Ask HN: Should we own the free stuff we pay for?

391 points by magusd ↗ HN
Last week I received a spam email from ~generic dumb scammer #199209842982~ here it is for your amusement: https://imgur.com/YYqOgYE

I've blurred the sender because it might have been a hijacked account, and it's not like it's hard to get a new gmail account anyways. You can also see that I've blurred all the other people too. Yeah, the scammer cc all his targets.

I was in a good mood, so I replied and made fun of him and warned all the other recipients that, "hey, just in case you're distracted, yes this is a spam email". I didn't use any curse words, or strong language, but I was a bit edgy.

Two days later, my google account was suspended. Apparently, my account was being used to send unwanted e-mails. Ha! I just became a spammer.

And let me tell you, it was very frustrating to be blacklisted like this. A little context for you, I'm a DevOps engineer and I've been using gmail for the past 15 years. I'll skip the classic 'my files, my contacts, my email' because I had backups.

But I lost access to paid services that I had set up with social login, besides all Google's services ( GCP, firebase, youtube premium, google one, subscriptions paid through play store, google ads, etc, etc). And here's the kicker: my gmail used to be the contact I shared with potential clients, current clients, and job applications which, by the way, I was actively job seeking. Not because I don't like my job, but because I had pushback on my raise on a recent promotion, so I was trying to get offers to make a point.

But what if I was out of a job? What if I was expecting a contract to sign? What if I had an SLA with a client? What if my bank or the government, health plan, car insurance, or any of the hundreds of notifications that I've set up throughout the years was triggered and needed my attention?

I know about terms of services, that they're a company and they can do whatever they want. But what if your car maker could take away your car if you turned right without signing first? Or if you went over the speed limit? What if you were a salesman and samsung could take away your phone because you're using it to call people to do your job and they've reported you for unwanted calls? Or AT&T could take away your phone number because you said a curse word on the phone?

You could argue that gmail is not a product that I own, but I paid for it, so technically, don't I own it? Don't I get the right to use it while they figure out if I'm really a spammer or not?

That got me thinking, what is an identity? How can I prove that I am who I am? I thought I could just share my profile, or gmail, or phone number, or identity and prove that I was who I was. But all those things can be taken away because of some rule that can be judged and enforced by someone else.

The google stack is very convenient, and it's 2022, I'm not going to start hosting my email server, but I'm in need of a foolproof and long lasting solution to online identity. And I've started by purchasing a domain name for 10 years and having a 'catch all and forward to gmail' rule setup. So I can just forward it all to somewhere else in case I lose my gmail again. But what if I get reported on my domain name? What if that gets suspended or blacklisted too?

Should we own the free services that we've paid for with money and data? Do we own our identities? Do we own our phone numbers, emails, handles, PO boxes, addresses?

What do you use for identity? And what are your thoughts on this? Am I overreacting?

309 comments

[ 2.9 ms ] story [ 230 ms ] thread
No, you're not overreacting since it happened to you. On the other side, you are also overreacting. Take a walk.

This being said, since you got a scare, maybe it's a good time you buy a 2nd domain from another registar and handle accordingly.

PS: how does one find a good domain name?

> PS: how does one find a good domain name?

brute force checking thousands of examples till you find one that isn't squatted.

Also, if you're planning to use it as your primary email domain - pick a "normal" TLD. Using something like .email/.xyz/.live etc can end up in spam (especially for newer domains).
Not overreacting. It can happen to anyone of us and we just ignore it, keep going, and think "it will probably never be me, only happens to others". Until it it us.
> how does one find a good domain name?

domainr [1] is fast and has a cool autocomplete feature that mixes domain endings with your name

[1] https://domainr.com/?q=

How is he overreacting? He lost access to so much on a completely absurd basis. It's (once again) Google and their systems responsible for overreacting and causing damage.

The main advice would be to avoid Google as if it were the plague. There are other free and paid providers that don't have a persisting and renewing rumour of suddenly, without warning, pulling the plug on you and then making it impossible to get in touch with proper support to try clear things up.

> PS: how does one find a good domain name?

A time machine might come in handy.

(I can just see the cartoon now: guy invents time machine, friend asks if he’s going to stop Hitler, he says no, but to register a good domain name. (Never mind the practicalities of the ten-years-at-a-time limit.))

You could even argue that you should own your "free" services, since you pay for them indirectly (through buying products of companies that buy ads, and by watching ads).
also, if you fail to renew your domain, it should not go to someone else tomorrow (or even in a year, ... decade, maybe)
Probably the safest address is with your national telco monopoly or a similiar provider.
It's incredible that companies are so eager to delete your data after a couple weeks. If someone gets sick at the end of the month -- let's say with a deadly virus that caused them to spend weeks in the hospital, maybe even being unconscious and intubated -- they shouldn't come home to a deleted domain name or web server, or need to reupload several terabytes to a backup provider, all over a ~$10 billing issue.

Grace periods for everything (online and off) used to be 3+ months. Now they're days. These billing policies are quite literally inhumane, as they entirely ignore the logistics of being human.

No, you're not overreacting :) it sucks.

In theory, you agreed to all the ways they can screw you over when signing up. In reality of course no one can be reasonably expected to understand the full ramifications of multi-page terms of service.

I'm happy that EU is pushing this ownership argument forward. GDPR seemed unreasonable just a few years ago, now it's the new standard. I also don't think it's the final destination. We're moving towards more regulation, but that's expected in any mature industry.

However, this specific topic to me isn't as much about ownership as it's about redundancy and diversification.

Of course it's not a good idea to build your whole identity on some corporate identifier (@gmail.com, @icloud.com...). Of course your business income shouldn't be based on a single platform (e.g. youtube demonetization, facebook news). These problems could've been forseen even without the benefit of hindsight.

There's no such thing as absolute ownership anyway. Even your money or real estate belongs to you within the framework of modern banks and governments. Doesn't mean this ownership isn't meaningful, just that there are always limits and gotchas.

The most meaningful thing you can do is own as much of your digital surface area as you can. Having everything under your own domains will get the most bang for your buck. I don't bother with self-hosting, but for someone else that would be a must. Your mileage may vary.

it may not be a good idea, but we can't possibly expect a layperson to have more than one email address.
Social sign in means all your eggs were in one basket. Google tries very hard to encourage you to do so.

You weren't wrong to do so, but the convenience/risk bet hasn't worked out for you. For most people it works out fine -- i.e. car driving risks.

I use a different email host, and only use user/pass logins, no social. It's fiddly, and you'll need a good password manager (not chrome) but that's the cost of not being exposed to this risk. Only you can decide if its worth it, very few people have the skills for it to even be an option.

(comment deleted)
> free stuff we pay for

Did you actually pay for it? With money? Or was it free?

Either you think "paying with your data" is a valid argument, or you don't (but then the service needs to be free even without agreeing to the data stuff). Google can't have it both ways.
Can't they? Seems like they do have it both ways.

You can pay for Google Workspace with money, in which case you are the customer, and so you get customer service.

Or you can use the free version, in which case the advertiser is the customer and you are not.

The post mentions a few subscription services, Google One being one of them. That gives extra storage in Gmail and access to Google support. By then I would definitely say that you are a paying customer.
> Do we own our identities? Do we own our phone numbers, emails, handles, PO boxes, addresses?

I don’t think anything you listed a typical individual owns.

Even street addresses change.

Not if you buy a house
Sure it can. Street-names can change, the numbering of houses in the street can change. At least, it can be changed by the municipality here in the Netherlands.
In the US too. A town in North Carolina recently renumbered the entire town.

Growing up, the houses on the street behind me got renumbered as well.

In sensible jurisdictions, a tenant cannot be kicked out for non-payment of rent without a court order. That's right, a debtor who owes money to another cannot be booted without an independent government body approving it.

So it's not inherently wrong to say a user of a free service should have some rights. In some situations, it's not fair to pull the rug out under people.

I think that there will come a point where we need to have independent tribunals governing the behaviour of large web services. That point will probably be reached 5 years ago.

And as always it will backfire on users!

Now it is impossible to find unlimited rentals, every contract has yearly extensions! In some countries landlords even rotate tenants every two years, else they would get extra rights from long stay.

Limited rentals are actually banned unless you have a very specific reason (you plan to occupy the flat yourself, you plan to renovate extensively or the flat is meant for temp workers - so no extensions and much shorter intervals) in Germany as well.
This is misleading. I moved to Germany last year and there's a whole secondary market - much bigger than I've seen in any other country, in sublets. While you officially need anmeldung (city registration) to live anywhere in Germany, there are at least as many sublet apartments without anmeldung available as official rental apartments on the open market. They're usually a good deal cheaper too. Lots of people (immigrants especially) have their 'official' anmeldung with a friend or relative, and move between short term sublets (1 - 6 months, but usually 3 or less) for years at a time. There doesn't seem to be any regulation of this sublet market at all - except by the management of individual apartments (where the subletter is in violation of their own rental agreement).
I don't think it is misleading, it is simply a different class of problem. And as you said yourself, in most cases these subleases are not actually legal.
Seems to work well in Germany, though.
Because limited rentals are mostly banned, and being caught on a violation is quite bad.
But isn't that the exact point? That strong consumer protection enables business to earn money in a way that at least prohibits the worst behavior towards the consumers?

So essentially what OP stated?

I don’t know from which countries you got such pessimistic view, but for me that’s unheard
(comment deleted)
In Russia literally everyone does 11-month rental contracts that are extended every 11 months because a year or more means the tenant would get more rights and they would also need to pay taxes.
The trick is to keep the rules reasonable.

If the owner could go to a small cases court and get a bad tenant kicked out with minimal cost, he wouldn't try so hard to defend against the rule.

(comment deleted)
decades ago in germany a court decided that people had a right to phone service and it could not be cut even without payment because that would cause an undue restriction to be able to function. (this was pre-internet, so i can't find a reference). there is a more recent court decision that states that service may only be cut if the lapse in payment is sufficiently high,

i believe similarly in the US you can't just take away someones car because without it they might not be able to get to work and probably would never be able to pay for their debt.

likewise having an email address is becoming a necessity in life and therefore closing an email account would make it difficult to function in todays society.

the same goes for having a bank account.

all these things should have legal protection.

Apologies for going meta here:

Could I urge that posters follow the site convention of prefixing the title with with Ask HN, Tell HN, etc. for posts that don't link to an external source? There are currently two such posts in the top 30.

HN is primarily for discussing external articles, and I'd suggest that this post should have been submitted as such.

I wish there was just a dropdown in the "Submit" view to pick well-known prefixes.
I'm curious, what problem does it create for you, clicking a link you momentarily thought was to an external site before realising it's actually a discussion on this site? Honest question, you might have a good answer, I'm not trying to be rhetorical.
> I'm curious, what problem does it create for you, clicking a link you momentarily thought was to an external site before realising it's actually a discussion on this site? Honest question, you might have a good answer, I'm not trying to be rhetorical.

Good question. And my answer is probably that, as things stand, I'm not greatly inconvenienced by it.

My original post was motivated mainly by "that's not how it's done here". By internet standards, I think that HN does pretty well as a self-organising community. And part of that is a general, loose adherence to norms. To maintain that community, I think that sometimes it is necessary for its members to point-out those norms in a friendly way - without trying to police anyone's behaviour. Thats really all I was trying to do.

To me, an important part of HN's value is to direct me to external things. If the norms change so that a significant number of submissions are hosted directly on the site itself, then HN becomes a very different beast. Probably more inward looking, and maybe more like that other site that the guidelines tell us not to compare it to. I think that would be regrettable.

More practically, "Tell HN" and "Ask HN" are hints that the post is addressing the HN community rather than the entire net. That could be useful in deciding whether to read it. And, as a sibling comment mentions, those prefixes result in posts being added to certain lists.

Totally agree and to be honest I slightly misunderstood your original comment. You’re definitely being helpful to politely encourage use of the prefix conventions where they are a good fit.
I would prefer to know it AOT as I find it much more insightful, and even more likely to click on the link.
I honestly find the prefixes to be unnecessarily noisy these days, and prefer it like this - the (lack of) domain name next to the title tells me enough about the post, and I much prefer to quickly get to the actual title of the post rather than a couple of low information words at the beginning.

It was fine when it was one post in a hundred that was a "Verb HN", but these days these are much more common, and the prefixes make the front page more noisy and less signal-y than I prefer. If you aren't in the habit of taking a quick glance at the domain name before opening a link, I'd encourage you to start doing that, for more reasons than this.

Hm, I’m not sure where you got the idea that HN was primarily about discussing articles, because that is in no way true.
Operative word is external not discussing.
Neither is true, though!

I know we’re getting super meta, but let dang police the site. Neither of us should be dealing with comments or submissions that “don’t fit HN”.

Buy a domain (I bought lastname.contact) and subscribe to Fastmail or a similar paid-for service. You can then use anything@lastname.contact and if your email service provider drops you, you can switch to another and not care about your contacts trying to reach you or updating the email address of all your online accounts. I couldn't be happier with the switch (I was using Protonmail before, and Gmail a long time ago). I still use my work g-apps account (only) for the Play Store on my Android phone.
By doing this you are trusting the .contact gTLD provider. Do you have idea how reliable are they? Would they reclaim your domain for some reason?
I tried to do this long ago but I have two main fears:

1. Is it easy to set up the redirect from Gmail to the new account?

2. When I send email from new account (custom domain), how are you completely sure it is not going to be on spam? I send unsolicited emails to people in big corps (journalist asking for interviews/comments, not spammy :-)

> 1. Is it easy to set up the redirect from Gmail to the new account?

Yes super easy. You can do this using Gmail's filter service. However, many services will also let you log in to gmail via POP/IMAP (OAuth for auth) and fetch the email from your gmail for you that way.

> 2. When I send email from new account (custom domain), how are you completely sure it is not going to be on spam? I send unsolicited emails to people in big corps (journalist asking for interviews/comments, not spammy :-)

I guess it's hard to know for sure, but I've not noticed any problems with this when the underlying provider is a well-known sender such as Gmail or Fastmail.

You don't need to set up anything in Gmail either, Fastmail has Gmail connectors that pull all your mail and calendars and even lets you send email through Gmail from Fastmail. It's ridiculously convenient.
I have had Fastmail pull from Gmail for about 10 years just in case I need to log into a website I haven't logged into for ages. It just works. My gmail is abandoned save for the occasional password reset which flows through Gmail to Fastmail.
You point your domain to Gmail. Then when they ban you, you point your domain instead to the new place, like Fastmail. So it's not really redirecting from Gmail, it's just changing a DNS record.

On sending from a custom domain, your mail provider walks you through setting up a few additional DNS records (for DKIM, SPF) that allow you to send from your domain through their servers. They maintain the reputation of their IPs and so you get their good deliverability.

1. Yes, can't be easier 2. None of my emails have been flagged as spam.
> I couldn't be happier with the switch (I was using Protonmail before, and Gmail a long time ago)

I am curious: What made you switch from Protonmail to Fastmail?

You can't use any 3rd party mail app on Android and the official one is really bad (no thread view, fails to send emails to some valid addresses…). Also, you can't two-way sync your contacts. And the encryption thing is not really useful since too few people are on Protonmail (so all your messages will be stored in plain text somewhere) and Protonmail will share your data anyway (see https://news.ycombinator.com/item?id=28427259).
I do the same with my own domains and I'm similarly a Google slave. (huge shout-out to niftylettuce's https://forwardemail.net/)

That said, I'm planning to migrate to either self hosted or a paid service which is not run by algorithms and where customer supports exist (in that regards big tech is terrible: facebook, google, paypal = worthless customer support).

I completely agree with your premise though: Ideally everyone should have their own server providing a personal site and mail and maybe even hosting a decentralised social network.

Do you have any delivery issues with forwardemail.net?

Is there any significant delay in receiving or sending?

I am currently a google apps user grandfathered in the free plan which is disappearing so I am looking for something new.

OP - create a new email address and add it to your profile. A Googler might see this and reach out to help.
> what is an identity?

PGP is a good solution, and in general the crypto space has the right idea in my opinion. I like the idea of using cryptographic key pairs to sign messages and prove identity, but the learning curve makes it impractical for general use.

The best place to start is owning a domain you control, at least that way you can manage your own facade.

In general, if you want people to be able to use cryptographic signatures to prove their identity, they are going to have to know what those things are and how they work. Since this is an entirely new thing in the world there is no existing culture to map it to. The problem is not specific to any particular technology.

This would be an excellent topic for new curriculum for the schools. Some ideas need to be generally known to be beneficial.

In some cases providing identity is a good idea. In a web full of advertising it is mostly not.

My domain is completely detached from my online identities, even for private and professional development to a large degree.

Many domains are pretty cheap though, not much more expensive than some mail services. Of course they don't come with respective keys for which you might have to pay extra.

One thing to consider is the possibility of using multiple separate e-mail accounts from different providers.

Currently i have about 10 different e-mail accounts:

  - one for development related things and communities
  - one for newsletters, various online platforms and so on
  - one for throwaway purposes, lower importance things like video game accounts
  - one for university related things (it stayed after graduation)
  - a few separate accounts (and corresponding Google account) for various phones or other devices, as necessary
  - some standby accounts if i ever need them, some from different providers to check mail denylisting
  - a personal address that's mostly for contacts through my website or my self-hosted automation messages
There are some others, as well as each platform for automation has a separate account as well (e.g. GitLab, Zabbix, Nextcloud, ...), though most of those are on the same self-hosted mail server. Of course, deciding how to structure everything is one's own choice, in my case it's just historical cruft and loosely defined boundaries of how much i care about any particular item.

That said, mail servers that are easy to set up are a godsend (for example: https://github.com/docker-mailserver/docker-mailserver), as long as you also have one of the larger walled garden alternatives for public communications, should there ever be delivery problems.

It's not like Google deciding to ban all of my accounts at once (though fingerprinting, or based on IP because i don't care to set up some sort of an advanced proxy to access all of them from different VPNs) wouldn't be problematic, but this way at least the impact would be minimized.

Plus, with software like Thunderbird and something like KeePass for strong randomly generated passwords, managing everything is really low effort. Of course, this also lends itself nicely to avoiding social logins and creating a separate e-mail based account wherever applicable, for a bit more control, rather than keeping all of your eggs in the same basket.

As for those who will inevitably say that this is too hard or complicated to be practical: i invite you to try setting up your own mail server with the help of the provided link on a 5$/month VPS, things have really improved in the last few years! Of course, creating new Google accounts (or for other platforms) might be a bit more cumbersome with modern verification steps etc., but it's not like it's impossible either.

Sometimes i wish we could do the same for personal identities, e.g. a list of aliases that could be issued through some government org. for particular purposes and revoked as necessary. For example, i wouldn't want a leak of some shopping site result in my personal data being compromised in regards to my online banking or my physical address, in any capacity whatsoever.

Daily reminder to set up automatic forwarding of all email from you Gmail address to a secondary address. I use ProtonMail.
When you put it this way, it's really quite remarkable how tenuous our hold is on even paid for digital services.

There is really nothing you could do with a car to prompt the car maker to take it from you. And the state will only take it if you break the law in particularly dangerous ways.

When it comes to other possessions it's even harder for anyone to take them away from you. If I take a kitchen knife and stab someone with it I will go to prison for sure, but I don't think they will take the knife away. They definitely won't ban me from buying knives.

But when it's a digital service, even something as crucial as a banking service, it's seen as normal that you can lose them for posting offensive things on twitter. Perhaps it's because we haven't had these digital services for long enough to consider them as really belonging to us, so we accept that they can be taken away at the slightest provocation.

But you can't really download a car, can you? :) Joke aside, I think we are actually going in the opposite direction. Looking at the way Tesla wants/already does keep a score of your driving, maybe self driving cars in the distant future, I would predict that we are going in the wrong direction when certain people and groups will want cars to drive away from you back to their home base or your car to refuse to start or unlock if you misbehave.

Somehow I am not sure why, we as technical people, and I would even think that most of the people in these fields are also into fiction and sci-fi, we are taking only the worst things from novels and stories, instead of the good ones, VERY slowly transforming our society in an dystopian nightmare.

Yes that is true, as software keeps eating the world, software mores will eventually rule everything. If it has a microchip in it, it might ban you.

For cars I don't think this future is distant at all, ten years max.

This is because we work for businesses that are fixated on generating revenue and profits rather than on improving the human condition.

Since this is Hacker News I'm sure there will be some who can say the two are compatible, but it will only appear that way to the wealthy and the elites -- the rest of us will gain none of the benefits and will be seen solely as "customers" or "partners" from which revenue must be extracted.

One only need look at the transformation of business from selling products to selling services, changing a sales relationship into a rental relationship. For businesses operating key or critical technical infrastructures this is equivalent to a corporate "universal basic income", such as will never occur for the common man.

> This is because we work for businesses that are fixated on generating revenue and profits rather than on improving the human condition.

Not quite. Few businesses have ever been focused on improving the human condition. The new thing is their ability to control our lives, and our acceptance of that, both in terms of laws and our quiet consent.

I wouldn't say slowly... It seems this thing is becoming a dystopia quite quickly.
> taking only the worst things from novels and stories, instead of the good ones, VERY slowly transforming our society in an dystopian nightmare.

I have only one objection here: Doesn't feel all that slow to me.

There's no way for them to take your car away... Yet.

Maybe one day your Tesla will simply drive off if you don't pay the bills, or worse work for the SEC

Tesla's (and increasingly all cars) are software with attached motors and they don't need to seize them physically to take them. Or disable supercharging, etc.

Just like your fridge may not dispense water if you buy the wrong filter. Or your random IOT enabled device will refuse to work if you don't let it phone home with surveillance data.

It'll probably need new legislation to protect consumers.

Although I was joking about the SEC thing, what happens if Elon get's a grudge? Some would say it's your fault for buying the car, but some guarantees for consumers are useful.

> even something as crucial as a banking service

Interestingly the problem of people excluded from the banking system has been addressed by statutory regulation in the UK: https://www.gov.uk/government/collections/basic-bank-account... ; see also discussion at https://publications.parliament.uk/pa/ld201617/ldselect/ldfi... which covers the question of people with inadequate ID.

Getting your email account wrongly banned is an injustice, whether trivial or costly, and whether or not you have alternative arrangements. That's why people are (generally) rightly cross that it's happening. That feeds into wider questions of "why is justice so expensive" and "how does a local justice system address the bad behavior of a multinational". These questions tend to get resolved incredibly slowly.

Good to hear that you have protections around this in the UK. I know that in Sweden several political, and even ideological organisations have had their accounts frozen because of things they said or held true. Entirely legal things I should add.
Could you provide links? We have similar rules so I'm a bit surprised...
Not really, this is people I know personally. I know some of them have mentioned it publicly but can't find any links. Would be in Swedish anyway. I know two people off the top of my head that had their personal accounts suspended for legal political activity, for organizations it's pretty much any organisation on the right side of the spectrum.
Notice the difference between organizations and private individuals (which the quoted UK regulations seems to protect). I don't know if it's EU wide but Finland also requires banks to provide service to private individuals.
> people excluded from the banking system has been addressed by statutory regulation

I wonder if the effort behind this is a Baptist and Bootleggers moment. Surely some maybe most want to solve something that they see as a societal problem, others see opportunity a la payday lenders, and others see an opportunity for social control. Maybe the people who see not-banking as a social problem also want to use the end result to "nudge" participants in the right direction.

> There is really nothing you could do with a car to prompt the car maker to take it from you.

Maybe not take it from you, but with new cars that are always connected (Tesla et. al). They can certainly make them quite terrible if they want to... access to superchargers has been removed when "owners" use unauthorized work shops for instance.

Cars are also digital service platforms which can and do take away things. I am currently playing a safety score minigame to unlock enhanced driving features. If I pay $2000 my software will enable my minivan to have a 0-60 of a Ferrari. This is all premised upon a connectivity package I'm obligated to pay for but have been gifted for a year by the manufacturer.

To put it more bluntly, my eyeballs are watched by AI to make sure I pay attention enough to deserve the full use of my vehicle.. it's beyond punitive, it requires my positive behavior.

ALSO bonus, if I did something with my vehicle that resulted in losing my account, I would also lose access to my home electricity system.

What car is it? In what country did you purchase it? To me that sounds beyond reality…
Most cars do not do this. Teslas are famous for their DRM, restrictive connectivity, and shady upsells. Those will show up in the "cons" column of any honest review.

A normal car in 2022 will not constantly surveil you. No critical functionality is tied to an online account in any non-Tesla mass-produced car that I am aware of.

Neither of these points are true. Other manufacturers like Toyota are getting into the "features as a service" game with things like keyless entry.

On the surveillance point, I worked for an auto software company that partnered with a big auto manufacturer on a feature. We were granted access to an API that could geolocate any vehicle made by this company in real-time given its VIN. I volunteered my car's VIN to test with (I drove the same make as the company we partnered with) and confirmed that the API returned real-time location data on my 2019 vehicle. If you own a car that was built in the last 10 years, you are more than likely emitting your location to an internal service maintained by the manufacturer.

That is amazing since VIN's are often visible from the outside. This is just so open to abuse, especially if it was a casual to lookup as you make it seem (no verification that you were the owner and for just a lark). We as engineers need to establish a code of ethics. Seriously, every profession needs to have a "do no harm" clause because clearly companies have zero ethics.
To be clear, we signed a contract that explicitly prevented this API to be used for anything other than our particular commercial use case and access to production creds to this service was heavily restricted. I never once saw the service being abused, but you're absolutely right. The question I kept asking myself was: who is out there using this service against the vendor's TOS for whatever reason? This industry was largely built and shaped by people that didn't care at all about the rules, and the longer I work in this field, the more cynical I become about the effectiveness of just adding more rules. It feels like a pinky promise at this point.
You got a model X?
This is going to be one of those situations where we will have legislation passed, especially if our digital identities are tied to 3rd party providers.

Alternatively, the government will just take over basic id services (think first.last@yourcountry).

We already have state run (more or less) digital ids in both Sweden and Denmark. I don't know if anyone has been denied for ideological reasons though.
> If I take a kitchen knife and stab someone with it I will go to prison for sure, but I don't think they will take the knife away. They definitely won't ban me from buying knives.

This is true. Generally if you stab someone the police would seize the knife as evidence, but after your trial if the prosecution didn't file a forfeiture case against the knife, then it is still yours and you can get an order from the judge to return it :)

p.s. civil forfeiture cases give the best names, e.g. United States v. Article Consisting of 50,000 Cardboard Boxes More or Less, Each Containing One Pair of Clacker Balls, 413 F. Supp. 1281 (D. Wisc. 1976)

Not to be That Guy, since I'm not a shill, but "Bitcoin solves this" — not really today, except for pure cryptocurrency, but I can imagine a future where ownership of our access to these services is controlled by public blockchains ...
Why would that solve anything? Google could still cancel my gmail if I say something politically incorrect, regardless of their database technology. It's not like making my email public would change anything, they are not reluctant to cancel people just because others can see it. If anything, that makes the cancellation all the more effective.
If your email were hosted on a public blockchain, Google could not kick you off.

- Decentralized file hosting for all the emails using IPFS instead of Google's servers

- Decentralized login using ENS / Ethereum Name Service instead of Google's login

- a UI on top of your data, plus an outbound server for relaying to/from non-blockchain email accounts

Overall, you end up with portable data thanks to IPFS, and a login through ENS to whatever UI you want to use/pay for.

This seems like a win to me. Haven't seen anything yet that pulls this together but the pieces are there. Maybe someone here wants to prototype it.

By hosted, do you mean that the blockchain would act as the mail server? Wouldn't that be incredibly slow and inefficient?
By hosted I mean stored on IPFS. It's a bit like downloading a file from Bittorrent in that it can be fast and distributed, but with some added crypto layers.

The only part stored on the blockchain is the address itself. The files are not stored on the blockchain.

More here: https://docs.ipfs.io/concepts/what-is-ipfs/

Appreciate your question! That should get you started.

Alright, the data can be stored on IPFS, but where will the computations be carried out?
High level, Ethereum is intended as "computer", and IPFS is intended as "storage". They complement eachother well.

Beyond that, it depends on what you mean by "computations".

Our example is setting up decentralized email. What computation is needed to send and receive email?

1. You may mean the computation needed to encrypt and decrypt the emails. That would happen on your computer locally.

2. You may mean the computation to send and receive emails. I'm not sure how/where this would happen in this example. It might be on the blockchain somehow.

I mean any server application needs compute. Not sure how many clock cycles are needed to run a mail server, but since the Ethereum world computer is like a 10000 times slower than a single laptop, I figured it wasn't enough for really any kind of compute?
> any server application needs compute

I'm curious about this as well so will be learning more about dapps (decentralized apps). Starting here

https://blog.chronobank.io/what-is-a-decentralised-applicati...

https://ethereum.org/en/developers/docs/dapps

For messaging dapps, check out the new Blockscan chat by the creators of Etherscan : https://decrypt.co/91226/etherscan-creators-launch-ethereum-... (note: NOT very decentralized yet)

This is past my level of expertise, but you could map out what those clock cycles of a mail server are going towards. For example, serving files, like we talked about, can happen on IPFS. No compute needed there beyond what IPFS already does.

That's the difference between products and services and between owning and renting.

Anything that you get from the internet is a service. Even connecting to the internet is a service. And providing a service is ongoing work.

What we need is recognizing services as essential and guaranteeing people has access to them. This is something for the government to do, and the guaranteeing access part is quite complicated when the service can be exploited like email.

I like how you put this. Yes, it does seem like our ownership of digital services is tenuous, unlike owning a knife or a car. I could wake up tomorrow and conceivably be locked out of my Twitter, Gmail, Facebook accounts forever.

Perhaps in the new era of tech we'll have better data portability and ownership. Sure, maybe Google can kick me off but they should still let me export all my data.

See my reply below about public blockchains.

The Decentralized Identity Foundation is attempting to build a standard so you can own your own identity that’s independent of any centralized provider: https://identity.foundation/

That helps you ‘own’ who you are, but doesn’t stop someone like Google from refusing to work with you in case they think you’re a spammer (though your DID can provide enough evidence that you aren’t).

An important tip if you intend to send everything to gmail.

Do NOT send everything to gmail via forward. Every bit of spam you forward is going to count against your domain name. I had someone who did this on a community server and it wrecked our rating for a while.

Instead, have gmail pick up your email via pop3. This will avoid the "spam origin/relay" problem of forwarding.

Well, IMAP rather than POP3. I don’t think there’s a single legitimate reason to use POP3 any more (or has been for at least a decade).

The fetch approach has some significant caveats.

Firstly, it introduces something like 5–10 minutes of latency before you receive messages compared with forwarding, so it’s not suitable for every purpose. If you’re accessing via the webmail, forcing a refresh may trigger remote fetches too, if you know to expect something.

Secondly, if you leave messages on the server, there’s an undocumented limit at which point it will stop fetching mail, probably without notifying you. Back in early I think it was 2015, I went for a couple of weeks before I realised I wasn’t getting any email to what had been my primary address for six or so years (there were still just enough things going to my @gmail.com address that I didn’t notice), and on investigation, it told me that it refused to fetch from a mailbox containing more than 50,000 messages.

(Qualifier: I haven’t touched Gmail for five years (I now use Fastmail), so parts of this could be obsolete or altered.)

> and on investigation, it told me that it refused to fetch from a mailbox containing more than 50,000 messages.

Ironically, you would not have this problem with POP3.

… because POP3 isn’t able to leave messages on the server, it’s such a coarse instrument.

You can instruct IMAP fetches to delete too, and that’ll avoid this problem. Better would be to move emails into a new mailbox after fetching them, so that you don’t need to see them again but they’re still there, but I don’t know if anything supports that concept.

> Better would be to move emails into a new mailbox after fetching them, so that you don’t need to see them again but they’re still there, but I don’t know if anything supports that concept.

The best way to do this, in my opinion, is to tee the emails to another mailbox as they come in, not as they get pulled from the inbox.

Yeah, that’ll have much better support.
POP3 defines separate retrieve and delete requests. Some servers lose messages when you retrieve them, but I've only seen that misbehavior on major ISPs.
> Well, IMAP rather than POP3.

I set this up a couple of weeks ago. I think Gmail only allows pop3 for email fetching, because I just couldn't get it to even try connecting to my IMAP. pop worked great though.

The settings even lists "POP Server", not "Server", even if you choose port 143 or 993

> I don’t think there’s a single legitimate reason to use POP3 any more

Well, pop was designed as a "download the messages" protocol, IMAP as a "keep messages on the server" protocol, right?

So while it doesn't prevent IMAP, pop is actually a better mapping in intent.

Pop is clear about what "the email" is. IMAP opens questions like "so… all email? Or just INBOX, or what?". And while it's not mandatory to delete the emails from the server with pop, it becomes even more of a complex question with IMAP.

The choice of pop3 very strongly implies answers to all of these questions, with no surprises.

Are there downsides to pop here that I'm not considering?

The main one I had in mind was POP3’s behaviour around deletion; my recollection is that if you don’t want it to work that way (and I think you might prefer not to in general, so you can be confident of having your own copy of everything), you run into practical performance, bandwidth and processing limits much sooner, because messages don’t have any external identity, so the receiver has to download everything every time to check if it’s seen it before. And you can’t just say “well only look at messages in this folder”—POP3 sees all, and that’s a problem.

But y’know what, I’m going to retract my comment for the case where you don’t want to keep a copy of anything. For most places, POP3 is generally unsuitable, but for this specific type of destructive server-to-server fetching, it’s reasonable.

I've had that happen. I have my own domain, but some of my family just have it set to forward to gmail and they've had mail service disabled intermittently because of spam coming from the domain account.
I have Gmail forwarding all spam to my domain/fastmail. Any issues that way?
> Should we own the free stuff we pay for?

We should own our own stuff. Your email is your own data. No company should have the right to arbitrarily destroy or block your access to your data. Whether that service is free or paid for is irrelevant; offering a service for free isn't a license to rob and destroy.

I've argued this point multiple times (e.g [0]). Business who host your data should treat your data as your property and take responsibility for it. They don't have right to destroy it or put it through a virtual shredder any more than your landlord or car service should take your property to the junkyard.

I also consider it a security issue [1]; if you can't access your data (or worse: it's gone all of a sudden), security has failed. No, destroying data isn't the same as securing it. Google has poor security. Security should protect your data and your access to it.

[0] https://news.ycombinator.com/item?id=30242824

[1] https://news.ycombinator.com/item?id=30055397

Unfortunately law seemingly hasn't quite caught up with the idea of digital property.

Notice that Google's automatic suspensions may very well be illegal under GDPR. This was discussed here recently [2]. Having been rejected a credit card application (an example of a decision that should't be made automatically, under GDPR [3]) and lost access to a gmail account, I can say the latter was much worse.

[2] https://news.ycombinator.com/item?id=30138669

[3] https://news.ycombinator.com/item?id=30140312

I host my own email these days, and I am my own domain registrar. If someone wants to take away my domain, they have to take it up with my government.

I’ve never heard of someone being their own registrar. Was this hard to set up?
It was about five minutes of filling a form with the national authority.

There are some responsibilities that you get along with it (e.g. you're supposed to do risk assessment and document your approach to risks and security, etc.) but you don't actually have to deliver those documents unless they ask for it. They may also require you to respond to some questionnaires and such (I've received only one questionnaire over the years; they were conducting a study about how registrars verify the identity of their customers). Obviously these are primarily intended for commercial operators who have responsibility for customers' domains, and my risk assessment offering domains for myself is going to look pretty simple so I haven't actually written anything down. Will do if/when requested.

Excerpt from my whois records:

    Holder
    
    holder.............: Private person
    
    Registrar
    
    registrar..........: Private person
(It used to have my name along with other info in the registrar field, but this thankfully changed following GDPR)
Here, I'd have to do it on a company, and it would cost $9000 upfront and $2800/year. Not worth it. :)

Free domain lock against NS changes and domain transfers with national TLD authority seems good enough.

I do wonder if the whole data ownership thing has become somewhat confused by the regular usage of "your data" to mean data about you. My email is my data. Facebook's record of how many times I've logged in isn't my data, it's data about me. There should be regulations on what corporations can do with data about me but it's fundamentally different from "my data".
A lot of us have also been caught out by Google announcing they are forcing free G-Suite Legacy users to upgrade.

Here is where I am heading (having given the matter much thought and some testing, trial and error)

Free Gmail/Cal account as I enjoy the software

My own custom domains with any registrar

Paid Fastmail account storing all my emails to all my domains/aliases at Fastmail

All Fastmail messages forwarded to Gmail

Mail from Gmail sent through Fastmail's smtp servers

This gives me the mail/cal app I like and the freedom to move. I don't have a problem with paid. Google are forcing Workspace on me when all I want is email with custom domains.

Also caught in the Legacy drama. :-( still haven't decided what to do about it. blurg.
Me too. Currently leaning towards iCloud. It’s very inexpensive for email with a custom domain and I trust Apple a bit more than other tech companies.
Migrating to Zoho is super easy. Did it for 2 domains.
I looked at office365 as well and discovered the bizarre fact you can only redirect custom domains from one registrar. GoDaddy I think it was?
Zoho just wanted some TXT and MX DNS entries. Any registrar should provide you that.
I moved to Zoho for business and have 2 accounts there for £10 each/year.

The configuration of the service is much easier than Google makes it. Filtering took some getting used to, but I have it working much better than I ever could on Google, so happy bunny there. And the Android client is OK too.

The only meh part (for me) is the web interface for email/calendar isn't as streamlined as Google, but being out of that eco-system more than makes up for it.

Damn, I've been through this too and I have even forgotten about it. 5 users, no cost, gone. I've even used zoho for a while after that, but that's gone too. My current solution is to use custom domain with icloud and forwarding emails around.
What do you enjoy about Gmail/cal? I don't see the point of that level of indirection in your setup. Fastmail seems indistinguishable from Gmail UI except I don't have crap on the left nav. And gcal is unreliable garbage, in my experience.

These days I pick a provider for each service that lives and dies by the quality of that service. Fastmail has 'mail' right on the tin.

Phone number porting is a thing due to regulation. I'm looking forward to having email address porting legislation, one day.

For full porting, there's a long road ahead, starting with regulating domain names, which email addresses depend on. However, as long as the domain name _de facto_ remains in the possession of the original provider, this is technically possible, already.

Email address porting might even be possible without a persistent domain/DNS entry. After phone numbers get ported, the _sender_ (of sms, or a call) caches the new routing, and the original carrier doesn't know the ported phone number is getting a call in the new carrier's network. I'd be interested in discussing this sort of thing for well established internet services (such a central authority already exists, ICANN, but perhaps legislators can come up with a non-US authority for emails)

I would imagine it takes the form of a government "porting server", where anyone can query an email address and receive back a different target email address.

All people sending email will be required by law to first consult the porting server to determine where to send email. It could be as simple as an http endpoint. Total development costs and running costs could be pretty low - low enough that the government can argue it is more than paid for from increased tax revenue from mail providers.

This could perhaps be integrated with PGP keyservers
Rather than creating a central "government porting server", you could make this a "cost of doing business" of someone wishing to provide an email service to the public.

In the event that an ISP or digital services provider wishes to cease providing email service, they could be required to provide minimal access to enable updated provision of either a forwarding email address (which the provider would forward mail to), or an MX to redirect the sender to use. This would avoid the need for a big central "porting server", and retain the simplicity of doing a DNS lookup for one or more current MX records.

Given spam challenges, the former is likely unattractive (who wants to use their own IP ranges to relay potential spam to former users?), but the latter could likely work, or be made to work.

I realise the MX approach doesn't quite work, and you'd likely need to relay the email, but this is more akin to how the phone number porting system works - you ask the number block owner on each call, and they can either accept the call, or point you towards the correct destination network.

This topic is of indirect relevance and interest to the UK telecoms regulator [1], since many households rely on an email address from their ISP, which could become a barrier to switching, or result in long-term extractive pricing from users who have no real choice other than to pay a former ISP over the odds for email service to retain an old address.

[1] https://www.ofcom.org.uk/about-ofcom/latest/features-and-new...

> who wants to use their own IP ranges to relay potential spam to former users

In your example, anyone who wants to legally run an email hosting business.

This is literally how DNS works. Get your own domain and you can forward mail anywhere in the world.
Having the government having information about everyone’s email address…

What could possibly go wrong?

Probably nothing? They (or we I guess) have phone numbers and addresses as well.
You have a lot more faith in a government that has proven plenty of times that they can’t be trusted with information than you probably should.
How would you even solve porting without breaking legacy systems? You can point the MX records to another provider's server (or your own), but porting single email addresses won't really work.
I assume a similar issue existed for telephone numbers. Was it wrong to require that they be portable?
When you dial a number, you generally look up the owner of the number range in a list, then initiate signalling contact with them. They may take the incoming messages, or they may point you towards another network the user can be reached on (i.e. if they have ported their number)

In essence, in the regulated telecoms space, the number block owner retains responsibility for routing to the new network after a number port.

And did all Telecom providers have the ability to do that sort of forwarding before the statutory requirement to allow numbers to be ported?
Legacy systems will be broken.
You could easily oblige forwarding. You cannot shut someone out and then not allow them a) a backup of all data noe unavailable and b) and auto forward to an email of their choice.
Alas, email forwarding is fairly broken since DKIM/DMARC/SPF/SRS came into the picture.

As for not allowing people to save their data before shutting down, I agreee. That's a consumer rights issue though, and not a technical one.

Forwarding won't be enough if you need to reply from the same email address.
We have email porting already. With a custom domain, you can point it at any mail host you like. It costs a few bucks a year.

There's no reason for a complicated legal structure to ensure mail forwarding (which just begs for abuse). Users already have the power. Use it.

Are you volunteering to call my grandma and walk her through setting that up? Are you also going to pay the yearly domain fees? No? The legal framework needs some work.
Seriously, the domain fees shouldn’t be an issue. And while registering a domain and connecting it to a suitable email provider is a bit more involved than setting up a new phone number, it’s not that complicated either. People without any technical affinity will need help with both.

I agree though that there should be legal resort to not losing your email address.

Are you suggesting that everyone has a legal right to a free email address? Phone numbers aren't free either, a phone line is way more expensive than a domain.

If you think there's real demand for email portability, go into business! A service that lets you buy a domain and route to different email providers is well within the abilities of a single programmer. Make the UI idiot proof and charge a few bucks more than the registration fee.

> I paid for it, so technically, don't I own it?

There's a lot of scenarios where you wouldn't want purchase of service to transfer ownership. People providing services have rights too. You don't get to do whatever you want with their brand, trademark, copyright. And you don't get to expect more service than is promised, or that you won't have your service taken away if the service owner doesn't want to deal with you anymore.

So you ask, well how can I be protected as a user of services? And the answer is: competition, being an informed consumer, and the occasional regulation.

> Do we own our identities? Do we own our phone numbers, emails, handles, PO boxes, addresses?

Those are all great examples of why there is no simple answer.

You do not own your phone number, but you do have the right to transfer it between carriers, thanks to regulation. You don't own your own email address, but you can rent a domain name and do what you want with your email address while you're renting the domain. You don't own your handle unless it is your real name and you go to court to protect it. You don't own a PO box, but you can rent it while you pay for it.

Ownership is often just a matter of possession. Who possesses your email address? Who possesses your PO box? Hell, who possesses your house? The land it's on? The access people have to it? The impact it has on neighbors?

Identity and ownership are complex ideas that are involved in many different levels of our society. As much as people want it to be simple, it just isn't. And the world is not going to get less complicated.

> lost access to paid services that I had set up with social login

I signed up to Quora with my Facebook account, back in the day. Deleted Facebook in 2013 and lost access to my Quora account, with no possible way to recover it.

I haven't used a social login since. In my case, it was fairly harmless, but it made me realise how dangerous social login is. Every time there's a signup, I look for "signup with email". It's the safer option. And if you can, use your own domain for email (Google's paid email offering supports this, as does Fastmail and countless other email providers). That way if your email provider decides to flip you off, you switch DNS records and you're up and running somewhere else, and everything keeps on running.

But: If you don't have a copy of emails then you lose all saved emails, so make sure you have a backup strategy in place.

There really needs to be a zero cost custom-domain email hosting solution.

I'd love to have webmail on my own domain, hosted by someone else, and with ads on the side. Those ads should generate ~$20 per user per year (after all, they can be targeted based on emails I'm sending and receiving, and I'll be looking at them many minutes every day - the perfect combination for high revenue ads).

With $20/user/year, there should be no difficulty paying the hosting costs of such a mail server and staff to look after it.

Just a heads up you could use Cloudflare Email Routing to forward *@foo.com to foo@gmail.com for free

It looks like Zoho might have a free plan too but I've never tried it https://www.zoho.com/mail/zohomail-pricing.html

ImprovMX also does email routing for free along with webhooks and such

I use the free plan from Zoho and it's been solid. But... I have been using it for a while and it is my understanding that certain features I have (IMAP) are no longer in the free plan.
Just looked at their pricing and it looks quite sane. How good is their calendar and does it sync to iOS and Android?
I use the Zoho app (iOS and Android) for mail and calendar, so yeah, it syncs that way. I haven't tried setting up another mobile app.
Their Calendar is exactly like any other caldav icalendar, works fine on iOS and any other platform using the calendar standard protocol.

Been using Zoho for many years, switched from my free grandfathered Google Apps account to Zoho around 2014.

Cloudflare Email Routing is still in private beta. I'm eagerly awaiting it
Thanks. I've been on the waiting list for quite a while. But I didn't get any notification.
One thing that wasn't immediately clear from the blog posts --- does Cloudflare's solution allow configuration to also send emails from the custom domain email address?

In GMail (and using Google Domains to host my DNS) I've configured this by inputting various settings as per the guide here:

https://support.google.com/mail/answer/22370?hl=en

The key relevant step is: "For school or work accounts, enter the SMTP server (for example, smtp.gmail.com or smtp.yourschool.edu) and the username and password on that account."

Is that kind of thing supported with Cloudflare?

You just have to apply for it for each domain you've added and they approve it within a few days
Some domain registrars provide a catch all email for your domains. Just forward that to your own gmail (or whatever service you are using). That way you are in control of the email addresses and can take advantage of free email services.
Why can't you just go around selling your data to the highest bidders and use the money to pay for the myriad of already-existing hosting providers?

I'll tell you why: because you are not worth that much to advertisers. If you are so cheap to the point of asking to get your data harvested, chances are you never going to be a high-value customer.

Sure, let’s do that. Where can I sell my data?
No one wants to buy the data from cheapskates.
The comment you replied to said exactly why this won't work: “If you are so cheap to the point of asking to get your data harvested, chances are you never going to be a high-value customer.”

Though I think “high-value bit of cattle” or “high-value mark” are closer to how the stalking side of the advertising industry sees us!

> If you are so cheap to the point of asking to get your data harvested, chances are you never going to be a high-value customer.

But if you are so dumb as to not know your data us harvested, you are a great gullible idiot, er, I mean customer.

I don't think logic holds any water. There is no rational 'free market' reason you can't sell your data, it's just logistically too difficult to deal with millions of individual 'sellers' istead of paying $supplier to get all of it at once.

1) I did not say anything about not having data harvested.

2) Even if the data is being harvested, doesn't mean that there is any morality in trying to get a share of the profits. That doesn't make you smart, it makes you a cheap accomplice.

3) "free market" would apply only if all exchanged data were offered by those that own the data, and if they could determine how and when the data could be used. GDPR has shown already that some sites would rather not serve their sites to European citizens than comply with data regulations. You can bet that the intersection of high-value prospects who would be interested in selling their data for some meager dollars/year is very, very small.

I think you underestimate the training/socializing effects of being raised with advertising, and the steps toward closing that gap already underway.

You can buy discounted TVs (and in some places they are the only TVs you can buy), which clearly have advertisements on them that others do not.

When more people wake up my bet is they will be accustomed to advertising, they will just want better advertising. And if one can get paid for receiving short-form entertainment with relevant product information, with appropriate branding I bet there is a market.

I replied in the other thread. The flaw in your argument is that the only way for "better advertisement" is through personal data selling.

Brave's model has shown that you can have a ad distribution system that gives more power to the users, the ads are still relevant, fraud is much more easily detected and it can still reward the users for their attention.

With zero knowledge proofs, you can even have a system where the advertisers only get to show ads for those that match certain criteria, but no personal data needs to be given away.

If you are working on anything that depends on direct exploitation of user data, I urge to go back to the drawing board and seriously consider the morality of it.

Fully agreed with the last paragraph - consider the morality of direct exploitation of user data, and the risks that it is used in ways not originally intended. Maybe read some history too such as McCarthyism, Stalinism and many related instances throughout history. This data exploitation that has swept through the world has the potential to be a terrible nightmare in the making.
The issue is far more likely the low volume transaction (of one user) which is itself likely to be a consequence of lack of demand/reason for this service so far.

No one is set up to explicitly monetize your data with consent. It doesn’t seem like a bad idea once society catches up with it.

There is no need for the monetization of data.

Monetizing users' attention is enough.

Look at the Brave model. People get paid for the ads, no personal data is exchanged.

Something like improvmx but, like $3-4 a month instead of $9 with just bare bones POP3 and SMTP for personal use only would suit me.

I'd like to self host data and webmail and pay somebody else manage the headache of delivering and receiving.

Fastmail handles the whole thing admirably as far as I'm concerned.

Get your custom domain, create a mail user with Fastmail: username@mydomain.com

Set things up nicely (do read the docs), particularly look at catchalls, wildcards and aliases

Give out separate email addresses to each and every service you use: service@username.mydomain.com

Bonus: You can easily send emails back from each address you give out and if you create a label called "service" for the example above, mail coming to that address will be automatically labelled without needing to create a rule.

I used to use spamgourmet and used to get some resistance from sites using misguided email validation considering it a spam service (oh the irony) - now with Fastmail, everything just works.

+1 for Fastmail "just works". It's a bargain, has great UX, and all the features I could think of.
I use mail forwarders on my custom domain so anything sent to me@mydomain.co is simply forwarded to myregular@gmail.com.

Except the domain renewal fees, it's free.

If Gmail blocks me, I can readdress the forwarding to hotmail or usa.net or whatever.

That works but to cover your bases you need some sort of regular IMAP backup as well.
(comment deleted)
I just use Thunderbird and tell it to keep everything local.
My domain registrar provides free, simple mail hosting with a domain - maybe yours does too?
> There really needs to be a zero cost custom-domain email hosting solution.

Unfortunately I doubt that would work. Any email solution hoping to get significant use will need to be able to send as well as receive and/or store & organise, because if someone is needing to run their own send route elsewhere they'll run their own receive route there too, and any free email solution that allows sending will be abused in any way possible by junk mailers and other scammy types.

It would be a constant fight to keep the service off black-lists and dealing with the backlash from:

* people blocked rightly because of service abuse

* people blocked because of a false positive in what-ever automated checks you do (the admin involved in doing all the checks manually will be excessive enough that it can't all be done manually)

* those who are inconvenienced by the service, even temporarily, being on a blacklist

And that mass of spammers such a service will attract will be worthless: they'll have everything quickly automated and won't even glance at a single one of the adverts.

> With $20/user/year, there should be no difficulty paying the hosting costs

I doubt $20/user/year would cover it unless you get a decent number of subscribers. And I doubt there would be enough people who would sign up for this, who are not already using gmail or similar big providers that already exist or mail provision included with their web hosting or domain registration service.

Of course my gut reaction could be quite wrong here: why don't you give it a go? If you are right then there is a market to corner that no one else is looking at yet so you could make it big.

Sounds like a startup opportunity you should jump on. ;)
It is a basic utility, and it should be provided by (nation) states. Every citizen should have a domain, or a subdomain.
The largest email providers already show ads to the free tier. They don't earn that much per user and it's just not worth supporting custom domains at that scale.

If they cant make it work, why would anyone else have more success by offering even more features for free?

And if you're already buying a domain name then why not just pay for the email account too?

(comment deleted)
A friend of mine had a similar problem with her Spotify account after she canceled her facebook account. Self-made Spotify playlists usually can have quite a bit of a sentimental value. I can only image what services the OP would have lost access to in case he/she used social login for all signups.
Social logins only carry your information and a token, and you can enter to your profile and add a password too (99% of the time).

So, you can use social login (OpenID Connect in reailty), as an automated form filler and add your password, so your account will be effectively won't depend on that provider anymore.

I use a lot of services like that.

>> Social logins only carry your information and a token, and you can enter to your profile and add a password too (99% of the time).

I think the whole point is not having to create yet another password.

One solution to all of this is to have some kind of durable identity verification that the user controls and can use everywhere. There are serious challenges with that of course, which is why we don't have it yet.

I use a durable identity verification that I control and can use anywhere (within reason): a standard offline password manager (keepass) synced via dropbox. I create "yet another password", but I never see it or directly interact with it (outside of tweaking the password generator to fulfil weird password requirements)
> I think the whole point is not having to create yet another password.

That's the fallacy. You're always creating a new password. Only its storage location is changing. You can store a password in a variety of ways and places. When you use a social login, you're using a time limited password stored in the OIDC provider. And if you lose your account there, you lose all your passwords.

Also, you can store your passwords in OS key chains (Linux, macOS), browser password managers (Mozilla Lockwise/Firefox), in myriad of other online/offline password managers, on a text file or paper.

Many sites allow you to "reset" your password for an account created with a social login. However, if you created an account with Google OIDC and lose access to your GMail account, that's another matter.

But that also creates security risks especially relating to information exposure. The ID provider will always know which services you use, how often you perform logins etc.

A secured password manager is the superior option, especially since you would not compromise every service in case your password is known by third parties.

Finding the place to enter and save and confirm a password sounds a lot harder than just putting in my first name, last name, email and a password in the first place.
(comment deleted)
Especially with increasingly convenient password manager UX’es (e.g. integration on iOS)
Yeah, most new services allow sign-up with e-mail. However, there was a brief period which made it almost impossible to register without a social registration path.
I've run into that a few times, yeah. I walk away if that's the requirement to join.
How do people remember which social login they used for any given site? There are usually multiple and they overlap between sites and none work with every site.
People generally tend to use one of them, mostly Google.

However, I always sign-up with an e-mail directly if possible, and don't use OIDC login pathways. If I had to use or was lazy during registration, I change my password immediately, so I can use an e-mail/password/2FA path.

I make it easy by Never using social login because I don't want the chance of being locked out and password managers are easy enough.

So they are always in my password manager, and that part of life is good.

I am not that smart but I always thought that using one company's authentication system to log into another site can be a source of massive trouble.

I connect all my logins with my (custom-domain) E-mail and also do regular IMAP backups of my E-mails. I run Thunderbird once a week and sync all mails.

Yes, do not force failures to be correlated.

Ideally one goes in life forcing failures to be uncorrelated, but that's extra work. Anyway forcing them to be correlated is also extra work, so just don't.

> Deleted Facebook in 2013 and lost access to my Quora account, with no possible way to recover it.

Did the same but lost my Spotify account. Needless to say, but I haven’t used Spotify since then..

I created my Spotify account back when they only had the option to create it with a Facebook account (or at least they hid the email option very well). Eventually I disabled my facebook account and realized that disabled my spotify too. I spent an hour or so with Spotify support to transfer all my playlists to a new account since they couldn't (at least back then) convert my account to be a non-FB account. So much time wasted. Never again.
They may have fixed this. Either that or I did something explicitly that resulted in my Spotify account being accessible by the email I used on FB.
This is naive question, but I think a valid one, and I'd love to know what you think, is using a domain name to sign in, just moving the issue of losing an account to the domain provider? So instead of Google, your host controls your sign-in instead?
It is, but you're much less likely to find your account suspended by your domain name provider. People lose Google accounts and Amazon accounts and all kinds of other accounts because there's so much going on with them and something somewhere triggers an automated ban (for Google, we've seen issues with people and their YouTube, or their Play Store apps, or in this case, their Gmail).

But you're far less likely to ever have any issues with your domain name provider, because you literally only have your domain with them, and don't interact with them outside of that.

I would say if you want to be extra safe, your domain provider would NOT be your hosting provider. Because you can lose your hosting, too, and we've seen stories like that here a few times.