefore any employee action won't affect the company.
G-suite accounts have very responsive tech support (phone and email). Either they're not using G-suite or they're clueless about their tech-support contacts.
Have to distinguish from G-Suite accounts. Google has customer support that is actually very good in my experience.

Kind of surprised people expect different for something that is free.

So on the last day at my shit job in the shit office, I should just go ahead and abuse the refund policy? Sounds crazy to me..
First, you need to make your company rely on 200 consumer Gmail accounts for their business. I mean, if you can get them to that level of idiocy, nothing really helps, right?
Do you know there is a thing called Gsuite for business? Let me change your sentence to "First you need to make your company rely on 200 nodes on AWS for their busineess". I am not sure who looks really stupid here?
Except they didn't use Gsuite and this would never happen if they did.
Uh, didn't they say they were paying for the service? Sounds like they are using Gsuite...
I don't see them saying that. If they were paying, they'd get support.
Said support is instantly worthless the moment you find yourself on the “you’re banned” wagon. That’s what this sounds like they’re stuck on.
I understood it as if they used GSuite as well. How would 200 independent Google accounts be shut down, if one of them violated the terms. That sounds like an even bigger problem then..
AWS shit down a business account for consumer policy violation? Example?
It is not about whether they have done it before. It is about whether that could, and they could.
(comment deleted)
this is core to the story...

If the company was using consumer accounts, then this is exactly the behaviour that is expected (very easy to create a bunch of accounts that are all associated with each other). Both the company leadership and IT team/vendor should hang their heads in shame.

If the company was a paying gsuite customer then this type of action towards a corporate customer seems odd but not unusual. The OP committed TOS violations but may have no awareness of what TOS violations other customers were committing (if you allow that sort of culture, you reap the rewards... etc).

I find it hard to believe it is the latter scenario because the admins of the account would have been notified multiple times before any adverse action was taken (there have been many stories of individuals / companies getting banned after ignoring emails to change behavior / actions that violate TOS).

Fun fact: The entire UK government relies on Google Suite internally.

Fuck knows how that works with PATRIOT.

It’s probably not hosted in the US, likely the UK. It could also be on the UK’s own servers.
I wonder how long a student who didn't finish his assignment does the same and locks an entire school out, including their Chromebooks. A lot of schools seem to be migrating to google services.
And people wonder why I don't want to use Google products... The fact that you might be locked of all your accounts for a random bullshit reason (with no support either) is completely insane. People reading this here on HN, please don't use Google products for any important matter or it might bite you back one day (basically only what you can afford to lose).
I still love GMail, the interface works better for me than for others. Just use your own domain (with a third party registrar) and you can just swap the front-end if Google decides to ban you.

Same with a small company, as long as you have control of your domains and regular backups of the emails, having a fail-over isn't that hard. In this case the real damage is personal accounts, the business accounts could probably be up within a few hours at another provider (plus some more hours until backups are restored).

That's a good advice, always have a backup plan for that (and custom domains + email backups are working great as a backup plan).
My personal recommendation is that your domain registrar, web host, and email service should all be different parties. Segregate your risk of losing control of all of these at once, it makes recovery drastically easier.

Bear in mind, if someone's all in with Google, they might have their domain controlled by Google Domains.

This I agree with. I even run my nameservers different to my registrar, meaning that if my registrar has technical issues I can still control the domain routing. If the nameserver company has issues, I can still change nameservers.
I strongly agree with this, but I'd go slightly further and say your domain registrar should be entirely independent of any other services.

At one point I had my domain registered through my ISP, which was run rather eccentrically by a gentleman I eventually had a dispute with. He then (probably illegally) disabled all my DNS records, leaving me without my main email account for a week at a particularly vulnerable point in my life. It was horrific.

Also a rookie mistake to avoid: the contact email address that you provide your email hosting shouldn’t be the domain hosted on that service. If there is a technical problem with a loss of access to emails and you need to contact them,... ask me how I found out!
Ok. How did you find out? :P
Not GP, but I'm guessing something happened with either email delivery or login, which broke either receiving support emails or being able to login to see any email.
This reminds me to download and remove all my emails from Google’s GMail servers. Does anyone know of a good automated solution to do this on a regular basis?
Maybe not what you want, but you could do this using a regular pop3 client and set it to delete copies from the server.
That was the standard de facto way of accessing mail before web interfaces ruined it all: a lot faster than using a browser and you get full access to all your mail for complex searches etc.

Any offline client will do; I use Claws Mail since ages where I migrated all my email also from past clients such as Eudora under Windows XP. http://www.claws-mail.org/

It's multiplatform, very fast and stable and can keep, index and search huge datasets of emails (mine is over 60K messages since mid 90s) in seconds. Backing up/exporting the email database needs only saving the Mail directory in the user's home; I've successfully moved mail directories between Linux and Windows installations of Claws Mail without a hitch. It made Outlook users drop their jaws when they realized how fast it is and they no longer needed to delete years of mails because the client became slow as molasses.

All you have to do is configure it to access Google servers like any other client then check the option to delete the mail on the server once it has been downloaded. IIRC this option is checked by default.

I therefore created a icloud and outlook account. Google allows you to forward all emails to anywhere. That way all three companies have to block you... Hope not
POP3? You can use the gmail pop3 server via your mail retriever program, and set it to not keep mail on the server (which is generally the default). All mail suite software (Thunderbird, Outlook, Evolution, etc.) and individual mail retrieval programs (e.g. mpop, fetchmail, getmail, etc) support it.
Agree entirely.

This should apply to all cloud services. If you use them for anything critical, total migration and DR should be part of your exit strategy for if anything like this happens. Everything you have in the cloud should be backed up in neutral formats off line on your property.

I’ve had a couple of run ins with google and personal accounts a few years back. Once my sign in was broken for two weeks. I couldn’t sign in with it showing a non descript error. I couldn’t find or get anyone to help. If this was anything business critical then it would have been pack up and go home.

Google apps support is notoriously crap as well. Been there, done that, left quickly.

Not that everyone can afford such things but a few companies I have worked for in the past have mirrored their entire cloud infrastructure across more than one provider (aws, google, azure, etc).

One was co-located at one data center that had connectivity issues and they had all traffic automatically rerouted to their development stack in the office which operated as production while their colo sorted out issues.

As a Google Apps/For work admin I also have experienced really hostile policies and support in the past. Its really shortsighted of Google because now they want companies to use their GCP platform which I find insane.
One thing that makes me always wonder is that Google can get away without proper Customer Service. Usually if that kind of thing happens and an employee refuses to disclose the details, you talk to their manager and so on, and if the company still refuses to restore the service, you get it to the court for illegal termination of the contract. I mean, you can't terminate the contract with another company without explaining why (and no, "you violated the terms but we can't tell you exactly what" is not an explanation.)
Except this story doesn't add up, because Google's customer service for even small companies on Google Apps is pretty good.
The story is it's Google Payments that triggered the shutdown. The friend of the writer would have been the Google Apps user.
Google Payments is ridiculous. They escheated my merchant money to Delaware government, but their supports referse to provide the merchantment ID to me so that I can't find back the merchantment from Delaware goverment. It is like threw my money into the ocean. They said Delaware government didn't give them the ID. Who know.
I'm guessing that the company isn't using G-Suite, but rather a bunch of gmail accounts set up as 'work' accounts. If they were on G-suite, they'd have a support line to call.
(comment deleted)
Having been a G Suite customer at a school district...their customer service is not great. It's fixable but I wouldn't rely on them. Please understand G Suite for schools is free. You get what you pay for.
I've been in the same boat (gsuite for education, for free) and have had top notch customer support on the couple of occasions something has gone wrong.
Suspect what is happening. G-Suite support is actually pretty good for a tech company.
I used them previously and I would say their support was OK .. I would never call it good.
We have platinum support for gcloud, it's terrible.
"We have the right to disable your account at anytime, for any reason and without notice" is pretty standard for anything cloud based. IME the business leaders in charge of decisions to move to cloud infrastructure are even less likely to read the terms of service than a general user is.
Suggested alternatives? Anyone ever had a similar / bad experience with Microsoft?
I've had nothing but horrible experiences with Microsoft. Frequent down times, high latency, surprise licensing fee increases, vendor lock-in, software that gets worse every year. I wouldn't wish Outlook or Skype on my worse enemy.

Also if you don't pay up, they might raid your office and take your computers.

https://torrentfreak.com/microsoft-sued-over-mafia-like-anti...

I always recommend fastmail. I’ve used them for decades with no issues. On the rare occasion they have an issue, they go all out to fix it quickly and keep the user community informed. I once asked them to trace a delivery problem through their server logs, which they did in less than an hour - they politely showed me where I screwed up! I can be logged in and making changes from multiple platforms simultaneously and everything works flawlessly. In addition, I think they are honest when they claim they don’t scan or sell my data.

Their web app is very good. (Previously, I was using Gnus.) I also use iOS Mail to access fastmail via IMAP, because the VIP “folder” feature is great for cherrypicking.

Reliance on google is dangerous for sure. A couple months ago my startup’s popular Chrome extension was unceremoniously yanked from the Chrome store. It took weeks to get the situation resolved, and even then it was only because I live in Silicon Valley and know people at Google who could ping the Chrome team until it was fixed. In the meantime, our most popular product was sidelined.

We have since ported to Firefox Quantum to be less reliant on Google.

https://medium.com/@BeeLineReader/google-yanked-my-chrome-ex...

> Reliance on google is dangerous for sure.

It is also unnecessary. While I understand the convenience, there are plenty of better solutions to use over Google, especially for a software company.

I’m curious to know how a company like mine [1] might offer the same value to users while avoiding google.

When we first launched (on HN, I should note), we checked the browsers that people used to come to our site. It was roughly 90/10 Chrome/Firefox. That’s why we built our first extension for Chrome (and later built for Firefox also). Don’t we have to meet our users where they are?

Would love to hear your ideas!

1: http://www.BeeLineReader.com/individual

> http://www.BeeLineReader.com/individual

Completely off topic but do you receive feedback from some users that your color gradients actually make it harder to read? I was struggling to read your landing page, my eyes kept were involuntarily flitting all over the page. My eyes kept jumping around scanning like they would at a traffic intersection or a pool (I was a lifeguard) for activity. It was kind of weird and stressful.

We do occasionally hear that. Did you try the more subtle color schemes, or just the default (which is the brightest)?
I didn't, I'll go back and give it a try. It seems like a really interesting idea.
> and know people at Google

That seems to be how a lot of these stories (and stories like these aren't really uncommon on reddit or HN) of getting locked out of Google stuff are resolved.

If you don't know someone, you're hosed. How many times have people without inside contacts or reddit/HN accounts gone through this? We'll never know.

This is exactly right. Amazon or Microsoft would never do this to you if you were using one of their services. And if, for some reason they had to, you could talk to them about it.

I really hope someone for Google is listening ... I WANT you guys to be successful so that we have more competition in the market. But honestly, you just keep shooting yourselves in the feet.

If you treat Consumers like crap, then you must expect Enterprise customers to be concerned that you are going to do the same thing to them.

It's not like this is an isolated story either ... Google dropping the ban hammer on someone is a recurring theme and it makes me question whether I should be looking at alternatives.

> Amazon or Microsoft would never do this to you if you were using one of their services. And if, for some reason they had to, you could talk to them about it.

Do you seriously believe this?

You understand people get locked out of the cloud accounts with Amazon and Microsoft all the time. And with Amazon and Microsoft they lose much more than access to their (free!) email account, they lose access to Kindle Books and Software Licenses that they've paid for with real money. That's a much bigger deal.

The moral of this story is that US citizens and businesses have zero recourse when they run afoul of web-based services. They have no real legal rights to their digital property. If the US had some kind of GDPR-like law that allowed customers an irrevocable right to their own data then this wouldn't be such a big deal. Indeed it might even spur some competition. But today you've got absolutely nothing. Today the onus is completely on each person to protect their own digital assets.

> Do you seriously believe this?

I know that even on a pretty small spend AWS had assigned us an account rep who would have moved heaven and earth if this had happened to us. I know Amazon retail has real humans in Ireland who will take my calls and take me seriously when I have problems.

I got an email recently from Google saying they were required to inform me they’d hired another gigantic Indian outsourcing company to do ... some kind of customer support work.

Google and Amazon use mostly the exact same outsourcing companies for their 1st and 2nd level support.
AWS support is not outsourced but knowledgable US people who can and do page anyone including the engineers for help. There is a reason the top level of support costs an extra 3-10% of spending.
If this is true AWS either demands more or pays them more because AWS high tier support vs GCloud "platinum" support is a joke.

I can usually get even a very hairy ticket resolved on AWS in a manner of hours, every gcloud ticket we open takes days. Sure the respond in 24 hours but it's usually just a response that says "We'll get back to you eventually". If google actually wants to compete in cloud services they need to step up their game.

There's a regional Amazon support hub (for South America) a few floors down from where I'm sitting. Microsoft has stellar support in this region (I even interviewed once). As far as I know, Google has no equivalent.

If I had to rate them, I'd say Microsoft has by far the best support, followed by Amazon, and Google's is (almost?) non-existent.

Greetings google user. Were sorry that you're having problems at this time. Please check into the forums and go get support from other sorry sods who also need help. Maybe if you can run enough brain cells together, you might be able to solve an issue.

-your favorite google tech support (NONE!)

I am guessing the giantic Indian outsourcing company is filled with AIs, they probably couldn't afford "real humans"
>who would have moved heaven and earth if this had happened to us

Baseless assumption.

>hired another gigantic Indian outsourcing company

How is this confidence inspiring?

> I know Amazon retail has real humans in Ireland who will take my calls and take me seriously when I have problems.

Curious how you know that?

I've seen it happen as well to friends who have had previously stellar AWS reps that fall off the face of the earth when the ban hammer falls.

His was for "too many returns" when there was a huge scammer ring buying the type of items he was selling and returning bricks in the boxes. Took many weeks to get resolved, and the ban of course shut down everything including his personal accounts, AWS accounts, etc.

Amazon, Google, etc. seem to have decent "happy path" support - but if you fall into either an outlier or stuck into a "bad actor" group you may as well effectively not exist if you can't get traction on social media from the few cases of this I've seen.

(comment deleted)
I should have been more specific - I was mainly thinking about AWS or Azure.
I believe for all of Microsoft's business services, you can submit a real ticket to real support people. Completely possible with my organization. It better be too, given that we pay them maybe $15,000/year for Office 365 licenses.
My experience is that this is true for my company's corporate Azure/Office365 type services and ALSO for my personal Office365 Home subscription.

I had an issue sending an email from my personal microsoft account and I submitted a case via the support tool and I had a response from a helpful representative within 12 hours.

Microsoft offers free phone support on free services. I had an issue with parental settings in Microsoft Accounts and Xbox Live. I was able to chat with a person online, receive call backs from 2 different people, spent hours on the phone, and a received a up email many months later from Microsoft notifying me that the issue had been resolved.

It wasn't a pleasant experience but I did get to talk to real people and they did eventually resolve the issue.

I'm curious - how are time-sensitive and potentially irreplaceable emails and documents upon which your company's existence or your job may depend, less important than a collection of software licenses that, while expensive, are re-purchasable and not going away anytime soon?
I absolutely do believe this, I have people from Microsoft reaching out to me constantly regarding our Azure account here. If there was abuse on it or something of that sort, I would not only get an email, I would get a phone call. We don't even spend that much. We don't pay for their upper tier support plans either. At my last job, Microsoft worked very actively to help the corporation (much larger than my current job) move over thousands of emails over to Office 365.
> Microsoft worked very actively to help the corporation (much larger than my current job) move over thousands of emails over to Office 365.

Of course they did. All smart businesses would. Do you think they would also help you to move your mails out of Office 365, to a competitor maybe? That'd be noteworthy.

Just a reminder that a guy was locked out of his Amazon services, plus $140,000 of cash and inventory from his shipping business, because he changed the name of the profile on his Kindle Fire to "baba". He was stuck in autoreply hell and wasn't able to get resolution until he made a huge stink on social media as is happening here.

https://www.reddit.com/r/amazon/comments/5gvgdl/using_a_amaz...

This makes me wonder if there should be laws enshrining corporate responsibility and perhaps a mandatory appeals process.
"But companies are people too, and they should be able to decide whom to do business with at a whim!"

Freedom of speech is meaningless, when you have no voice.

The same Amazon who have had publicity for shutting down your entire account, along with associated services, if you have the "wrong" profile of returns?

Sure I know some will abuse returns policies, just as some buy an outfit in the high street, go out, and return it after the weekend. With the amount of defective by design, counterfeit and plain iffy product in Amazon's co-mingled marketplace inventory I expect there's been false positives just by being unlucky in product choices.

What's a good gmail alternative?
lycos!

No, really. even though free accounts ending. Actually not even sure if you can sign up at the moment. Has basically 'just worked' for years though, hopefully they stay in business. :/

Doesn't look like there's anymore active signup :/
Zoho is excellent and fills almost all the gaps of GSuite.
Your own email account on a VPS or other web hosting? I've been doing this for my work email for years, moved my personal email over at the start of the year and so far it's worked perfectly. Thunderbird's support for long email threads isn't as good as Gmail's but that's about the only downside I've seen (and that's a downside of Thunderbird, not of the approach to email).
Exact same thing happened to our previous startup cohort. To top it off the dev already had a banned account before he joined the startup and had a "poisoned" banned play account. He logged in via google multi-login account to the startup and in a few days google banned the entire startup. The whole seed funding, adsense, docs everything gone up in smoke. Funny thing; only adwords was not banned and they kept siphoning off funds for non existential apps. The Founders found everything banned and didn't bother to check if adwords was also banned; and it wasn't. Sneaky google. Sneaky
How did you resolve it? Did anything happen to the employee?
If all he did was multi-login without otherwise doing anything inappropriate, and the company generally allows signing in to personal accounts, I hope nothing happened to him. That's no reason to discipline or fire someone, even if that was what triggered Google's algorithms.
Sounds like a nice way to sink a competitor.
It was a story like this years ago that prompted me to switch to FastMail. Have never looked back.
Question for those with a bit more knowledge in this area: How large does the company have to be so that you're excluded from those kind of enforcement actions? With most companies (e.g. Microsoft), large enterprise customers get very different terms and are excluded from all the usual "customer service". Is that the same with Google? Otherwise I couldn't imagine that this would make it into any large companies.
It is not about size. Google has horrible customer support.
I read recently that this is only the case if you don't pay for any of the products?
(you mean pay with money and not only with your data, I assume)
I don't like the notion of paying with your data. You pay with your attention (ad views) and your money (purchases off ads). Data helps making this more efficient but you don't pay Google at all. I also don't pay a TV station that shows me ads or a free newspaper.
And I don't like the notion of google offering free services, when they are a commercial company and not a charity.

And "helps making this more efficient" ... well, a tiny bit more. Knowledge is power. Google posesses a lot of knowledge.

But even "only the ads". There are worlds between showing someone random ads, or a highly tailored custom one, made out of all the online and much offline activity of that person.

And knowing allmost all about what a company is doing and controlling their communication is potential valuable in various ways as well.

Yeah, personally the few times I've talked to google (once for a gift card issues and once for some phone help they've both been easy to contact and helpful.) I've never really tried to reach Google for help with Gmail so no idea how hard that is. But if I was desperate I would contact Google via one of the other contact points and get a redirect to the correct, hopefully, that would work.
Nah its just stupid programming from Google. You will spook GMail if you try to access from different country. It will lock you out. Good luck trying to remember details about your decade old email account.

You thought knowing and maintaing strong password is enough to guarantee access. Well Google disagrees with you.

It is nothing stupid/spooky. Remember Google develops for mainstream. They are happy. Just enable 2FA all your issues will go away. Oh, try not to use shady VPNs.
But if you enable 2FA and lose, factory-reset (or shock, migrate away from) your Android device...

Getting access to anything is suddenly hell. I explicitly disabled 2FA after encountering this bullshit once. Won’t risk losing my account again.

It's a good thing that using a single factor doesn't put you at any increased risk of "losing my account again" as a result of it being easily stolen...
Ive never had issues with losing my Google-password nor having my long, complex password guessed over a more than 10 year period of having that account.

I’ve almost lost my Google account twice in less than a year due to Google’s terrible 2FA implementation.

I’ll take my chances thank you.

Damn and I downloaded a picture of the 2FA thing. Now you are spooking me about 2FA, maybe I should disable it on my googly accounts.
The trick with Google's 2FA is to keep a copy of the setup code and/or QR picture somewhere -- preferably printed and in your fire safe.

Personally I've also got it floating around one of my Linux devices with a small program I can run against it to display the codes, which came in handy when I switched phones and forgot to reload the GA app. (Yes, I know that this defeats some of the security of the second factor, with it supposedly being "something you have" that can't be easily reproduced).

> Just enable 2FA all your issues will go away.

If migrate to a different country and dont have access to your old number you will be in world of pain.

A company I work for does have personal support from Google. They get invited to private Google presentations for new products as well.

This company employs about 1000 people and is active in half of Europe, with somewhere around 20 million users of their software. (rough estimates here) The company switched from Google to Microsoft before, and back to Google.

Currently, they also use Google Cloud for hosting, including their proprietary APIs/services like their entity storage.

We even have all kinds of "Google"-branded goodies from these events :)

And this is why I have my own domain, specifically for my email address. It doesn't have a website or anything, just a single email address, for my personal use.

That way I have full control of my domain name, right up until the point where I forget to renew it, and a domain squatter takes it from me.

There really must be something better than either of these systems. Being at the whims of Google isn't good, but having your own domain name has its own set of problems.

This also highlights why companies need to ensure that their systems are platform agnostic. This is why I don't trust things like Slack for business critical applications. Once you're locked in, it's bloody hard to get out.

How do you know the OP wasn't using his own domain? It's pretty much standard fare for G Suite.
Think GSuite only works on your own domain. If you want gmail.com that's just regular Gmail.
I was meaning more for individuals, rather than businesses.

If your business is in G Suite, it is possible to migrate off as you do have your own domain name, just point your DNS records to your new server, and generate new mail accounts.

I was meaning more for personal use. I don't want my personal email address to be at the whim of Google, which it would be if I used an @gmail.com email address.

Obviously my email hosting is still at the whim of the host, who, like Google, can just cut my service if they want, but that's always a risk. I could host my email on DigitalOcean, but DO could cut my service. So I could host it on my home computer, but (ignoring spam filtering problems and uptime) my ISP could cut my service.

I also think am own domain and email is the better option and I cannot understand why a company of 100-150 employees would use google mail. Is it because of searching, sorting options or something else that is much better with gmail?
A company I worked for (about this size) did it because cloud and gdocs and supposedly cheaper than buying exchange and office licenses and paying someone to admin it.

As much as I dislike MS, that still seems better than having your data held hostage.

I find being an admin for office 365 is about the same work as being a GApps admin. The main difference is MS have more licence options.
If you manage to forget to renew a domain on GoDaddy, you have only yourself to blame. Even if you have auto renew on, they start nagging you about it months in advance. Downright annoying, but I am always acutely aware of when a domain is expiring any time in the next... Year or two.
I build a small personal email backup solution. This is exactly what I suggest the users to do. If you have a profession that has a lot to do with the internet, having an own domain is almost compulsory.

https://thehorcrux.com/about/

I've been doing that for years. Unfortunately, there's a fly in the ointment that seems to have been triggered by moving to a different virtual host on the same provider. AT&T has my new IP address on its own private RBL for some reason, even though a multi-RBL check at mail-abuse.org shows zero hits. SPF+DKIM apparently isn't good enough for them.

I have no problems sending mail to people on Comcast, Yahoo, GMail, or anywhere else - just AT&T domains.

I don't send out large volumes of email, nobody else is abusing my server, and attempts to resolve this go nowhere.

My web host leaves all IPs they own, including statics, on an RBL that lists and blocks dynamic IPs until you explicitly request they remove your IP from it. Essentially it ensures they don't have to worry about 99% of their IPs being used by spammers.
> That way I have full control of my domain name, right up until the point where I forget to renew it, and a domain squatter takes it from me.

This is why i renew my domain for nine (9) years at the time. Currently, my passport expires earlier than my main domain. Yup, I got my priorities straight.

Any particular reason why nine years instead of the 10 years dommain registrars allow?
My registrar allows 9-year renewals at most. I should check, as I renewed my main domain five years ago (four to go!).
having unrelated personal accounts locked because they're set as the recovery account for an account that was tangentially related to a ToS violation is absolutely unacceptable. there's no plausible reason for that other than to inconvenience as many people as possible.
I read that and got genuinely preoccupied.

I immediately started reviewing the recovery options of my corporate account and de-linked all my personal information (personal email address, personal phone number for two-factor authentication, etc). I prefer to have my corporate account hacked for not having 2FA enabled than to risk my personal Google account to be locked. I went ahead and created a non-personal account with another email provider for the recovery options and tomorrow morning I will request my employer for a corporate phone number to set-up 2FA.

Don't worry. even if you don't have any recovery emails set up, Google's anti-abuse systems still link accounts that it believes are related (same cookies, same Chrome SafeSearch / phone-home headers and IDs, etc).
This seems pretty outrageous. Do you have any source for this?
I had an interesting problem with my gmail account - I had a backup email address and my phone linked to it. Then I needed to reset my gmail password, but I no longer had access to my backup email (was at an organization I left).

So, even though I still had access to my phone and even though I was still logged in to the gmail account, and even though I had many archived emails, I could never log in to it again and had to abandon it. Automated recovery didn't work and of course they wouldn't say why.

Having a backup seems like a trap or catch-22 when it becomes the single point of failure.

Similar here, except the phone number ran out (prepaid numbers run out after 6 months unused here).

I tried everything, messaged friends at Google, nothing.

In the end the only solution that worked was waiting until a new person by random chance got allocated the same phone number, calling them, and getting them to send me my reset code they got via SMS.

What's funny about you mentioning this recovery strategy is that it is now a common scam/way to trick people into giving up their 2FA codes.
(comment deleted)
It's insane that a mere ToS violation (not even anything criminal or large scale) on a different Google product got not only his account banned, but all related accounts across all Google products banned also.

It makes me really worry about things I have done that are truly against their ToS. For example after Google Cloud Platform announced a $300 credit promo for new users, I made another gmail account just to try them out. I don't think what I did is unethical or even against the spirit of their promo so I didn't bother to hide the connection back to my real gmail. Will google use this to ban my real google account one day? Probably not, but before this story I naively believed the answer was definitely no.

They should offer it as a feature.
> It's insane . . .

Yes. So insane one suspects it may not be true.

> not even anything criminal or large scale

Yeah, engaging in corporate piracy, just a minor violation.

Wait, are we sure that this really happened? Seems very unlikely, and even the OP did not present any evidence. I would be really surprised if Google would be scanning emails, and using that to ban the gsuite account of the entire company.

A red flag for me is the claim that Google also blocked accounts that were set for recovery which seems almost close to impossible (or insane).

This is not the first case like this:

https://plus.google.com/+RichWarren/posts/QkKTxAbKGdq

Personal gmail (which is used in your example) != gsuite (which is used in company settings)
I think the post that you linked to describes a much simpler case: One Google account violated the policies and could land Google in bad water (privacy laws around children as well as COPPA), so they blocked access to that specific account. It can be argued that it is reasonable. It can also be argued that Google should put more engineering effort in collecting less information especially when account holder is minor.

However, blocking access of other co-workers as well as blocking access to personal accounts (which are simply set as recovery accounts, and could as well be accounts of spouses/partners) because of some other account holder's mistake is completely different. So, I would argue that the incident described in Reddit is indeed the first case.

"A red flag for me is the claim that Google also blocked accounts that were set for recovery which seems almost close to impossible (or insane)."

Why should that be impossible? They are clearly linked (you have to own to other account, to accept it beeing used as the recovery account of the first one).

And the intention of google is probably to fight scammers etc. - and I can imagine it disrupts them a bit, if all associated accounts get banned. So I can imagine that it is a real case ... of collateral damage

Edit: stating of how I see the situation from the perspective of google, does not mean I approve it, and neither collateral damage in general

Because the implication when you set up a recovery account is that it will only be used for recovering your account. It never says anything like "do you want to link these accounts". It is totally implied that you could use a friend's account for example and banning them for something you did is insane.
Yeah, it is a insane practice. I never declined that. But it is apparently also quite insane to rely so much on one company and especially when that company avoids human support.
> especially when that company avoids human support.

If I understand correctly, that's not true for paid gsuite customers.

Google is not scanning emails, he used his work google account to "abuse" the refund policy.
Of course Google scans emails for illegal content. See for example https://www.theguardian.com/technology/2014/aug/04/google-ch...
Afaik they can scan gmail users, but are not doing this for gsuite users.
I wouldn’t make that assumption. Any content aware service will flag that content.
Google's ToS state otherwise.

> Our automated systems analyse your content (including emails) to provide you with personally relevant product features, such as customised search results, tailored advertising and spam and malware detection. This analysis occurs as the content is sent, received and when it is stored.

https://policies.google.com/terms

That's the consumer Gmail tos. The gsuite tos is different.
All Gmail content is scanned. If you get spam filtered, it means your email is scanned. They certainly aren't going to opt their paying customers out of looking for child porn either. And I'm pretty sure their Smart Compose/Smart Reply features are also trained on everyone's mail, G Suite included.

The only thing Gmail has ever said they won't scan G Suite customers' email for is ads, and they don't do that with consumer email anymore either.

I'd really like to hear Google's side of this story, since the story as-written doesn't seem plausible.
Everybody wants to hear it, but Google can't tell it. One part of the fight with the bad guys is never to tell them how they got caught, so they never know how to protect themselves.
There's a difference between telling someone what they did wrong and telling them how they got caught.

The former should be a legal requirement. But I'm not sure what actually happened in this particular case. We don't even know if it concerns a G Suite account and what the company was or wasn't told about why they got banned.

Non-expert here, but I wonder if the obscurity actually points to an machine learning-based solution at Google's end.

Let's say that Google has developed a deep learning paradigm to identify -- and ban -- low-value users who violate their ToS. The low-value group would probably include all non-paying users, as well as small G Suite accounts. Let's also say that the paradigm was deployed as an automated solution, since it was 99% accurate during testing at picking out ToS violators, though the exact percentage doesn't really matter. I would imagine that the relevant Google execs did a cost-benefit analysis, and figured that the PR hit and revenue loss associated with a liberal and fully automated use of the banhammer against all supposed ToS violators -- including the 1% that were false positives -- was justified by the benefits to Google's bottom line.

Based on this possibility, it seems likely that Google employees would not _know_ why the banhammer fell in any particular instance -- nor would they care to know, since that would involve digging through the data to figure out which events triggered a positive hit in their machine learning implementation. It presumably wouldn't be worth Google's time and effort on behalf of users already classified as "low-value".

This might also explain why, as mentioned in another post, it took a few days for the banhammer to fall on a start-up, after a dev with a "poisoned" Google account joined the team. Presumably it took those few days worth of traffic and usage data for ToS-Hammer(tm) to figure that the dev had spawned new accounts elsewhere.

Again, I'm not an expert, so pardon any flaws in the relevant logic.

This seems realistic, if it's not like that today it may soon be. But I think this is exactly the sort of scenario that doesn't go together with all the claims of responsible use of AI powers.

Given the oligopolistic structure of the industry, throwing an unlucky minority under the bus without recourse just because it's statistically "rational" will not hold up.

I think Google knows that and there will be some sort of more systematic fix (compared to reddit posts and friends at Google).

Some AI algorithms can explain how they came to the conclusion they came to and why not have a paid support option as well.

Sure. Let's go ahead and turn the world into a Kafkaesque nightmare where you are prosecuted but has no right to know why. Justice system is perfect so if the man says you are guilty it's because you are. /S
> Sure. Let's go ahead and turn the world into a Kafkaesque nightmare where you are prosecuted but has no right to know why. Justice system is perfect so if the man says you are guilty it's because you are. /S

The great virtue of private industry over government is the ease with which you can opt out.

Have you tried to opt out of Google services, especially if you got in early on? It's not easy, let me tell you.
I completely agree, it's extremely hard. I can do without Google on my servers at all, and I'm happy about it. On my notebook, it's much harder. On a phone, it's almost impossible, if you have and Android phone. Google is bending over backwards to make you turn on more sensors and gather more data. I recently discovered it's enough to use the Gmail app once with a given e-mail address and it will happily turn on the location service (.i.e. phone tracking) for these accounts, even though you use a completely different account for your phone set up, including Google Play. They want to lay their hands on everything, it's so annoying.
Yes, changing to another cloud provider may be less annoying than moving to another country but for how long it will be the case?
Isn't Google a private company?
The fact that a private company can essentially execute you or your business from the Internet is exactly what's so terrifying.
How is that terrifying? I can access the web, use all the base protocols (email, etc) and store all my documents without having to rely upon Google. If I don't like/trust Google, I can easily migrate away. And, if enough people don't like it to make this "Kafka-esque nightmare" more than hyperbole, then the laws of private organizations will catch up and Google will either shape up or be no more.

This is almost the polar opposite of Kafka-esque.

> I can access the web, use all the base protocols (email, etc)

Well, sort-of, and still. If you use the web, you are constantly being tracked by Google as people mindlessly put GA code on all their websites. As for e-mail, it's more and more difficult to set up an e-mail server these days because of anti-spam measures, and Google/MS are dictating the terms here - but MS has a much more relaxed policy. Each time I set up a new mail server, I have to go through the same set of rituals, only to discover Google came up with another requirement and will not deliver my mail if I don't do it.

Only if you give them that power. The popular wisdom not to put all your eggs in one basket is still relevant.

You generally can't opt-out from your government, you definitely don't have to opt-in Google services.

You can opt-out from your government by moving to another country - you have more choice than you have on mobile where there is only Google or Apple... :-)
No, Google is a publicly traded company.
Yes, of course, but they're not part of government. They're a company...

These Kafka-esque arguments are way over the top when applied to a private, profit seeking organization.

So are you arguing that this behavior is acceptable from private companies but not from governments?

You can't argue both 1) companies are allowed to do anything they want and 2) they can grow unlimited monopolies.

If you do, sooner or later they will surpass national states in power and you have an even worst distopia.

>Their policy is to not share any information about what caused this and they will not reverse these actions.

There's their side of the story.

I don't remember of Google providing a PR response to any moderately controversial mistake they made.

They most likely don't have anyone to speak for the company except on bigger issues. Even their product forums are staffed with "community experts" who no one knows if they're Google, community or a 3rd party service and no one with enough authority and knowledge to properly manage things.

>"except on bigger issues"

Internet: You're accused of not caring about any but the very largest of corporate customers, nor individual customers, and damaging companies that use your products.

Google: We don't respond to such minor issues.

?

It's a massive issue IMO. They know what they're doing, they just don't want to be overt with it as that will damage their rep.

Hi jimrandomh

Alex here from G Suite Cloud Support at Google. We're limited on what we're able to share in public forums related to specific customer situations.

From a post higher up:

TL;DR: After extensive investigation, case review and working with a variety of internal teams, we’ve have not found any supporting evidence to corroborate these claims.

Greetings. This is Alex Diacre again from Google’s G Suite Support team with a followup. In order to protect the privacy of all our customers and users, it is our policy not to disclose information relating to specific customer accounts in public forums. But given the amount of attention this post received, I’d like to offer some insight on the results of our investigation on this matter:

-The original poster on Reddit (OP) did not identify him/herself or the customer account. We have made several attempts to reach out to the OP through PM, but have yet to receive a response. (If the OP or someone from his/her company is reading this, please get in touch with me).

- We have tried to identify the customer based on the information in the original post, including an extensive review of recent support cases, but have not found any cases resembling the description.

To note, Technical Support is available to G Suite customers 24/7 via chat, phone and email. We’re happy to work with the OP to investigate this matter further; until then, we have not found any supporting evidence to corroborate these claims. Technical Support can be accessed at https://gsuite.google.com/support/*

Things like these can happen with any service provider. The key difference is that no other company has so many popular services linked together. Using Google this way basically means putting all one's eggs in one basket. We all know it's an unwise thing to do. An yet, people do it every day, for convenience.

Personally, I set up separate Gmail accounts for their different services. First, I don't want them to profile me automatically (they do it through correlation anyway, but let's not make it too easy), and second, in situations like these, only some of the eggs are broken.

That's unlikely to work. You are still putting all your eggs in one basket. This seems to be a variation of the setup this company has/had.

Unless you are using different browser profiles or installations, and IP addresses for each account every single time you use them, it's very easy for Google to see that requests are coming from the same computer. If you were shut down, they would be able to do it as in the example, all accounts closed at once.

> different browser profiles or installations, and IP addresses for each account

People underestimate power of IP tracking. Use VPN. Plus, a must, have uBlock Origin in medium blocking mode (3p-scripts and 3p-frames blocked). Today EVERY website makes several google*.com API calls.

Well, it works somewhat. I keep my main email account separate from adwords, adsense, GA (although I now replaced it by Matomo, there is no reason whatsoever to use GA now), and Google Play. Ditto for their other services. I had a problem with one of the accounts a while ago - Google didn't "recognize the device" (this often happens as I have strict browser cleanup policies) and I lost access to the account because it was linked to a phone number I lost 10 years ago and forgot to change the number in the account settings. In this case, I lost access to just one account and I didn't care that much. If I used one account for everything I'd have gone mad.
The key difference is that Google's customer support sucks. I can't think of any other service where a client with 150 accounts can't get on the phone with a human being and get things sorted out pronto.
If they're a client (with a G-suite account) then they can definitely get on the phone to tech support (I've done that numerous times). If they have 150 personal gmail accounts for free then that's something different. You get what you pay for.
The moment your GSuite account is banned your access to premium GSuite support is also cut off.
SkyNet, you signed up voluntarily.

> and our boss is looking to migrate away from Google

only if it is not too late. 'Don't be evil' was removed from the code of conduct's preface in 2018.

I commented 2 days ago on other thread:

Your kids share their assignments to it, your company uses it for all comms, you use it for private messages, you tell it your secret desires via searches, it knows who you're with at any point of time with android location ... Google Home? My home? SkyNet must be destroyed now.

It's funny how GMaps is insisting to have me set a 'home and work' location as of lately.

Thanks but no thanks. Of course they already might have an idea, but seems it's not enough for it to be certain.

If it prompts you to set it, it means your browser is Already logged in in some tab (Auth cookie set). That is Bad idea.

Login only when necessary and Always use private browser windows and tabs, it kills all sorts of cookies/storages.

> only if it is not too late. 'Don't be evil' was removed from the code of conduct's preface in 2018.

That is technically true but leaves the wrong impression. The code of conduct got reworded, leaving "Don't be evil" in a single prominent mention at the very end.

"Removed" is only accurate for the preface; for the whole document, "deemphasized" is more correct (and that's only because many people don't read to the end where they'd now be left with "don't be evil" visible after doing so).

Did I left wrong impression ? Compare:

1) "Don't be evil." Googlers generally apply those words to how we serve our users. But "Don't be evil" is much more than that... The Google Code of Conduct is one of the ways we put "Don't be evil" into practice... - at the very beginning.

This whole section in now gone, as if never happened ... web.archive.org/web/20180121070136/abc.xyz/investor/other/google-code-of-conduct.html

2) "And remember… don't be evil, and if you see something that you think isn't right – speak up!" - at the end of lengthy document, After the Conclusion section. abc.xyz/investor/other/google-code-of-conduct.html

Your original comment is poor. Google deemphasized the "don't be evil" clause, but they did not remove it from the document.
But it is correct, they removed it from Preface, did they not?

It is not just 'deemphasised', the meaning has changed, It is now Not directly applied to Google:

"And remember… don't be evil, and if you see something that you think isn't right – speak up!" - it applies to reader of the doc.

And it got reduced from top 12 lines to 1 line at the end. Have you seen the original ?

No, you are wrong. The meaning nor target have not changed. The document is still Google's Code of Conduct and it is still prefaced with the admonishment that not following this could lead to termination.

The new Code of Conduct is prefaced with the paragraphs:

"The Google Code of Conduct is one of the ways we put Google’s values into practice. It’s built around the recognition that everything we do in connection with our work at Google will be, and should be, measured against the highest possible standards of ethical business conduct. We set the bar that high for practical as well as aspirational reasons: Our commitment to the highest standards helps us hire great people, build great products, and attract loyal users. Respect for our users, for the opportunity, and for each other are foundational to our success, and are something we need to support every day.

So please do read the Code and Google’s values, and follow both in spirit and letter, always bearing in mind that each of us has a personal responsibility to incorporate, and to encourage other Googlers to incorporate, the principles of the Code and values into our work. And if you have a question or ever think that one of your fellow Googlers or the company as a whole may be falling short of our commitment, don’t be silent. We want – and need – to hear from you."

The meaning is the same. One ugly, truly unwieldy paragraph was removed. The rest is significantly better as a result. And it applies to the exact same people as the original codes of conduct. Sorry bud, but you're wrong.

I got my google account banned several times.

Several years ago I had my account payment features banned with no explanation. That in turn basically banned me from most of Google services because I could not pay for them or use them because payments were banned. No adwords, adsense, no google cloud services, no buying android apps, nothing... With no explanation, no support, and I tried hard just to find out what I did wrong.

After that I come to terms that I have to leave my email that I used for like 10 years and make a new one. But, this time I first bought a domain name and then started paying for google apps. This way if they ban me for whatever reason I could at least take my email address to some other email provider. Anyhow, sometime later youtube enabled Adsense on videos for my country. I enabled it out of curiosity, just to see what is the process of doing and using it. I don`t have videos on my channel except one random from the gym that I uploaded 1-2 years ago. So, I just enabled adsense poked at that for 1 day and left it unused. Sometime after that I got an email that my adsense and adword account is banned for violating policy (not saying which one). No explanation why, nothing!!! I tried to get an explanation like REALLY hard, but could not. You are just stuck in an endless loop of robot answers, or not getting answers at all. They even have google forms for complaints which point me to some URL that I am banned from viewing, lol. And there is some other form that no one answers when you fill it and I filled it 10 times.

Long story short, I slowly started migrating from Google services. This is really maddening and scary that they can just cut you off from your data without explanation. I use Google Photos heavily and even a possibility that they could cut me off from my photos at any time is sickening. That is why I bought NAS which backups my Google Photos to physical drives in my apartment. Now I just need to find something comparable to Google Photos and leave that service for good...

Where to begin with this.. hmm..

First you:

"I have a friend who creates Android apps on the side. I do something similar to this, but instead my apps revolve around cloning .apk files and restoring them". Why not be clear and just admit you're pirating software off an App Store? Ok, not the smartest activity in the world BUT did you have to do it at work?

Then Google:

"We were all freaking out, our IT guys were trying to get a hold of Google but couldn't get in touch with anyone." - So yea, unless you're one of Google's 'poster' customers, good luck trying to get help when something goes wrong!

"Their policy is to not share any information about what caused this and they will not reverse these actions." - Yup, that's Google. Unless you're one of the customers on this list: https://gsuite.google.com/customers/ you are totally screwed when something goes wrong.

I introduce the world to the ToS-DoS Attack - only a matter of time before this now gets exploited:

- Hack into a companies GSuite account and create a new account.

- Use the new account to commit a range of ToS violations.

- Wait for Google to suspend the entire GSuite account.

I got the impression that step 1 isn't needed, it was more:

1. Create a google account and set your recovery email to the victims.

2. Use the new account to commit a range of ToS violations.

3. Wait for Google to suspend the entire GSuite account and every linked account.

For step 1 I don't think there is (or at least wasn't) any validation, I found out a family member had me as their recovery address when they changed passwords.

A "victim" would need to approve being used as a recovery account. (click link in mail etc.)
No. Ironically, this is opt-out, not opt-in.

That is, you (as recovery email holder) would need click the link ONLY if you want to unlink. The URL is in the footer of the email and it is easy to miss.

No. It is opt-in. You need to type the 6 digit code from recovery email id into your settings.
Having to actually type in a code sounds like a smart move on Google's part, to avoid spear-phishing and XSS attacks.
I just now added my personal email as a recovery to my work email to test this. It is opt-out.

> Subject: "Someone added you as their recovery email"

> Someone added <mypersonalemail>@gmail.com as their recovery email

> <myworkemail>@<myworkdomain>.com wants your email address to be their recovery email.

> If you don’t recognize this account, it’s likely your email address was added in error. You can remove your email address from that account. Disconnect email

The "Disconnect email" at the end is an opt-out link.

Wow. Well this just keeps getting better.

No wonder Google don't want to discuss their suspension practices - just another form of '(in)security through obscurity'.

If the hearsay is correct then this appears to be a hole the size of a galaxy!

They recently started to notify the other email, they wouldn't stop emailing me to verify on my new recovery email after I added it in.
" So yea, unless you're one of Google's 'poster' customers, good luck trying to get help when something goes wrong!"

This is just plain wrong. I contact Google for tiny, insignificant clients on a routine basis. This claim has no basis in reality if you're using paid G Suite.

I am involved with paid GSuite at 3 organisations (one of which is a big fish customer) and I can tell you the difference in experience is night and day.
You might be right, however I've never had trouble making contact, or having my issue resolved even for small fish.
Any incidents where Google terminated the paid account? No longer a paying customer at that point.
This is when I really wish Amazon had a free email service to compete. Their customer service always rocks!
When mission critical parts, tools, or infrastructure is moved to "the cloud" (aka computers owned by someone else that you do not control) - often replacing in-house tools with a SaaSS[1] - a second source[2] is rarely discussed as a requirement. The "cloud" doesn't magically solve path dependency.

[1] https://www.gnu.org/philosophy/who-does-that-server-really-s...

[2] https://en.wikipedia.org/wiki/Second_source

edit: my father once mentioned that when he was working at Honneywell in Minneapolis (making home automation in the 80s), some of the engineers frequented a local bar called literally "The Second Source". "Sorry boss, I'm busy this afternoon - I have a meeting at the second source!"

Not the point of this post, but man... the new Reddit design is so bad.

It's like someone new to HTML tried to re-create a Facebook page using a scan of a screenshot, and just changed it enough to try and say it wasn't a total knock off.

In greasemonkey or tampermonkey:

  if (window.location.host.indexOf('old') === -1) {

   window.location.host = window.location.host.replace('www', 'old');

  }
But what is account association? Do my accounts associate when I log into one and then into another via google’s log in form (the one with stupid login/password separation)? Or did they connect all the accounts by hand via something like backup email?

What if my buddy logs into gmail on my laptop, logs out, and then one of us violates ToS?

Similar thing happened to me. Google randomly disabled my account for no reason. There was absolutely no way to contact them. From that day onward, I do not trust Google or anyone to keep my data.

At least, I got a small product out of the experience: https://thehorcrux.com/why-i-built-horcrux-app/

> As a joke, every time my friend releases an app (usually paid), I buy the app and clone it with my software, and then refund it. After that, I send him an e-mail with the cloned version through Gmail with something along the lines of: "Look at this cool app I found on the store, it was completely free! Try it out!", or stupid shit like that. It was a bit of a stupid inside joke that kind of stuck for a while and was only between us.

This sounds so strange, and surely it wouldn't get you banned. Why would someone keep doing the same joke.

Why not? You never had a family member or a friend who never lets you live down some silly thing that happened at a Christmas party?
Stories like these document how immature Google is for the B2B market.

No sane company can risk being obliterated by Google's bully ToS and ignorant support.

Just call customer service ...
Time to

1) grab/download the entire mailbox from Gmail 2) delete the mailbox at Gmail 3) export all gdrive data, use the export function 4) delete the gdrive data

5) register with fastmail, yandex or protonmail 6) start mailpile on your raspberry pi or similar 7) use mailpile as frontend for yandex/protonmail/other-imap account.

8) nextcloud as good enough but shitty replacement for gdrive

Self-hosted ftw.

yesterday was too late to make backups...
I'm still surprised there's no better alternatives to Nextcloud out there yet.
There are. I use Sandstorm.io and Cloudron is also out there. They're modern containerized platforms you can run any number of other open source web apps on.
But how is that an alternative to Nextcloud? An example for that would be Seafile.
In Sandstorm.io's case, I use an app called Davros to store files (which is even compatible with some ownCloud sync clients, actually), and Cloudron.io has a few other options you can use to work with your files, including, actually just hosting Nextcloud or ownCloud on it.

Where these sorts of platforms really excel is in the realm of other features, which Nextcloud tacks onto the existing platform, but a larger app platform can allow you to use a variety of alternatives which are more tailor-made to other specific types of web apps.

>including, actually just hosting Nextcloud or ownCloud on it.

But that's not an alternative anymore, just the same.

Not really the same either, just inclusive. The rest of the ecosystem could potentially have more features altogether.
I am surprised as you. Perhaps people who get started working on it quickly end up working on distributed file systems in general, and disappear in that hole.
Nextcloud could be better in some areas, but I don't see how it's bad. I'm very happy with it for personal cloud storage I can trust.
Not up to date on Google Play developer terms but doesn't a customer requesting a refund makes the developer still liable for Google fees ? If so that's a very shitty thing to do to your friend.