268 comments

[ 0.26 ms ] story [ 299 ms ] thread
Google says you can request a review if you believe something should not have been flagged as a ToS violation but no mention is given to any rights you have. To me this reads as "You can request whatever you want but it might not mean anything in reality.": https://support.google.com/docs/answer/2463328

Conversely, the information for how to report what you perceive as a ToS violation is far more complete: https://support.google.com/docs/answer/2463296

The "but you can request a review!" handwaving all these massive tech platforms use to assuage concerns about heavy-handed (and coldly automated) policy application is really long overdue for serious consumer protection regulation.
I like to imagine the AI spits out a line like this:

> Should we ban this user? YES

Then you request a review, and the support person double-checks that the output really does say "YES" and not "NO". Then they tell you they reviewed their decision.

I used to work at a big co on system like this. The appeal button sent your job for another review. Obviously it doesn’t cost anything to click a button so almost everyone did it. Appeal jobs were split into tiers based on customer size and higher tiers were worked first. Big enough customers got the white glove treatment from their account manager. Small customers could linger for months in the queue, but could usually get the decision reversed if they tried hard enough
Still waiting for my request about my adsense ban for violating not a single ToS to be processed. 15 years. And I'd like my money back, plus interest as well.
Considering their history with falsely-flagged videos on YouTube, I assume this to be "you can ask for a review but we're not gonna do anything about it lol".
(comment deleted)
Not just YouTube, even play store developers who get their apps removed arbitrarily are left with talking to a robot instead of a human unless they can create enough social media storm to get some media attention and then google might finally review it.
Request a review from Google? Real human intervention? That's cute... but we know how this actually goes with them.
Google doesn't exactly have a great reputation for customer support.
(comment deleted)
Next is email, including ML attachment policing
If you're not using your own backup solution on your own hardware, located on your own property, you're failing IT 101.

Any cloud service can change their Terms of Service without notice, and those changes are almost always detrimental to customers.

Seriously, move your saved data in-house. Cloud drives are for ignorant consumers.

If you're using your own hardware on your own property you're probably failing resiliency 101.
If you use anything on a commercial basis with Google, go to small claims court without hesitation, and pull the answer from them rather than keep paying them to lawyertroll you on your own money.

Depending on your jurisdiction, small claim courts can actually shut down the binding arbitration clause.

In Canada, Google had a long history of losing by defaults in small claims

> If you use anything on a commercial basis with Google, go to small claims court without hesitation, and pull the answer from them rather than keep paying them to lawyertroll you on your own money.

And be blacklisted from using Google products and services.

Yeah... We should probably have an anti-retaliation law for cloud services like we do for landlords and employers.
Note that you can still access your files, they are not blocking that or restricting that. Its the sharing that's blocked.
Yeah, to me this makes this kind of a non-issue. Because I always assumed that any cloud provider like this would be capable and willing to block sharing of files based on their policies.
But seriously how long is it before Google implements a hashing algorithm (not too dissimilar from Apple's) to check if a user has not uploaded content with a copyright on it and taking some form of action on the user.

This feels like a slippery slope to be on.

What if you actually own the copyrighted content or have permission to have it?
Of course, that is an edge case which Google would need to figure out and perhaps, one of the many reasons they haven't done it.
Sadly I expect that Google will "handle" those edge cases the same way they handle similar issues on Youtube: have a lot of false positives and tell users to pound sand, except for cases where the outrage goes viral.
> that is an edge case which Google would need to figure out

How do you figure out legality of having a document from the document? Unless it's child porn, where it's implicit, this simply isn't computable.

Maintaining a hash of say music files that are owned by large record label companies or a conglomerate like VeVo, match every audio file uploaded with the hash and if it matches, flag it, get it reviewed and if it matches, delete it?
That does not answer legality.
However, VeVo can say that no one can keep MP3 records if it isn't hosted on iTunes, YouTube Music or Spotify etc
In my country that would be almost certainly illegal. Not even copyright holders can tell you what you can do with your personal copies of copyrighted works, short of distributing them to someone else. By law they're explicitly prevented from doing that.
The cloud is "someone else".
Not necessarily for the purpose of our copyright act. Neither is your personal bank deposit box if you put a book in it. You're not transferring ownership of your belongings to the bank if you put something in it.
Assuming for video content they use their existing YouTube Content ID library, they can exclude/allow their Google accounts to have that content, or host it under the same user as their YT channel.
Is it an edge case? Thanks to copyright's assault on the public domain, almost everything is copyrighted. Is making a backup of your movies, music, and e-books unusual?
What assault on public domain?
Copyright is supposed to be temporary. Instead terms have been extended to essentially infinite durations. The copyright industry has robbed us of our public domain rights.
Well they still haven't figured it out with YouTube.
Still might not have the license to agree to the necessary terms to upload it to a third party cloud storage
This is an issue that none of the cloud providers have solved. I had 250,000 CD rips from various record labels at one point. I had full authorization from them, but it looks like I'm a massive pirate.
It should look like you're a massive pirate -- if you have hundreds of people downloading those CD rips from your Gdrive. If you're the only one accessing your own files, it shouldn't matter how many rips you have. Don't know how it works in practice.
To clarify, this was not a shared folder.
You are assuming they do not already do this.
Considering I have many pictures I took from the latest Spider-Man movie (for my own collection), if they had to do something about it from a legal perspective, they would have done it already.
it's way too easy to get around that. also, having copyrighted content is not illegal. it is legal to make backup copies of something. google has no way of knowing what kind of external agreements a user may have made regarding sharing. they might ban it anyway, but that makes other services who don't ban legal activity attractive.

Those interested in google's slippery-slopes should look into "keyword warrants" [1] and "geofence" warrants [2]

[1] https://www.cnet.com/tech/services-and-software/google-is-gi...

[2] https://nlsblog.org/2021/01/08/google-data-and-geofence-warr...

Apple's CSAM would scan your offline photos.

Google scanning photos you upload to their cloud seems fine to me. Not a slippery slope.

Very much a slippery slope.

Their cloud doesn't mean its their content. If said content is public, I mostly agree, but not if its private.

When I hire a storage box and put stuff in it, I don't own the storage box. Yet still it cannot be searched by anyone, not the company nor the authorities, unless there is a credible criminal suspicion.

I guess the question is, if someone emails you an archive of jpg files to share on your public website, will you? Without looking at them?

I think that would be crazy. When they end up being CSAM or whatever, you're the one that will go to prison for possessing them, not the person that sent them to you.

So, after Google/YouTube have been aided in growth by the safe harbor clause, they now think that site owner responsibility is not such a bad thing after all?

Sounds more to me that they are pulling up the ladder to impede competitors.

I belive this is a really good take on the matter, and somehow you are the first person I see bringing it up.
The EFF has raised this issue repeatedly (that stringent requirements on content filtering will be an advantage to the large players who can afford to do it).
It's very likely you only start getting 'requests' from 3-letter agencies asking you to scan content once you reach some large mass of hosted content, especially since the technology for even doing so is locked up, with NCMEC and Microsoft being the arbitrators for who gets to use it: https://www.microsoft.com/en-us/PhotoDNA/CloudService
That's why I made the distinction between public hosting and a private album.

For public files, I fully agree with you. For private ones, not at all.

The storage owner can have a terms of service - i.e. you can't store flammable material/liquids. They also probably reserve the right to enter your unit to perform repairs.
Right, and to keep this analogy consistent, do storage owners routinely open all storage units, then open up all your boxes and search through them to check for flammables?
No, but that's primarily due to a lack of interest/manpower. They (probably) reserve the right to ensure that you aren't doing things that are against their TOS. There's (probably) no right to privacy.
They don't give out free storage. If you aren't paying with money you're paying with something else and you have no expectation of privacy when you agree to terms that say as such.
> "Apple's CSAM would scan your offline photos."

No it wouldn't. It would only scan photos you upload to their cloud.

"This feature only impacts users who have chosen to use iCloud Photos to store their photos. It does not impact users who have not chosen to use iCloud Photos. There is no impact to any other on-device data."

and

"Does this mean Apple is going to scan all the photos stored on my iPhone? No. By design, this feature only applies to photos that the user chooses to upload to iCloud Photos, and even then Apple only learns about accounts that are storing collections of known CSAM images, and only the images that match to known CSAM. The system does not work for users who have iCloud Photos disabled. This feature does not work on your private iPhone photo library on the device."

- https://www.apple.com/child-safety/pdf/CSAM_Detection_Techni...

You're right - I misremembered. Kinda wish HN would let me edit.
You are spreading misinformation. I don’t know if on purpose or ignorance.

https://www.cbsnews.com/news/child-sexual-abuse-scans-apple-...

They were very much planning to scan all photos on the device independent of iCloud. It was going to be another phase of the rollout. It was going to be in iOS 15.x and they backpedaled.

I think that's just imprecision on the part of noted tech news outlet CBS.

Apple clearly documented that this was only for iCloud uploaded photos, and indeed the technical description makes clear that this is only designed to work with uploaded photos: https://www.apple.com/child-safety/pdf/CSAM_Detection_Techni....

Apple clearly said they scan the photos on your phone not in your cloud account. They say it is designed to work with iCloud photos and they are processed / scanned on your photo before they are uploaded to the cloud.

Not sure why they would need to do that. It does open up your phone for scanning and uses beyond what they initially layout.

Yeah, I think this is what freaked everyone out, but it's pretty clear the intention of on-device scanning was that it would work even if they had client-side encryption of photos before upload .

The whole point of the protocol (as described in the Apple whitepaper) is to allow clients to attest to perceptual hash matches without the server having access to the plaintext.

So, the irony of all of this is that the Apple design is effectively more private than the status quo, but everyone freaks out about it.

I think the ostensible goal was privacy preservation for photos whose perceptual hashes don’t match (i.e. most photos), which would never need to be uploaded without end to end encryption. But I agree it puts them within striking distance of scanning fully offline photos, even if the initial implementation doesn’t.
I am spreading information from the people who designed and built it on purpose to counteract the clickbait sky-is-falling misinformation.
If they implement it, Apple's CSAM would scan your photos as they are being uploaded. Not really “offline”.
>Apple's CSAM would scan your offline photos.

Apple's plan was to to scan photos that you uploaded to iCloud, only. Even that plan was canceled.

Google, however, still does scan everything in your account and has been doing so for the past decade.

For instance, this article from 2014:

>a man [was] arrested on child pornography charges, after Google tipped off authorities about illegal images found in the Houston suspect's Gmail account

https://techcrunch.com/2014/08/06/why-the-gmail-scan-that-le...

As does Dropbox, Aol, Yahoo, Microsoft, Facebook, etc, etc.

Whether this is good or bad is a topic for fair debate, I think, but it continues to astound me both how little people are aware of this and that, in comparison, Apple's relatively privacy-preserving approach generated so much flak.

Apple iCloud is in that list.

And you still need to scan local photos on the phone?

It's better for a customer to scan images locally, on the phone, prior to upload. By doing this, the device can then encrypt images and store them in the cloud service. In this way the cloud service can be "CSAM sharing free" but never needs the symmetric keys to decrypt private images, period, for any reason.

The only thing this adds to the threat model is mistrust for false positives in scanning engine - but in even the worst case scenario here (forged false positives), you're still ahead of the Google model, where the same forged false positives would be extremely likely to result in a full account review rather than review of specific images. Everything about "the device looking at your photos" is tinfoil hat, because the device is already looking at your photos, they're decrypted in RAM! All of the threat scenarios about "Apple adds a secret government backdoor that downloads your photos and sends them to the FBI" are already equally possible today!

> Apple's plan was to to scan photos that you uploaded to iCloud, only. Even that plan was canceled.

The massive difference being that they would scan photos on my device. Not on the cloud. On my local device. How is that people consider that better?

The important bit is that Google does not currently have any capability to scan stuff on my phone. This is good. It's my stuff. They have no right to look at my stuff.

Apple proposed to implement tech that could scan stuff on my device, with a promise that they'll only do it when I am uploading stuff. Wait a few years, and some pressure from Authorotarian Government/Corporate Overlords and now the promise is just a promise that they can be easily removed and we can scan all stuff to make sure you're not stealing "content"/spreading "propoganda".

Again, nothing except photos you uploaded to iCloud was to be scanned.

Apple's plan was to have your device conduct the scan and encrypt the scan results so not even they could see them until a threshold of ~30 image matches was reached.

This protects the user from false positives.

Once the 30 image threshold was crossed, the plan was to have a human review before turning someone into the authorities.

I think we all know that Google is not ever going to hire expensive human beings to supervise it's algorithms, so a single false positive would likely see you turned in for kiddie porn.

> nothing except photos you uploaded to iCloud was to be scanned.

My point is that the difference between the approach from Google and Apple is that in one case (Google), we have a tech level blockage, it's not currently possible for Google to even do that.

On the other hand (Apple), the "blockage" is policy or "promise". That's far less reliable than the tech just not existing.

> the difference between the approach from Google and Apple is that in one case (Google), we have a tech level blockage

There is nothing stopping Google from inserting code to scan everything on your device. They can stick it into the binary blob of closed source Play Store code, and you would have no way of knowing it is there.

Google still does scan everything in your online account and has been doing so for the last decade.

Apple has backed down from even doing that for iCloud Photos.

But the default is to upload. On my phone, I had upload off, and then it got turned on again (not by me). The same thing happened with Google Assistant. I had it off, but then it mysteriously tried to start assisting me again.
They already do the kind of scanning Apple was going to do. Only with far less privacy.
Google already scans for CSAM on stuff uploaded to drive. The idea that they'd start using it for copyrighted material is a spurious claim considering they've made no indication of doing so in the past.
Yeah, all cloud provides do, this isn't new. The only reason Apple's version was controversial is that they did it on your own device instead of their own server, but scanning files on cloud services is common practice.
Aren't you forgetting that Google already practices this with YouTube? The idea they'd apply it to Google Drive doesn't seem particularly spurious to me. It might end up not being true, but what exactly is farfetched about this?
They have been doing this since forever. Years ago if you tried to upload obviously pirated movie mp4s (like the most popular torrent for a given major release) it would error out.
And they’ve been blocking files exceeding a download quota (common for publicly shared pirated video content) for ages. Basically the quota is zero for certain files now.
I don't quite grasp the panic about this: my impression is Google currently restricts ToS violations from sharing (your own access is retained).

The only change here is end-users will be explicitly notified (and can theoretically contest the decision).

The panic is people's fear of the Iron Heel[1]. For most of us, the systems we depend on are controlled by other people. In this chaotic political climate, when these systems start closing in on us, or restricting us in new ways, there's no way of knowing where the tightening will end. Some are incredibly insulated and have no worries about the kind of world we're living in, but others are constantly on edge and feel that we're sleepwalking into a dystopian nightmare. That's what this "panic" is about.

[1]: https://www.gutenberg.org/files/1164/1164-h/1164-h.htm

The only basis we have for panic here is that reading skills and critical thinking are in dangerously short supply among commenters here, who collectively believe themselves to be smart and independent thinkers despite all available evidence.
Big tech has been rolling out censorship all over the place lately. People suspect that ulterior political motives are causing Google to do this. I don't think mistrusting the motives of Google means that the people here lack "reading skills and critical thinking."

One of the terms included in its abuse policies is "hate speech." This is an extraordinarily ambiguous word which can virtually apply to any speech that is critical of anything. It is a term that has come to be known, by some of us, as a tool the political left uses to censor dissent. For example, saying that a man is a man and a woman is a woman can be considered hate speech against the trans community.

This move is part of a larger trend. Some people see it. Others don't.

9/10 with one demerit for omitting the compulsory "wake up, sheeple".
“The British are coming!” -- Paul Revere

"Put a sock in it, ya wanker." -- You in 1775, probably.

>For example, saying that a man is a man and a woman is a woman can be considered hate speech against the trans community.

If you can't understand why this is the case, then I'm sorry for your lack of critical thinking.

To me this isn't as much about reading skills as it is about being aware of and remembering newer history and being able to apply a mental ruler to the observations and see what way it is heading.

That second part I consider close to critical thinking and it seems to be what people does.

What indication is there that any new restrictions are being placed on a user's content? The blog post from Google only mentions the change of sending email notifications to users.
It has something to do with their "abuse program:" https://support.google.com/docs/answer/148505?hl=en. I can't find a date on this, but I assume that this article is about the implementation of this program.
I believe this may be due to the popular spamming method lately which is tagging people into a Google Docs and share it so everyone receives a notification (the spam message). It works better than regular email spam since apparently Gmail doesn't treat Google Docs notification email as spam (at least not as often).
there is also a method for sharing pirated media using google drive. TBH I'm surprised they havent started earlier
People have used Google Drive for sharing pirated stuffs since forever. Google usually blocks it by restricting downloading instead of removing the file, but people kept finding out new ways to get around that, like making a copy of the file in your own drive, or selecting that file and another one to download so that Google zips up both into one zip file before downloading.
People have been using password protected archives to get around pirated content restrictions since forever.
Does Google even have to look at the content? I assume most pirated content will also have a massive number of anonymous downloads, and shouldn't that trigger some fair-usage clause somewhere ?
They block upload even if you're not sharing it.
They already rate limit popular files that match these patterns.

They don't actually block the file though, and there were (and still are) ways around the rate limit. (Which presumably they knew about to some extent, given you now cannot make copies of said files.)

They could easily start taking action on obvious copyright violations using Drive, but it's unlikely they would want to, unless actually mandated to legally.

I'm not sure what they would do about massive encrypted collections that have been rcloned onto their servers though. Aside from "please stop breaking our de-duplication".

>there is also a method for sharing pirated media using google drive

Is anyone surprised by that? Every file sharing tool will invariable be used to share pirated and worse material until the people behind that tool show a willingness to stop that behavior. It is practically a universal law of the internet.

Is it really a service if it doesn’t facilitate infringement?
i was about to suggest that copyright enforcement as a service doesn't but no, really, they do their own special kind of infringement
So basically: piracy, spam or anything you'd get into legal trouble for doing on your own hardware, Google restricts on their hardware. I can't really see how that's surprising or strange.
If they're using content ID then they're also flagging legitimate fair use without providing a counternotice procedure.
That’s unfortunate. But I’d fully understand if that’s the terms of the service, at least for cheaper tiers. Basically “store all you want but at this price point you are subject to errors in automated blocking”. At enterprise level I’d expect service from humans though, and I expect to pay for it.
That and I'm not sure how different this is from cloud file sharers that disable file shares for reasons like piracy, which is something that I'm pretty sure Google Docs was doing already.
Nah Google doesn’t care about that. Spammers have been doing it for years on Google Drive/Docs and Microsoft Sharepoint.
You're restating GP comment about why Google may need to do this.
No, I am not. The GP said that it is a popular method lately and I explained that it has been happening for years. What TFA is saying is that there will be more communication about files being blocked, but it doesn't suggest to me this is a response to this kind of spam. What probably happened is a file BigCorp wanted to share was opaquely blocked so now Google feels the need to provide better communication.

If Google were genuinely interested in stopping the spam, they would create a way for recipients to establish which organizations could send files to them.

Except that’s not a real solution at all, is it?

Whitelisting orgs would either be an opt-in or opt-out feature. If it’s opt-in, it won’t prevent 99.999% of spam because nobody will set it up. If it’s opt-out, it will break sharing for 99.999% of users.

These are never easy problems.

>won’t prevent 99.999% of spam because nobody will set it up

I would. And anyone who doesn't want the spam would. Right now we send "550 Too much spam" responses to docs and sharepoint emails. I'd be happy to, as an alternative, use an interface at Google or Microsoft that let me whitelist the organizations who can send files.

Similarly: Google Forms being used for phishing, Google Calendar invite spam... I've even heard of Google Photos being used for spam (by "sharing" photos, or by posting photos with text as the target of a spam campaign).

Spammers ruin everything.

They truly do. And it doesn't even have to be many spammers, it only really takes one person to ruin a free service. I've had plenty of personal projects I had to shut down due to some random person who just decided to hammer my servers for no reasons. I block the IP or IP block and they get more. I put Captcha (HN always complains about it but this is why it's often needed...), and users (who pay nothing) complain that it's annoying. Running free services on the internet is truly a PITA.
If that's true then I'd expect there to be personalized and well-funded counter-measures, for tracking and prosecution coordination with local law-enforcement and court system. Considering that one service could be worth many millions, and that can be destroyed by one person, it would make sense to spend the money.
How do you plan on prosecuting random people on the other side of the world that are sending garbage from a bot net? I can't even fathom the amount of money this would take to do reliably. Even if you did manage to find the person, you need the other government to actually _do_ something about it. It seems pretty intractable to me, given the scale.
Yeah that's not going to happen unless you can convince everyone to implement a 1 world government.
Same experience here, one spammer DOSing my site, always with similar patterns. I'm already behind Cloudflare and use https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blo... but I still have to identify and block them manually, which is annoying and a waste of time. Some IP-range blocks affected users so it's not fine grained enough. I wish I could identify, expose and sue them into oblivion, but the internet is too international and anonymous for this to be feasible. I also had to limit some site functionality because of this.
The files are not removed or blocked, they just can't be shared publicly:

> When it’s restricted, you may see a flag next to the filename, you won’t be able to share it, and your file will no longer be publicly accessible

So it's probably a combination of things, including piracy. They're not forbidding people from storing or retrieving the files, just not allowing anyone to publicly host whatever they want on Google's servers. Seems reasonable.

(comment deleted)
I think the opposition is by those which long for the simpler, lawless period of the internet - a time where Google seemed to always be on the side of the user, even overlooking the naughty things the users would get up to. This change for those folk could feel as some kind of betrayal, like Google is complying to "the man", instead of shielding them from the realities.

Of course this point of view is silly - Google have done very well to make users the product. A win:win scenario for those which couldn't afford the pay-for equivalents, but their ceaseless ability to kill useful services proved that they were never benevolent, nor a charity.

The internet has grown up, and so has the ability to scan masses of data for liabilities - Google's change here is not controversial or unexpected, and realistically if people have a problem with the many problems with US copyright laws they need to pick up their pens, change who they vote for and vote with their wallet.

As for the implementation I think it's pretty fair - they aren't stopping the user from their 'backups', they're just preventing their hardware and bandwidth being used as a piracy BBS.

I'm using internet since the simpler, lawless period. Yes, I miss the excitement of a new Netscape Navigator release, or using some new tool, and just being able to explore anything and everything.

OTOH, I welcome this change. Instead of losing my access or getting a strike on my account, I'd rather have my file merely flagged and stopped being shared (not that I share a lot).

I think service providers should be more transparent about problems they see with the users' accounts, so users can take appropriate actions. Of course there can be other mechanisms to prevent abuse, or lawful intercept (which is another can of worms that I want to leave it at the top shelf for now).

So, I've read a Google blog without bad feelings for once. That's good.

Someone was theorizing that this allows Google to not outright suspend accounts for copyright violations. Previous implementations was that you and your businesses will be digitally dead across Googlescape. That was more controversial than this would be.
(comment deleted)
As someone who suffered (and complained a lot) about this issue, I kind of fail to understand how this could possibly help fight the spam.

This seems to be more related to DMCA violations to be honest.

Anyways, my spam issue stopped around two months ago. After I complained to Google for those spammy tags with multiple examples forwarded and multiple cases opened, they seem to have solved the issue (or added me to some sort of mention exclude list lol)

Note that files can be restricted not just for violating ToS, but also "program policies"[0].

This includes files that are identified as: CSAM, Circumvention, Dangerous and Illegal Activities, Harassment, Bullying, Hate Speech, Misleading Content, Spam, Violent Organizations and Movements, and more.

Google further notes they "may make exceptions based on artistic, educational, documentary, or scientific considerations, or where there are other substantial benefits to the public from not taking action on the content."

[0] https://support.google.com/docs/answer/148505

I hope it's not a violation of the ToS to use a front-end like Cryptomator -- https://cryptomator.org/ -- that encrypts files before uploading to Google Drive.
Meaning Google has access to all of the files stored on Google Drive, including and not limited to:

- your business secrets

- GDPR data that you legitimately have

This is exactly why I do not use Google Drive for anything business critical.

Is that a surprise to anyone? It's literally a service where you upload your data directly to their servers. Businesses have contracts with other businesses to protect them against particular kinds of abuse of this data (e.g. google stealing business secrets, or leaking personal data as defined by GDPR) and google sticks to these because businesses would lost trust very quickly if they didn't respect the contracts they have.
It is a giant surprise to many managing directors and other people who are not that technical.
You're right. That's been my argument against trusting "the cloud" (i.e. somebody else who actually own the computers on which you place all your precious trade secrets and personal business) for the past 15 years...ESPECIALLY when there is no clear agreement or customer/vendor relationship, and they're doing it for "free".
This is great, afaik Google Drive stuff is a nightmare for SoCs as they don't want to block the whole domain.
One easy to block is storage.googleapis.com ...Regularly used to host malware, but legitimate users generally throw their own domain in front of any usage of that service.
No don't do that, this is exactly why IT/opsec is hated in organizations. False positives.
I have so far seen a single instance where a legitimate organization sent someone a storage.googleapis.com URL. I have seen literally hundreds of phishing emails do it.

Which is to say, the problem is organizations using storage.googleapis.com URLs, not organizations blocking them. And probably Google should be doing a better job policing content on their content domains if they don't want them to be blocked by default.

(Similarly, all Chrome Web Store extensions should be blocked by default, with an allowlist for requested and vetted ones... there's simply too much malware to default to anything else.)

I'd love to block Google Drive by default too, but there is enough legitimate use that at present that would cause too many false positives, and it's a balancing act.

> Which is to say, the problem is organizations using storage.googleapis.com URLs, not organizations blocking them.

Blocking this domain definitely isn't common, at least not in large organizations. Several of my company's B2B apps use Google Cloud Storage (it's just Google Cloud's version of S3) and have always used storage.googleapis.com/bucketname rather than bucketname.storage.googleapis.com. (AFAIK it was the default URL format shown in their documentation when I last looked at it years ago.)

We've had to deal with overzealous corporate web filters now and then - comes with the territory of B2B apps - but I've never heard of storage.googleapis.com being blocked. It'd be pretty straightforward for us to change it if a customer had trouble, but we'd probably gently push back and ask them to whitelist the domain before doing so.

I would say in my professional experience, I've only once seen someone legitimately directly need to pull content through storage.googleapis.com (whether bucketname.storage.googleapis.com or not). My assumption is public-facing entities tend to serve content via their own domains to end user clients.

I'd be comfortable whitelisting a bucket subdomain, but as I said, it's only come up once, so we worked around it the one time. And I've blocked a lot of phishing sites this way. I'd highly recommend large organizations follow suit. :)

Why don't you use a vendor that provides the concrete URLs as IOCs to block?
That's fine for blocking malicious content that's already been reported. But if there's no legitimate need to allow the domain, why not block it entirely and prevent even being the ground zero for a new URL?

If my organization is likely enough to be targeted intentionally, the chance of having an attack directly solely at my organization (and hence, likely a URL not found by other parties already) is much higher as well.

Yikes. It's been said several times, don't use Google for anything important. The minute something goes wrong, you're so SOL and they literally could care less.
We need a distributed volunteer backed free replacement. Is IPFS or gnunet ready for that yet?
There are many replacements for tech savvy people, but few for people who lack the skills or time to futz around with configurations and installs and software updates.

Regular users need something that just works instantly and never needs maintenance. If it doesn’t just work it’s broken.

Right, we need to trade a vanishingly small probability that anti-abuse systems at Google will flag your school photos as Al Qaeda propaganda for the much higher probability that your files hosted on an elaborate scheme operated mostly by 4chan users will be unavailable due to widespread malfunction, malice, and capriciousness.
No. We have to replace a service with incentives which are not always on the user side with something that is a distributed volunteer backed free replacement.
"We need a distributed volunteer backed free replacement. Is IPFS or gnunet ready for that yet?"

Or you could just choose a provider who respected your privacy and had a very long history of standing for freedom of speech and the rights of users.

If only such a provider existed.

If only ...

This came up on HN a few days ago with a similarly hyperbolic editorialized headline. Google has always restricted objectionable content from being shared on Drive, Docs, or wherever the platform has sharing features. Google is, obviously, not going to act as a free static hosting service for your malware and porn.

What's new is that customers with paid accounts are going to be notified when their content has been restricted from sharing. Before this change it was silent from the user's perspective.

This is deeply disturbing news. It is already a problem that people get their Google accounts closed without any explanation from Google and with no response from Google when they try to contact them. A story about Elin Killie Martinsen, a Norwegian journalist and writer who lost access to her book manuscripts this way, was recently run in the national newspaper Aftenposten (https://www.aftenposten.no/kultur/i/8Qj1lG/uten-forklaring-b...). The article is in Norwegian but to summarize she got this answer from Google; "There appears to be malicious content in your Google Account. This is a serious violation of Google's policy and may be illegal" with a link to this page https://support.google.com/accounts/answer/40695?p=disabled_... .

To the writer this was incomprehensible because she couldn't understand that any of her files could even be close to violating anything.

I am already seriously considering discontinuing my subscriptions of their storage services, and this post about restricting files doesn't give me comfort.

It's really bothering when the account just also happens to be your core email service so suddenly you have no way of recovering other accounts.

Moving off Gmail is likely impossible for most non-technical folks.

There are plenty email providers out there. Free and paid. It should not be a problem for anyone to switch. Moving off of Gmail doesn't mean to self host. It is a bit of work to tell anyone about your new address, but that's it.
Changing upwards of 200 logins to use a new email address may be troublesome. Do you keep a list?
When I switched away from Gmail, I used my password manager to track the logins I needed to change. Then, just monitored the Gmail inbox for anything I missed.
First, I saved every login on Bitwarden and then used that to visit every website and changed login email info there and re-saved on Bitwarden.

The effort is only one time or one day at max. And the rewards are worth the time.

There's another catch, many services use the email address as an immutable identifier that cannot be changed. For some that doesn't matter, but at the very least it is a lot of time/effort.
A lot of those can be solved by contacting the support of that service. Services that don't allow you to change emails are usually on the smaller side and so you might actually get a response.
Yes, my password manager
Unlike sibling commenters, I used to not use a password manager. (But do now!)

I just keep the old GMail for now, and whenever I receive a valid email there, I visit the sender website to update it.

This depends on you remembering your "low-volume important accounts" like government websites you visit once a year, but otherwise, I would not cry if my imgur account got lost or something eventually.

Would be nice for companies to maintain a standard account management API which password managers could call. Imagine buttons on your password manager: "Set All Emails..." and "Randomize All Passwords..." I didn't find any such standard after a quick search.

Edit: Looks like LastPass does it with a screen scraper https://support.logmeininc.com/lastpass/help/how-do-i-update...

What about the hundreds of other accounts that use your gmail as either the 2FA target or password reset?

For a non-technical user (like my mom), this is a herculean task.

If you need a password reset do it and use the reminder to change the email. If your mom signed up for hundreds of accounts she should be saavy enough to handle the account update.
There's no need to delete the old gmail account, just use the new account for anything new, and change the mail address to the new one for the few frequent and useful accounts.

Over time, the old gmail account will lose its importance, and there'll be no real risk if Google decides to ban it.

True, they do have a "grip on people". I use gmail for my private email and I use Google Photos and Google disk for storage through a paid family account. I am considering a move to an European email and storage provider to avoid the almost moralistic TOS many US providers have to avoid liability issues, I just haven't decided which I should go for. It will come with a loss of convenience and that irritates me. The way Google have gotten me hooked to their walled garden.
Another benefit you get from using gmail is that it's do much simpler to give someone your email address. You just need to get the part before the @ correct, they won't misspell the Gmail.com. I moved much of my email to Fastmail with my own domain. However, when I rented a car earlier this week I gave them my Gmail address because it's just so much less painful especially since the clerk and I could barely understand each other with nearby noise and masks and plexi glass between us. Happens all the time.
There is nothing in the slightest bit technical about opening an email account with protonmail, or fastmail or any number of other much less invasive email services. A protonmail et al account could even be called easier to open since Google lately asks for quite a bit in exchange for the "privilege" of having one of their email addresses. Gmail also constantly screws around with security blocks for blah blah reason that require backup email or phone verification gymnastics if you do any number of tiny things "wrong", like say, trying to log in from a new country.
I wonder whether we will see something similar to public utilities in the web.

Companies like Google would be required to provide a basic service to basically everyone and are required to go through a court before suspending accounts (or maybe just some core features).

On one hand it would enshrine their position in the market, on the other hand it would remove some of their ability to make arbitrary decisions with no recourse and no information why it hapended.

That's an interesting idea and it correlates with the idea of "the right to access the internet". Maybe we will see this happen through similar standards we have for bank accounts and money transfers, or even electricity as we have in many countries. I think it at least some of the infrastructural services like storage and email should be regulated in one way or the other
No need to tie it to any specific company, tie it to user count instead. With increased reach comes increased responsibilities to society.
The telecommunications name for this is a "common carrier". The flip side is that they are only liable for damage they do and are held not liable for the things sent through their system.
Why would they need to go to court to shut you off?

At least in the UK utilities such as electric or gas only need to go to court to get a warrant to access your property to physically disconnect you - I do not believe the court process is about the disconnection itself, but rather the physical access to your home to physically cut you off.

For a digital service they'd just cut you off without needing a warrant to access your home.

But anyway, public utilities need to be paid for - I can't imagine people being too pleased to suddenly need to start paying for things like email or search (Google or otherwise).

Maybe a court isn't needed, but strict effective regulation is in my opinion.

That would probably involve payment but not prevent others from entering the market.

Where I am located there is one designated electricity provider who must service everyone (and is usually more expensive). People are free to switch if they want.

I feel like the free market is not doing particularly well in basic digital services like file storage or communication. While there is some competition on price, all providers reserve themselves the right to cut you off for no reason at all without due process. Their rules are intransparent and are inforced by dependent employees.

The only thing that changed was that there's now a notification sent to the user if the sharing of a file is restricted. Why is that deeply disturbing news? Seems like a strict improvement in usability.
What is disturbing is the reason they give for why they will do it. One thing is if the drive is specifically used for cyber attacks and other malicious operations over the internet, but they refer to these rules; https://support.google.com/docs/answer/148505 and they are extensive to say the least. On top of that this is yet another move from Google to declare their rights to control your content and access to it if you use their service.
sorry, maybe I misread your question. Did you mean to say that they already did this without any notice to users, and the only change now is that they will start to send notifications when they do?
Yes, that is exactly what the blog post is saying. It has never been the case that you could use Drive to just share files in an unlimited manner. They used to notify about this in the Drive user interface. Now they will also send an email notification in addition to that.
Yes, this is not new. People have abused Drive to host illegal content and spam for years. They have been silently banned and removed. The fact that you rarely hear about it shows that they actually have a fairly low false-positive rate.

The only change now is that the file gets unshared, you get a notification, and can try to dispute the claim. This is a strict improvement.

It's slightly more, but this is why I have stuck with Dropbox. Their only business is storage and it means they are less likely to do things like this. They have't been in the news, that I have seen, about actions like this.

Google is a consumer hostile company at this point. Unless you have a friend with pull there, or make it a big enough news issue, the little things are treated with automated hostility.

Google isn't alone here, it's the result of very large companies being under regulated on the consumer side.

Dropbox has the exact same policies and procedures, they just don't have the same technical abilities that Google has. Quoting from their AUP:

"...you must not even try to do any of the following ...: ...

- publish, share, or store materials that constitute child sexually exploitative material (including material which may not be illegal child sexual abuse material but which nonetheless sexually exploits or promotes the sexual exploitation of minors), unlawful pornography, or are otherwise indecent;

- publish, share, or store content that contains or promotes extreme acts of violence or terrorist activity, including terror propaganda;

- advocate bigotry or hatred against any person or group of people based on their race, religion, ethnicity, sex, gender identity, sexual orientation, disability, or impairment;

...

We reserve the right to take appropriate action in response to violations of this policy, which could include removing or disabling access to content, suspending a user’s access to the Services, or terminating an account."

Quoting from their privacy FAQ:

"Examples of Dropbox processing your data in furtherance of its legitimate interests in operating our Services and business include:

...

- Investigating and preventing security issues and abuse of the Dropbox Services or Dropbox users."

It's not the rules, those are common, it's the lack of human after. When the automation goes wrong, how much effort is it to get a human and to fix the issue. Or how many other services are taken down too. Google as an identity provider means that other third parties/devices are down in the mean time.
The point is really, that these companies are so large that they should be much more regulated and treated like any utility. That means it is a legal proceeding when they want to drop customers. This many mean that people, gulp, pay for services, but they have chosen to intertwine themselves into too many places in the consumer landscape.
I wonder how much it used to suck when the power company wasn’t as regulated and would do stuff like “we detected illegal activity so we shut off your power.”

I’d like some balance because I don’t want Google and Dropbox to suck as much as my power and phone company. But do want some regulation around lack of due process and “bundling” where a YouTube comment can result in my GCP account shut down.

I disagree. Google has always been a consumer hostile company. The only "at this point" thing is: they have become worse at hiding it.
(comment deleted)
Honestly surprised they weren't forced to do this earlier, Google likely already hashes files for deduplication or integrity checks, making it rather trivial to keep a database of known pirated movie hashes.

Obviously it can be easily defeated with encryption / changing the metadata, but it's so easy to implement I'm shocked they didn't do it earlier.

Google drive is commonly used for a backup of media or even a host of media when using rclone.

This is, suddenly, a FAQ for us.[1]

Many, many pre-sales conversations are now focused on whether or not we hash files or keep databases of file hashes, etc. Do we collude with other cloud providers to report file incidence. Or, for people who really have no idea who they are talking to "which cloud do (you) run on top of".

This was not the case before. I think the advent of 'rclone'[2] has created a lot of use-cases that very efficiently use (cheap online drives) and all the kids are storing their warez with it.

Yes, trivially easy to defeat with encryption and rclone has a very nice and simple workflow for this.

[1] You know who we are.

[2] https://rclone.org/

Wait for ToS banning 'double encrypted files' aka 'we encrypt your files on google' and user adding rclone or other crypt on top.
They have been doing it since at least 2017. I noticed it on my account with Game of Thrones episode and when I googled it at the time, it was a known issue. They didn't warn you like they do for virus, the files simply wouldn't show up when people opened the shared folder.
How is this going to be effective if files are encrypted and with no discernible name?
I’d place bets that >99.9999% of files on Google Drive are not.
Yes, but aren't the abusers now going to do exactly that?
Perhaps it may surprise you to learn that many "bad actors" are rather stupid. This is one of the few large advantages that defense has over offense in security matters.
You could try to express yourself in less condescending ways, it should have a positive outcome, on average, in interactions with people
Remember, this means Google has already been scanning and collecting the contents of your Google drive. All they’re talking about is applying a filter to certain files they find objectionable. Even without this announcement, this could happen at any time. If one day something you own is found to be illegal or objectionable, Google may delete it without notice. At worst, they may report you to the authorities.
How on earth is this seen as surprising? Its their servers, they can read anything you upload, I thought this was common sense part of the bargain.
Being able to read the fat you upload is different from doing it automatically and en masse, and then applying rules and filters to that data.

As with many topics, this should be self evident to many HN readers, but I doubt it is obvious to most users of Google Drive.

Automatic monitoring should also be obvious at this scale. Also I am sure non-technical users also understand what it means to put up something on someone else's website.
Aren't we even scared anymore by the fact that google is inspecting our files?
Why in god's name do so many people with even modest IT knowledge keep using this invasive dumpster fire of a cloud service with conditions like this one and others being piled on? There are so many affordable, secure and easy to use options on the web that trusting Google with your data seems absurd, especially considering how easily the company can simply permaban you for no discernible reason and not a human in range to dispute the matter with. At this stage, using any Google service is sort of like trying to expect decent customer service from the DMV and IRS rolled into one.
Because

(A) it's a usable interface accessible by pretty much anyone [with a phone number, as of recent]

(B) it's cheap as you don't pay for bandwidth and storage is either $0 for 15GB or paid storage at a low-priced rate[0]

(C) all of that storage is geo-redundant and thus extremely unlikely to ever be lost, outside of Google terminating accounts (which isn't part of a lot of people's risk models).

0: https://one.google.com/about/plans

Perhaps one should encrypt files before uploading to cloud services. Sure it destroys the possibility of webview for your data, but then you don't have to worry about situations like this.
Unless they decide that encrypted files violate their TOS.
Which should be a red flag not to use the service because they're collecting your data for any and all reasons.
This is your redflag
I've been using rclone+restic to back up files to my university-provided Google Drive, which has unlimited storage. Apart from occasional "rate limit exceeded API warnings", I haven't faced any issues so far. Wonder if that'll change with the new policy.
Cryptomator is a great tool for this.
I never thought I'd consider going back to MS Office or Libre Office... but the thought that my Google Account and all of my files are at risk by a company that has well known poor customer support is very scary.
We need “dumb” infrastructure again, that you can simply pay for with few strings attached, where the provider cannot fiddle with things at all, leaving enforcement to other authorities.

We build roads; yes, those roads might be used to transport stolen goods but the road builder doesn’t get to sit there and inspect every vehicle (and accuse the wrong people sometimes and ban them from driving).

It’s just so damned complicated now and I don’t know how it got that way.

(comment deleted)
That "dumb" infrastructure still exists. You can host your own file server, either on your own hardware, or in the cloud.

Use of these consumer-grade cloud services comes with pitfalls. I see no utility in pretending that alternatives don't exist though, because they're pretty abundant.

Is there a source that breaks down this sort of stuff on your own hardware in a beginner friendly or at least explicit way? One hesitation I have to exposing something public that may not be secure, compromising my home network. It’s intimidating and holds me back, a bit.
I'll second this. I'm pretty techno-savvy if I do say so myself but I haven't the slightest when it comes to self-hosting and security concerns also prevent me from doing it.
> That "dumb" infrastructure still exists. You can host your own file server, either on your own hardware, or in the cloud.

Can you though? I would consider AWS "in the cloud" yet they will give you the boot if they disagree with you morally[0]. Same with Cloudflare[1].

So it seems even infrastructure-level cloud offerings are prone to moral arbitration. Hosting on your own hardware is the only option, but even then... I don't see any reason twitter mobs couldn't pressure Comcast or whoever is connecting your hardware to the internet to cut you off.

[0] https://telecoms.com/508138/aws-banning-of-parler-exposes-th...

[1] https://blog.cloudflare.com/why-we-terminated-daily-stormer/

Your best bet is probably to pursue hosting in another country with better freedoms.
The best you're going to get is different freedoms. Russia might have free speech for nazis, but not for Putin critics, for example.
> they will give you the boot if they disagree with you morally

I don't think this is accurate. They pretty much only ban you if you're exposing them to legal liability.

You say this as if it is easy or inexpensive to do well... If it was why would the service even exist in the first place? Surely everyone would just do it themselves.

I also don't think you would be arguing that people bothered about WhatsApp or iOS tracking them should just create their own messaging app or mobile OS. The vast majority of software is not just difficult do yourself, but almost completely infeasible. In fact it's hard to even think of any software I use regularly which I as a experienced software engineer could easily build myself, let alone an average user concerned about this stuff...

Even it if was open source, just deploying something as convenient as google drive is a challenge. i.e. something that works on iOS , Android and Web + has proper access management and has enough storage (including automatic backup).
lol at all the downvoting.

You're totally right. Depending on one's standards and expertise, yes, there are alternatives to the mainstream dumping grounds for your files.

The most basic is to just store files on external drives. This is what I do because, most of the time, I'm not actively sharing or using all my photos and downloads. I've scattered them between drives for well over a decade and only had a problem when one of my magnetic drives began to fail, but I ended up not losing anything. Even if I lost all my photos and stuff I really wouldn't care that much. That's why I can't be arsed to trust The Google or Zuckerborg or whomever with my files or using Dropbox. I'm more likely to wake up one day to be hard locked out of all my Google accounts than to lose anything meaningful because of physical on-premises storage.

There's also network drives, and plenty of off-the-shelf ones exist. My parents have one and it's exactly what you'd think; a device with a ton of storage that's accessible through a Dropbox-like web interface.

And if you're really geeky, you can hack together a way to shove files into S3 or whatever storage service of choice.

Yes, the average person won't have the motivation or wherewithal to do anything besides my first option, but that's really the kind of thing you'll always get by being average.

And obviously those who believe they need all the bells and whistles of Dropbox or Google Drive may also believe there are no practical alternatives outside of Silicon Valley Big Tech, in which case it's entirely up to them how comfortable they are with that. Personally, I would rather rely on services as little as possible.

If the road builder was held legally liable for everything on their roads you can be sure they would do.
You can store your data encrypted. I use Cryptomator on top of Dropbox for keeping my personal files in the cloud and synced between systems. It works on any online storage that presents itself as a drive to your OS. You lose all of value-added functionality of the cloud storage application, though, like the web interface and the ability to share.
> You can store your data encrypted.

You can, I can (actually, I run my own file servers, even better).

Average person can't (won't even be aware they should). We could say let's educate people (yes, let's). But really, infrastructure should be neutrally available to everyone like roads or the old POTS network.

It can only be achieved through regulation, since these companies will always be self-serving at every step otherwise.

> You lose all of value-added functionality of the cloud storage application, though, like the web interface and the ability to share.

Only because you chose the wrong solution. ;-)

Look at Tresorit[1] instead.

[1]https://tresorit.com/

Using "Swiss privacy" gets my hackles up. And what is with the website hijacking my back button? If I click on "Individual" at the top, I can't go back from that page.
Well its a million times better than better than "I'm Dropbox/Google etc. , a US jurisdiction company, with servers in the US, trust me (wink wink) , I will never give Uncle Sam your data"
That's the thing, I'm not so sure that it is that much better.
(comment deleted)
Yes, this!

It’s because cloud should have been just custodianship of the data in order to funnel it into their application but it was all too easy for these companies to want to profit further by prying on the data, monetising the data, curating the data and ultimately taking control away from the owner of the data.

Not going to happen in a world where linking to illegal content makes you legally liable for it. Instead of grousing about Google or AWS or Cloudflare, you'd be grousing about Comcast. And Cloudlfare, because they'd still be in the picture, with all the same incentives.
I've again started using a usb-c thumb drive in place of google drive. It's extremely convenient and safe from big brother eyes.