483 comments

[ 3.4 ms ] story [ 332 ms ] thread
Someone needs to tell this librarian Google has 2FA backup codes you can just write on a piece of paper.
You do not need to enable 2FA to be affected by this issue, so IIRC it is possible you never received the 2FA backup codes to begin with. "Suspicious" logins will prompt 2FA from your connected phone.
I used to work as a librarian and ran into the issues the author writes about. Less than she did - but it being a community that skewed older I have plenty of experience shepparding older and/or low income individuals through basic online tasks such as applying for unemployment etc. If you have never done this kind of work then it is very easy to take for granted how low the baseline technology competency of certain folks is. Telling someone they will need a working phone number, a password, and recovery codes to access their email when "it used to just work" will simply not fly for them.

This side steps the issue that often these are scenarios where the patron is already locked out of their account and coming into a library as a last resort - so lecturing them on backup codes will be of no avail.

Obviously, it would be better if Google would do something, but they won’t. A temporary solution could be something like a sign that encourages people to print out backup codes and the librarian could help them with it. Maybe the librarians could even store them in a folder and retrieve with ID. Not saying these are good solutions, but they could maybe help a bit.
To give a sense of the level of tech literacy samsa is talking about, I've had to teach multiple people how to use a mouse and keyboard + had to explain to dozens of people that the icon called 'Internet' on the library computer will let them go to Facebook just like the 'Internet Explorer' icon at home or the 'Facebook' app will.
Google has basically made 2FA mandatory if you have set-up an Android phone, which doesn't even prompt to back up recovery codes.
And this is more likely to happen to the poor since they're going to have Lifeline Assistance phones, which are all shitty Android phones. (I had a couple and keep them as burners but they're crap.)
Does your grandma have printed out backup codes?
My father was a statistician and programmer for most of his career. He's switched to a new gmail account three times, at least, when he couldn't remember a password.

So, no, nobody has printouts of backup codes except the people who are already aware of Google's reliability problem.

My grandma just creates a new google account whenever she gets locked out and it doesn't matter because she doesn't use email for anything important.

I'm starting to wonder if she's the smarter one.

This is great, until you're locked out of a service that you actually need, and the only password-reset way is to send a reset link to the e-mail account she never uses anymore.
Something that I don’t think has been mentioned yet is that Google requires a phone number attached to every account (not just a 2FA method). This is to prevent scammers from making an infinite number of Gmail accounts. (With a max of 5 accounts per phone number if I remember correctly.) This means that people without phones are unable to even set up an email account—backup code or not.
I've attempted this multiple times through the years.

As of my most recent attempt, the OTP flow still mandates input of a phone number. Those who lack phones cannot request OTP.

Google, we know a river of $$ flows from G-Mail - do you not feel any need to create a useable account recovery mechanism, all it would need is a few drops from that river?
Nah, they're good, lol.
Yes, the cash register works fine!!
With 2FA it is a matter of time until you are locked out.

I picture a world in 2050 where there is no more Google because everybody got locked out or banned.

On one hand, you have the perspective of this and other librarians where users are locked out of their accounts by Google in a (debatable) measure to secure them.

On the other hand, you have the perspective of computer repair people who routinely field calls and service computers due to the elderly (mostly, but also everyone, including tech literate folks) getting scammed, account takeovers, downloading malware, and worse!

So maybe the solution here is not to *force everyone and their literal grandma* to be using these machines for all of their business??

Better that elderly folks stuck at home should be shut out of major activities of life?
It’s an impossible situation. Account security reset processes are the number one target for most account takeovers.
About a decade ago, a broken iPhone caused me to experience how bad Google's MFA reset process was — there were multiple _years_ where the “hard landing” form triggered a flow which sent an email to an internal mailbox which didn't exist! — and while I was able to use printed backup codes after I returned home the experience left me concerned enough that I went to one of their identity group's public meetings here in DC.

One of the things which I was struck by was how unseriously they appeared to view their role in modern life. People were generally very casual about the need and were especially uninterested in anything which required them to work with outside parties.

My suggestion was that they consider a protocol where trusted civic authorities could be allowed to confirm someone's identity, which sounds like it would be useful for this case: let the person initiate a mediated reset flow where someone like a librarian, police officer, etc. could authenticate in their official capacity and check a box saying that they've confirmed the photo ID for the person standing in front of them. Most of the benefits from MFA are preventing things like phishing attacks which are also stymied by limiting it to people in your geographic area, although you might want to disable this for high-risk people enrolled in Google's Advanced Protection Program.

I agree with your suggestion. I think Post Offices, DMVs, and large reputable retailers (Walmart, Target, Cellular Phone companies, etc.) could verify our identities for a small fee and help us reset our social accounts when needed. I arrived at the same conclusion and wrote a blog post about it a few years ago:

https://www.go350.com/posts/now-they-have-2fa-problems/

Aren't half of those things you listed (Walmart, Target, Cellular Phone companies, etc.) also exactly how people get unauthorized access?

You convince the employee to port "your" number and they do so and then you reset that accounts password?

https://www.wptv.com/money/consumer/phone-porting-leads-to-s...

Make it a choice. It sure sounds like the patrons of this library would opt in.
Well, good old Yahoo Mail does that. Time and time again it tries to convince me to set up 2FA (for an account I use rarely), and time and time again I say "No" - and that's it! The library patrons would probably be very happy with that...
I distinctly remember lynching from HN security crowd when SIM cards were being unlocked and moved to new people from "trusted companies" like Verizon and AT&T.

HN demanded for such security holes to be disabled and prevented - what changed since then?

What changed is that we're starting to learn about the breadth of needs by people with different lives and opportunity sets, and feel at least a desire to talk through potential solutions for a subset of people who opt into it.

If the worst thing that people could commit in this discussion is hypocrisy, I'm sure they're willing to step over that line.

What changes is that there are different needs from different segments of the world, and we have reached a problem (authentication in general) that is truly impossible to solve with our current toolset.

For me, the larger threat is that someone impersonates me and takes everything I have. If I lost my email, it would be a nightmare but I could work around significant portions of the system. For my cousin, the larger threat is losing her email, as she has no significant assets to steal but could run into every problem in the email.

There are likely people in the middle as well, and other threat vectors. (For example: caregivers committing fraud, dementia, state actors, and 20 other we could brainstorm pretty quickly.) Perhaps the right answer is that we need 20 different services that can segment. Perhaps the problem is that some sectors aren't profitable: maybe we need a grant for emails for poor people with a circle of trust.

I don't have answers. Maybe we need a collection of people to think deeply about this problem.

Walmart may be a reputable retailer, but it is utterly disreputable in being a reliable arbiter of identity. It doesn't train its employees well, its employees are often not the brightest bolts an the box, and those that are often don't give a shit.

As for post offices, they aren't eligible because half the government is actively trying to kill them.

That sounds like a good idea! Perhaps expand what notaries do?
It sounds nice. if everyone plays nice. Slip some underpaid gov worker a 50 and suddenly you are someone else. There would need to be abuse provisions put in place. Then a whole org around that too. Not saying it can not be done, but it looks like to me is Google has a poor customer service issue, even if not true. Roping our govs into doing googles customer service seems odd.
> Slip some underpaid gov worker a 50 and suddenly you are someone else.

by that logic, slip some policeman a $50 and they might plant drugs on your enemy or shoot him because he had a wallet that looked like a gun.

Have employees of private conoaniea never been involved in fraud?

It's a real concern, but how is this different from the current ink & paper scenario? I know people who use county notaries to keep important documents and we, as a society, have apparently deemed that an acceptable risk. Is the distinction the potential scope and scale of digital theft?
Library op-sec is pretty weak IME. Mine accepted seeing an email of a utility bill on my phone. Which is probably fine for just checking out books.

I still love libraries and the services they provide. But wouldn't want them to be an arbiter of identity any more than a faceless, human hostile corporation.

I wonder if that's deliberate. My bank also accepted an email utility bill but they said they only ask for the utility bill to prove that you didn't make a careless mistake when entering your address.
> Mine accepted seeing an email of a utility bill on my phone.

To be fair, tons of places use those as proof of residence. It’s not as if it makes a real difference if you print them first.

It's supposed to be easy to get a library card! The threat of an out-of-towner getting a local library card is nothing like a stranger getting access to your inbox.
So we have come full circle: starting from a call for help from a librarian seeing lots of people unable to access their accounts because of 2FA, we have proposed various methods of avoiding that, and then concluded that it's better if 100 people are locked out of their own accounts rather than letting one unauthorized person access an account that isn't theirs? I guess that's Google's position as well, because if they let someone unauthorized log in they might be liable, whereas if they lock 100 people out they can say it's their fault...
No, I'm saying those situations aren't comparable. We should not conclude librarians will be poor stewards of MFA reset powers just because they are lax in giving out library cards.
Ah, ok, then sorry for misunderstanding...
> Mine accepted seeing an email of a utility bill on my phone. Which is probably fine for just checking out books.

I mean, I just got my `REAL ID` from California, and they accepted printed utility bills as proof of address for me. I could have easily modified the name and/or address on them before printing.

The other proof of identity I used was my birth certificate... that I was able to just order online with the only information required from me was my social security number and answering a few questions that would not be that hard to find out about someone.

Proving identity in a way that works for everyone while not allowing anyone to fake it is practically impossible.

I think something like this could work iff the accounts were required to be set up by said civic authorities with confirmable paperwork. Otherwise, librarians are stuck awkwardly trying to decide if 'John Doe' really owns the email account 'ILoveButts64@gmail.com'.

I also doubt this will ever happen since it would require more $$$ for things that are not profit generating and supports a population that is useless from the tech companies' POV.

Or now that I think about it… for 2FA in particular, what about enrolling a software FIDO token with an extension on every library computer that can be triggered by a librarian from their desk? Doesn’t require hardware for each patron, only applies to accounts that have been enrolled at the library. Feels like it could work.
Then it opens up a backdoor for malicious (or socially engineered) library staff to access email accounts.
And given that a lot of the staff working those desks aren't librarians + are working part time, it's also great incentive for bad actors to get jobs in libraries specifically to start stealing that data.
Not sure data theft from homeless or poor people is a major threat. What could an attacker gain from that?
I can see some value in it for scammers, hackers, and businesses that pray on the poor. (For example the 'buy now, pay later' Aaron's Rent-A-Center type businesses).

Or for identity theft.

If this were discovered the library as their employer would necessarily have sufficient personal information to prosecute them. That’s a lot more risk than your typical online scammer has.
That seems like a movie plot threat: who’s going to go to library school, pass a background check (government job, access to children), and actually do a job which isn’t easy and doesn’t pay anywhere near enough just in the hopes that someone will walk in the door with enough money to be worth scamming in a manner which is both obvious and easily traced to them?
I think it would be fine for the library to have/be the 2ND FACTOR and the user would still need their password. Being at a physical location seems like a reasonable 2FA (more reasonable than a phone in these cases).

Could the library buy a few FIDO tokens, hot glue them into the backs of the computers, users add them as 2fa to their accounts and now the computer being wiped between users is no longer an obstacle?

The downside of this is:

- Users would only be able to use the exact same computer each time. If it’s out of order, too bad

- Users wouldn’t have unique tokens between each other, so there’s a risk of other library patrons shoulder surfing and then logging in with the same token after you

Agreed — I was thinking something along the lines of allowing you to register a government ID on your account so the process would be something like the librarian starting an assisted reset process, confirming that the ID you present matches what's on file, etc. and people with strong privacy concerns could choose to take the risk of not doing that.
Why would Google want to do this? Current 2FA suits its role perfectly: it prevents a large scale leak, one that would result in bad PR. There is no incentive for Google to care for individual users.
The government is slowly figuring out digital ID and will show up to regulate it.

Identity is too critical a business for services companies like Google to walk away from. It’s stupid, because once the camel gets it’s nose in the tent, it will cost them more.

> trusted civic authorities

They'll need to be resistant to threats and bribes, so it will be difficult to have these on-site at the library.

I think we've overlooked an option. Note that the article's objection to FIDO keys was financial, not UX. This sort of confirms the hunch I got when first playing with them: "hey, the key metaphor is so strong and intuitive that these might be even better than passwords for people with low tech literacy." I held off on saying anything until their compatibility actually lived up to the hype, which IIRC only happened in 2020 (all major browsers, all major platforms, by default), but it did happen.

As for the financial barrier, yeah, it's wild that these are still $30/ea on Amazon. Can they be bought cheap in bulk? Or does the market need some aggressive new entrants? In any case, they are "near practical" and the shove needed to make them "very practical" is probably 100x smaller than, say, creating a Central Bureau of A12N.

It is not uncommon for unhoused people to lose all their possessions, so even if purchasing multiple hardware security keys wasn't a huge financial hurdle, the recovery model I use (Yubikey on my keychain, two in my safe, mail one to my parents) falls apart for those on the margins of society. If email is an essential service in modern society, recovering access to it from some first principle of identity is essential. I don't have an easy answer for how to do that, but I also don't have a trillion dollar market cap.
That's true, we still need a good last-ditch fallback. FIDO could still save a lot of people from the hard login screen, the phone number gotcha, and the need to become literate in information-keys. Last-ditch fallback becomes a lot more viable at any given expenditure level if it doesn't have to serve as the primary authentication mechanism for half of the library's elders.
The CEO of Fastmail, a company which deals directly with the ID problem as an email provider with customer service, has made some insightful comments on this:

https://news.ycombinator.com/item?id=15864579

I am a happy Fastmail customer, in a large part due to trust inspired by Bron’s comments.

How about: the library gets a few Yubikeys and offers to let people register their accounts with them as backup? So, if they get into trouble they can ask the library to unlock their account for them?

This essentially grants the librarian what they think they should be able to do.

But the next step would be to figure out how to reduce the risk that this system can be abused.

The libraries will just do this with their huge slush funds. They can put the YubiKey desk next to the ball pit back by the employee lounge.
> > trusted civic authorities

> They'll need to be resistant to threats and bribes, so it will be difficult to have these on-site at the library.

That's why I mentioned things like APP: some people do have a threat model where that's realistic but it's a much smaller number than the people who are inconvenienced by being locked out so it seems like it'd be a net-win for most people to be able to get unlocked easily. There are also ways to mitigate some of that risk like having notifications for all actions with an easy way to report unapproved requests, geographic restrictions, enforced MFA for the civil servant (“tap your FIDO token to approve this request”), rate-limiting, etc. which are all bread-and-butter tasks for one of the major tech companies.

The other thing I think is relevant here is the degree to which things fall back on civic authorities anyway — e.g. Facebook's process where they require scans of your government ID or the various ways you can report a deceased relative. It seems to me like it'd be better to embrace that and work better together rather than pretending there isn't already a fairly large trust relationship.

In this situation, maybe one thing that could help is if the library holds on to the backup codes for patrons. So they can sort of act as a quasi trusted authority. In fact if these people can't even log in without backup codes, they can just keep their password in their wallet.

Of course, yubikeys also work very well in this situation. So the library could sell a yubikey and keep backup codes on file for in case the yubikey is lost.

Or since you can store so many identities on an individual yubikey, just give the librarians one.

I was thinking among options:

- Library is a Group Administrator for patrons' Google accounts.

- Library offers its own email services to patrons.

- Library holds recovery codes (perferably under some sort of escrow).

All of these put burden on the library, of course. Though there's already a substantial burden.

There's also the issue of itenerant / mobile patrons who may only be using a library on a temporary basis or operate between several locations. How much this is a use pattern I've no idea.

The USPS offering email services might be yet another option. Points of presence in every ZIP code, often several.

Given other ongoing challenges (housing is now a full-blown crisis), the problem of mobile / indigent / precarious indivudal will only grow.

The pattern is also likely to be repeated in other global regions.

Lots of services are available to opt-in to validate identity. In fact, Google sells solutions on the cloud side.
It’s an absolutely catastrophic experience, that they clearly don’t take seriously.

Regulation solves this. I hate to say that, as so much of tech regulation is a ham-fisted disaster that misunderstands the problem and creates even bigger ones, but this is really a very serious problem that can ruin lives, and regulators really should step in here.

I’ve known a couple of people who have been through this experience, and one in particular who not only couldn’t get back in to their account - but had no way of knowing if someone else was able to get in to the account later. They’ll never know. It will never be possible to know. The kicker is that they could never have their data deleted due to the same problem. And no amount of help or time spent with chat support ever changed anything.

Can you describe how regulation solves this problem, how exactly are you proposing for this regulation to work?
I’m not GP, but I expect that regulation could help by requiring customer service. Similar to banking.

And there could be an agency similar to CFPB where citizens could appeal who would then make formal investigations.

So regulation would force the workflow described in the article to not have a grim outcome for elderly users of gmail.

Since opening all these offices costs money, this means that the accounts can't be free anymore.

I suppose they could be subsidized by the state for low income people.

Not necessarily. The margin is really high on Google services even though they are free.

I don’t know Google well enough to know what they would need to do to offer non-shitty service. Maybe they show more ads.

I also think they could automate good service if they wanted to, but it’s not a priority and they aren’t required. I used financial services before and after CFPB and I don’t remember price increases on my bank accounts. So perhaps something similar would apply here.

Could it not be similar to FOSS companies where the software (service) is free but customers pay for support?
That's why I proposed linking to existing services: Google doesn't want to open an office in Podunk, but they could very plausibly setup a way to allow agencies like DMVs, libraries, maybe the VA or post office, notaries, etc. to use some kind of “I attest that person X showed me photo ID matching the information on account Y” web app. This could be really useful paired with things like senior centers whose residents are far more likely to need help.
I write software at a fintech, and the CFPB regulations are super important for protecting the customer. They also give important guidance on how the customer needs to be taken care of, which is important for a company that wants to do the right thing but doesn't have expertise in customer service.
We already have that structure. It's called "court". And if you think it's not working well, I would agree with you. But neither will the other bureaucracy you are proposing, because neither really care about any of low income people who can't even pay for the phone service.

But let's put aside the efficacy of said institution, and presume it's working very well. They got call from some Joe. He claims that certain email address belongs to him, but can't prove it. Forgot password, no access to phone. What this customer service of yours going to do? Let's imagine they can order Google to give the guy access to account. Is that a right thing to do? What if that email belongs to a journalist or a whistleblower and you just gave access to it to a Russian intelligence? Remember, benefits are one thing, but it's not the only thing for which email is used.

And if it really comes down to this, why is Google under obligation to provide emails for government use? Government can provide email access to everyone who needs it. If they require email in order to access benefits, well go ahead and set up necessary infrastructure. Why Google had to do it? Google provides service on as-is basis. If that service level is unacceptable for government use, well newsflash: it's not the only provider.

It's not the only provider, except when it is.

If you have an Android phone, your e-mail is on Gmail. It doesn't need to be, but it is, because you didn't know that when you were funnelled into the e-mail when you set up the account and oops now that you're locked out ten years later it's too late to make a choice.

I really don’t understand how regulation makes it better? you can simply write down codes if you want a way of recovering a gmail account. Most users don’t do this because they’re not educated and they don’t understand opsec. If a government agency had the power to recover any account, it would be abused by corrupt government officials.

Remember scale when thinking of potential solutions here! it’s not just the US that would be affected by this as well. The reality is that google does a better job at identity any than US government institution (ssn, drivers license). How many people have their identity stolen versus having their 2fa protected gmail account stolen?

As far as support, how would it be better if support gave you access to an email account if you complained enough? please consider the abuse side before you suggest a solution.

You’ve misunderstood the problem.

Backup codes wouldn’t help here, and the person I was referring to had their 2FA to hand.

Forgetting a password is unrecoverable on gmail - they even had recovery options on the account (secondary email and phone), but the recovery form never asked for that information so it could never be used (it insisted on the previous password). As no member of staff has access to prompt the system to offer a different one of the specified recovery options, the account is permanently frozen to this user (but not potentially to an attacker in the future, assuming that other information could be obtained somehow).

Helping the elderly is hard, but Google’s system is horrifically dangerous to people in ways even Google aren’t aware of.

This was an elderly gentleman, not well versed in computers, but all the savviness in the world couldn’t have helped him. He was forced to just walk away and hope for the best. Holiday snaps, photos of grandkids, personal files - all permanently retained by Google but locked out of his reach forever.

In EU (Italy) there is eIDAS (SPID) that could allow this. It is essentially a national SSO.

Today it requires almost always a Android/iOS phone AFAIK, but it could easily be massaged to solve this problem.

The system is set up so that your account is owned by the state, and you can register with documents to providers; then after certification they run the actual SSO process.

A library provider could set up a computer that automatically passes the SSO login for your national account after certificating your identity.

Honestly this feels a bit too open to social engineering attacks, but probably there is a good middle ground.

Edit: Maybe in the US this is already almost possible by extending something like https://en.m.wikipedia.org/wiki/FIPS_201

a protocol where trusted civic authorities could be allowed to confirm someone's identity

This is already a solved problem, and without getting the government involved.

There are plenty of identification confirmation companies out there. If you've ever requested your credit report, or applied for a new apartment online, you've probably interacted with one.

Oh, but that's an expense. It might costs pennies per user! Google doesn't do expenses. It would rather spend money on rooms full of toys and gourmet catering than on helping people use its own products.

A credit report on John Doe doesn't prove that I'm John Doe, it only tells you whether or not John Doe is likely to pay his bills on time.

This thread, in general, is a great example of engineer hubris. It looks at a complicated problem, and all the top discussion sub-threads are highly up-voted non-solutions to it.

That doesn't show that you're that person, however, only that you've learned some trivia about them — often details which are visible on Facebook, pilferable from their mail, or known to no longer trustwothy family members & friends. My hope would be that we could find a way to reliably fall back on a government ID check since, for example, an abusive ex who knows all of those details doesn't look like their target.
I got locked out of various MFA sites when I got a new device and had to redownload my Authenticator app it wasn’t linking to the accounts anymore and I could not get in. It became a chicken and the egg problem. Eventually going through support channels for each site I was locked out of I was able to get back in but it was a giant headache.

I vaguely remember someone posting about a hypothetical scenario where their house burnt down and they lost all their physical devices and couldn’t get into anything etc.

It looks like the librarian's letter is from July 2021. So, the frustrated librarian raised this issue more than a year ago.

Has GOOG done anything about it in the past year?

There needs to be a better way.

This has been an issue for years. (I've worked in libraries, including public ones, on and off since 2004).

It's not just a GOOG problem. In fact, Yahoo makes me want to show up and yell at some business people: They lock people out of their accounts and then CHARGE THEM TO CALL IN and fix it. Another general issue is how much of this population uses/sticks with old products: There is a large number of Yahoo, AOL, and Hotmail addresses still being used, as well as old ISP mailboxes.

Agreed on Yahoo and ISP emails being awful, but Microsoft migrated all the hotmail users over to Outlook years ago. At this point, there is only a cosmetic difference between a hotmail.com email and a outlook.com email. I'm normally not a big Microsoft fan, but that was one change they handled reasonably well.
Oh yeah, it was just an example of how this population stays with familiar products far beyond their usual lifespan. So they often want support for products and services that are old or unsupported. And why changes really screw them over: A lot of these people just have GMail accounts from when they were easier to use.

MS did well on this one, I agree. (And I also hate MS but credit where credit is due.)

Considering my experience with the migration and merging of various Microsoft accounts, I find this statement very surprising...
i suspect that basic digital identity and messaging services will eventually be operated by governments. similar to how many major urban transportation systems were adopted and then glued together to provide subsidized public services.
Weird to blame Google for the government's refusal to provide basic services like telephony to its residents. Why doesn't the library provide a SIM with every library card, and store it at the front desk?

Or, you know, an email account with its own security policies? I got my first ever Unix shell account from a library.

Another solution to this problem would be competition. If there were a workable alternative to Gmail that had account recovery mechanisms better suited for this population than the librarian could simply recommend that for their patrons.

Can anyone suggest what a good alternative to Gmail would be for this population?

Outlook.com/Hotmail.com?
Hotmail once deleted all my emails because I hadn't logged in through the web interface for 30 days, instead used another client. Then one day I got a weird message and logged into the web interface to find all my emails from more than a decade gone.
(comment deleted)
Maybe a Government-supplied email address that is only accessible from libraries?

I would hope that libraries would have fixed IP addresses, so surely that could be factored into the authentication process? Some FIDO keys used to be able to be bought for as little as $5 (https://wiert.me/category/power-user/security/u2f-fido-secur...) so it shouldn't be beyond the budget of any self-respecting town/county/state?

Great letter. Wanna bet it was completely ignored? Glad to see it here. Maybe it won't be ignored.

Librarians rock. There's even a show about them[0], Starring Number One.

I can't access the gMail account I set up, because I made a mistake, when setting the password, and did not save the one I used.

It will not allow me to access the account I set up.

After a while, I just gave up. I am satisfied that someone can't use my gMail address to impersonate me (because even I can't get it). I have plenty of other eMail accounts.

[0] https://www.imdb.com/title/tt3663490/

> Wanna bet it was completely ignored?

I just tweeted it to @Google. Maybe if enough people ping Google about it?

It's important to understand that Google is, as an organizational body, psychopathic in nature. (Many corporations are, but Google especially, through well-indoctrinated concepts like being solely data-driven and putting scale first, combined with a belief that Google hires the best people and hence is already doing the best possible thing.)

Google does not care. You cannot make Google care. Employees who care get fired, or burn out trying to make the company care, and inevitably quit. Google is Google, and the only thing that's going to make it change is regulation.

This is an extremely bleak perspective. Individuals care, but most are powerless to make a difference if they don't work in the area of concern. It's often a knowledge sharing game of making sure the right people hear about it which can be hard. They are intentionally shielded from direct feedback to keep them focused, but that is a double edged sword. I honestly believe the reason viral stories get resolved is because the information gets to the right people, not because of a desire to avoid bad PR. Google is a collection of largely independent tiny organizations.
Information/signal propagation (along with costs incurred by remedial activity) are the most important damn topic in our society today.

Almost every problem out there at some level is an info prop problem, and in cases where it isn't the signal getting lost, it's the remediatory activity being judged as too expensive, and thereby getting the process routed to /dev/null

It’s indicative of structural limitation and is not necessarily any reflection on the innate humanity or lack thereof of participants in Google.

Google has designed itself to be psychopathic from a human frame of reference because it is more streamlined (profitable) to be psychopathic. It is a product of its environment.

(comment deleted)
The letter was subsequently updated to say that the situation has improved and in fact the author is currently looking to get less attention (apparently it was posted to HN without their knowledge and now their work email is getting a ton of non-helpful noise from hackernews commenters). So it would probably be better to not tweet about this.
> Wanna bet it was completely ignored?

Well, looking at the date...

> "Today, July 19th 2021"

Edited Sept 10,2021 per Activity and Details. The year is not a misprint.
>I made a mistake, when setting the password

That's a feature, not a bug.

Yes, but not being able to recover the account, is a bug.

The issue was that I used a randomly-generated password from 1Password, and accidentally re-generated, before copying, so the original was lost.

That's a fairly common mistake. I'm usually careful to avoid that (now).

At least in bitwarden app they provide history of passwords for every url.
So does 1Password. However, the generator can be run standalone (not connected with an entry). In that case, the password is not saved, because there's no entry to save it to.

It does not offer to automatically create an entry, until after the login, so it's still quite possible to "fall through the cracks," which is what happened here.

Yeah, my bad. :P

Some people generate random passwords and never use them, always using recovery to regain access. That has to work.
> Starring Number One.

OG Mystique as well. Rebecca Romijn has done some great roles.

(comment deleted)
The author updated the document to say that they worked with google security and the problems have been resolved. So it wasn’t ignored.
So what's the resolution for the billions of people who weren't contacted?
This comment is sort of funny, because the author says that Google is being responsive but is upset at the army of HN commenters (plus the guy who posted this originally.)
Currently the doc says:

""" STOP EMAILING ME AND CALLING THE LIBRARY ABOUT THIS

This was shared without my permission. This was not supposed to be public. It was meant to be shared internally to Google. It was not an open letter. It went directly to the security team and we had a conversation about it and it’s over. This is from well over a year ago and we no longer are having this issue as often as before due to various improvements.

Please delete this from HN. You are essentially DDOS’ing my work email and the library branch phone number making it very difficult for us to perform our duties as civil servants today.

I do not know how this made it onto HN. Someone must have leaked it. If they need to work that out internally then I’m leaving this here for their reference. But I do not want news reporters or random HN readers contacting me or the Free Library over this. """

Seems like it was not ignored and was already resolved.

> we no longer are having this issue as often as before due to various improvements.

Doesn't sound like it was completely resolved. In fact, it sounds like Google may have treated it as a "squeaky wheel," and only that library is getting better help.

In any case, I think that HN (@dang) should honor her request; regardless of its resolution.

I would suggest that the letter is great, and should be made more available, sans the identifying information.

I'd suggest someone try and get her permission to host an anonymized version of the page, on a different server that could handle the lurve.

Which email service should one recommend in these cases? ProtonMail?
Losing a password would lock them out of all previous emails but they would be able resume use of the account
To the target audience of the library?

Outlook.com as it's the simplest to use. Their immediate concern is their livelihood so they need a free email account and not have to think about anything else including its lifetime.

To a techie audience?

ProtonMail, FastMail, Tutanota, GMail, Postfix...

Gmail sounds like an odd recommendation as a replacement for Gmail.
Gmail but the Workspace version so that you have a better customer support*.

* Relatively better, but still lower than what I expect.

So, what should Google do, here?
Google employs the smartest minds on the planet and also have full insight on how Google works and what tools they have, so it shouldn't be hard for them to come up with a viable solution I believe.
HackerNews is a collection of brightest minds of software engineering who all know better than incompetent Googlers. So asking for how the brightest and bestest of HN engineers handle these security cases is educational for everyone.
It's indeed proving very educational and insightful so far. Several of us are convinced that Yubikeys will solve all their problems, which makes it evident that we have not read the letter. A majority of us are bashing on Google for other reasons.

I'll print out all the comments and forward them on to the Free Library. The next time a patron gets stuck, the librarian can read one of our comments out to them.

I think it is a good question that isn't well answered by "they are smart so just figure it out".

Credential stuffing is a big problem. It is a really big problem for email accounts, which often are all you need to reset a password for other critical accounts. 2FA, even SMS-based 2FA observably reduces the rate of account theft. 2FA also fundamentally requires access to some extra thing that you posses, often a computing device. So it also adds friction and can lock people out (as can losing passwords). I think in part because 2FA appeared later, we seem to be okay with people getting locked out of accounts if they lose their password but not okay with people getting locked out of accounts because they cannot access their second factor.

Library computers are also untrusted devices. They are also not the only untrusted devices that people want to use to login to their accounts.

As for solutions.

Printable access codes are supported in gmail. This is a pain to do over and over but does permit 2FA without any additional computing device. You can let people disable 2FA (which is possible), though you can expect another letter pointing at the suffering this causes and arguing the opposite.

You could enroll the library in a "Bob uses this library to authenticate, don't ask for 2FA here" mechanism that does not use cookies but I'm not sure what this would actually be given that the library is deliberately resetting state on the machine after each session. Perhaps there is some acceptable state that the library could keep around? A solution in this vein requires coordination between email providers and libraries but is maybe the most promising approach. Or you could do something like a family account that permits the librarian's account to tell gmail to temporarily permit 2FA-less logins for a particular account/device pair.

You could recognize that 2FA most protects against stuffing and not let people choose their own passwords to guarantee uniqueness, but I suspect you'll get an equal number of people who fail to remember their long password of random characters and get locked out, leading to a similar letter complaining that Google is harming people who need memorable passwords.

The problem is almost impossible to solve. When a person has forgotten their password, lost their device and doesn't have 2fa recovery codes in hand or a recovery account set up, there is no way verify the identity of the user. Real-world identity is not linked with the account, since many goverments don't provide an online identity service (and even if they did, the people in question probably wouldn't have digital IDs either). Moreover, any manual processing is prohibitively expensive and vulnerable to social engineering attacks.
Yeah but we can't expect them to be able to handle a problem that ( checks notes ) many other kinds of business have been solving since the earliest days of commerce.
Have a Support line where people can call and verify their identity?
How would they verify their identity?

Those sorts of password reset systems are regularly bypassed by convincing scammers who have stolen some personal information.

> How would they verify their identity?

How do they verify requests coming from Police and courts who want data?

People who forgot their login can go to Police or maybe some govt office who can help them to prove their identity and then approach Google.

I am sure Google has brilliant people who can come up with a solution if a law is passed for such things.

I think the main issue with that approach is that they could verify that the person in question is Mary Jane born 1/1/1970 in Texas, but there's no simple way to verify that mj1970@gmail.com belongs to Mary Jane born 1/1/1970 in Texas.

You would need to verify your real-world identity before losing your account which people would really hate if mandatory and nobody would bother with if optional.

Google can ask questions like what credit card providers do. They can ask questions about some of their emails, if the verified person can answer them, then they probably are the owner.
Well for a start, not set you into a loop telling you to use your phone to log-in if you've lost your phone.

I mean, even a paid-for, ad hoc ticketing system (e.g. if you need a reset on your account, pay $10 and create a ticket; no need to have an enterprise subscription in advance) would be better than what we have currently.

But financial institutions solve for this all the time when people forget their online banking details or their phone breaks for 2FA. It probably costs them a far amount in customer services support, but they suck it up as the cost of doing business (probably because they legally have to). Whereas Google just foregoes it entirely.

setup an alternative identity system - even state wide one. phone 2fa is extremely poor identification system - it's convenient, but that's pretty much it.
Allow users to link accounts to widely accepted forms of government ID. Maybe a state ID, whatever the common ID is amongst that community.

If a user has chosen to link their account to a real ID in this way, they must be able to regain access to their account regardless of password/2FA blah blah by presenting a valid ID.

Banks and lots of institutions have processes to do this. The librarian is right, "how" is not an issue because verifying identity is _not_ an unsolved problem lol.

Can the library set up Google authenticator codes for all of their emails and look after the authenticator codes on behalf of their users?

Or is SMS the only possible second factor authentication method?

No. This suggestion is, I'm sorry, utterly ridiculous. Even if it were possible---which it isn't due to the fact that many patrons have their emails long before they come to the library---but it would amount to get another public subsidy of a private mega corporation in the way of free tech support and data storage. Not to mention the security concerns, though to be honest I think that's secondary in the face of losing access to housing and benefits.
“The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man.”

s/man/woman, in this case of course.

Why is the US so far behind the rest of the world when it comes to technology? State IDs/Driving Licenses already exist. These should have chips on them that could be used for authentication.
Getting an ID in the US is more difficult than this account recovery procedure that the letter complains about.
Especially for the the specific demographic that this letter is referring to. It's so easy to get caught in a catch-22.
Making these (and especially electronic ones) mandatory is a baaad idea : <insert random dystopian example>
I used to feel the same. But in reality, we prove our identity daily - every credit card transaction, banking, electronic tolling, bill payment, health care visit, tax payment, legal proceeding, employment opportunity, voter registration …

What protects us from invasive search is not lack of a uniformly accessible system for identification - its due process. And if the government chooses to compel you against your will and without due process - whether or not you have a laminated ID in your pocket will be irrelevant.

Most of those are optional. You can use cash, you don't need a bank account, nor electronic tolling, or bill payment, emergency room visits are free and there's free clinics. Other various things like legal proceedings, voter reg, and taxes are not things that are "tracked", that's just basic citizenship requirements.

A national ID would make the few cases where you need to hide your identity (like you're a 10 year old girl who was raped and needs an abortion, or the doctor that needs to perform it - https://www.seattletimes.com/nation-world/10-year-old-rape-v...) much harder. Until our government decides not to be so fucking crazy, we need to push back on its ability to unjustly track and then punish its citizens.

The main reason we don't want a ubiquitous national ID is that once it's there, everything will require it, which means everything you do will be tracked. Which is okay until the government decides to go psycho and attack some section of the population. Right now, literally every red state would love to get their hands on logs filled with IDs of people who have anything to do with abortion (a Texas bill makes it illegal to even drive someone to an abortion) so they can put them all in jail (abortion doctors get 99 years). In the past it was the gay rights movement, civil rights movement, the satanic panic, the communist panic, rounding up all asians into concentration camps during ww2, etc. We can expect more of this, and a ubiquitous ID makes it much easier for the government to execute these plans.
I'd be more sympathetic to this argument if all that info weren't a couple subpoenas or search-warrants away at most—in fact, the government can often just pay for access to these things, usually with the implicit threat that if access isn't granted at a reasonable rate, the business may find itself in some trouble. Like, if we banned private parties from collecting tons of info about us, then maybe that concern would have some merit, but we don't, so it doesn't.

Point is, they don't need a national ID to pin you to some cell phone records that place you at location X at time Y, to get your CC usage data, to find out pretty much anything they like, to connect that to a license plate, to snag toll and other photo records of the vehicle from various sources, et c., and the only reason there are any restrictions whatsoever on that ability isn't because we don't have a national ID, but because we're not yet living under a tyranny. Difficulty IDing people isn't the limiting factor.

The public-private hybrid ID we have now is terrible and also carries all the same risks under tyranny as a national ID, which is at least not-terrible.

It's not like having a national ID would mean all the spying-data companies collect on us would automatically be shared with the government—more than it already is, anyway. It'd be the same as now, except with fewer ID-related problems for people.

Yes, the government can trace people right now, if people are not protecting their identity. Because there is no ubiquitous ID, it is still possible for you to protect your identity in almost every part of society. But that possibility will rapidly disappear when a ubiquitous ID arrives.

The difference between rounding up people or not is often just whether it is logistically feasible. Right now, even if they collect every kind of data from every business, it would be a nightmare to attempt to collate it all, because it comes in so many sources with so many differing fields that may be out of date or inaccurate or wrong and would have to be normalized etc etc etc. Impractical to do on a very large scale. Except when there's a single identifier they could look for, which would completely solve the problem for them, and make it easy to round people up.

Companies that sell data to the government without the consent of the public is a huge problem we need to deal with, for obvious constitutional reasons (4th amendment).

This is what happens when private for-profit companies through monopoly become public infrastructure with no oversight and no obligations but turning a profit.
Perhaps the solution is for libraries or local authorities to setup their own email providers. An email address “for life” with your library card, with the necessary support and in-person reset verification that their patrons need. I’m not suggesting this would be an easy or inexpensive undertaking, but maybe that’s just the next step in service evolution for a public information service like a library group.
Indeed, but this will then going to face the issue of Gmail (et al.) refusing to accept e-mail sent from small providers.
I am sure a another huge vendor like Amazon, facebook, or Microsoft will step in to provide the email services :)
This is where regulations can step in, to require email providers to accept mail from essential service providers.
I will pass on that, no one should be required to accept messages from anyone
How about "required to not mark as spam"?
I am not a fan of regulation in general

But SPAM should be resolved with strict adherence to standards like SPF, DKIM, etc. and where those fail it should be improved

Today many companies, large and small, as well as government agencies, large and small do SPF and DKIM very very very wrong.

Unless we can get this right I fail to see how regulations would do anything other than make things worse

Some of the biggest SPAM abusers are not the small providers but the Large companies like Gmail and Microsoft who do not vet their customers very well

If they are refusing messages, there's no need to bother marking them as spam.
Ah yes, I can see how this even worse situation could easily happen trying to "fix" the previous one...
This isn't necessarily a "from a small provider" but rather "administered by the library."

It could be any email service that allows the librarian-administer to reset the password for an account. If I mess up my exchange email, the helpdesk can verify my identity and reset my password.

I suspect that most going down this approach would find it easier to use a large hosting service that they provision and administer (along with allowing password resets) than to try to have an underfunded library IT staff stand up an arbitrarily large email service and manage all parts of it.

i absolutely think this is the next step. we're at a point now where it's becoming obvious to even a layperson that we really are lacking a lot of agency over our lives, which has been given over to big tech companies to arbitrate. i also think it could be a way away from the monopoly of facebook over our social lives, to have e.g. library servers which run a local instance of mastodon, for local people, to be connected to the actual community they're in. the only way to reverse suppression of small email providers is to make it more common for people to /use/ small email providers - which happens if it's more common for email addresses to be administered by someone you actually, physically know. for that to be the trust relationship with the system administrator, rather than blindly accepting every new privacy policy just because it feels like there's no other option. the more i research this topic, the more this feels like the only sustainable way out of the dystopian hellhole described in her letter.
I'll extend off of your great commentary and suggest that the letter/small correspondence delivery portion of the USPS (not the parcel/package delivery segment) should be collaborating with U.S. libraries to establish more digital infrastructure for citizens; especially those who lack what others might consider the digital basics. This could include free/low cost email, local instances of ActivityPub servers, matrix (or other secure, but open source equivalent) chat services, etc. I understand this would open up many issues, and not an easy fix...but if more and more things are truly becoming more digitized, then government (and government-adjacent) services should not just evolve, but also help the citizenry evolve to take advantage of said services. At that point, i can imagine a scenario where if such a free/low cost email service were available, the likes of google and microsoft could not block digital correspondence since there would be at least some regulatory framework/policy in place to avoid such issues. Again, none of this is easy, but i feel the path forward can still leverage gov. entities - like libraris and USPS - that have greatly helped citizens in the past throughout our history.
They (libraries) could even set it up using Google Workspace, or any other email service provider like FastMail, Outlook, etc. Maybe companies could add a super inexpensive plan for public service providers like libraries to enable this sort of account for which librarians could do password resets, unlocks, etc. Maybe charge for the # of administrators only?
How do they get away with not having a support number. Even Amazon has humans you can eventually talk to as you go through the customer service interface
Many people pay well over $100/yr to Amazon they expect a certain amount of support. Google by contrast doesn’t have nearly as many paying customers, and thus doesn’t feel the need to support them.
I hate, hate, hate how so many web services have started to force 2fa on us. I have many accounts that I don't care that much about and I use bitwarden so it is extremely unlikely that I will get hacked and if I do I don't really care. Still, they force me to open my email account every time I log in because my cookies or ip address do not match my last login so I can input a stupid code. Big offenders in this regard are google, amazon, twitch, outlook, twitter (rarely). I know 2fa exists. If I don't enable it it is because I don't want to.
Shelly Rosen is a hero, and should be recognized as one. It is not very often I get to read business requirements that are so clearly defined. Kudos. This letter should be obligatory reading in schools.
It's a good letter.

I'd like to see another letter drafted to other librarians recommending specific competing email providers that people who are MFA-challenged should use for anything important.

I wish that Shelley had co-written this letter with either a tech employee or a more tech-focused librarian. The problem that she mentions is real: I've worked in her position and can confirm. But the way the letter is written makes it clear that she's not very familiar with the tech industry or how things are developed.

If I were a Google engineer, this would read like one of dozens of pleas we get constantly to change X, Y, or Z for some small portion of the served population. And software devs in general find those demands annoying, particularly given some of the language that Shelley uses.

I think this would have gotten more reach and been better received if Shelley had a co-writer that acknowledged the reasons for 2FA from a security standpoint and emphasized the trade-offs that are being made + suggest other security measures. Likewise, having someone with a better understanding of tech would mean being able to do things like present some solutions that don't amount to "Oh most magic of Google Oracles, please fix this." Also the suggestion that they could contact her to learn about where patrons get stuck made me cringe slightly.

Basically, there's a misaimed moralizing tone throughout the letter that I think is at odds with its stated purpose, and it could have been written better, but the problem is real.

yikes. old poor people are having their lives upended because technology has infiltrated the processes by which basic business is conducted and the designers of said technology had not bothered to consider them as a real use case, and your response is "she's not asking nicely enough."

yikes*10000. cringe^inf.

Maybe I should have mentioned I'm a programmer and a librarian, and my suggestion is one of tactics/strategy.

I care more about getting the problem fixed than the writer's feelings not being hurt, and I think that things would be more likely to change if she'd written it differently.

sure, maybe you do get more bees with honey. or more often than not you never get seen. we live in a sad era where the only way to get real attention from large companies is to embarrass them in public. this is by their design.

> I care more about getting the problem fixed than the writer's feelings not being hurt

i don't really follow how the writer's feelings could be hurt in any case. you seem to have an odd perspective on all of this.

So we disagree on the best tactics to take here. In particular, I think the embarrassing tech companies in public works when it's done by either other tech people OR it gets into the media where the bottom line could be impacted. This

That doesn't make me 'cringe^inf' or boil down my tactical critiques to '"she's not asking nicely enough'. I presumed you were attempting to call me out for tone policing, and usually the point of that call out is to protect the feelings of the person being critiqued. Or to prevent the person making the tone argument from making it for biased reasons, but as I am ALSO a female librarian, that doesn't really apply here.

> you seem to have an odd perspective on all of this.

Yes, I imagine I would. I differ from both HN's average readership and the average librarian enough that my views on things are odd. I also did some time in communications work and I can't turn that off either. It's like seeing poorly written code for me.

the call out was more in line with a general disagreement with what i saw as a tech industry apologist take. i don't think people who work in the tech industry are bad people, but if people are losing housing because of their products, inventions, or service policies, then it appears that they have certainly (possibly inadvertently!) done some very bad things and that needs to be acknowledged plainly and clearly.

no masters need to be pleased, no egos massaged (it's time for that obnoxious culture to die). they done bad and it's time to make it right.

embarrassing companies in public is an old tactic that predates consumer technology companies by a large margin. in the old days letters would appear in trade rags or newspapers to the same effect.

also, thank you for your time in public service.

That's fair, that would be a decent read on the comment assuming average HN demographics. I am a librarian who was raised by hackers, so I was programming and playing around online for years before starting library work and eventually getting my MLIS. So I was critiquing her from a colleague's POV of 'this clearly isn't your area of expertise, why didn't you ask a colleague who does know this area so the letter was stronger?' I wouldn't write a letter about, say, the impact of social media on kids' media without talking to some of the children's librarians I know, since I don't know much about children's services.

Also libraries have a major cultural issue of their own, which is that they love credentialism and gatekeeping, and part of that manifests through assumptions that they and only they know the right thing to do (you'll note she suggests that Google contact her for more information rather than perform their own research or, God forbid, asking the userbase directly). Related to this, librarians, because of their vocational awe, are very, very susceptible to forms of communication that affirm their righteousness, and I see signs of that in this letter. From a communications standpoint, it's just not ideal to ask people do something by shaming them and assuming a stance of superiority while ignoring some context. That's just asking to be dismissed.

So that's where I'm coming from.

I actually greatly agree that tech culture needs to change.

> embarrassing companies in public is an old tactic that predates consumer technology companies by a large margin. in the old days letters would appear in trade rags or newspapers to the same effect.

Same problem, though. Embarrassing a company in a trade rag means that your employees are going to be judged by their peers and you're going to have a hard time hiring new employees. Using a newspaper meant that it went through some sort of editorial gatekeeping and the newspaper determined it was an issue that was likely to blow up. There were also plenty of cranky letters to the editor/opinion pieces in newspapers (especially smaller ones) that were dismissed as 'lol old people be cranky'. You have to have a strategy there.

I actually miss public service a lot.

I strong disagree. This isn’t a tech issue, it’s a poorly delivered solution that didn’t consider the needs of the users. The solution is so poorly delivered librarians are an ad hoc support team for thousands of people.

Google in particular created a moral problem by choosing to implement a security solution that doesn’t serve people who depend on the services. They have the metrics to know better, but didn’t consider the use case.

I provide services to users in these use cases. It’s very possible to serve them in a way that is both secure and respectful to humans.

I honestly can't remember who implemented 2FA in this case first, but it's not only a Google problem. People also end up locked out of their Yahoo and AOL accounts fairly regularly.

> The solution is so poorly delivered librarians are an ad hoc support team for thousands of people.

Well, yes. We're also expected to be teachers, social workers, etc. Everybody has been outsourcing/dumping the unprofitable work on us for decades now, why would Google and other tech companies act any differently? It's a problem that goes deeper than Google and the tech companies; it's a general assumption that infrastructure design can ignore the worst off parts of society and that people like volunteers and librarians will step in without considering whether or not we have the capacity for that as a society.

I just think instead of 'Google, fix it', it would have been wiser to make clear that this is a general problem (not a Google specific one) and to suggest things like partnerships between the GMail team and the PLA, etc.

I'm saying this in the spirit of 'yes, we need to take this territory but maybe a cavalry charge isn't the best way to do that given the other side has machine guns'.

But in this case the affected "portion of the served population" is not even "small" !
It's a small proportion of the served population, not a small population in absolute numbers.
But it still isn't ! Last time I checked, about 20% of the population was not computer literate (and that in a rich country!)

And it might be even larger than that since you need to be rich enough too...

My goodness, I think you just might be lacking in empathy. I honestly recommend that you take a step back and reread what you have written here.

> But the way the letter is written makes it clear that she's not very familiar with the tech industry or how things are developed

And she should not have to be familiar with the tech industry. The tech industry's job is to figure out what the users want, by understanding what they do.

> And software devs in general find those demands annoying, particularly given some of the language that Shelley uses.

No no I hope not! I hope that engineers who possess some empathy will see a letter like this and feel their pain and feel compelled to do something for them. If someone feels nothing after reading this letter, they are lacking in empathy.

I'm a colleague of Shelley's, loosely: I've been working in libraries since 2004, a fair amount of it in public service, and my first job was literally teaching people basic technological skills in a public library.

I don't think it's 'lacking empathy' to focus on whether or not the tactics or strategies my allies are using are likely to, you know, work. I would consider it more important that the letter be taken seriously and lead to actual change than people pat themselves on the back for their empathy in agreeing. It's because I have empathy for the people affected by this issue that I care more about effectiveness than the feelings of the people reading/writing the letter.

> And she should not have to be familiar with the tech industry. The tech industry's job is to figure out what the users want, by understanding what they do.

I mean, she's a librarian. I do expect people in our profession to be able to look at an issue, understand where our experience is lacking, and seek to either remedy it or find someone with complementary skills. For a librarian to run into a problem and not act to acquire relevant information is something I (as another librarian) am pretty comfortable judging as 'unwise'.

> The tech industry's job is to figure out what the users want, by understanding what they do.

The tech industry's job is to make money.

> No no I hope not! I hope that engineers who possess some empathy will see a letter like this and feel their pain and feel compelled to do something for them. If someone feels nothing after reading this letter, they are lacking in empathy.

I would like the world to be that way. It would be great. I would feel much more optimistic!

Focusing on tactic and strategy is the opposite of empathy. An empathetic response communicates that you understand the feelings and experience of someone else. Your comment did the opposite by only focusing on your own thoughts/desires/experience. You may find it useful to research emotional intelligence so that you can respond appropriately and productively to another's emotional state.

https://students.ubc.ca/ubclife/emotional-intelligence-101-e...

> misaimed moralizing

The moralizing is in fact aimed directly and purposefully at google

And I think she's wrong, as another librarian who's worked in public services.

I think Google's poor implementation of 2FA is a result of misaligned incentives, unknown unknowns in the product development cycle (because she's right that engineers assume a baseline technological literacy and access that isn't there for everyone), and deeper social issues.

Lying it directly at Google's feet and implying that they made that choice maliciously rather than ignorantly (or to maximize their actual goal, which is $$$) + not noting that the bad decisions have also been picked up by their competitors makes it read more as a judgment than an invitation for collaboration/plea for help. I think a different approach would have been more effective.

I have a tactical disagreement with Shelley. No disagreement on the actual issue, which she's right is a huge problem and one I've personally encountered hundreds of times.

Write to your law makers. Don’t trust companies to provide access through public shaming and media, force them all to do so.
Yeah, Google just doesn't give a shit.

I was a gmail user since gmail was in private beta 18 years ago. I never had a phone number associated with it. And yet two or three years ago when I tried to log in Google decided to just... not let me do that, because fuck you, and started extorting me to give it a phone number. If I don't give it a valid phone number it won't let me access my email. But I can't really do that because, you see, I don't actually own a phone number.

So now I'm essentially locked out of my almost two decades old email account, for no good reason whatsoever except the fact that Google is a bully. Fortunately I've long since migrated to another email address on my own domain as my main address, so it doesn't really matter.

Do not depend on any Google-provided service. They don't care about you, and they will screw you over sooner or later. You're just a number to them. Most importantly, pay for any critical service you need (like email). Do not wait until it's too late. Do it NOW.

I also have it since beta -- and no phone associated.
It's not just Google, many corporations are starting to make "assumptions" about their customers, and these assumptions totally exclude entire groups of people.

A great example I use is there are a ton of restaurants and fast food places around me. I used to walk to get lunch every day but eventually had to stop, these places realized most customers went through the drive through so they closed the lobby. Now even though this place is a 5 minute walk from me, it's no longer accessable if I'm not in a car.

Same thing with my TV and Router, both of which required an app to just setup. The TV required an internet connection to "activate" and I realized that if some family saved up and bought this TV but didn't have an smartphone or internet connection, well they just bought a $500 brick.

And that's why authentication standards like FIDO scare me. To me it almost seems that the standard was written by a bunch of out of touch tech bros thinking to themselves: "Well of course EVERYONE has a phone these days"

> The TV required an internet connection to "activate"

I’m a huge fan of shoving crap like that back in the box, and returning it DOA. The soulless bastards that built it don’t know if I’m computer literate or not.

> A great example I use is there are a ton of restaurants and fast food places around me. I used to walk to get lunch every day but eventually had to stop, these places realized most customers went through the drive through so they closed the lobby. Now even though this place is a 5 minute walk from me, it's no longer accessable if I'm not in a car.

I think this may have to do COVID and then staffing shortages creating a necessity rather than a active business decision. It would be ridiculous but couldn't you walk through the drive through? (I probably wouldn't do it either but I can't really think of a reason you couldn't)

A lot of places won't let you do that for safety/liability reasons. And it's not a completely nonsensical concern, there are often multiple blind corners, people driving way too fast for conditions and only looking for other vehicles.
I walk through drive-throughs regularly. I don't even get particularly odd looks like I'd initially expected. These include both fast food and bank/ATMs (or a teller at the other end).
I think this may have to do COVID and then staffing shortages creating a necessity rather than a active business decision.

There's a Starbucks near me that was built as drive-through only. Where there should be a lobby, it's just blacked-out glass and a door for the employees to enter through. Makes the whole strip mall look really scary, especially since vagrants sleep in the doorway.

I assume it's for commuters, which means all Starbucks contributes to the neighborhood is traffic and crime. Thanks, Starbucks!

It would be ridiculous but couldn't you walk through the drive through?

I used to do this all the time when I was a kid, but more and more places won't serve walk-ups at drive throughs. They claim it's for safety, hygiene, insurance, or whatever the excuse-du-jour is. They just close the window and ignore you.

I've been turned away more often than not by restaurants (of a variety of brands) for attempting to walk/bicycle through the drive-through. I have no idea if it's corporate policy, franchise policy, or incapable exception handling by staff, but the de facto result is that no, you can't reliably go through a drive-through without a motor vehicle (I assume they allow motorcycles, despite that I can't see at all what the functional difference between a motorcycle and a bicycle is from the perspective of a restaurant drive-through).
Walking through a drive-thru probably becomes an insurance and liability risk; and depending on local laws, it might be seen as a pedestrian entering traffic.
It’s private property so traffic laws won’t apply. Pedestrians are allowed all over parking lots.
(comment deleted)
> It would be ridiculous but couldn't you walk through the drive through?

I was told "Sir please come back in a vehicle" when I tried. When I told the guy I don't have a car, the guy gave me a blank stare.

> Same thing with my TV and Router, both of which required an app to just setup

Off the top of my head, both Xfinity and Google Home have this problem and it aggravates me to no end. I can reset my gateway from my PC but for some reason, *need* to use my phone to manage Xfinity or any of my Nest routers

This is a great point. My wife and I were attracted to the Google Pixel lineup because they advertised unlimited original quality photo storage through Google Photos. Well they reduced that to just unlimited "high quality" a year or so ago, and I broke my 3A a few months ago. Silly me forgets that newer Google Pixels don't have unlimited photo storage at all, I buy a 5A, and all photos/videos get uploaded to Google Photos and count against my quota. Even though Google technically isn't in the wrong here, I've always felt like I got a rug pull.
The photos would be in Google Photos even if you no longer had access to your old phone and you do not have to reupload them.
(comment deleted)