FYI: Google Can Lock You Out Of Your Account For No (Legitimate) Reason. And When That Happens, You May Be SOL
A cautionary tale about how the excesses of big tech are allowing major tech providers to ride roughshod over users’ right to access their own data
Cross-posted from Reddit (/r/degoogle); lightly edited for clarity and formatting:
So I’m delighted to see that there’s a whole subreddit for this topic.
But before I do some digging through the posts here let me quickly share my story.
I have been using Google and Gsuite for many years. In fact, I’m old enough to remember a time when it was called Google Apps.
How long exactly?
If I were to venture a guess, I’d say around 10 years.
For the past several years (at least) I’ve been paying monthly for access to two Google Workspace accounts.
It’s kind of the digital glue that keeps my personal and work lives in good working order.
I make liberal use of the full panoply of cloud-hosted services that Google puts at users’ disposal.
I answer email from Gmail; use Google Calendar to set myself hacky reminders about what I need to get done by certain deadlines; create custom Google Maps before I embark upon trips to map out sites I want to check out.
Oh, and I’ve got a few years’ worth of photos in Google Photos. That particular trove of data includes thousands of personal photos, including some of deceased relatives. The only way I can access that data currently is via the only device in my possession — an Android — that hasn’t been blacklisted by Google’s uncaring security features. But Google doesn’t care for such trivialities. It’s too big.
As a longtime Linux user, I’ve always loved and appreciated the fact that Google’s services live in the cloud. That means less Libre Office <> Word tug of wars for me to deal with. We can both agree to exchange Google Docs and get over that particular headache. Much more than that, for a long time, it made intuitive sense to me that everything should be cloud-hosted where data remains accessible from anywhere on the planet (even if that means it’s simply being hosted on somebody else’s computer…). That’s what I thought. Before the cloud turned on me.
Although my accountant could probably pull this information up for me, I have no idea what my cumulative spend to Google has been over the years. I’d imagine it’s in the thousands at this point. Sure, a true minnow in the ocean of paying Google customers that I’m sure is littered with tech titans spending six figure sums for access to Google’s infrastructure. But I’m a paying customer nevertheless. And what I’ve experienced from Google this week isn’t how paying customers deserve to be treated.
Now let me tell you my war story.
Because it illustrates why I think that big tech companies in a position of market dominance need to be held to better account. Their potential to seriously screw with people’s lives is just too big for that not to be the case.
I spent the last few weeks on vacation in the US.
While there, I received a warning about suspicious activity on my account.
Once of those cookie cutter ones. Thinking relatively little of it, I assumed that the Google filters didn’t like the different IP activity caused by checking my email from a few different cities / hotels / etc while moving about the US. It said as such. I reviewed the login activity and everything looked okay.
I changed password per Google’s demand. I disabled and then recreated 2FA — which I use on just about every service that offers it as a feature (if I recall correctly, there was no other way to change the password). I made sure I had access to both the recovery email and password. I thought I was doing everything by the book, exactly as Google wanted it to be done. And so I moved on with my life expecting to be able to access my email.
Earlier this week, I returned to my home country to find my Google account totally inaccessible.
Needless to say, this is is never the best thing to come home to when you’ve just taken a 12 hour flight full of screaming children and have meetings to prepare for the next day (noted on a calendar that you can now only access from an Android device that’s now conveniently out of juice).
And then, in a moment, I realized how grave the risks of allowing oneself to become dependent on a single entity that controls everything from your email to your calendar to your personal photos to your burgeoning interest in videography could be (I recently got into YouTube and while my account remains relatively small, I still receive a small stream of daily comments).
If you want the boring technical details then here they are:
I can’t log into my account because it triggers a warning that I’m violating my own “two factor policy.” That’s the start and end of this cryptic technological dead end. Even if I click the shiny blue ‘forgot password’ button that’s as far as I can get.
There’s no option to provide backup codes. Or to verify the login attempt through my recovery email. There are just two lines of text. And no instructions other than to contact your “admin” (which doesn’t help when … that person is you!)
I have my 2FA codes at the ready in my password generator, my updated password, my recovery email, and my recovery phone. As far as I know, this is everything Google “tells” us to do. You could say that I’m potentially the textbook Google user. I’ve attempted to implement every form of security on my account that the service asks us to in an attempt to keep my account safe including approving my phone as a safe device that’s ready to accept security prompts. And none of it has helped. In fact, it may have even gotten me locked out of my own data.
As a tech enthusiast that cares about cybersecurity, I ask myself how it is even possible to wind up in a situation like this.
I realize that it sounds too far-fetched to be true. And yet unless I have been hallucinating for the past few days, it really is.
Other pertinent questions:
If Google can summarily seize access to your account, what’s the point of all this second layer security for account recovery is?
And if I didn’t have a second Google Workspace from which to contact Google (or know how to create a DNS CNAME in order to pass the first part of the authentication test) how would I possibly have been expected to resolve this!?
What I didn’t expect is how useless Google has been or unwilling to … you know, let me access my own data. Such as the calendar appointments and emails and bookmarks that collectively forms the digital glue that holds my life together.
Their support is virtually non-existent and — for Workspace — appears to be exclusively comprised of outsourced tier one workers whose grasp on the English language can be limited (like their ability to lookup support threads).
It’s been almost 3 days and the best I can get is half literate support staff with obviously fake names who tell me that the “account recovery team” (whom I can’t speak to) is “looking into” my case. They won’t tell me who these mysterious “support engineers” are. Nor provide me with a guaranteed time for account recovery — presumably because I’m still considered somehow suspect to them.
I’ve tried, without success, to impress upon Google how serious and potentially even dangerous being locked out even temporarily from Google is (I almost wasn’t able to receive medical test results needed to get out of quarantine thanks to it).
It’s caused massive disruption to my business even in the short time frame so far.
To issue clients with invoices in a reasonable timeframe, I’m currently having to forward payment confirmations on from my personal email that can only be accessed from my phone. To attend Zoom meetings that are booked on my calendar, I have to copy and paste them into an email and send them to myself — to the business email that I can still access.
None at Google seem to get it. Or remotely care about these trivialities.
Calling this experience “shoddy” wouldn’t be going far enough, in my opinion.
Take a customer’s money, harvesting their data (isn’t that what all these guys do?) and then not giving a toss when your systems wrongly lock them out. How low can you go?
I’ve gone through all the verification processes repeatedly including answering a ridiculous “knowledge test” intended to prove that I (the sole user of the account) am … me.
I’ve created a DNS record to prove that I own my own domain.
And yet the majority of support representatives I’ve contacted at Google have not so much as apologized for any of this.
None have been able to so much as offer me a reason why my account was locked. I believe that, at a minimum, this should be my right to know.
To the best of my knowledge, my only wrongdoing has been travelling and accessing my Google account from a few different IP addresses while I moved between hotels (as one does when on the road…).
This is in itself a total deal-breaker. Nobody at Google has been able to provide even the slightest degree of reassurance that this couldn’t happen again. So what, given that fact, is one who wishes to continue using Google’s products and enjoy travelling expected to do? Never leave one’s home town out of fear that accessing your email from a new IP or device could paralyze your business and leave you data-less?
By any standard of what proper customer support should look like, the experience has been complete rubbish.
It’s like dealing with a massive bureaucracy that’s also an authoritarian anarchy that just makes up its own rules and tramples over the little people that fall victim to its (flawed) technologies.
While trying to research how something like this could even happen, the good and often very knowledgeable folks over at Reddit (incidentally, it’s where the anti-big-tech moment has coalesced) have taught me that being the sole user on a Gsuite account (as super admin) is bad practice.
That’s fine. And I accept that this represented a degree of fault on my part.
a) If that’s really true, then Google has a responsibility to warn users about this repeatedly and in clear terms. If that’s really the case, potentially don’t even let users operate single user accounts. I’ve been doing just that for more than 10 years. It shouldn’t take a major business continuity incident like this to tell me that that wasn’t okay.
b) That still doesn’t excuse the fact that their support is atrocious — even downright abusive — and that they seem incapable of understanding that locking people out of infrastructure they’ve come to depend upon is unethical. Actually, I believe that it should be illegal. The implications are scary and far-reaching. I came very close to being stuck in quarantine — without a means of leaving my home to order food and water — because I couldn’t access medical test results that were being sent to the email I could no longer access. What if I didn’t know enough about tech to know that I could (in the worst case scenario) re-route email by changing MX records? What would I have been expected to do then? What if I missed a flight or a job interview because I couldn’t access my Google Calendar? Or a surgery because that’s the only place in which I’d noted the details?!
And finally c) if one single user Google Workspaces have to have a separate admin user then the de facto minimum is two seats and not one. Not a deal-breaker. But their marketing literature should reflect that fact.
To say that this experience has been eye-opening would be a gross understatement.
It’s been nothing less than completely alarming.
I’m not planning to de-Google my life to the fullest extent I can as a knee-jerk reaction to this experience.
I’m doing so because I’ve seen very clearly this week that depending upon this company to be a reasonable custodian of your data seems like a very irresponsible decision to take — whether you’re a solo consumer or a business.
You need to stop treating your paying customers like cattle.
You’ve gotten big.
You’ve developed some great tech.
But your ambition seems to have stretched beyond your ability to regulate yourself.
I worry that countless digital lives will be disrupted by some of the practices you are currently implementing.
3 Ways To Protect Yourself From Getting Digitally Cancelled By Google
A random fraud detection filter is all that may stand between you and being able to access your digital life through…