I can't believe the response after the media approaching them was still "We're right and your account remains banned" I understand the reluctance to expose themselves to potential legal complications but in this case with the police report it's pretty clear cut that these photos were not criminal and the photo taker has not committed the crime Google is accusing him of.
It seems like a problem that requires legal change. Right now Google is fully entitled to nuke the persons email and phone number, completely locking them out of their life. And they can do this for any reason without any recourse.
Once you reach the scale and importance of these services, it shouldn’t be legal to lock people out like this.
Playing devil’s advocate, possession of CP is criminal with absolute liability [1]. Deleting someone’s account, far from it. (Civil. Maybe.)
Weighing someone who might have CP, even to an absurdly low probability, against them being suing and like two people deleting their Gmail accounts, I can see how someone chose the former. If they got the call wrong, Google would not only be liable for damages, the individuals involved could be criminally charged.
I’m assuming everyone in this chain would appreciate laws clarifying an email bill of rights. On the other hand, Google made their bed with its surveillance-first culture.
You are playing devil's advocate against the current legal situation. I don't agree, but fine. But you're responding to the suggestion to make a legal change, this legal change presumably would put a liability on these kinds of false positives too. One of the two could still have stiffer sanctions, and cause Google to prefer the other, but the idea is at least that this choice wouldn't be that obvious anymore.
> they got the call wrong, Google would not only be liable for damages, the individuals involved could be criminally charged.
So how come this has never happened?
Google and Facebook have existed for decades, and so has CP, they didn't have automatic detection untill decently and yet none of their employees have ever been charged.
I wonder whether the man could sue Google for defamation because they've asserted that he's done something and taken an action as a result of that. As a result they're defaming him. I'm not a lawyer and definitely not sure of US law. It'd be interesting to hear a real lawyer consider this.
It does require legal change but not the one you're implying. I love how the conversation moved from the initial outrage of "they're scanning my private images!" to "ok, they are scanning my images but I need to have a legal recourse to get my accounts back in case I'm banned improperly".
There is no good excuse for this kind of spying apparatus, period. If anything, having a mandated formal process for reinstating banned accounts will make the scanning more acceptable, which it shouldn't be. "You see, yes, we're regularly checking out your dick pics but it's all good, we have a process in place and if we tag an image as CP, when it's not, you'll eventually be exonerated. No harm done"
I'm more than prepared to just stop working for a few days or even a week or two.
I already actively boycott Chinese products where possible (I buy non Chinese if at all possible, even at significant higher prices), support the Georgian Legion with my own cash and have probably spent hundreds of hours on unpaid online activism this half year on top of what I do for my church (although in all fairness it still does more for me).
If enough people band together and just plain stop working, sooner or later politicians will have to listen.
Why? Why should be fight for legal recourse first before we tackle the real problem? (At least in this context, legal recourse for unwarranted service termination can also be useful for things unrelated to scanning of private data, but that's not the point) This sounds like the "step back" in the "two steps forward, one step backwards" ideom.
I'd argue because it would likely be an easier battle and would still win rights and, perhaps, set precedent for the limitations of entities like Google here and elsewhere. The alternative of blocking scanning all together is extremely easy to railroad.
Companies like Google rely heavily on AI and automation and keep humans out of the loop to the extent possible. Once the models detect these sort of photos, they won't be stopping. If they don't add a permanent exception then the AI would flag it on the next pass and repeat the process. Google certainly won't be retraining the models to learn to exclude "but not photos for doctors". Having humans going through and flagging accounts (or photos) for exceptions will ruin the economies of scale.
This can't keep going on like this. To somebody like Google, an account might just be a profit source, but to the affected people it can be their lives or livelihood.
The issue of right of redress really needs to be forced, legislatively.
I think companies that have sufficiently significant market capture should be laden with a "universal service obligation" as an antitrust-type measure. They shouldn't be able to refuse service unless they can prove the customer is doing something illegal. If they do refuse service, the customer should have grounds to sue them to restore service.
This might go against some people's idea of a free market. I think it should only apply where there isn't a free market - when a customer doesn't have many other options, such as in the case of Google or Apple, or Visa/Mastercard, a major supermarket, or the choice of cellphone provider or Internet provider in markets where there are only a few options. It wouldn't apply to small independent traders by definition.
Capture enough of the market where there isn't enough competition and you get obligations to treat them fairly.
He could probably still get his data as a data dump if he was European, just not his accounts reinstated. As Mark is apparently an American citizen though, the GDPR does not apply.
How could they conceivably even look at the data to unban the account though? That shit's radioactive, as soon as the AI flags it I don't know how a (non-LEO) human could possibly view it without running afoul of the law. There's no reasonable way to reverse this action.
I don't think it's legal for those people to view it though if they have reason to believe it contains certain images of child abuse. Once the AI flags it that shit goes radioactive and is basically unviewable until LEO looks at it. Even if local LEO looks at it and clears it, that doesn't clear you from being federally prosecuted if you review the content later.
Here is how it worked when I ran a file sharing service:
- We would allow people to upload files
- these files would go into a 'holding tank'
- the files would then get greenlit if some rudimentary algorithm determined
they were landscapes or other innocent content
- the remainder would be flagged for review
- bulk images would be displayed in a grid of 8x8 thumbnails
- the vast majority of those would not be reason for further action and
would be greenlit, the remainder would go into yet another holding tank
- now the pictures would be viewed full size, any kind of image that
would be against the TOS would be rejected and a hash would be kept
to avoid seeing it again
- any kind of image that was deemed illegal or borderline would be
passed on to LEO for another decision, possibly resulting in
criminal charges against the uploader.
The complications:
- uploaders would try to mask their identity
- uploaders would be all over the world
- even after reviewing LEO would sometimes indicate that an image was
inconclusive (in those cases we erred on the side of caution)
--
In short: companies can and do work together with law enforcement to stop service abuse and illegal activities. Whether it is an AI that flags it or a human is from a legal perspective utterly immaterial, and if LEO clears it
that definitely means that you are allowed to either view it or pass it on.
If AI flag and human is "immaterial" difference as you noted, wouldn't AI flagging it as abuse material make it impossible to view it by a (non-LEO) human afterwards, as now that would show actual intent to view that material (it is illegal to view it with intent to view it).
Surely your reviewers never deliberately looked at the material a second time after marking it as abuse material for law enforcement, as that would be legally risky I would think.
The issue here is even if local LEO clear it, the federal prosecutor's opinion can differ and he can use the fact you knew AI flagged it and that you released it anyway to damn you. There are cases out there where local/state government cleared someone of wrong-doing but they still got hemmed up federally.
The biggest worry about these kind of situations is not that mistakes are made, but that it's almost impossible to make contact with a real human being to put things right [even, as in this case, when press and police are involved]. It's only a matter of time before someone loses their livelihood or even their life over this kind of cock-up.
It's also easy to lose your livelihood or even life if you fail to eject something from your company's possession after you have reason to believe it contains certain materials of abuse. Federal and state prosecutor opinions differ, so clearance from local or state LEO (as done here) basically means dick. If you're wrong, then you get thrown in prison where you hear stories of "chomos" getting raped and shanked. If google is right, maybe they get a little bit of advertisement money. Imagine if this father did something later and the prosecutor uses this happening as evidence that this content was 'knowingly' harbored by the company. Seems like a bad calculus to me, just cut the guy loose whether he is innocent or not. You don't have the same rights to private service as you do rights in public.
'local government/LEO gave the all clear' is not a tight defense against federal prosecution and conviction. For instance, Jeremy Kettler was convicted despite full local and state blessing for possession of a silencer in violation of federal law (he, the state, and local government all thought he was following all laws including federal ones, but it turned out federal prosecutor had a different opinion on what 'interstate commerce' is). I personally would never risk getting registered as an offender on the hopes some federal prosecutor has a different view than local LEO, it's just not worth unbanning the guy unless both the state and federal prosecutor have signed statements granting immunity from prosecution.
I've got a question for the lawyers here. These photos were for communication with a medical professional. Can't the argument be made that this was a HIPAA violation? Isn't this grounds for an entire whale of a class action lawsuit ?
HIPAA specifies how medical professionals should handle patient information. None of the parties in this dispute are medical professionals, so HIPAA does not apply.
IANAL, but my understanding is HIPAA applies to covered entities, i.e. medical professionals.
Google can use the defense that somewhere in the TOS it probably says you agree to share everything with them when it goes to cloud storage.
HIPAA doesn't prohibit people from sharing info about themselves (even accidentally). Though it does probibits your doctor from putting photos like this near Google anything.
I guarantee that the doctor has a HIPAA agreement that you sign when you agree to communicate over email that says that you grant him the right to share the files with Business Associates, and that their email providers are considered Business Associates for the purpose of transmitting ePHI.
The "blue check fix" minimizes negative publicity while doing nothing for 99% of people. If a bad policy is consistently applied, at least it can be understood and criticised.
Google has a policy that they delete permanently the contents of any account that has been suspended for 30 days or more. They do this to comply with European GDPR regulations (which require they not hold any data they no longer have the users permission to store, nor have ongoing legitimate interest in), and they have written it into their own privacy policies.
Therefore, this account and all the data contained is already gone. The most they could do is allow him to create a new account with the same name, but to my knowledge that isn't supported technically in their systems (too many bugs to be found by re-using unique identifiers).
That's why they stand by their decision - they don't have the capability to implement any other option.
> They do this to comply with European GDPR regulations
In this case, they actually satisfy the two requirements:
1. "ongoing legitimate interest". They are still in a dispute with the customer. Deactivating an account does not require deleting data, so long as the case it not closed. There is no "30 day" limit in this case, and it seems like an arbitrary time period imposed by someone who hasn't thought of the consequences.
2. "users permission". In this case they do have the user permission to keep the content, because the user wants to keep access to the account.
> they don't have the capability to implement any other option.
As mentioned above, you can deactivate an account without also deleting it. It may of course be easier for Google to just delete it instead of introducing a new state, but I would argue that a company such as Google does have the capability to implement this option. I would go so far as to say this is a failure of Google to not have such a process in place.
Unfortunately, when they deactivate the account, they lose any ability to communicate with the customer. Anyone who emails claiming to be the customer may or may not be the same person.
That works both ways - as well as not being able to get the customers permission to keep the data, they also would not be able to get the customers request to delete the data if they were to keep it 'just in case'.
Until they have built some functionality to communicate with the customer behind a suspended account, they have to delete the data within 30 days.
Even building functionality to communicate with the person behind a suspended account is hard...
For example, if the login requires a password and SMS 2fa, but the SMS is to a Google Fi phone number, then you're going to have to also enable the Google Fi account for that user to be able to login. Or what if they need to use email password resets to another suspended account? (remember you will probably suspend all accounts of a user at once if you suspect something illegal).
Making a special 'chat' tool inside the login flow that only requires a single factor (the account password) which allows presenting evidence to a google rep seems like the obvious solution (or requesting the account suspension be delayed, or that the data be deleted).
Building and staffing that sounds like quite a lot of work though, which would be hard to justify for the tiny number of impacted accounts and zero revenue potential.
Email account deletion and recovery should be regulated by law. Nowadays it's an essential service - just imagine that electricity provider, ISP or anyone else is doing the same without any period of notice, nor ability to dispute the problem with a company's representative.
Poppycock, it’s just communism with extra steps. Google’s email server is not your email server just because you’ve come to depend on it. If you want your own server, build your own server.
How far does that argument go? "$ELECTRICITY_COMPANY's power is not your power just because you've come to depend on it. If you want your own electricity, build your own infrastructure".
Granted, most people here on HN would be able to deploy their own, but you can't ask that of the average citizen who just needs email.
I would hazard a guess that nobody on this forum has an alternate electric company they can go to. But there's dozens of search engines, and thousands of email providers that users can choose from, all competing for your business.
Again, you know that, I know that, will your average non-techie person know that? This also isn't only about email. Their entire data was on the account.
Don't put all your eggs in one basket, "everybody" knows that. It doesn't just apply to computers - non-techies are familiar with the concept too. It's common sense.
Err what? Non-technical people can have a hard time telling the difference between email and Gmail. They don't understand the difference of photos stored on their smartphone vs in the cloud.
Some states Americans can change the generation company, but last mile company can't be changed. (the power lines either underground or on a pole). This is managed by whatever company (or sometimes rarely the municipality) operates in that region.
I largely agree. There are many public utilities on the internet on which we each individually rely.
Careful what you wish for, though. Ever tried to sign up for a public utility without your real name, personal identification, a physical address, or billing information?
You can also set up a mailbox at any address and receive actual letters there, no registration required. Needs permission of the owner of the place, but that’s similar with email.
There are many states around the world where you can buy a prepaid SIM card without registration and participate in the public phone network. No permission at all required, cash payment works.
There is no direct connection between “public” utility and “requires registration.” But many public utilities consist in a delivery to a specific place (water, electricity) or want to charge you. So they need your address to perform their service.
In Canton Zürich (Switzerland) the parlament argued, everybody has a smartphone today anyway, so for public transport, from now on it legal, the only way to buy a ticket is an App.
Do it without an Google account.
But a postcard is a good example. Even the badest murder / raper in a prison will get a postcard.
It also seems to be wrong, since the ZVV website explicitly mentions the app, the online ticket store and vending machines. [1] What seems to have happened though is that during the pandemic, the bus and tram personell that used to sell tickets as well stopped doing so to minimize contact. [2] This obviously is still a problem since not all stops have vending machines, so there’s the extra rule that you can buy your ticket at the next stop that has a vending machine. Inconvenient? Certainly. End of the anonymous travel? Certainly not.
"You can no longer buy a ticket on the bus" is different to "you have to use the app" You can't buy a ticket on a Subway, S-Bahn or regional train in Berlin - it's been like that for decades. You have to use a vending machine.
Thank you for clearing that up, I had a hard time envisioning the Swiss from disenfranchising the elderly in such a callous way. Usually their policies make good sense.
Maybe I wrote it a bit quick. It is still possible to buy tickets on machines. But they changed the law on the beginning 2022. Now in regional busses, they don't have to sell a ticket. They still do. But the law is now, they don't really have to do it.
Änderung bei ÖV-Tickets
Billettverkauf in Zürcher Regionalbussen wird abgeschafft
I'd totally do any government/police assisted dance, even if that cost a couple hundred bucks and needed an unpaid day off, to get a banhammer-immune Google account. And that's despite currently working there.
Disagree. Google, Facebook, and Apple only seem like entrenched behemoths because this community grew up with them, and it's hard to imagine a world without them. But make no mistake, they're just as fragile as every other Standard Oil that's ever existed.
Pay for an email service, and sue if you incur damages due to them terminating your service. Or run your own email server if you care to.
Aight, I paid for an e-mail service and now I had to sign the same agreement as google except I had to pay on top of that. What exactly can I sue them for that I couldn't sue google for? If I run my own server what fraction of clients and customers will actually get my mail rather than it being auto-filtered out as spam?
You're not paying Google anything. You know what they owe you? Nothing.
You pay Company X to host your email, and you enter into a service agreement. They kick your account off. If they're in violation of the service agreement, now you actually have a case against them. They know this. Their legal council knows this.
Company X sent me the same service agreement as google, that basically said pay us and we promise absolutely nothing and we don't promise you'll actually get e-mail either. The only difference is I pay on top of that.
They operate as a corporation in the United States and are subject to its laws. They owe what the law says they do. And the laws can be changed.
Feel free to vote for people who think companies can do as they please just because you aren't directly paying for them (even though they make money off you), I'll vote for other people.
> But make no mistake, they're just as fragile as every other Standard Oil that's ever existed.
It's ironic that you chose Standard Oil as an example. It was an unbeatable monopoly that was broken up by govt regulation, not by competition. You're arguing against your own position.
> Pay for an email service, and sue if you incur damages due to them terminating your service.
You always sign away this right when using a commercial email service. Their terms of use allow them to terminate your account with impunity.
> Or run your own email server if you care to.
This is a very 1990s understanding of the email ecosystem. It's almost impossible to start a new email service today because the big players (primarily Google and Microsoft) won't trust you and will silently refuse to deliver your emails. Sometimes you will be blanket banned, sometimes you'll just have a few missing here or there.
Because the email market is dominated by so few players, they have complete control over the ecosystem. Even if you choose your email service, your recipients will have chosen one of the big players 99.999% of the time, meaning you're also playing by their rules.
> But make no mistake, they're just as fragile as every other Standard Oil that's ever existed.
You realize that Standard Oil was broken up by the courts through the Sherman Act, which is precisely the type of regulatory action you're arguing against, right?
Was Standard Oil really that fragile? From Wikipedia:
> Its history as one of the world's first and largest multinational corporations ended in 1911, when the U.S. Supreme Court ruled that it was an illegal monopoly.
Seems like it was broken up by the government and not due to competition.
> Email account deletion and recovery should be regulated by law.
I think the problem goes even deeper than that. No non-state actor, who holds no democratic mandate of any kind, should hold the kind of power over citizens that Google holds.
Regulation is a ship that has kind of sailed, in my mind. The kind of regulation that we now recognize we need would have had to be in place 20 years ago. ...mostly antitrust stuff, but also specialized things like privacy / data protection and "due process" for things like account suspensions etc.
If such regulation had been in place, it would have prevented the formation of an entity such as Google in the first place, and we would instead have a healthy system of smaller players competing on who does the best job at providing the kinds of functions to society that Google provides.
Now that we are in the unfortunate situation we are in, I think it might be necessary to consider nationalizing the whole thing and putting in place governance with a democratic mandate.
When I watch American culture on TV channel, it is always fat African-American lady talking about their private parts and shaking ass. Where can I watch American Puritanism?
Well, taking a photo of just the groin, for non-medical reasons would be kind of weird. Taking a photo of the whole baby, e.g. in bath is perfectly normal, even if it also shows the groin.
My son (3 at the time) had phimosis, I took a few pictures of it when a friend doctor asked to see what it was.
I sent the pics to him for advice and then we consulted officially to get a prescription for a cream when je told me it was fixable (to dr: it wasn’t entirely but it helped).
I hope I didn’t overstep some kind of bullshit law where I can’t take pictures for medical advice.. this is ridiculous, and I’m happy that I’m not pushing my pics automatically to google, I might have been banned? I still have the pics somewhere on my phone, probably, amongst others where he’s naked when he was messing with foam in the bath or playing in the garden with water in summer. Isn’t this like 90% of parents?!
I feel that this whole CSAM is a new obsession of phone actors because they feel there’s norhing else they can innovate on.
I'm not saying taking photos of your child's groin is normal. But, whatever the reason may be, a father is allowed to do so (unless the law of the land explicitly prohibits such as thing).
Steering away from your actual question, another would be: how is Google's photo algorithm supposed to know it's their son or not? I get that Google knows a lot about us and might be able to piece that together, but CSAM laws might not care.
To how many parents has this already happened? I get the feeling "Mark" who lives in SF probably knows folks in media or tech. How many nameless, powerless people in Middle America or the Global South had their digital lives nuked and suffered in silence?
There was a link here a few months ago about a stranger getting access to someones wifi, doing some illegal stuff and then the police come and seize all of the wifi owners devices for several months resulting in them losing their job as a teacher, access to everything and having to go through a very difficult process to sort everything out.
Even if you eventually resolve things, its a life ruining event to even have to go through this process.
My dad ran for mayor in a small town. The opposition kept flagging our (I was a sort of campaign manager) posts as being nazi propaganda (hint: it wasn’t). They did this until my dad’s account got banned.
There was no way I could recover his account after this. Ultimately he just created a new account, with reversed first and last name and the same profile picture which seems to have fooled the almighty AI.
I've had an ex get banned (still banned) from Facebook's suite of products for supposed extremist or terrorism materials. She suspect that a former Meta employee she dated and ended up bad terms may have something to do with it, but all the normal appeal channels end nowhere and I don't know any Facebook employees.
It was however, trivial for her to make a new account.
It’s quick and easy to move from Gmail to Fastmail. Did it earlier this year. Now YouTube is the only Google product I use, and it works pretty well without an account.
Honest question: can one (reasonably) use an Android phone without a Google account? If not, should one just accept losing access to half the phone market? What if Apple decides to pull a similar move?
In many places, you need a phone from one of those two providers in order to do mundane things like riding the subway without having to jump through extra hoops.
You can use several google-free AOSP builds. GrapheneOS is great. You lose the ability to use a few apps like uber/lyft, but you should also know how to navigate cities without those apps.
I'm impressed by GrapheneOS. Only when you need apps from the Play Store will you need a Google account. As long as anything you get there is free and easy to reinstate if you lose your Google account, that's not much of a risk.
For navigation without transportation, OsmAnd and OrganicMaps (both OpenStreetMap) often do quite well.
yes it is, and I agree their home page is shit. I downloaded it trough F-Droid and didn't really background check it, maybe you wanna take a look at their repo: https://gitlab.com/AuroraOSS/AuroraStore
One thing I noticed after closing my decades old Google accounts and opening a new one just for the Play store was that there suddenly was no way to view age restricted videos on YouTube without uploading an ID. Does Newpipe allow that? Also, the absurd amount of puerile crap being pushed on the front page of YouTube when you lack the filter of a longer used account is startling.
Stop giving Google control of one of if not the most important communications identity in your life. I know gmail is cheap and easy, but theres a reason for that: you're giving up so much.
This is like staying you should stop trusting the supermarket to not poison your food and to instead trust the smaller supermarket to not do it or to just grow your own food.
It’s not practical to not trust anyone and maintain a functional life. The real insight should be at regulating tech companies so they can’t do this anymore.
Email is a utility and should be regulated like one. The power company can’t just shut your house off because you tweeted something bad but for some reason tech companies can do effectively this.
> This is like staying you should stop trusting the supermarket to not poison your food and to instead trust the smaller supermarket to not do it or to just grow your own food.
More like, have alternatives ready and know what to do to avoid downtime if your main supermarket randomly permabans you for accidentally losing a receipt between purchase and exit, or having unaccounted for bottle of coke in your backpack that you bought at another store, or just looking sus. Or yes maybe it's found to be poisoning food. Fairly reasonable to be prepared.
> Email is a utility and should be regulated like one.
I want less barriers to operating my own email if I want it, having to get a license and such is the opposite of the goal. Maybe that's not what you mean though.
Generally regulating anything is a tradeoff. It helps established monopolies and prevents competition.
> Generally regulating anything is a tradeoff. It helps established monopolies and prevents competition.
How is this relevant when discussing Gmail of all things? When was the last time they had an actual competitor with some market share (outside corporate email), Yahoo! Mail?
are you aware how legislation works? you regulate a category as a whole, not randomly pick a specific company and write laws just for it.
if you regulate alphabet in particular, that would send everyone a message that this is now the "officially approved" provider. no others are regulated, after all! it would only increase the barrier to competition.
competition is a good thing. currently, thanks to email+DNS being open protocols, there are no barriers to operating e-mail for your own domain or providing it as a service. as a result, plenty of profitable providers (fastmail, aws) between which users can seamlessly switch.
>it’s not practical to not trust anyone and maintain a functional life.
I'd say it's very practical to not exchange medical information over an insecure channel. I don't email naked pictures of myself or even worse share pictures of a child's genitals in some google drive folder anyone can copy or share. my life is perfectly functional. Anyone who deals with email should treat any email they write like they're public, because there's always one dude who copies some entire chain into a reply or forwards something to a hundred random people that weren't supposed to get it.
When you mail something like this you don't even know if the doctor or the secretary opens them. If they're immediately backed up to some remote server now some tech worker has access to naked pictures of your kid. You can't request to delete that information, there's no ownership. That's a completely insane way to treat your most sensitive data.
For tele-medicine there's strict regulations on the safety of apps and how patient data are treated. Consult doctors through one of those. I'm not even sure if it's technically legal for a doctor to interact with patient data as described in the article.
The majority of people these days have their photos backed up to cloud services which happens without any user action other than taking the photo itself.
I don’t think there is any user error here. The user used the services and devices how they are meant to be used and google majorly messed up.
the complaint was sent to multiple agencies, including the SEC. This is clearly stated in the CNN article (which Schneier also links to) already. Even if the detail that it was also sent to SEC were new, it'd still be a dupe. Even if it was entirely new complaint, a 4 sentence blogpost saying that other media has reported something isn't the thing to submit to HN over the original source.
"Mark was cleared of any criminal wrongdoing, but Google has said it will stand by its decision."
Can someone explain what Google's logic is? At this point [after the news articles], clearly humans are involved at Google, clearly they know this is not child porn, so why not reinstate the account and move on?
It's quite likely that their lawyers have concluded that if they do reinstate the account, and some nutjob somewhere claims that they're covering up for actual child abuse, the reputation loss is going to be higher still.
Basically, CSAM is too radioactive for common sense.
Also, in the U.S. there seem to be an extremely large number of people who accuse their political opponents of being child abusers, so that might make sense for Google from a purely strategic perspective.
What's even sadder for us across the pond is that this US oversensitivity to any kind of nudity and desire to censor it for political and religious reasons, is spreading here though tech companies enacting their crazy US policies across the world.
"But a kid seeing a nipple isn't illegal here"
"Doesn't matter, it's illegal in 'Merica, so to simplify things, it's now illegal wherever Google operates "
I guess it's payback for the EU cookies banners. /s
This kind of stuff is one reason why it should be illegal for platforms to censor at will, it should be possible to sue them for censoring stuff they shouldn't be censoring just as it is for not censoring stuff they should be censoring. No matter how much they like to say they are fReEEeE pRiVAte eNTErpRiSes, they provide de-facto public spaces(public as in accessible to the broad public, not as in government-run) and should be treated as such. They shouldn't have the power to be legislative and judiciary of public communication.
Google has a policy that they delete permanently the contents of any account that has been suspended for 30 days or more. They do this to comply with European GDPR regulations (which require they not hold any data they no longer have the users permission to store, nor have ongoing legitimate interest in), and they have written it into their own privacy policies.
Therefore, this account and all the data contained is already gone. The most they could do is allow him to create a new account with the same name, but to my knowledge that isn't supported technically in their systems (too many bugs to be found by re-using unique identifiers).
Changing this would probably be a huuuuge undertaking, since every Google product would have to be modified to expect email addresses might be reused for a new account. And some products are in maintenance/bugfix only mode, so those products would probably have to be sunsetted if the changes were too invasive.
That's why they stand by their decision - they don't currently have the capability to implement any other option.
> “We follow US law in defining what constitutes CSAM and use a combination of hash matching technology and artificial intelligence to identify it and remove it from our platforms,” said Christa Muldoon, a Google spokesperson.
> Muldoon added that Google staffers who review CSAM were trained by medical experts to look for rashes or other issues. They themselves, however, were not medical experts and medical experts were not consulted when reviewing each case, she said.
Which is a nice way of saying: "AI flagged the pictures, we can't really judge if they are medical pictures or not. Enjoy your permaban!"
Besides, permabanning someone because of a single flagged picture seems like a dumb policy anyway. Even if there was no rash or inflammation in the picture, the child could have had a pain in the groin, so wanting to visually examine it could make sense for a doctor.
It’s stated clearly in the ToS Google will not stand for explicit images of a child. Google reserves the right to punish those who break the rules. It may not seem fair but it’s not worth the risk, it’s easier to just delete the user’s account and move on to the next user.
As a user, there is a dispute process but as a user I must obey the ToS if I don’t want my account to be deleted. If someone came into your place of business and began taking explicit photos of their child, for medical or any other reason, would you stand for it? Would you give them a second chance to explain themselves?
Google’s place of business is whatever you do on your phone and any content generated by it. You don’t own Android OS just by buying a phone the same way you don’t own a pizza shop just by buying a slice of pizza there.
Maybe they should shout a bit louder about the “this is not fit for any particular purpose “. Not buried as some legalese boilerplate in the EULA but on the signup page in big letters.
Yeah. And there should be many comparable alternative businesses that do sell communication devices that don't opaquely Zucc legal albeit questionable content. The people who play apologetics for this and think this sort of service is in any way comparable to pizza have every right to keep hanging out in their auto-modded environment eating their thin crust diavolo, swiping their oily fingers all over their device's controls, as long as there's a reasonable habitat for the rest of us.
I do agree. In this case I think it should be common enough knowledge that the doctor should have known that it wasn't reasonable to ask someone to use this email provider (or frankly any provider) for this purpose.
But Google needs to make a bigger deal of the fact that their services shouldn't be relied on for any particular purpose. (I feel the same way about banking apps too)
I work for a non-profit medical group, and we have pediatricians in our group.
Starting in March 2020, due to, well, you know, all of our doctors started doing consultations via video chat and picture-enabled text messaging. This service continues to this day, particularly for our most vulnerable patients (which included, until very recently, children under five who could not be vaccinated against the novel coronavirus).
Children come down with a lot of things that look strange to parents, especially new parents who have never had a child before. Especially parents who are staying home with their children to avoid a new (that's where the "novel" part of "novel coronavirus" comes from) disease that they don't want to give to themselves or their kids.
What you've advocated for is a world where parents can't communicate with doctors except by showing up in person. This is something we demonstrably do not want for a whole host of reasons. For a period of almost a year, unless you were basically bleeding from an artery or your arm was hanging by a thread, you could not see a doctor in person, at least not through our group.
It should be common sense that we are intelligent, thinking beings with the ability to discern right from wrong and that those are not binary choices. There are myriad reasons why someone might take a photo of a naked child that are free of malicious intent and, legally, are perfectly valid. Medical assistance is just one of them.
I never said that I advocate for making the production / transmission of certain types of photos illegal.
Personally, I advocate for freedom of speech, but I recognize that there exists laws currently that restrict it in America. I say that it is common sense because that is the one thing you aren't allowed to post on the internet. Everything else you can get away with.
Have you already forgotten about Covid 19? Most of my doctor appointments have been remote for the past 3 years, had to take pics of an injury. So, honestly, have you forgotten?
To stay on topic, I'm a parent and have autoupload to google photos.
How can I prevent the photo from bring uploaded? I could disable autoupload, but as soon as I resume it, the photo will be uploaded, unless I remove it from the phone.
don't use google photos at all. And probably don't have pictures that are even remotely questionable on your phone, even if it's for legitimate reasons.
That's fine, and it sucks that often there is not really a choice in which camera software to use either. It doesn't help that by choosing Android or IOS you almost inevitably get hooked into the clouds of Google and Apple.
I deliberately bought a Pixel 6 in order to install GrapheneOS (a degoogled Android) and leave out all links to Google except for the Play store for a handful of apps pushed by governments and banks. The built-in camera app works fine, and OpenCamera is a great alternative too now that it supports all cameras of the Pixel 6.
Turn off Google's auto upload. The entire photos thing has long been a way to get images to train ML, and since they actively use these images you're not in a position of power here. i.e. you're doing Google a favour by using the auto-upload.
Either find a service that you're paying for, or if you want to trust a big corp maybe go with Apple. Not perfect, but best of the lot from what I can see. All of the logic is on-device, so they're less inclined to peek at your photos. There was a big hubbub a while ago when they tried to do unsafe photo detection on-device, but they backtracked.
Apple does same exact scanning of iCloud photos and ban iCloud accounts with the same glee as well, so I'm not sure why do you think recommending another megacorp will help the OP (outside of buying into Apples marketing schtick).
I disabled iCloud Photos sync some time ago, and even though there are some pain points, it's surprisingly easy to work without it. Just do a manual direct sync every so often. Run borg or bupstash to encrypt and backup the copied photos to any location.
Google Photos has a feature for exactly this on Android. It's called "Locked Folder". It is not synced, and accessing it requires your screen lock code or biometric authentication. You can choose to save photos directly into the locked folder as you take them, in which case they are never uploaded.
If you're concerned about your privacy I'd advise against just trying to disable uploading but still giving your photos to apps you don't trust, primarily because of possible future implementation of client-side scanning(they are making steps to mandate that for messengers in the EU atm, for example).
AFAIK android phones upload all sorts of data to google by default, my recommendation is to install a custom ROM (like lineageOS), that will rid you of a lot of these privacy violators without dealing with them individually. If you don't want to do that, avoid google services/apps entirely for anything that you don't trust them with. I'm not familiar with google photos(never used it for (now) obvious reasons), and I don't know what features you need, so I can't really give recommendations on that specifically.
I've grown up to believe that we deserve this, at a societal level. As long as we've let technology invade each and every inch of our private space this was bound to happen, sooner or later.
Props though to the SF police which has stopped the investigation when, I guess automatically, they had been made aware of the whole thing by Google. I suspect in a few years' time that won't be the case anymore, even the Police investigation in this sort of cases will have become "automated".
With Google representing all branches of a shadow trias politica is like a secret police in totalitarian countries. If thanks to this news on Google's move only one person decides _not_ to send pictures on their doctors request, then this action has sent out the same message as the secret police making your neighbours disappear after saying something unfriendly about the dictator.
Plenty of facets on this one, and I fear they all require changing and enforcing legislation and to fix them.
* Google provides a good product free of charge to everybody, but claims it can withdraw the offer to anyone with no notice and without giving any reason. The law should require more rights, guarantees and due process even for free service providers. At minimum, the right to recover my data, the right to have some time to fix the problem, the right to have everyone following the same rules, knowing the rules and knowing the exact violation, and some basic warrantees. As a parallel: Malls are open for everyone just like Google, and it still doesn't allow them to ban people at random. The USA learned with black people how quickly this becomes ugly. But a mall still can remove customers too troubling, the cops can be called, and both mall and customer can sue if it is really worth it.
* People should pay (and be able to pay) for a product that is worth it. The services provided by Google are easily worth money.
* It's hard to ban anyone on the internet without a stable identity, government provided or not. People just take a new identity and come back. This is especially sensitive in the USA, but it causes all kinds of trouble. Maybe coupling the ID to a payment is an alternative, so you can get a new ID if you pay for it. €10 /id / year would probably be enough to shut out almost every troublemaker, and the law can deal with what's left.
* The child porn laws are insane and should be changed. It is not normal that you can send a picture to someone, and the law requires the receiver should go to jail even without him knowing anything happened. Under such laws, the google 'scorched earth' policy is the only option they have.
* EULAs need to cease existing. If I buy an Andriod phone, I give money to the manufacturer, the manufacturer gives money to Google. That means I should have a right to access google play etc without all kinds of EULAs making the device I bought non-functional on any whim from Google. Just paying should be enough. It used to be that license agreements existed only between companies, and were deemed too complicated for ordinary consumers. The 'End User' aspect has to die off. Normal copyright will still protect the software just as it does with books and DVDs, so there really is no need.
In this person’s case, they were paying Google for their Android phone and Google FI phone service, so it wasn’t even a free product they got banned from.
Also, see Apple’s scanning stance. Google isn’t obligated to scan and report to law enforcement.
Child pornography together with drugs is probably the easiest way to frame someone for a crime. Especially in the computer world where people could be framed randomly and automatically by viruses without any motive.
I was reminded of David Graeber's description of banking bureaucracies, as I read this.
At ground level, bank employees blame irrational form filling, small and nonsensical process requirements on "regulation." In reality, they are implementing a bank "compliance" policy that is relates to regulation. That way, neither the regulator nor the bank is culpable... either for solving the problem or for consequences of the solution. Meanwhile, the banks themselves probably lobbied for the regulation specifics, and almost certainly wrote large parts of it themselves. It's cozy.
At Google-scale, there is no dividing line between between private & government bureaucracies. They're merged in a way that evolves to deflect criticism & responsibility from both.
The scariest line, to me, was this:
"These companies have access to a tremendously invasive amount of data about people’s lives. And still they don’t have the context of what people’s lives actually are."
Well... "luckily" Google & such are getting better all the time at "context." The response to such issues is usually to deepen the bureaucracies, not to pull back.
I would be shocked if it's not universal. They could be sued in the USA for storing CSAM in any other country, even if that country happens not to recognize this as CSAM.
About 10 days ago, my 3 year old son developed Bell's palsy in a period of 24 hours. This means the right side of his face became paralyzed, for no good/known reason. Most cases of Bell's palsy, esp. with toddlers, go away within about a month.
I'm taking videos of his face every day to track progress, to see whether it's recovering. Also, I'm sharing some of the videos on a Messenger chat with other concerned family members. Obviously, since this is his face, I'm not in danger of violating any TOS on this. I have Google Photos auto-upload turned on.
But, knowing how stressed I was when this started, I was definitely not thinking about Google's (or Facebook's) TOS when I was making the videos, so if it had been some other condition where the affected area was the groin, like in the article, I'm pretty sure I would not have realized I'm risking my entire online presence.
Some good news to close: my son's face is showing good movement after ~10 days, so I think he'll recover within a month.
If you're so stressed about it, why don't you turn off auto-upload? Why don't you use something other than Google Photos?
If you have a genuine requirement for photo sharing -- to share your shild's photos with their doctor, say -- there are plenty of other ways to do that. It's not like you're some captive hostage to Google here.
eta: I do wish your child wellness and a speedy recovery!
eta2: To the downvoters: Go for it - I can afford the decrementing of a number in someone else's computer. But. This was not an attack on the parent. Answer the damn questions!
I wasn't stressed about the auto-upload. I was stressed because half my baby's face went paralyzed. The fact that the pics/videos get auto-uploaded and Google scans them didn't occur to me until I read the OP.
Apple says they don't currently scan, due to the previous backlash. But the capability is there in iOS, waiting for the mothership to remotely enable the feature flag.
Uhm, I’m not a doctor, but kids don’t generally just get Bell’s Palsy for absolutely no reason. Since it’s summertime, I’m going to go out on a limb and guess you’re in the eastern US.
Get your kid tested for Borrelia burgdorferi. If you catch it early, there will be a lower likelihood of ill effects.
I spotted Lyme in myself around age 12 thanks to Wikipedia’s article on Bell’s and confirmed the infection the same week via blood test. Next to nobody clears it on their own.
If, witnessing the kind of power Google wields unchecked, you haven't - at the very least - taken steps to regularly pull all of your data out of Google, because, oh, this kind of stuff just won't happen to me ... please reconsider.
339 comments
[ 2.9 ms ] story [ 368 ms ] threadfurther discussion on the original NYT story here: https://news.ycombinator.com/item?id=32538805
Once you reach the scale and importance of these services, it shouldn’t be legal to lock people out like this.
Playing devil’s advocate, possession of CP is criminal with absolute liability [1]. Deleting someone’s account, far from it. (Civil. Maybe.)
Weighing someone who might have CP, even to an absurdly low probability, against them being suing and like two people deleting their Gmail accounts, I can see how someone chose the former. If they got the call wrong, Google would not only be liable for damages, the individuals involved could be criminally charged.
I’m assuming everyone in this chain would appreciate laws clarifying an email bill of rights. On the other hand, Google made their bed with its surveillance-first culture.
[1] https://en.m.wikipedia.org/wiki/Absolute_liability
So how come this has never happened?
Google and Facebook have existed for decades, and so has CP, they didn't have automatic detection untill decently and yet none of their employees have ever been charged.
There is no good excuse for this kind of spying apparatus, period. If anything, having a mandated formal process for reinstating banned accounts will make the scanning more acceptable, which it shouldn't be. "You see, yes, we're regularly checking out your dick pics but it's all good, we have a process in place and if we tag an image as CP, when it's not, you'll eventually be exonerated. No harm done"
> If anything, having a mandated formal process for reinstating banned accounts will make the scanning more acceptable, which it shouldn't be.
We should fight first for a proper legal recourse, and once this happens, then we can also fight for no scanning.
It does not matter, because we don't have any fight left in us at all..
I'm more than prepared to just stop working for a few days or even a week or two.
I already actively boycott Chinese products where possible (I buy non Chinese if at all possible, even at significant higher prices), support the Georgian Legion with my own cash and have probably spent hundreds of hours on unpaid online activism this half year on top of what I do for my church (although in all fairness it still does more for me).
If enough people band together and just plain stop working, sooner or later politicians will have to listen.
This can't keep going on like this. To somebody like Google, an account might just be a profit source, but to the affected people it can be their lives or livelihood.
The issue of right of redress really needs to be forced, legislatively.
This might go against some people's idea of a free market. I think it should only apply where there isn't a free market - when a customer doesn't have many other options, such as in the case of Google or Apple, or Visa/Mastercard, a major supermarket, or the choice of cellphone provider or Internet provider in markets where there are only a few options. It wouldn't apply to small independent traders by definition.
Capture enough of the market where there isn't enough competition and you get obligations to treat them fairly.
Can one invoke EU rights, or is it tied to being physically resident like a DVD region?
What if the EU citizen flies to Europe? Can they then invoke their right from the physical territory of Europe?
I feel this is somewhat uncharted water.
- We would allow people to upload files
- these files would go into a 'holding tank'
- the files would then get greenlit if some rudimentary algorithm determined they were landscapes or other innocent content
- the remainder would be flagged for review
- bulk images would be displayed in a grid of 8x8 thumbnails
- the vast majority of those would not be reason for further action and would be greenlit, the remainder would go into yet another holding tank
- now the pictures would be viewed full size, any kind of image that would be against the TOS would be rejected and a hash would be kept to avoid seeing it again
- any kind of image that was deemed illegal or borderline would be passed on to LEO for another decision, possibly resulting in criminal charges against the uploader.
The complications:
- uploaders would try to mask their identity
- uploaders would be all over the world
- even after reviewing LEO would sometimes indicate that an image was inconclusive (in those cases we erred on the side of caution)
--
In short: companies can and do work together with law enforcement to stop service abuse and illegal activities. Whether it is an AI that flags it or a human is from a legal perspective utterly immaterial, and if LEO clears it that definitely means that you are allowed to either view it or pass it on.
Surely your reviewers never deliberately looked at the material a second time after marking it as abuse material for law enforcement, as that would be legally risky I would think.
The issue here is even if local LEO clear it, the federal prosecutor's opinion can differ and he can use the fact you knew AI flagged it and that you released it anyway to damn you. There are cases out there where local/state government cleared someone of wrong-doing but they still got hemmed up federally.
https://news.ycombinator.com/item?id=32178108#32178137
The biggest worry about these kind of situations is not that mistakes are made, but that it's almost impossible to make contact with a real human being to put things right [even, as in this case, when press and police are involved]. It's only a matter of time before someone loses their livelihood or even their life over this kind of cock-up.
How about "oh, everyone says we are wrong click to unban"?
Not even "everyone".
How about "law enforcement that we reported it to says we are wrong"?
cmiiw
Google can use the defense that somewhere in the TOS it probably says you agree to share everything with them when it goes to cloud storage.
HIPAA doesn't prohibit people from sharing info about themselves (even accidentally). Though it does probibits your doctor from putting photos like this near Google anything.
The "blue check fix" minimizes negative publicity while doing nothing for 99% of people. If a bad policy is consistently applied, at least it can be understood and criticised.
Therefore, this account and all the data contained is already gone. The most they could do is allow him to create a new account with the same name, but to my knowledge that isn't supported technically in their systems (too many bugs to be found by re-using unique identifiers).
That's why they stand by their decision - they don't have the capability to implement any other option.
In this case, they actually satisfy the two requirements:
1. "ongoing legitimate interest". They are still in a dispute with the customer. Deactivating an account does not require deleting data, so long as the case it not closed. There is no "30 day" limit in this case, and it seems like an arbitrary time period imposed by someone who hasn't thought of the consequences.
2. "users permission". In this case they do have the user permission to keep the content, because the user wants to keep access to the account.
> they don't have the capability to implement any other option.
As mentioned above, you can deactivate an account without also deleting it. It may of course be easier for Google to just delete it instead of introducing a new state, but I would argue that a company such as Google does have the capability to implement this option. I would go so far as to say this is a failure of Google to not have such a process in place.
That works both ways - as well as not being able to get the customers permission to keep the data, they also would not be able to get the customers request to delete the data if they were to keep it 'just in case'.
Until they have built some functionality to communicate with the customer behind a suspended account, they have to delete the data within 30 days.
For example, if the login requires a password and SMS 2fa, but the SMS is to a Google Fi phone number, then you're going to have to also enable the Google Fi account for that user to be able to login. Or what if they need to use email password resets to another suspended account? (remember you will probably suspend all accounts of a user at once if you suspect something illegal).
Making a special 'chat' tool inside the login flow that only requires a single factor (the account password) which allows presenting evidence to a google rep seems like the obvious solution (or requesting the account suspension be delayed, or that the data be deleted).
Building and staffing that sounds like quite a lot of work though, which would be hard to justify for the tiny number of impacted accounts and zero revenue potential.
It isn't as far as I can see.
IMO it is just Google trampling over peoples rights while trying to use a weird reading of GDPR as excuse.
I'm so ready for EU to start punishing more of the blatant abuse of GDPR that we see, especially by the big players in the market.
Granted, most people here on HN would be able to deploy their own, but you can't ask that of the average citizen who just needs email.
https://www.google.com/search?q=email+provider+service hundreds of options from the same page.
Don't put all your eggs in one basket, "everybody" knows that. It doesn't just apply to computers - non-techies are familiar with the concept too. It's common sense.
Careful what you wish for, though. Ever tried to sign up for a public utility without your real name, personal identification, a physical address, or billing information?
There are many states around the world where you can buy a prepaid SIM card without registration and participate in the public phone network. No permission at all required, cash payment works.
There is no direct connection between “public” utility and “requires registration.” But many public utilities consist in a delivery to a specific place (water, electricity) or want to charge you. So they need your address to perform their service.
Do it without an Google account.
But a postcard is a good example. Even the badest murder / raper in a prison will get a postcard.
That's horrific.
[1] https://www.zvv.ch/zvv/de/abos-und-tickets/tickets/einzelbil... [2] https://www.zvv.ch/zvv/de/allgemeine-seiten/medienmitteilung...
Änderung bei ÖV-Tickets Billettverkauf in Zürcher Regionalbussen wird abgeschafft
Änderung bei ÖV-Tickets
Billettverkauf in Zürcher Regionalbussen wird abgeschafft
https://www.tagesanzeiger.ch/billettverkauf-in-zuercher-regi...
I argue in this way since quite some time.
Same goes for Apple, Facebook etc. In Germany there is also some sort of compulsory contracting, for example in regards to energy supply.
Pay for an email service, and sue if you incur damages due to them terminating your service. Or run your own email server if you care to.
You pay Company X to host your email, and you enter into a service agreement. They kick your account off. If they're in violation of the service agreement, now you actually have a case against them. They know this. Their legal council knows this.
Feel free to vote for people who think companies can do as they please just because you aren't directly paying for them (even though they make money off you), I'll vote for other people.
It's ironic that you chose Standard Oil as an example. It was an unbeatable monopoly that was broken up by govt regulation, not by competition. You're arguing against your own position.
> Pay for an email service, and sue if you incur damages due to them terminating your service.
You always sign away this right when using a commercial email service. Their terms of use allow them to terminate your account with impunity.
> Or run your own email server if you care to.
This is a very 1990s understanding of the email ecosystem. It's almost impossible to start a new email service today because the big players (primarily Google and Microsoft) won't trust you and will silently refuse to deliver your emails. Sometimes you will be blanket banned, sometimes you'll just have a few missing here or there.
Because the email market is dominated by so few players, they have complete control over the ecosystem. Even if you choose your email service, your recipients will have chosen one of the big players 99.999% of the time, meaning you're also playing by their rules.
You realize that Standard Oil was broken up by the courts through the Sherman Act, which is precisely the type of regulatory action you're arguing against, right?
> Its history as one of the world's first and largest multinational corporations ended in 1911, when the U.S. Supreme Court ruled that it was an illegal monopoly.
Seems like it was broken up by the government and not due to competition.
Only to find your mail blackholed by said behemoths because your counterparty uses them.
I think the problem goes even deeper than that. No non-state actor, who holds no democratic mandate of any kind, should hold the kind of power over citizens that Google holds.
Regulation is a ship that has kind of sailed, in my mind. The kind of regulation that we now recognize we need would have had to be in place 20 years ago. ...mostly antitrust stuff, but also specialized things like privacy / data protection and "due process" for things like account suspensions etc.
If such regulation had been in place, it would have prevented the formation of an entity such as Google in the first place, and we would instead have a healthy system of smaller players competing on who does the best job at providing the kinds of functions to society that Google provides.
Now that we are in the unfortunate situation we are in, I think it might be necessary to consider nationalizing the whole thing and putting in place governance with a democratic mandate.
I hope I didn’t overstep some kind of bullshit law where I can’t take pictures for medical advice.. this is ridiculous, and I’m happy that I’m not pushing my pics automatically to google, I might have been banned? I still have the pics somewhere on my phone, probably, amongst others where he’s naked when he was messing with foam in the bath or playing in the garden with water in summer. Isn’t this like 90% of parents?!
I feel that this whole CSAM is a new obsession of phone actors because they feel there’s norhing else they can innovate on.
Define "allowed"
By whom in particular.
Even if you eventually resolve things, its a life ruining event to even have to go through this process.
There was no way I could recover his account after this. Ultimately he just created a new account, with reversed first and last name and the same profile picture which seems to have fooled the almighty AI.
It was however, trivial for her to make a new account.
If not, the answer is: obviously yes.
People risk their entire lives for significantly less.
I work for another FAANG, and I would never be able to take any action on any part of a customer's account.
I guarantee you Tommy that works in the team that handles tags on marketplace listings cannot do anything about any other system in Facebook.
Humans are great at solving technical issues with human solutions…
In many places, you need a phone from one of those two providers in order to do mundane things like riding the subway without having to jump through extra hoops.
For navigation without transportation, OsmAnd and OrganicMaps (both OpenStreetMap) often do quite well.
Which is a lot of apps that society assume people have access to!
Newpipe FTW
> it works pretty well without an account.
Disagree, especially given how broken YT Search is.
It’s not practical to not trust anyone and maintain a functional life. The real insight should be at regulating tech companies so they can’t do this anymore.
Email is a utility and should be regulated like one. The power company can’t just shut your house off because you tweeted something bad but for some reason tech companies can do effectively this.
More like, have alternatives ready and know what to do to avoid downtime if your main supermarket randomly permabans you for accidentally losing a receipt between purchase and exit, or having unaccounted for bottle of coke in your backpack that you bought at another store, or just looking sus. Or yes maybe it's found to be poisoning food. Fairly reasonable to be prepared.
> Email is a utility and should be regulated like one.
I want less barriers to operating my own email if I want it, having to get a license and such is the opposite of the goal. Maybe that's not what you mean though.
Generally regulating anything is a tradeoff. It helps established monopolies and prevents competition.
How is this relevant when discussing Gmail of all things? When was the last time they had an actual competitor with some market share (outside corporate email), Yahoo! Mail?
if you regulate alphabet in particular, that would send everyone a message that this is now the "officially approved" provider. no others are regulated, after all! it would only increase the barrier to competition.
competition is a good thing. currently, thanks to email+DNS being open protocols, there are no barriers to operating e-mail for your own domain or providing it as a service. as a result, plenty of profitable providers (fastmail, aws) between which users can seamlessly switch.
I'd say it's very practical to not exchange medical information over an insecure channel. I don't email naked pictures of myself or even worse share pictures of a child's genitals in some google drive folder anyone can copy or share. my life is perfectly functional. Anyone who deals with email should treat any email they write like they're public, because there's always one dude who copies some entire chain into a reply or forwards something to a hundred random people that weren't supposed to get it.
When you mail something like this you don't even know if the doctor or the secretary opens them. If they're immediately backed up to some remote server now some tech worker has access to naked pictures of your kid. You can't request to delete that information, there's no ownership. That's a completely insane way to treat your most sensitive data.
For tele-medicine there's strict regulations on the safety of apps and how patient data are treated. Consult doctors through one of those. I'm not even sure if it's technically legal for a doctor to interact with patient data as described in the article.
I don’t think there is any user error here. The user used the services and devices how they are meant to be used and google majorly messed up.
Reponding here only because HN blocked my ability to respond to your 8-minutes-ago comment or post a new one in thread that you have flagged.
Can someone explain what Google's logic is? At this point [after the news articles], clearly humans are involved at Google, clearly they know this is not child porn, so why not reinstate the account and move on?
Basically, CSAM is too radioactive for common sense.
"But a kid seeing a nipple isn't illegal here"
"Doesn't matter, it's illegal in 'Merica, so to simplify things, it's now illegal wherever Google operates "
I guess it's payback for the EU cookies banners. /s
"We are Google. We don't give a fuck."
Therefore, this account and all the data contained is already gone. The most they could do is allow him to create a new account with the same name, but to my knowledge that isn't supported technically in their systems (too many bugs to be found by re-using unique identifiers).
Changing this would probably be a huuuuge undertaking, since every Google product would have to be modified to expect email addresses might be reused for a new account. And some products are in maintenance/bugfix only mode, so those products would probably have to be sunsetted if the changes were too invasive.
That's why they stand by their decision - they don't currently have the capability to implement any other option.
> Muldoon added that Google staffers who review CSAM were trained by medical experts to look for rashes or other issues. They themselves, however, were not medical experts and medical experts were not consulted when reviewing each case, she said.
Which is a nice way of saying: "AI flagged the pictures, we can't really judge if they are medical pictures or not. Enjoy your permaban!"
Besides, permabanning someone because of a single flagged picture seems like a dumb policy anyway. Even if there was no rash or inflammation in the picture, the child could have had a pain in the groin, so wanting to visually examine it could make sense for a doctor.
Another version of this same story, also marked as a dupe: https://news.ycombinator.com/item?id=32557294
As a user, there is a dispute process but as a user I must obey the ToS if I don’t want my account to be deleted. If someone came into your place of business and began taking explicit photos of their child, for medical or any other reason, would you stand for it? Would you give them a second chance to explain themselves?
Google’s place of business is whatever you do on your phone and any content generated by it. You don’t own Android OS just by buying a phone the same way you don’t own a pizza shop just by buying a slice of pizza there.
But Google needs to make a bigger deal of the fact that their services shouldn't be relied on for any particular purpose. (I feel the same way about banking apps too)
Starting in March 2020, due to, well, you know, all of our doctors started doing consultations via video chat and picture-enabled text messaging. This service continues to this day, particularly for our most vulnerable patients (which included, until very recently, children under five who could not be vaccinated against the novel coronavirus).
Children come down with a lot of things that look strange to parents, especially new parents who have never had a child before. Especially parents who are staying home with their children to avoid a new (that's where the "novel" part of "novel coronavirus" comes from) disease that they don't want to give to themselves or their kids.
What you've advocated for is a world where parents can't communicate with doctors except by showing up in person. This is something we demonstrably do not want for a whole host of reasons. For a period of almost a year, unless you were basically bleeding from an artery or your arm was hanging by a thread, you could not see a doctor in person, at least not through our group.
It should be common sense that we are intelligent, thinking beings with the ability to discern right from wrong and that those are not binary choices. There are myriad reasons why someone might take a photo of a naked child that are free of malicious intent and, legally, are perfectly valid. Medical assistance is just one of them.
I never said that I advocate for making the production / transmission of certain types of photos illegal.
Personally, I advocate for freedom of speech, but I recognize that there exists laws currently that restrict it in America. I say that it is common sense because that is the one thing you aren't allowed to post on the internet. Everything else you can get away with.
How can I prevent the photo from bring uploaded? I could disable autoupload, but as soon as I resume it, the photo will be uploaded, unless I remove it from the phone.
Any suggestions?
I deliberately bought a Pixel 6 in order to install GrapheneOS (a degoogled Android) and leave out all links to Google except for the Play store for a handful of apps pushed by governments and banks. The built-in camera app works fine, and OpenCamera is a great alternative too now that it supports all cameras of the Pixel 6.
Either find a service that you're paying for, or if you want to trust a big corp maybe go with Apple. Not perfect, but best of the lot from what I can see. All of the logic is on-device, so they're less inclined to peek at your photos. There was a big hubbub a while ago when they tried to do unsafe photo detection on-device, but they backtracked.
Go into more camera controls , enable Storage Access Framework, select custom directory.
AFAIK android phones upload all sorts of data to google by default, my recommendation is to install a custom ROM (like lineageOS), that will rid you of a lot of these privacy violators without dealing with them individually. If you don't want to do that, avoid google services/apps entirely for anything that you don't trust them with. I'm not familiar with google photos(never used it for (now) obvious reasons), and I don't know what features you need, so I can't really give recommendations on that specifically.
Props though to the SF police which has stopped the investigation when, I guess automatically, they had been made aware of the whole thing by Google. I suspect in a few years' time that won't be the case anymore, even the Police investigation in this sort of cases will have become "automated".
* Google provides a good product free of charge to everybody, but claims it can withdraw the offer to anyone with no notice and without giving any reason. The law should require more rights, guarantees and due process even for free service providers. At minimum, the right to recover my data, the right to have some time to fix the problem, the right to have everyone following the same rules, knowing the rules and knowing the exact violation, and some basic warrantees. As a parallel: Malls are open for everyone just like Google, and it still doesn't allow them to ban people at random. The USA learned with black people how quickly this becomes ugly. But a mall still can remove customers too troubling, the cops can be called, and both mall and customer can sue if it is really worth it.
* People should pay (and be able to pay) for a product that is worth it. The services provided by Google are easily worth money.
* It's hard to ban anyone on the internet without a stable identity, government provided or not. People just take a new identity and come back. This is especially sensitive in the USA, but it causes all kinds of trouble. Maybe coupling the ID to a payment is an alternative, so you can get a new ID if you pay for it. €10 /id / year would probably be enough to shut out almost every troublemaker, and the law can deal with what's left.
* The child porn laws are insane and should be changed. It is not normal that you can send a picture to someone, and the law requires the receiver should go to jail even without him knowing anything happened. Under such laws, the google 'scorched earth' policy is the only option they have.
* EULAs need to cease existing. If I buy an Andriod phone, I give money to the manufacturer, the manufacturer gives money to Google. That means I should have a right to access google play etc without all kinds of EULAs making the device I bought non-functional on any whim from Google. Just paying should be enough. It used to be that license agreements existed only between companies, and were deemed too complicated for ordinary consumers. The 'End User' aspect has to die off. Normal copyright will still protect the software just as it does with books and DVDs, so there really is no need.
Also, see Apple’s scanning stance. Google isn’t obligated to scan and report to law enforcement.
- Patients find it too risky to store medical information on Google drives/devices.
- Exhausted patients are forced to scrutinise every upload for the potential for Google to mistakenly perceive a breach of TOS.
This is not good for the world.
At ground level, bank employees blame irrational form filling, small and nonsensical process requirements on "regulation." In reality, they are implementing a bank "compliance" policy that is relates to regulation. That way, neither the regulator nor the bank is culpable... either for solving the problem or for consequences of the solution. Meanwhile, the banks themselves probably lobbied for the regulation specifics, and almost certainly wrote large parts of it themselves. It's cozy.
At Google-scale, there is no dividing line between between private & government bureaucracies. They're merged in a way that evolves to deflect criticism & responsibility from both.
The scariest line, to me, was this:
"These companies have access to a tremendously invasive amount of data about people’s lives. And still they don’t have the context of what people’s lives actually are."
Well... "luckily" Google & such are getting better all the time at "context." The response to such issues is usually to deepen the bureaucracies, not to pull back.
What are those "countries" you speak of?
Do you mean where the user resides?
Do you mean where the data is stored?
Do you mean where Google is incorporated?
Do any of these "countries" matter when it is a corporation with a country-sized budget on the left side of the ring?
About 10 days ago, my 3 year old son developed Bell's palsy in a period of 24 hours. This means the right side of his face became paralyzed, for no good/known reason. Most cases of Bell's palsy, esp. with toddlers, go away within about a month.
https://en.wikipedia.org/wiki/Bell%27s_palsy
I'm taking videos of his face every day to track progress, to see whether it's recovering. Also, I'm sharing some of the videos on a Messenger chat with other concerned family members. Obviously, since this is his face, I'm not in danger of violating any TOS on this. I have Google Photos auto-upload turned on.
But, knowing how stressed I was when this started, I was definitely not thinking about Google's (or Facebook's) TOS when I was making the videos, so if it had been some other condition where the affected area was the groin, like in the article, I'm pretty sure I would not have realized I'm risking my entire online presence.
Some good news to close: my son's face is showing good movement after ~10 days, so I think he'll recover within a month.
If you have a genuine requirement for photo sharing -- to share your shild's photos with their doctor, say -- there are plenty of other ways to do that. It's not like you're some captive hostage to Google here.
eta: I do wish your child wellness and a speedy recovery!
eta2: To the downvoters: Go for it - I can afford the decrementing of a number in someone else's computer. But. This was not an attack on the parent. Answer the damn questions!
Maybe not now but Google/Apple will scan your photos for potential child abuse.
Get your kid tested for Borrelia burgdorferi. If you catch it early, there will be a lower likelihood of ill effects.
I spotted Lyme in myself around age 12 thanks to Wikipedia’s article on Bell’s and confirmed the infection the same week via blood test. Next to nobody clears it on their own.