304 comments

[ 2.9 ms ] story [ 303 ms ] thread
Okay, so it's not very likely.

What made me transition away from Google/Gmail as my identity provider was pondering the question:

How screwed am I if I get locked out of my Google account?

The answer: Well, if you're on Hacker News, you may have a chance of reaching a human. But if you broke a policy, good luck.

I'm paying $5/mo. for that to not be that screwed.

(I have family who got locked out. It does happen.)

Hackernews made me realize manual recovery should never be a thing. My first account was taken over by a scammer even with a unique password. I suspect the admins of this site 'manually recovered' my account and gave it to them.

The last message of my first account, areallygoodname, is spam. I couldn't be bothered getting the admins to recover it back. I just took the lesson that hackernews is really insecure due to allowing manual recovery.

At the end of the day, you either have onerous procedures to recover an account--notarized signatures and the like--or you just don't allow it at all. Or there's always going to be some susceptibility to sophisticated social engineering.
I'm not sure I understand.. where do you pay $5/mo for a service similar to Gmail? Or do you mean you have a paid Google account with extra storage?
Fastmail is $5/mo as is ProtonMail.
I'm paying $10 a year for https://purelymail.com. Yeah, I'm pretty sure there's a hit-by-a-bus factor at play here that could bite me but the one time I had an issue it was resolved within 8 hours with a follow-up to make sure the uptime they were seeing was also my experience. If the bus ever does meet my provider, I can move providers within a day. For my personal email, that is more than sufficient.
> I'm paying $5/mo. for that to not be that screwed (I have family who got locked out. It does happen.)

But the article precisely addresses that:

For example, in HN discussions people will often recommend Fastmail or Protonmail, but they've had their problems too (FM: 2017, 2020, 2022, PM: 2018, 2019, 2021). Especially given that these are much smaller services I'm not convinced that the risk is lower there. Any system is going to have to handle this sort of problem, and you're not going to find one that never has false positives.

What I'd like to know is : do FM/PM more easily enable to talk to a human ?

I submitted a support request to FastMail about passkeys not working properly (enrollment failure) for 2FA and had a human response in under 15 min on a weekend.
I'm a Fastmail customer, and it's pretty easy to talk to a human. They don't always fix my issue quickly, but I can at least get a hold of a human within 24 hours.
Talking to a human doesn't necessarily make anything any easier.

Lots of large companies have a bunch of customer support agents who are easy to get in touch with, but entirely powerless to solve these sorts of problems: "Computer says no". They are just, to be blunt, executing flowcharts, and have no scope to escalate beyond that.

The only reliable ways to get decent customer support are, in my experience:

- The CEO is a friend of yours

- Your account is so large that a significant chunk of the company depends on you for their income

- You have an ironclad support contract

- Regulatory requirements enforce a level of customer service

Unfortunately, none of those are likely to apply to an average person looking for an email provider, and running one is usually impractical due to these large companies blocking small hosts. Next best thing is taking regular backups and having your own domain with a low TTL MX record.

Right. Say you forget your password. Say you get to a customer support agent and they tell you how to get a password reset sent to your alternate email or phone number.

"Um, I don't have an alternate email and my phone number changed when I moved countries last year."

They'll probably (and correctly) maybe make sympathetic noises but basically say too bad. Presumably this wouldn't happen with a (non-trivial) company where there's some level of known identity. But for an individual there would presumably need to be a last-resort process that required real-world identity verification in some form.

The point of Fastmail and similar is that you get to use your own domain. Then if your account is disabled, you can just change your DNS and use your email with another provider.
If I lose access to my Fastmail and they won’t let me back in, I still own my domain name. If my DNS provider blocks me, I’ll change the DNS provider. My main email domain is a ccTLD with a pretty reliable registrar who requires national ID 2FA. Things can still go wrong, but I have control at so many levels compared to having a free email at someone else’s domain.
That's the same calculation I made. It doesn't make sense to have all of your eggs in a single basket.
This reminds me, again, that I should look into setting up my own home mail server. Is there an off the shelf solution for this? I don't mind setting up another PC as a server for this, but how hard is it?
If, perhaps, you decide against self-hosting, but still want a reasonably good solution, consider owning your domain but buying a hosted mail service. You own the MX records, so you can point it to a service and change it in the future if you need to (without fiddling with setting up a new mail host). Say you use XYZ mail provider, but they shut down for business. You can buy mail hosting from someone else within a day, and all the undelivered mail (if senders follow spec) will be delivered to the new service. And, in most cases, you can import your whole mailbox if you have it synced locally. I find this to be a good balance between privacy and not fiddling with anything at all. I thoroughly respect someone who selfhosts their mail but for me it's too crucial to worry about an update bringing it down - outsourcing it to an expert with proper fallbacks is more safe to me.

I personally use migadu, $19/yr (they have a student discount as well) for unlimited domains, 200 emails in/20 out daily/5GB storage. That's the lowest plan and I don't think I've ever surpassed it (the limits are soft anyhow). I get surprisingly less actual important email than I thought. (I use my gmail for rewards cards, etc)

But, to actually answer you, mailcow.email seems pretty good :)

Is it possible to „own“ a domain? I thought domains are basically rented. If you don’t pay (or payment fails), then u lose your domain.
Well, yes, it's something you are technically renting. There has to be a balance between cost and convenience. If there was a lifetime fee to own it, think of all the domains that would be already bought up - there'd be barely any left. However, in almost every case, there is nothing that will get your domain taken from you, unless you fail to pay or break the domain registrar's TOS (copyright infringement, etc). Far higher bar than Google's AI deeming you bad.

And regarding failed payments: My registrar at least emails me 30 days in advance, will email in case of failure, and will not put the domain up for sale until after a grace period (IIRC at least a week), during which they will repeatedly attempt to contact you.

Also, even if you can't own it: that's true of self-hosting also and doesn't apply to just purchasing hosting

If the answer is no, then your hosting choice doesn't matter at all.
Thank you! I've owned my name in domains for over 20 years, it was the first domain purchase I ever made. I want to be able to store the mail etc. locally. OPs post reminded me of the guy who sent a photo of his child to their doctor and was locked out of his gmail account. I've heard of similar incidents with even less evidence and reason and it worries me. Making the switch to my own domain and hosted mail server would hopefully solve that.
Impossible. Don't bother. Many threads on HN detailing the pain.
It’s hard because the top 10 providers represent 90% of the traffic.

Best bet is to own your domain name, as you can control that out of band. If Google, Microsoft, Apple screw up, you can fail over.

there's mailinabox - but instead I would recommend just setting up your own domain with MX records, and using IMAP locally to store archives. Worst case scenario you lose a few hours of email if your provider kicks you, and you can flip to another one.

personally I would pick fastmail.

Email is harder than you think mainly because of spam protection. The big four will just bin emails received from you if the server's IP doesn't have some reputation.

Instead use your own domain with whatever email provider suits you. Much easier to setup and worry-free.

I believe your biggest hurdle will be developing the sender reputation for your IP address so that you don't have an issue with email delivery.

(It has been a while since I looked in to this, so things may have changed)

I would split it into two parts. First and most critical, is to set up your own address in a domain you control. As long as you control the address you can move it between providers. Then you can decide whether to self-host (which I would not) or use a commercial service.

The problem with home-hosted email is, as most folks said many times, that an email sent from a non-major provider would be marked as spam at best and dropped at worst.

My personal solution is to use my own domain, but have mail delivered by protonmail. This is an inexpensive option in a Swiss jurisdiction with generally sane laws. I maintain a copy of all emails on my home system, so if I wanted to switch from protonmail to a homegrown solution or another provider I can easily restore the same IMAP state there. And I would obviously keep the same email, so will not need to notify anyone of any email changes.

This is my setup too. One caveat w/ Proton Mail: you have to use their "bridge" software if you don't want to use Proton's client. Seems easy to configure, though I've never done it. Their web client is fine.
I use bridge and it is easy to configure and works great most of the time. And absolutely, completely and totally horribly a small fraction of the time.

Specifically, the bridge + Proton Mail combo reuses UUID. It is a known bug, which proton does not see as a big deal (we will fix it; someday; when we care enough). But what this means is that some messages may be mis-tagged, mis-labeled or mis-deleted between your mail client and the server.

I hit it when I was reorganizing my folder structure, freely adding and deleting subfolders from Thunderbird to create the structure I like. Then, the changes stopped reflecting and a fraction of my messages appeared gone. I finally was able to undo it through the web client, but the experience left me deeply suspicious of anything except the simplest operations with local client. And encouraged more diligence with making local backup copies of my emails.

That's a great point about spam, I had not considered that!
Check out https://mailu.io/

It's very easy to set up, although your mail might get caught in the spam filters of the giants, even if you are configured 100% correctly.

Wouldn't recommend this, you'll spend your life trying to get taken off reputation blocklists, and if someone like Google flags you then good luck ever getting unbanned. Email is the wild west, and hosting a mailserver (even a personal one) is a massive undertaking in time cost alone.
I ran my own mail server from 2007 until 2021. I would highly recommend that you don't.

It takes little effort to setup a mail server to receive mail.

It takes a TON of effort to setup a mail server to send mail. Most ISPs will block your IP address, through various services you can get your IP unblocked but it's a slow and very time consuming process. And $god help you if your server ever gets exploited by a spammer. Your IP address will be permabanned by everyone.

It takes more effort to filter out spam

It takes more effort to deal with all the various email-related attacks. Like Joe Jobs [1], and DSN attacks [2].

You have to get reverse-dns setup on your IP which depending on ISP can range from impossible (comcast) to a pain in the ass (AWS).

You then have to worry about backups, firewall rules, server maintainance, power outages, and yada yada yada.

Then you'll get into it and have to figure out IMAP, SIEVE, and TLS. You'll spend more time managing your email server than any other thing you do in your life. You mail server will replace your family, your job, and all your hobbies.

Just buy a domain, pay for FastMail or ProtonMail, and setup or MX records. You'll be much happier.

[1] https://en.wikipedia.org/wiki/Joe_job

[2] https://community.fortinet.com/t5/FortiMail/Email-users-are-...

Yup - happened to me. https://shkspr.mobi/blog/2015/11/the-day-google-deleted-me/

"Luckily" I had enough identity documents to prove to Google's satisfaction that I was who I said I was. But even after I recovered the account, it was all screwed up.

Since then I've dropped my reliance on Google. I don't use them for sign-in, my mail gets regularly backed up, I use alternative apps where I can.

Google scale only works when people and processes are infallible.

This was related to Google+ (which is rightfully dead now). I wonder if they have something similar to recover for regular Gmail accounts. From the horror stories, doesn't seem like it.
but there is not process or person that has ever existed that has been infallible, therefore you are arguing that Google scale does not work?
That's correct.

Google boasts that it doesn't do customer service because it can't scale to meet the demands of their user base.

That can only work if their systems and processes never cause a user to have to go further than an FAQ page or community support.

Given that Google are fallible, you end up in a situation where users' have a poor experience and cannot contact someone to resolve it.

I suspect you mean infallible rather than fallible.
Thanks. Corrected.
Technosocietal Mechanization is a term I might float here.

I'm in a weird spot. I find myself surprised at how actively I defend these company's right to speech. Section 230 still seems like the bedrock that made it possible to have everyday people put words online to me, and I can't imagine renegotiating a way to preserve that while heaping liability onto those who offer online services.

Yet these completely mechanized processes, with no appeal, no humans, no way to get back into graces if something ever does goes awry, is curdling. I cant imagine mandating change, I can't imagine what we could demand that would be reasonable, but I also think this represents one of the worst possible sides of technology & the world; is most quintessentially de-humanizing.

One option is "the opposite of tort reform". Our legal system has been ratcheted one way that's a bit more anti-consumer, we could ratchet it back the other way: increase legally allowable civil damages again, allow more consumer protections against arbitration clauses in EULAs and Terms of Service agreements, stop limiting individual civil court cases in class action agreements, limit the reasons that class action lawsuits right now are the only lawsuits that major corporations are listening to, etc.

In theory, extremely mechanized companies could have to either fix their customer support operations or face an endless stream of lawsuits. You can let the market (again) decide whether they want to spend more money on customer service labor or lawyer labor.

> Google boasts that it doesn't do customer service because it can't scale to meet the demands of their user base.

Which is a huge red flag, and a fantastic reason to avoid relying on any Google service.

So strange, what if I wanted to pay $500 to be helped? It seems like there should be an option if desperate.
Out of curiosity, in what way was the account screwed up after you recovered it?
Just guessing, but does Google reject messages for suspended accounts? If so do they do it as temporary or permanent?
As I said in the post, they set all my YouTube videos private. It also caused an issue with my Developer account.
I had an account from 2005 with a bunch of email with my high-school friends. I then made another account using my real name, which became my primary. A year or two ago I wanted to reach out to one of those old friends, and knowing that I had their email address in the contacts of that old account, tried to log in. Nope, got stuck in an infinite loop of errors and impossible security challenges.

Ultimately I gave up and used another way of contacting that old friend. The experience also made me feel even better than I already did about having migrated to a domain I owned and a non-Google provider for my primary personal email.

I also don't use any 'identity services' because I have no basis of trust in any of them.

It's true that every service has to deal with the same policy and lockout problems, but that doesn't lead to the conclusion that the risk is the same. I pay for FastMail because

1. if something goes wrong, I can reach a human without needing to write a viral blog post first. Other services pay for a customer service department.

2. I trust FastMail more to not shut down their product because they got bored. Sure Gmail will probably not go away, but I'm honestly not as confident about Google Workspaces or whatever it's called now for individuals.

3. I'm tired of acting like using products from an ad company is a good idea. People happily use an email service, browser, OS, and more from the modern DoubleClick without a second thought.

"I can reach a human" is a huge security vuln. I don't want people social engineering my identity provider.
An extremely underrated (and insightful) point to consider.

More generally, how do you actually get a measure of risk between two providers, when the absolute frequencies of measurable events are very low?

It seems plausible to me that FastMail could have 10x or 100x the level of security incidents as GMail, and it would still net out to an undetectable difference in the number of public complaints.

If we had internal data… but of course we don’t.

When I worked in the anti-abuse business, account security was tracked by lurking in organized crime fora and determining the market price for stolen accounts. I don't know what it looks like for FastMail, but I do recall that the range between good and bad platforms was huge. A stolen Google account was like $10, but stolen Yahoo! Mail accounts were more like a nickel per thousand.
You can search for "bulk account purchase" and there are various "sellers" where you can compare the price quickly.
You do want that. But with proper (actual) procedures in place.

The opposite of that is, you do not have a way of recourse, ever. Even states have some.

It is a fantasy that you can have humans adhere to procedures. That's the whole underlying problem of social engineering. Just take the human out of the loop.
> Just take the human out of the loop.

"I don't know if you wanna entrust the safety of our email to some silicon diode."

All joking aside:

I mean... we already know that taking the humans out of the loop leads to undesirable consequences (like losing your Google account with no recourse). So the only question is whether or not the consequences of one scenario or the other is particularly worse.

> Just take the human out of the loop.

This i going to be funny if you get locked out of your bank-account or you have to lock-down your credit-card...computer says no.

> Just take the human out of the loop.

Should we do the same for accusations of crime, get rid of judge and jury, consult a decision tree on whether you get the electric chair

See, that's the fundamental hubris/weakness of the "Silicon Valley current ethos" (well, most tech ethos today) taken to the extreme: taking the human out of the loop. Then who/what does it actually serve?

(or maybe, they perfectly know it, but don't saying out too loud)

I'll take the limited risk. I've had to contact Fastmail support and it was a breath of fresh air. It's a bit absurd that something so fundamental as email has essentially no support from a company as large as Google; it's not a bug-free product.

I suppose eliminating humans is a security win, but HN is full of stories of AI systems failing and banning accounts for essentially nothing. Not having a human to appeal to is far riskier to me. It's not like these AI systems can't be gamed to knock people offline. I'll take the risk of having humans involved -- it's far less stressful.

My main email account was through Hotmail in 2000, and it got shut down that year due to a social engineering attack. The guy who did it even told me he was going to do it first. I didn’t get to have it covered in any mainstream news headlines either :P
> It's a bit absurd that something so fundamental as email has essentially no support from a company as large as Google; it's not a bug-free product.

I'd be willing to bet that gmail has a couple of orders of magnitude more users than fastmail while also providing a substantially bigger inbox (than the cheapest fastmail option), and providing the whole thing for free. I dont think it's surprising that they make trade-offs to support that model. Just think of how many support staff you'd need to support 1.5 billion users!

> HN is full of stories of AI systems failing and banning accounts for essentially nothing. Not having a human to appeal to is far riskier to me. It's not like these AI systems can't be gamed to knock people offline. I'll take the risk of having humans involved -- it's far less stressful.

I don't think the trade off is that simple. There are plenty of stories of support staff getting scammed in to incorrectly providing access to accounts. Is one better than the other? It's not a clear choice imo.

>> I dont think it's surprising that they make trade-offs to support that model. Just think of how many support staff you'd need to support 1.5 billion users!

Google has a shitload of money, they can afford hiring enough staff. Cost is a lame excuse here.

Someone made a good point a few months ago: if you can’t afford to support your users, you have a broken business model.
The provide support for users that pay them, and for advertisers. Their business model is to sell things, and it is working pretty well. They can certainly 'afford' it, but they don't want to, and your complaint as a 'free' tier user means little to them.

What is needed is legislation or some practiced standard regarding real-person online-id so that losing access to your email account doesn't nuke your ability to operate online in a way that requires you to verify your identity even pseudonymously.

I've managed a Google Workplace account (~30 paid users) for over a decade and have never had support respond in less than a week. And each time I got a canned response. I just don't even bother anymore, which is likely what they want. I don't think this is a free vs paid thing. It's just the way Google operates.
It depends how much money you spend with them. If you shell out for expensive support in GCP you get guaranteed response times, dedicated account reps and so on.
I'm paying $10 a year for my email and the one time I had an issue I got a response within 8 hours and a follow-up after everything was resolved. It shouldn't require Fortune 500 levels of spending to get basic service.
That's weird, I have a Google Workspace account with less than 10 paid users and had several in-depth conversations with support personnel on SMTP and DNS setup issues. It was outsourced to an overseas call center, but they did respond to my queries.

That said, I have issues with spam being delivered to my organization's group aliases and I can't report the spam because it flags it against my group alias not the original sender (!) I can't turn spam filtering on the group alias because it flagged legitimate emails from our customers. So I'm kind of stuck between a rock and a hard place, with no one at Google to talk to about it.

They can afford to not support their free users.
Not really. It sounds like you don't have a sense of how much it costs to hire people, how many people are needed to provide oncall support, and the scaling cost of managing and training people.
> AI systems failing and banning accounts for essentially nothing.

The strongest statement you can make about the standard HN Google account outrage post is that the complainant is unaware of or unwilling to admit to the behavior that got their account suspended. Drawing the conclusion that all such complaints are false positives is not warranted by the evidence.

Unless you're implying that the false positive rate is 0%, then it's still a concern for me. I've seen cases where the user obviously did something in error but had no chance to appeal. E.g., they uploaded a photo that got flagged and then lost access to their email, domains, YouTube content, any form of social login, etc. My email account is too important to me to risk with an automated system without an option to appeal to a human. That risk is much higher to me than someone social engineering their way into my Fastmail account.

To me, this is analogous to backing up your BitLocker key with your online Microsoft account. Is it the optimal approach to security? No, but the far more likely risk factor is losing your key locally and then losing access to all of your data. I'll take the peace of mind that comes with knowing I can speak to a human if things go sideways. As an added benefit, I've been able to speak to a human when routine service issues have come up and it's been a pleasant experience.

On the contrary, I would argue this is the exact mindset that makes Google so bad at securing their systems. Every single large Google platform is also the leading distributor of its kind of malware, ultimately because computers are stupid and once you understand what they are programmed to handle you can work around them. Humans can become suspicious and can be held accountable, computers do what they're told and nobody is taken to task when something goes wrong.

I would contend that if you cannot reach a person, you cannot trust a system. And that has generally held in the entire history I've been on the Internet. I chose my web hosting by who had phone support, I've had the CEO of Fastmail respond to my support tickets before. I have yet to be betrayed or compromised by a single platform where humans were involved, but automated systems have failed me regularly.

This is true of offline systems as well. If you want a security system to protect your business, you may have keypads and sensors and things, but you also have a monitoring center staffed by people who can see events in real time.

I think our industry has had a fantasy that complex enough math problems can provide real security, but I would hope by now the cryptocurrency market would've put that silliness to bed by now.

> I can reach a human" is a huge security vuln

Google's algorithms make entirely too many errors.

"I can't get my account back unless a viral account of my problem makes the front page of HN" is an unacceptable risk.

I'm not sure how you can make that judgement without extra context (that is almost certainly tightly held within google). For example, what actually is the error rate? How does that compare to improper access that is successfully prevented?

Obviously any real person losing access to their account is a rubbish experience for that person, but an error rate of 0% is not possible with any system (including those with plenty of humans involved) when there are billions of users involved. I think a much more interesting question is "what's the acceptable error rate?"

I highly doubt that Google even tracks the error rate. I mean that you somehow need to make a viral post on HN to get your account back is evidence of that, they don't even know they made a mistake. Also based on the number of posts that we see here it's a nonneglible error rate. How many users does HN have a couple of 10thousand. So 32 posts makes it maybe 1 in a 1000, even if it is a 1 in 10000 or even 1 in 100000 error rate that's a pretty high probability to loose your online identity.
> I highly doubt that Google even tracks the error rate.

Please. Google has an entire team devoted to account abuse quality research.

https://storage.googleapis.com/pub-tools-public-publication-...

So if there is no way of contacting a human if you have been locked out of your account, how do they determine a false lock out? I am serious, every thread here on HN about being locked out said that the affected person tried all other avenues and did not get anywhere near a real human. So that would make all research flawed wouldn't it? Because it simply checks that the algorithm is consistent. Let's not assume malice. However, that doesn't make it much better because it means the account abuse quality research team is borderline incompetent.
> So that would make all research flawed wouldn't it? Because it simply checks that the algorithm is consistent. Let's not assume malice. However, that doesn't make it much better because it means the account abuse quality research team is borderline incompetent.

I don't think it follows that you need to speak to an affected user to confirm they were improperly locked out of their account. You could have a human review the account history and the steps that led up to the suspension and so on to make a decision about whether it was a good decision or not. No doubt you'd get more info if you spoke to the affected user, but that in itself is not perfect (a scammers whole game is trying to convince google they're someone else, after all.)

I guess what Im getting at is that I think there is a lot of grey areas when you're trying to do account recovery at scale. No doubt there are cut and dry cases where people are locked out of accounts they've used for a long time (and that's shit for the people affected), but there are also plenty of scammers who'd put a lot of effort in to convincing a support person that they should have access to an account. I just don't think having support staff is the panacea it is often portrayed as.

> How does that compare to improper access that is successfully prevented?

Last year I had an email from immigration services and I had to reply within 10 days. If I lost access to my email, I would be deported right now. They don't call, they just email. Why? I don't know, but that's what it is.

On the contrary, if someone get's access to my email, what can they do? Send random porn to my contacts? No-one will care.

As long as I can call the provider and fix the problem, it is irrelevant.

> if someone get's access to my email, what can they do?

Take over every account you have that's configured to send password resets to that address.

One can easily make that judgment. The absence of extra context is a good reason to make that judgment. Google has a reputation for closing accounts and refusing to communicate. Google does not contest this reputation. They give no numbers and share no rate. "What's the acceptable error rate?" isn't an interesting question if you have no numbers. We do, however, have other companies and service providers.
I'm not sure that "better scream loudly on social media" is any better of a solution.
>I don't want people social engineering my identity provider.

How do you balance that risk vs the risk of losing control of your identity altogether due to a technology control malfunction etc. though?

This isn't just a hypothetical: a few years ago Fastmail support was socially engineered into giving access to a HN user's account: https://news.ycombinator.com/item?id=15855081
(Architect of Fastmail's login/account recovery protocols here.)

Firstly, I will say this incident was unacceptable, and we were deeply sorry about it. However, it is also the only time it has happened in our over 20 year history (to the best of our knowledge of course). We already had several projects underway to improve the security of account recovery at the time, which unfortunately hadn't quite landed yet. Since then we have introduced an automated recovery tool with a very carefully designed flow (more info: https://www.fastmail.com/blog/security-account-recovery/) that securely handles most common cases (e.g., forgotten password, or user's account stolen due to password reuse/phishing). Human support is still available, but any account recovery request can only be handled by senior support agents who have undergone rigorous training, and in the case of any doubt are escalated all the way up to our senior security engineers.

Elsewhere it's been mentioned that different people may have different priorities in balancing ensuring they don't lock themselves out, versus ensuring an attacker can never access their account. We provide some flexibility here. If a user has 2FA enabled, we must verify two separate means of verification to grant access, whether via our automated tool or support-assisted recovery. Users can also submit a support ticket to request we add a note to their account to never do human-assisted recovery.

I realise it's very hard to assess the security competence of an organisation from the outside, and for what it's worth, we think the Google security team also do an excellent job. But overall I think we do a very good job of keeping users secure while not locking them out of their own account.

> Elsewhere it's been mentioned that different people may have different priorities in balancing ensuring they don't lock themselves out, versus ensuring an attacker can never access their account

Thank you, this is the most important observation.

Service providers should be providing flexible mechanisms to meet different needs, they should absolutely not be imposing a one-size-fits-all policy. That's the fundamental wrongness with google/facebook and their ilk.

Only I know what the security levels I need for any given account I own. I must be able to configure the policy.

Sometimes, I value my access above all else. With some other account I may value preventing access to others even at the risk of losing access myself. Other variants are possible. Only I know what the correct policy is in any given case.

A critical question is what threat models you're worried about:

Are you worried about an individual interested specifically in you, Jeff B, to get something worth many thousands of dollars that they know you have? Don't put a human in the loop, they're going to track you across Facebook/LinkedIn/local government resources, they're going to know more about your car registrations and when you bought your home than you know about yourself, and they're going to be able to very convincingly social engineer a human in the loop if one exists.

Or are you worried about a group of hackers continuously crawling the web for a database dump from some service you and ten thousand other people signed up for, or some flaw in the authentication sequence to automatically sign everyone in the database and all their contacts a spam network for pennies per person? Their scheme falls apart if they have to call a human, because it's just not worth the time to look up your public records and talk to a human about you.

Second, what happens after you get hacked? Are you more concerned whether you no longer have access to something very important to you? For example, if you've distributed business cards or have contacts stretching back decades with jeffb@gmail.com, losing that account might mean an old friend or business contact fails to find you again. Having a human in the loop for the last-resort password reset can prevent completely losing access.

Or are you more worried about someone getting access to the data behind your login? You've presumably got backups, so you'd rather no one ever had access again than some malicious third party got the password to your crypto wallet, SSH keys to your website, or other private data.

Those have very different ideal responses. Unfortunately, most people tie both categories together in their single Google account, or in an Amazon account tied to both shopping and AWS resources.

"For Security!" has become a universal cudgel:

* For your own security (from theft) we'll hardware lock your phone. Best to throw it in the dumpster if you forget the password.

* Can't allow people to repair their own hardware. What if kids try to do it and end up burning the whole apartment block. Best to forbid it for security.

* You can't film public institution: it's a security issue.

* And now: can't allow humans to operate business decisions. What if they're socially engineered? Best leave everything to automation and fuck you if you slip through the cracks.

It's funny because in the airplane industry, even though planes basically fly themselves, companies still want pilots, because that's what people are best at: solving unique problems as opposed to repetitive issues.

2) Why in the world would Gmail get shut down? The veins of treasure to be mined from within the user's emails are vast and endless. It is quite simply a mother lode. The only bigger source within their direct control is the search input screen.
I think they are talking about some change to workspace effectively breaking the service for them. This has some precedent (with the old “dasher” personal accounts having growing pains for some people migrating IIRC) but also seems like a very low risk.
What are the "dasher personal accounts"? I haven't heard of that before and search results seem to think I'm asking about DoorDash.
That was the internal name for personal paid gmail - I honestly cannot remember the nondescript word combination they called it publicly, but it was rolled into Gsuite which is now google workspace and google decided they wanted to focus on business users instead.

I think this is a relevant article: https://arstechnica.com/gadgets/2022/01/google-relents-legac...

Anyways, basically agree that gmail isn’t going anywhere, just a gmail-related story of people depending on a new flavor of gmail/ google identity that was being migrated messily.

GAFYD (Google Apps For Your Domain)

I used this for 10 years or so before realising they'd moved the backends as they were planning the workspace thing and they were separate - you couldn't share between the two, loads of features missing etc .

Typical Google - all the ideas, no execution.

It will not go down, but you can get locked out by AI policies. This is likely.
Why do you say this is likely?
It may be unlikely if google already mined all information from you.
This explains it, better than I would in an Off hand comment: https://www.devever.net/~hl/logindenial
Your link describes how security lockouts are probabilistic, yes, but it doesn't get into what the probability is. The article we are commenting on does try to get there, by looking at how often ending what scenarios HN users report getting locked out.

Your link is also talking about the no 2FA case, while the article is recommending 2FA with (multiple!) hardware security tokens.

OP specifically mentioned Google Workspace for individuals - that's what I used to use so I can use my own domain and so "own" my email address. There's a good chance that gets shutdown. Google Workspace for large orgs or Gmail does not have the same risk.
(comment deleted)
I agree, but I do worry about it being ruined some other way - forcing me to use Chrome, censoring emails, bundling it with a paid service, ad-blocker-blocker, something else...
This is more the truth of it. It isn't some quantifiable probability that a big-tech service night disappear. It's that they're such clumsy lumbering beasts, and so insensitive to humanity they will steamroller over your rights and needs like crushing an ant. You mean nothing to them. And in turn their pledges and promises mean nothing. A cow is a dangerous animal not because it has claws and teeth, but because it's big, fearful and a basically a bit dumb.
> The veins of treasure to be mined from within the user's emails are vast and endless.

https://support.google.com/mail/answer/6603?hl=en-GB

> We will not scan or read your Gmail messages to show you ads.

the veins dried up back in 2017.

only if you believe them.. I dont.
> only if you believe them.. I dont.

And I don’t believe that PHP is the best ;-)

Having read some 'digital archeology' where people gather data off old MainFrames and Minis, that at some point someone could just buy all of @NetZero.com, netscape.net or ZipLip's email servers and opening up all of the stored email for a fee ($99 per email address). How much would you pay to read your former business partner, ex-girlfriend/boyfriend, or that person you crushed on email?
Any company with a business model that takes your money and gives you service is inherently more secure than one that sells your eyeballs to advertisers in exchange for giving you free stuff. The former companies have a direct incentive to keep giving you service as part of their core business. The latter are really only paying attention to the money they get from advertisers.
This comment is so ironic considering that Apple has just lost their lawsuit in the EU for doing exactly the same.

Wherever you paid for the product seems to have little impact, the reality is that all tech giants carelessly invade your privacy with no recourse for the user.

>Any company with a business model that takes your money and gives you service is inherently more secure than one that sells your eyeballs to advertisers in exchange for giving you free stuff.

If anything, companies try to double-dip and serve multiple masters. See: the security and privacy mess in smart TVs. Last I checked, LG wasn't giving their TVs away.

> If anything, companies try to double-dip and serve multiple masters. See: the security and privacy mess in smart TVs. Last I checked, LG wasn't giving their TVs away.

This is true, and you transition from customer to eyeballs once you take delivery of the product, but it is also tempered by the fact that they would like to sell you your next TV as well.

Google has the same incentive to consider users. If your eyeballs go away they have no recourse for tomorrow. This is no doubt why they give their services away. If they thought they could achieve similar market share while also charging you they certainly would. (And they do whenever they see the chance.)
Google certainly could charge a very small fee for existing gmail, youtube, etc, accounts and make a bunch of money.

In fact there is a pretty strong argument that they are leaving money on the table by not doing so.

Imagine you like your gmail and you have had it for the past decade. If Google charges only $1 per year across say a billion users that is a billion dollars.

Even if they lose some users at the margin it may makes sense...

According to wikipedia gmail had 1.5 billion active users in 2019.

As internet services mature and stop growing exponentially it makes sense to charge for them.

Yes it is true that some might switch but what makes more sense from the perspective of most users?

Charge for the service and show you ads and sell your data like cable. It’s a win, win, win!

I long for a post advertising world. What cataclysmic event or human evolutionary change could cause that, I wonder.

Is there any sci-fi that has a world without advertising or is that so far-fetched it’s unimaginable to even futurists?

Funny enough advertising was relatively small part of the economy until the last several decades. Now it is an "industry" in the multi-trillion dollar range.

Even funnier, if Google search worked effectively for product discovery the vast majority of advertising would not be necessary.

Good point. Maybe the death of advertising comes when some entity knows us so perfectly well it automagically provides the exact thing we want/need exactly when we want/need it.
Google used to for me at least from around 2010-2015 +/- a few years. It was incredible. Now it is usually very hard to find anything I want via search. I suppose a certain amount of defect in search results is optimal for the ad business.
$1 a year would probably barely cover the administrative and payment processing costs. $2 a year would do the trick though. :)
While I agree with your premise, once you charge someone for something, even if it is $1/year, then they start expecting something for that money above and beyond what you provided earlier. In other words, now you've got to budget for real customer support and that will undoubtedly cost you more than the $1/year you're receiving as payment from that customer.
Why not a projector connected to NAS or RPi as media center that is free of ad craps?
The amount of nonsense on my LG C1 is nonsense given what I paid for it. Seriously considering getting an Apple TV or Nvidia Shield to run all my stuff on. Their UI is so bloated with crap.
Have you looked into displays built around the raspberry pi compute module? I don't have experience with them but I've heard them mentioned (here iirc but it's been some time). I don't know much about them so I'm sure the implementation varies between manufacturers. An example from Sharp: https://www.sharpnecdisplays.us/system-on-a-chip
Unfortunately, the Nvidia Shield hasn't been the community darling for some time. Ever since there was an OS update that started putting ads on the homescreen.
I stopped using the Shield when I realized that my LG C9 runs the streaming applications much better than the Shield. The Shield has always been slow for me and Hulu on it never worked right. Every time it went to the next episode of a TV show, the screen would be black while the audio played. I don't think it was consistent how long it stayed like that for but it could be up to a few minutes.

I'll just let LG collect my viewing habits if that's what it takes for a good experience. But I did decline all of the agreements that have anything to do with data collection, so hopefully they're not being overly intrusive anyway.

I just hate that I can only download a few apps unless I make an LG account. I don't want an account to log into my tv so I can access my accounts I log in to. That's some Xzibit nonsense.
These days I get better performance out of my $25 Fire stick than the Shield. The ads are a bit worse, especially since I don't even have Prime anymore but I'll stick with it until it gets to be too much or too slow and then probably buy an AppleTV.
I got a Sony Bravia, but made sure never to enter the wifi password into the TV directly, but rather hook up an Apple TV and only use that.

This way I still have a "dumb TV" (apparently impossible to get now).

Second option would have been to get a projector.

I have a Sony Bravia, configured it on WiFi, and created a new gmail account to use with the built-in Android TV system.

It seems fine: no ads, nothing spamming, and it has an option to not share any data, which presumably (!) it pays attention to.

I started with the no wifi plan for my Sony. They would put popups on screen warning me that I wasn't connected to the internet, even when using a streaming device or blu-ray just often enough that they got me to connect it to the internet. I don't use their apps and turned off the data sharing. I haven't noticed an uptick in personalized ads anywhere. If anything, my Facebook ads are worse than they were before. Just a bunch of crap I'm not actually interested in.
> LG wasn't giving their TVs away.

No, but they're selling them at cost, and using monetization tactics to make up for that over the long term.

Well, that's lg off the list then. Thanks, that saved me a bunch of time, money, and eyestrain.
Pretty much every modern TV manufacturer does this. Don't kid yourself into thinking it's just one company.
I've got bad news for you, it's all of them.

Fortunately, it's not so bad, just run firmware updates after you get the new tv, and then disconnect it from the internet.

"is inherently more secure than one that sells your eyeballs to advertisers in exchange for giving you free stuff. "

Not necessarily, and in fact this case I would disagree.

I trust Google's security 10x more than that of FastMail.

The 'advertising company' reaps in billions of $ with which they can get all sorts of good engineers for 0-day research, exploits, updates.

They have a lot more of a reputation to defend.

Without hard evidence, I suggest that Google is probably 'more secure' than FastMail. Certainly more than 'Mom and Pop Mail'.

Except for the bit where they read my email and advertise to me on that basis, which is admittedly an ugly tradeoff.

>> Except for the bit where they read my email and advertise to me on that basis, which is admittedly an ugly tradeoff.

If you are paying for google apps this is not a trade-off. I dislike how (as a paying) customer they continually push me towards google-only <everything> but they don't require it.

gary_0 seems to be using "security" to mean "sureness of their continued existence", as in "food security". I don't think there's any question that Gmail is more secure in the computing sense.

> Except for the bit where they read my email and advertise to me on that basis, which is admittedly an ugly tradeoff.

Iirc, Google reads your email, but explicitly says they do not use what they read to personalize your ads.

So what’s the reason for reading it then?
Probably the relevant bit:

> To provide you features like smart inbox categories, Smart Compose, and spam detection, we use Gmail data to provide a more intelligent email experience and keep you safe. - https://support.google.com/mail/answer/10434152?hl=en

Famously, a while back, at some Google subdomain, you could see a list of all of your payments extracted from your emails, but I'm not sure that still exists.

For me, the likelihood of getting locked out without recourse should also be included.
On the other hand, if FastMail has a more focused product, less surface area for exploits.
> I trust Google's security 10x more than that of FastMail.

I trust Google security to protect Google, not me. For example by blocking my account.

> They have a lot more of a reputation to defend.

Actually no, if Fastmail pulled the shit that Google does, they'd be out of business.

> I trust Google security to protect Google, not me. For example by blocking my account.

Any company will protect itself first. As they say in the VPN world, "nobody here is going to jail for your $5/month".

> They have a lot more of a reputation to defend.

that didnt stop them from having vulnerabilities in gmail that allowed anyone to fake the dkim verification and pretend to be the CEO of google, which they then ignored until someone did in fact do this, to prove it :)

> I suggest that Google is probably 'more secure' than FastMail

The overused phrase "more secure" doesn't mean anything without context.

To evaluate the security of anything you first need to identify all the threat models that concern you (and perhaps call out the ones you don't care about). Then evaluate each solution against every threat you identified.

For instance for the threat of the vendor itself sabotaging my access to my account, I'll score FastMail far better then gmail.

> Any company with a business model that takes your money and gives you service is inherently more secure

I just finished reading Postmail For Dummies. Since I'm charging $5/mo for email accounts, you'll obviously want to migrate your gmail over since my solution is so much more secure.

The only time I've been locked out of e-mail is when my credit card company incorrectly labeled the payment to the provided as fraud and the so called company that you can call and reach a human to discuss issues with, was not very sympathetic to my case and I didn't have e-mail access for 4-5 days until the issue was resolved.

Just an interesting data point. It wasn't my intention to label the payment that way. It is what it is, but, just as OP seems to be believe, I would expected the issue to be resolved faster. Though, perhaps if I were to receive a "fraud" label on a non-paid account maybe I would be blocked to this day.

Used fastmail (and proton) for a year or two. Had to go back to google because there’s just too much spam otherwise
I've been on Fastmail for several years and I've had no spam in my inbox at all. Not a single email. That's a better track record than Gmail for me.
Same experience here. Fastmail is amazing.
I've been on Fastmail for almost a year, and I get spam/obvious phishing attempts in my inbox. Compared to my experience with GMail before switching to Fastmail, I found Gmail to be noticeably better at spotting and filtering both spam and phishing emails.

Having said that, I'm still not going back to Gmail.

I haven't have any problems with spam on PM, but I also don't give out my email addresses willy-nilly. I have junk emails for that.
What I'm hearing is that PM's spam detection is so poor that you don't feel like you can freely share your PM email address, out of fear that you'll get spammed. That's not a very convincing pitch for their product.
I am using Protonmail for some years now. I have maybe one spam mail per week in my inbox, everything else is filtered correctly.
Left Gmail b/c for months it locked me out periodically for too many hits. Neither they nor I could ever identify the source of this.

Moved to Fastmail. No issues since.

I used to use gmail as primary and yahoo as spam.

Now I use proton as primary and gmail as spam.

gmail's quality right now is absolute garbage.

Humans executing security policy (inherently imperfectly) versus ML algorithms executing security policy (deliberately imperfectly) is not the main issue. The real problem is that the industry hasn't purposefully sat down and hammered out the full contours of user verification. Each company just starts off with simple passwords, bolts on a few other arbitrary mechanisms, and then forces that on their customers - residual probabilities and collateral damage be damned.

Strong passwords, hardware security keys, shared secrets meant for offline storage, SMS challenge, other accounts, snail mail address verification, notarization (governmental identity), voiceprints, time delays, etc. Each one represents its own tradeoff of convenience versus reliability versus forgeability versus privacy.

Users should be able to pick their own policies. For an email account where I've already provided my real world governmental identity, I'd most likely prefer snail mail address verification plus notarization (combined with notifications to the account and a waiting period). Whereas for another where I've deliberately avoided spilling my governmental identity, I should be able to express that a password plus hardware security key is the highest level of verification there will ever be.

Furthermore, companies need to make their own rules for falling between everyday access to account recovery explicit, and allow users to express preferences there too. There should be no cases of the wind blowing from the east so we require account recovery today, forcing users to be policed on what IP addresses they're coming from, etc.

4. I like separate services/accounts. So many stories of people being locked out of their account because of YouTube or something.

I feel much better now that my Google account is only used for Android and YouTube.

Good it's a paid product. I had an account with a free email provider openmailbox.org, which closed down. I lost my mail box and, together with it, a valuable domain I bought in 1995.
> I pay for FastMail because - if something goes wrong, I can reach a human

You can do that with GMail too, upgrade to the workspace account. I had some issues with it last week, and I was able to reach a human and get it resolved soon.

This is regardless of Google. Reaching humans is impossible with "Outlook" free email accounts, but amazing with Microsoft 365.

I can't find any information on what happens if you stop paying for a Fastmail account. 1Password for example freezes your account in read-only mode. It's documented that Fastmail will re-use addresses for free trials and when a user requests to cancel [1]. It isn't clear what would happen if for some reason your card expired, they stopped accepting it [2], or your bank messed up and blocked the transaction [3].

To me, this introduces a new way to lose your account that isn't there with a free email service like Gmail.

[1] https://www.emaildiscussions.com/showthread.php?p=622760

[2] https://news.ycombinator.com/item?id=29988359

[3] https://www.reddit.com/r/personalfinance/comments/d1okxu/cha...

I had an issue with the credit card used to renew a Fastmail account. Fastmail sent me emails about the issue, but it took a couple days to fix everything on my end. Even after the renew date passed my email functioned as normal, so there seems to be, at least, a grace period. Not sure what would have happened if it went on for longer though.
>Not sure what would have happened if it went on for longer though.

When I missed the payment they sent me this:

"You can still use your account for now. If the subscription is not renewed soon, sending and receiving email will be disabled. If the subscription is still not renewed after a few weeks, access will be disabled. Eventually, the entire account will be deleted, including all stored messages."

Specific timelines would be nice to know, but otherwise this sounds reasonable. If you stop paying, you have a grace period to download all of the messages before they stop you from using their service as a read-only archive. Then you have another grace period to pay before they clear out your data so they're not wasting space holding onto your junk and to avoid maintaining any liabilities that come with having your data stored on their servers.
(comment deleted)
(comment deleted)
This is why paying for your own domain is so important. I keep mine prepaid for multiple years and my registrar sends me at least 5 emails before I would ever be at risk of losing it. My email address won't be getting reused until either emails are no longer relevant or I'm dead.
(comment deleted)
Another one: I can link my domain. I backup my emails regularly. Getting locked out of fastmail is a temporary disruption for me.
Two comments on this.

1. Merely looking at published noise may vastly underestimate the size of the problem. Lots of "normal" people including one close to me have several accounts containing parts of their life history lost for one reason or another, and just accepted it and moved on.

2. "Kids in the bath", ha. Carefully framed photo to avoid sensitive areas, taken with a tablet that happened to be handy that is not usually used for photography. Next thing I know I see them on another device. Darn thing had Google Photos with cloud sync enabled by default! Not for long, and I made sure to purge those photos from the cloud. But it can happen that easily.

> Merely looking at published noise may vastly underestimate the size of the problem.

Exactly so. My rule of thumb is that for every problem/complaint you hear about, there are [at least] 100x that many whose unhappy campers won't/can't bother to do anything about it.

Overall good analysis but this one quote is kinda crazy if you think about it

"I put a little effort into avoiding grey areas (not filing chargebacks to Google, not taking pictures of my kids in the bath) but otherwise don't worry about this."

Downright dystopian world we've created for ourselves. Don't anger your corporate overlords, and don't do anything that could even remotely be conceived as not Thinking Of The Children. Or, how to pave the path to hell.
Right!? Not being allowed to take pictures of your own kids as you might anger your land lord as they'll evict you without warning and burn all your stuff.
(comment deleted)
Chargebacks can get your Google account locked. If you have a dispute with Google and protect yourself by reversing a credit card charge, Google might lock you entirely out of your account. The Google Pixel subreddit has a bunch of people's stories about that: https://www.reddit.com/r/GooglePixel/search/?q=chargeback

Not sure if this counts as "policy reason" for the article's purposes; he sort of dismisses payment disputes. I could argue either side about whether a suspension like this is reasonable. In the Google Pixel case the chargebacks mostly start because Google outsources hardware support to a bunch of unreliable third parties. Some of whom seem to eitiher lose or just be stealing customers' phones when they are sent in for repair.

My takeaway was that if I was ever in a dispute over a couple of hundred bucks for Google, I would not risk a chargeback for fear of retaliation. My account is one of Google's very first, when I worked there I launched one of the first products to ever use a Google account. I have no faith that as an outsider now I'd ever get a reasonable hearing over an account dispute.

> My takeaway was that if I was ever in a dispute over a couple of hundred bucks for Google, I would not risk a chargeback for fear of retaliation.

My takeaway from that is to never spend more than a few quid (i.e. money I'd care about losing) on anything linked that directly to Google.

Or get yourself a chime account or something that does not allow overdraft and put that debit card on your google account.
To me, a chargeback is a 'burn the bridges' moment. If a company has wronged me to the point I'm prepared to do a chargeback, then I obviously don't want anything to do with that company anymore, and I welcome them to close my account since I will never do business with them again. Why would you want to continue doing business with a company that has frustrated you to the point of doing a chargeback?
Because you have to. For example, no matter how badly Microsoft wrongs them, people in many industries need to use Windows, or Office, or LinkedIn.
Microsoft, I get it.

Google no. I am very very close to being able to kill my google account though I probably will just leave it parked.

Believe it or not Google Voice is the one thing holding me at the moment. Nobody offers the same quality service period, let alone free. Come at me HN, I'm open to alternatives. Google Voice also has one killer feature nobody else has; the ability to make and receive calls using your carrier voice service and not DATA. Generally a higher quality connection that on most plans these days is unlimited, where as a lot of plans still count data usage whether it's a "unlimited" (but throttled) account or not.

OpenPhone is the closest I've found and seems their customer service is horrible, I see people on reddit complaining about them all the time.

Google Voice is the only service I don't have a good replacement for either. I pay for Youtube TV (cable streaming) because it has the best price/value proposition for my viewing habits but there are a half dozen other services I could switch to and be happy.

I still have a shared calendar on Google but only because I can't convince my wife to try something different. I used to be all-in on Google but have spent the past 2 years getting away as much as I can.

Maps was my killer app for google. Early on I started with TomTom on a PDA, but Google maps for years was the absolute best. Until all the blatant ads showed up. First every McDonalds is visible at far zoom levels. Then garbage I don't want starts showing up in search results. Viewing your travel history is mildly disturbing and even if you delete it you just know it's already been data mined.

I hear OSM has some decent map and navigation solutions now, but for me Apple maps long ago passed the touring test. I only trust that Apple with all their positions and statements on privacy will suffer irreparable harm if it is discovered they sell user behavioral data like google blatantly does.

I hear you, but Google is a giant dominant player. Just because their third party cell phone hardware service contractor loses a phone doesn't mean someone doesn't still need to use them for email or cloud computing services.

It's the lack of a central, accountable point of contact for everything under the "Google Account" that's the real problem. Since its very beginning Google has been bad at consumer relationships.

Maybe I'm reading this too negatively, but I just view it as their cost for not having a streamlined process and that it is just part of the transaction. It is one of the main reasons I use a credit card. If a company takes my money and reserves my room at a hotel and I show up at 2am, I expect access to the room. If they don't, I request my money back in person for services not rendered. If they cannot do it right then and there, I just tell them I'm going to chargeback because I don't really trust a company that took my money in the first place to return it in a timely manner. This happened to me in 2022 and I still plan to stay at that hotel chain. Just a rare occurrence for which they paid.
The problem is that Google is a conglomorate. You might be disappointed with their phone service or their phone store or their tv service or whatever and never want to do business again with that section of the company, but still want to keep using other parts. Maybe that sours you on the whole company, maybe not, but even if you don't want to end your ties with them, you probably want to end it on your terms, not immediately as you get your money back.
Sometimes you have little choice⁰, sometimes there are convenience¹² issues.

My point is that to avoid even having to consider this choice to make by never doing anything that I might ever want to charge back. Separation of concerns: don't do (significant) money stuff with Google, then money stuff can't affect your other uses of Google.

----

[0] Some have a lot of contacts who know them at their @gmail address, getting people to update your contact info when you deliberately change address can be enough of a faf, imagine having to do it without warning. Some also have other accounts where they login via Google, they need to make sure those are transferred to something else (if possible).

[1] I have nothing irreplaceable in Google's sphere (my phone contacts & other content is backed up there, but not only there) though there are a few shared photo albums and so forth that I interact with using that account.

[2] Even if you intend to move away from Google or other large multi-pie-fingered company, and are actively doing so, you want to do that at your conveniences not with them chucking you out in an automated hissy-fit.

There are stories of Apple locking accounts over chargebacks too. Cutting both of those out would be nice but probably tough for me.
> My takeaway was that if I was ever in a dispute over a couple of hundred bucks for Google, I would not risk a chargeback for fear of retaliation

And my takeaway is that it is high time that these corporations that hold people's livelihoods in their hands got regulated like public utilities...

Exactly! Maybe this way we could do something about mail delivery issues too. I think it shouldn't be okay to accept mail and then still drop it, yet Microsoft does it sometimes with new mail servers.
It also really needs to be mentioned that Google’s store was (is) absolutely awful for buying gear.

I wanted to buy 2 pixels from them. Put the order in, no news for 7 days, at the exact 7 day mark my order gets cancelled. Tried talking to customer support with no success because there isn’t any.

So I put the order in the second time and the exact same thing happens: after exactly 7 days, my order gets cancelled. I say f’ it and buy from a local dealer, with next day delivery.

A few days after the fact, I try using my credit card for something and my transaction gets denied (I had a -200 euros limit). I call the bank and they tell me that there’s a hold on my account from Google, for the price of both orders (about 1500 euros I think) and they are waiting for the funds so it can clear. My only two options is to talk to Google to cancel the charge (lol) or wait 30 days.

I simply closed my card and got a new one.

A few months later I started getting notifications that transactions on this card are being rejected - someone was trying to buy stuff for 1-3$ with my card but it was closed so they didn’t go through. Since I mostly use virtual cards for online stuff (which Google doesn’t like), and the physical card rarely, there is a really big chance that my credit card number got leaked from Google, but there is no way for me to prove that.

They're so bad at it I wonder why they try. They clearly don't want to do it well.
Googler, opinions are my own. I work on payments, and have dealt with our credit card processing a bunch.

As far as I know, we've never lost control of credit card numbers and had them leaked. We actually work very hard to make sure humans can never see card numbers (our internal controls are more strict than most banks and card networks).

Also, I didn't think we would hold an auth on a card for 30 days (normally it's less than that). For the MCCs we charge payments on, I believe Visa and the others will only hold an auth for 7 days[0]. If the Auth is staying on your card for longer than that, it's likely your bank is holding the funds, not Google. We try to always cancel auth holds before they expire, to make sure we don't have lingering auths like you saw (I've tweaked this previously due to complaints like yours).

I can maybe look into the payments on your account if you'd like (my work email is in my profile), but I wouldn't be able to reply. It would just give us data if we are failing to cancel auths in some cases.

[0] https://www.chargebackgurus.com/blog/credit-card-authorizati...

Hey, thanks for the reply. I got the info with the 30 days from my bank alongside with the options I had, so it may as well be from them - I use a VISA card in Europe.

Also thank you for the offer to check my account, but there’s no need for that as I will try to never ever buy anything directly from Google

That is very close to if not monopolistic behavior.
Is there any company that won't blacklist you if you do a chargeback? As far as I know, this "criticism" applies to every company in existence.
While it's true that most companies will probably blacklist you at least for a while, you can work around it by using a different card or having a partner make the purchase if you really want to continue doing business with them.

Google knows more about me than the CIA and FBI. If they truly want to blacklist me, I'm not working around that without the aid of operators I'd rather not be associated with.

I feel like this is interesting anecdotal evidence, but its asking the wrong question: what is the risk of losing a google account. if the scope and impact of the loss is significant enough (and in most cases it poses a serious impediment) then you may wish to revisit the google offered service entirely. It is well documented that google accounts can be rescinded for any number of arbitrary reasons, and remediation is either time consuming and cumbersome or entirely impossible.

There is a strong consensus forming in the tech community that core services like email or authentication should be delegated to google only as a last resort.

I am amused by the way HN collectively expresses contradictory opinions on this topic. When presented as getting locked out of Google, a vanishingly small probability of losing access to your account, sometimes only temporarily and often through the fault of the user, is a crime against humanity. When framed as American-style "voter ID", a 15% false positive rate is just the natural price of ballot security. Maybe the sets of commenters on the two categories of articles are disjoint, but I still find it puzzling.
With the government, you have legal recourses for anything. You can eventually get to someone to be able to recover something. You can even take them to court.

With the unregulated private tyrannies that the US tech corporations have become, you have no recourse if some algorithm or someone just nukes your account in some major provider. Your history, your business contacts, even your infra may be gone in seconds.

We still treat the Internet as if its mid-2000s and its still a mostly hobbyist thing with some big business doing their thing elsewhere while the plebs go about their lives in the fringes of some user-run websites and forums. Losing nothing was a problem then. But now everyone's lives, businesses & livelihoods, professional histories are hooked up to the Internet. Its no longer a hobbyist's ground.

Its amazing how corporations that could kill your business within a second have gone unregulated this long. If some company holds the livelihoods of millions of people in its hands, its not a mere business - its infrastructure.

(comment deleted)
no. whats amazing is that a bunch of people who supposedly care about such basic fundamentals like having open protocols always unanimously agree with "the company has an advanced proprietary risk analytics model to decide whether and how you get to log in. we can't talk about it because of security reasons".

well, the article is just wrong but i don't feel like going into the nuances of how identity works with a bunch of zero attention span web devs but i blame UN*X for this situation by making computers too hard to use (both securely and at all) with contraptions like email and PGP. all authentication should be done with public keys. open protocols require solid foundations which include the user being security-competent. you can layer on the "poor old dumb user" stuff on top of that, for example by letting him have a 3rd party company hold his private key. but again, this article is just wrong and scoped into very specific things people like to "debate" while having no clue about the big picture. it's absurd to even imagine that the web meta (a bunch of dot com boomers who dont give a fuck about anything other than going with the flow and creating solutions looking for problems, and knee jerk solutions to current problems) represents anything about established security engineering literature

I find that owning the email address domain it is safe enough with any decent provider. If you get locked out just change the provider and dns configuration.

Even if you are storing passwords in Google account you should be able to reset all of them since you have access to the email.

Given the low likelihood of this happening (for Google, Fastmail, Outlook, etc.) it's really not worth thinking that much about this. My approach is to have a custom domain and forwarding to another provider.

Gmail -> Outlook forwarding iCloud Photos -> OneDrive

etc

You seem to be only thinking about Gmail. What about the other Google services that would be lost? Anyone who makes their living making YouTube videos will be devastated by the loss of their YouTube account. It can also be a huge problem for those who log into other websites using their Google account.
Google is too good not to roll the dice. I use Gmail in my own domain with a different registrar. Push comes to shove, I'll move, restore backups, and carry on.

But damn are non-Google ecosystems bad. At work we use m365 and everything is atrocious compared to Google. Loggin in is a mess, email search is dreadful, OneNote search unhelpfully defaults to searching the current pagwe, integration with Android is weak, Outlook Calendar never seems to do what I want it to and doesn't seem to handle location in any sane way... I could go on but every time I switch to my private machine and Google-first setup, it's like a weight has been lifted.

I would tell you that after using Fastmail, Gmail seems positively glacial and slow. Like, it's borderline "why would anyone put up with this, except maybe because they haven't used good email before". And we just got a huge fine for missing a bill here because a family Gmail account spam-binned it, which isn't an issue for my Fastmail, which handles spam better.
It could be a little faster, maybe, but with good indicators of things happening under the hood, which Google offers, reliable results, and the daily comparison to m365, I have no complaints.

And really, the only faster email setup I have ever used was mutt right on the MTA. I haven't used Fastmail but ProtonMail (my backup choice due to their combo mail+VPN+drive offer) certainly doesn't feel faster than Google.

> which isn't an issue for my Fastmail, which handles spam better.

That's interesting, can you expand on this?

My Fastmail account receives, at most, a handful of spam emails a week. And Fastmail uses a personal spam filter heavily weighted off your own mail and reported spam as opposed to the whole world's emails. Obviously it has weighting rules that are easily understandable and readable in the headers, but my own trained filter has a really strong impact on the spam score.

Whereas I find Gmail both often misclassifies legitimate mail as spam, and fails to catch obvious spam, the biggest issue is it rarely is fixable by my actions, because it's mostly based on Gmail-as-a-whole's perspective on spam. My Gmail is also receives an absolute deluge of junk even though I haven't used it as my primary mail since 2016. I have a somewhat short Gmail address and I strongly suspect it gets dictionary-spammed because the server name is a given, it also gets signed up to random things I never signed up for (including the NRA and Shutterstock, both of whom I had to contact and ask to remove me).

> OneNote search unhelpfully defaults to searching the current pagwe

If this trivial complaint is the worst you can think of for OneNote then that shows what a good job they've done. I actually hate how good OneNote is because it doesn't work on Linux (as a native application) and there's no good alternative that does. The usual answer I hear is to use a wiki but one of OneNote's killer features is how good its offline capability is when using a notebook on a shared drive, and an online-only wiki is about as far from that as you can get.

(Ctrl+f to search current page, ctrl+e to search everywhere, by the way.)

My list of m365 complaints is virtually endless. It's nothing major but rather death by 1000 cuts.

The focus is almost never where I expect it, the notes overlap each other by defualt, the sync takes enough time to notice every time you make notes on your laptop before a meeting and then try to use them off the phone.

Well yeah, don't compare them to Microsoft... MS Teams suck, all 365 is a mess.

Actually, don't compare to ecosystems at all. Specialized service providers are much much better.

I have been pleasantly surprised at the management tools provided by Microsoft to manage 365/Azure/Exchange accounts. Everything seems intuitive and easy.
I had the opposite experience.

My google inboxes are full of spam. To catch the companies that were causing all of this spam, I setup a catchall email account on a non-google email service and switched every vendor over to a dedicated email address (i.e. hn@foobar.com, homedepot@foobar.com).

I expected to catch a tonne of vendors "red handed" sharing my email address, since spam was so prolific on gmail. Nope, I simply don't see spam anymore. In the last four years I've caught exactly one vendor sharing my email address (TicketMaster gave my email address to Warner Brothers).

Given I haven't changed anything materially with how I share my email address (it's still in my git commits as code@foobar.com, still on my website as website@foobar.com, etc., if anything I share it more freely now since I know I have control over each inbox), I'm lead to strongly believe GMail has a unique spam problem.

Dealing with GMail's spam problem isn't worth my time. That is amplified by the risk of me getting locked out of an email account. I have one Google account with files and emails dating back to grade school I can no longer access and no approach to "recover my account" has worked in the last 5 years - I've even paid Google for support to have someone tell me there was nothing they could do.

Google is a massive liability for me. They are a huge risk trusting them with anything that doesn't have a dedicated customer support team, a large part of their business model is to waste my time instead of charging me $$ for services rendered, and they do a pretty poor job of maintaining a level of quality in their products like GMail.

Whenever I have to deal with Google I get the distinct feeling that they consider their time infinitely more valuable than mine. I don't like doing business with people who are willing to waste my time like that.

I do something very similar, and have a similar result - almost no cross-sharing/selling of addresses.

The two sources I have: - Leaks - Guesses - eg. webmaster@domain.com - Kickstarter

Kickstarter gives over your email to projects, and now I get get lots of kickstarter type spam where it's clear projects have shared it out. It's annoying. My fault for using a real email with kickstarter years ago.

I'm pretty sure all the spam I get on my original account (20 year old email, first@firstlast.com) are also more leak related than anything else. That email has been around for so long, and is in a lot of leaked cred dumps. Whenever there's a new dump I get a small spam uptick.

I've been segregating passwords for several years, but nothing like the age of my original one true email.

I recently bought a whole new anonymous domain too, to keep non-personal email off my personal domain (it's firstnamelastname.com). It's fun to have a second domain and totally unique emails per vendor, but doesn't seem to do much. I suspect this is also a volume/value thing for spammers. Everyone has a gmail so search/guess/spam those and it's easy. Individually targeted attacks on domains with very small address lists aren't worth it, and almost worth removing from your spam attack because someone with a small custom domain isn't likely to fall for it. Similar to the delivery typos approach of selecting for people who aren't sensitive/cautious to correct language.

I find Fastmail does a really good job at detecting spam in general too.

I don't doubt your experience, but I've had the same pattern (gmail.com email spammed to hell, custom domain -> no spam) except that I'm in a grandfathered Google Workspaces account. I also do the custom email trick, and I'm very liberal about handing out those (makes remembering accounts easier as well), but no dice.

I'm convinced that companies filter out custom domain email addresses when they share and spam user data.

Eh.

I had Google hosting my family's email for a long time (I had one of those grandfathered free custom domain setups).

It wasn't bad and it was free (!), but:

- Google threatened to cut me off. - Wife's account needed attention to keep it under the disk space quotas. - Google had creepy marketing based on private email content (making you worry about what else they are doing with my private email content). - It was free. (Yes, I list that as both a positive and a negative, since it means they have no real responsibility to me.)

I migrated to fastmail and it's every bit as good as gmail with none of the downsides, for a small $/month.

Sure, Google backed down from terminating my service, but that reminded me not to rely on "free" services -- free is always limited. So I thought, "Fair enough, time to pay." I considered Google, but they did not make the cut.

> Google had creepy marketing based on private email content (making you worry about what else they are doing with my private email content

As far as I know, email content was never used for ad targeting on any iteration of Workspace/Gsuite/Google Apps for Your Domain/etc. (And it hasn't been used for consumer gmail for many years either.)

How would you know though?

Not that the details of how they use a specific information stream are all that important (if they aren't using one it's just because they've got something else better). The fundamental problem is that their interests are fairly heavily misaligned with mine. They want to make money by effectively mining my information and I don't like that and find it creepy.

Because they've made public statements to this effect, including in the privacy policy.

Why trust those statements? Because lying would be a very bad idea. The lies would be revealed very quickly (e.g. via whistleblowers). The outcome would be expensive civil lawsuits, probably billions in fines, and a loss of trust in their $20 billion / year cloud business.

> At work we use m365 and everything is atrocious compared to Google.

In my experience the admin side is the opposite. I only have a legacy Google Apps account to judge, so maybe the paid stuff is better, but MS365 has some pretty good tools when it comes to email.

However, both of them have absolutely brain dead policies sometimes. Ex: Google bounces mail sent to accounts locked for suspicious login attempts and MS forces you to give admin privileges to normal users that have to deal with messages that are incorrectly flagged as high confidence phishing.

MS is a double edged sword though. You get access to a lot of tooling on the admin side, but they very obviously don't care about small business users. The Business Basic accounts are more like paid beta testers than anything. You can see it if you look at the release lifecycle for a lot of the products. Ex: Business Basic accounts get app updates before Enterprise accounts.

I currently use MS for everything, but the bloat is starting to get to me. They can't stop adding features and everything there is starting to feel unpolished. They can't even keep their own docs / support up to date and sometimes support will send you links to stale information.

The support is 100% useless from both Google and MS, so I almost never use them and prefer MS because I get more tools to solve my own problems. The "confidently wrong" part of ChatGPT feels like a Microsoft product. Lol. They could literally replace their support with that "AI" and I bet people wouldn't notice the difference. That's not because ChatGPT is good. It's because MS support is so bad.

"My name is ChatGPT. I understand your problem and I'm going to help you fix it." >>> Proceeds to demonstrate a complete lack of understanding and doesn't fix the problem.

> For example, in HN discussions people will often recommend Fastmail or Protonmail, but they've had their problems too (FM: 2017, 2020, 2022, PM: 2018, 2019, 2021).

I think this is a bit dismissive of Fastmail: in all three of the linked reports (2017, 2020, and 2022) Fastmail has apologized and reinstated the account or provided some other mitigation.

Nobody is perfect, any service will have bugs causing lockouts and false-positive fraud claims. But what makes Google untrustworthy is that they don't seem to have any recourse if you are caught in a mess. To the point where engineers in other Google departments can't get human support, and the linked case which made mainstream news did not get his account back despite being proven beyond-doubt innocent.

A good service can make some mistakes, what differentiates them from a bad service that they attempt to correct them. Like how a good company can do layoffs if they provide good severance and also cut top executives' pay.

In cases where someone was able to get their Google account back only after taking their case public (ex: [1][2]) I'm still counting this as a lockout, under the assumption that if they hadn't been able to draw attention to the situation they would have been stuck. Are the Fastmail cases different, or was taking it public and getting noticed a necessary part of the resolution process?

[1] https://techcrunch.com/2017/12/22/that-time-i-got-locked-out...

[2] https://news.ycombinator.com/item?id=2794529

> Nobody is perfect, any service will have bugs causing lockouts and false-positive fraud claims

The HUGE difference is both Fastmail and I assume Protonmail (I only have personal experience with FM) actually have customer service departments, with real people.

I had already begun using my own domain for emails by the time it happened to me, but nothing accelerated that process faster than getting locked out of my Google account. I was lucky it wasn't permanent in my case, at least, but it was a wake up call that I really cannot trust them.

For me, it all happened because I tried to purchase, of all things, Minecraft from the Google Play store and typed my CVV in wrong a couple of times. That locked me out of my email and all Google services for about three days while they did some sort of fraud verification.

While, yes, things can happen to FastMail, etc, the likelihood of having my domain stolen from my registrar (which is very possible) is a lot lower than something happening to my Google account. And, god forbid it did happen, in my experience, getting in contact with a human at a domain registrar is easier than getting in contact with a human at Google.

Has anyone else had trouble with Google takeout? I tried to download my GMail history and it just failed with no extra info. (I made a post about this that didn't get any traction... https://news.ycombinator.com/item?id=34456459)
In my experience, you need to have been logged in on a particular device for 7 straight days before Google will let you use Takeout.
It is about the expected value, and not the likelihood alone. For some of us, the expected value is so much in the red that using Gmail is not worth it.
I have decided to multiplu Cloud services by 2. So I also use Microsoft 365, onedrive and Outlook. It feels more solid than Google nowadays anyways.
Just last week someone called my shop saying they couldn't get into their Outlook.com account. They had a backup email and had a code sent to it but Outlook.com said the code was bad. I told them to look into FastMail, preferably with their own domain name. It's not free but it's inexpensive and you can contact someone if there is a problem, and worst case, you can re-point your domain. Mailbox.org is another option.
I like getting an Office license wand functionnality with my email.
If anyone can help woththis,please reach out : My father owns a business that has been family owned and operated by my grandpa and my father for nearly 50 years. The name of the business contaibs our last name. The google street view of the business is my fathers home.

Recently my fathers domain registration lapsed and someone bought the domain. We changed the website to a different address and went to change the google listing for his business only to find that someone had also claimed the business. We have tried requesting ownership, we filed a formal 3rd party dispute, and we have requested a domain change. Through all of this we have just been completely ignored by google. I cannot figure out for the life of me how to get someone from google to help us verify his ownership of the business.

Its had a real impact on how many calls he's getting for work and has created financual hardship for my parents and there is seemingly nothing we can do about it.

If anyones been through this or something similar and has advice please leave a comment. Any help is greatly appreciated.

Can you share the domain?
Well since it involves my last name and former home address unfortunately I cannot without doxxing the shit out of myself
> Even if the risk is low, however, maybe it would still be better to switch to something else that is even lower risk? The problem is that security and policy lockouts are something you can find with any service. For example, in HN discussions people will often recommend Fastmail or Protonmail, but they've had their problems too (FM: 2017, 2020, 2022, PM: 2018, 2019, 2021). Especially given that these are much smaller services I'm not convinced that the risk is lower there. Any system is going to have to handle this sort of problem, and you're not going to find one that never has false positives.

Good breakdown for this person's use case.

I disagree with the conclusion above though. My experience (as a person who handles technical support around these issues, for customers of Gmail and more specifically ATT/Yahoo/SBCGlobal) is that many people that get locked out of their accounts do not understand all the options available to them to regain access. Also it appears, to me, that at least for Fastmail, their security protocols are a bit more friendly, less strict about how the security is applied (I.E not spamming customers to use the security methods, changing the methods willy/nilly without warning). Also Fastmail sends an email to your mail email account if you accidentally trying to use your main account password in an app specific use-case, I.E makes it easier to understand how the security measures are being applied.

Also the security measures implemented by providers that you pay for, appear to me, to be designed to be customer centric, rather than trying to create a blanket one size fits all approach to security that I feel google tries to implement (because they have so many customers). My meaning about this is that the control of the security options appear, to me, to be more in the hands of the customer to implement how they see fit, where as google security measures appear to be implemented from a cover our assess approach and not really designed for the customer per say.

> The problem is that security and policy lockouts are something you can find with any service.

This is one of the reasons I don't like or trust SaaS as an end-user, at least for critical failure points.

It's not just about policy lockouts; the company can go out of business or get sold and the product shut down. Data leaks and breaches can be a greater risk since you're too small to target as an individual but all users collectively is another story. Outages, both locally and service-level, can prevent you from having access to your data when you absolutely need it (doctor or legal appointment etc.). Oh and they will track you, make you a perpetual guinea pig for A/B testing purposes and can change critical features that you depend on at any time of their choosing without notice.

There are trade-offs in the other direction, like the mobility and the convenience to access data across multiple devices. For historically expensive products (like Photoshop and Pro Tools), subscription based models make services more accessible. It's just too bad that we can't seem to land on the best of both worlds as the common case. I'd like a subscription model and the ability to sync data across devices automatically (preferably using e2e encryption) without the software being at all "web based."

Using your own domain with a well-reputed registrar is the way to go IMO. It makes you independent of the email provider used. Registrars don’t run algorithms to lock out domain owners. You can also move between registrars when needed. Domains can be locked ("Client Transfer Prohibited") and set to auto-renew, which nowadays is the default. You can have an actual paper trail proving your domain ownership. Depending on jurisdiction, you have certain rights associated with your domain.
For the 99+% of us who aren't computer savvy, "using your own domain with a well-reputed registrar..." is as achievable as suddenly speaking Sanskrit. Think outside the echo chamber.
While my recommendation was targeting the HN crowd, where I assume some level of computer savviness, buying a domain doesn’t require technical expertise. Wiring it up with an email provider may require some, although providers often provide good instructions, and, more pertinently, you can also buy this as a service, or have a friend or family member take care of it. The important part is that you own the domain.

I fully agree that it should be made easier. But people have to create the demand for that to improve.

>... buying a domain doesn’t require technical expertise.

I respectfully disagree. I succeeded in buying my own domain but it was a VERY painful, confusing, and disagreeable experience, which I wouldn't recommend to anyone who's not amongst the HN techie crowd.

When I bought my domain, granted a decade ago when there were fewer TLDs, it was a typical search bar. Then click Buy then enter payment and user info. It wasn't any more difficult than any other online purchase. The config/DNS steps require a certain level of techiness but buying the domain, the key step, was easy.
What is usually not mentioned is that enabling two factor authentication is a mayor reason for people getting locked out of their accounts.
Actually, in my experience it can also bite the other way around:

I was locked out of my Google account after using it in Italy and coming back to Germany. Unable to login: It would first ask username, password, then send me an a-mail, then ask for the code from the e-mail (which I provided) and then either tell me to enter a phone number (Google is not going to get it from me!) or alternatively:

“You're trying to sign in on a device Google doesn't recognize, and we don't have enough information to verify that it's you. For your protection, you can't sign in here right now.”

If that isn't dystopian.

I interpreted the phone number requirement as a signal that “had I setup 2FA, it would not have asked for the phone number but maybe just the second factor?”. Then I went on an odyssey to setup a Google account without linking it to a phone and with 2FA enabled (also not linked to a phone!). Seems OK so far, but the procedure is highly complicated and partially luck-dependent. I am probably going to publish it, because there are tons of articles about how to setup Google account without phone number, but none of them worked for me at the time :)

I still do not rely on Google for anything but the search engine which still works without any login...

> I interpreted the phone number requirement as a signal that “had I setup 2FA, it would not have asked for the phone number but maybe just the second factor?”. Then I went on an odyssey to setup a Google account without linking it to a phone and with 2FA enabled (also not linked to a phone!). Seems OK so far, but the procedure is highly complicated and partially luck-dependent. I am probably going to publish it, because there are tons of articles about how to setup Google account without phone number, but none of them worked for me at the time :)

I'd be interested, even if it was just a rough guide. My experience has been that some services apparently let you sign up without a phone number, but then try to extort it out of you either at first login (or worse) after you've used the service for awhile.

I've noticed some of my own old accounts (not google anyway) seem to be grandfathered in and do not have a hard requirement here.

> I'd be interested, even if it was just a rough guide.

Here we go: https://masysma.net/37/google_how_to_create_an_account_witho...

You might notice the date on that page being 2021/04/06 -- I had this in draft state for a long time, but newly put it online now. What has worked back then may not work anymore, though.

> My experience has been that some services apparently let you sign up without a phone number, but then try to extort it out of you either at first login (or worse) after you've used the service for awhile.

Yes, that is basically what Google did to me, too. It was not a new account either -- from 2012 (I still have the initial "registration" e-mail).

I just checked: I can still login into that account that I had created around 2021 when I discovered the "trick" as described on the website. It asked for username/password/2FA and that was it. I did not use it much in the meantime, though.

There is a lot of bias at play here. You only hear about the newsworthy lockouts because they are in the news. You don't hear about lockouts that didn't hit the news because, well, they didn't go viral. But they still got locked out...