I've blurred the sender because it might have been a hijacked account, and it's not like it's hard to get a new gmail account anyways. You can also see that I've blurred all the other people too. Yeah, the scammer cc'd all his targets.
I was in a good mood, so I replied and made fun of him and warned all the other recipients that, "hey, just in case you're distracted, yes this is a spam email". I didn't use any curse words, or strong language, but I was a bit edgy.
Two days later, my google account was suspended. Apparently, my account was being used to send unwanted e-mails. Ha! I just became a spammer.
And let me tell you, it was very frustrating to be blacklisted like this. A little context for you, I'm a DevOps engineer and I've been using gmail for the past 15 years. I'll skip the classic 'my files, my contacts, my email' because I had backups.
But I lost access to paid services that I had set up with social login, besides all Google's services (GCP, firebase, youtube premium, google one, subscriptions paid through play store, google ads, etc, etc). And here's the kicker: my gmail used to be the contact I shared with potential clients, current clients, and job applications which, by the way, I was actively job seeking. Not because I don't like my job, but because I had pushback on my raise on a recent promotion, so I was trying to get offers to make a point.
But what if I was out of a job? What if I was expecting a contract to sign? What if I had an SLA with a client? What if my bank or the government, health plan, car insurance, or any of the hundreds of notifications that I've set up throughout the years was triggered and needed my attention?
I know about terms of services, that they're a company and they can do whatever they want. But what if your car maker could take away your car if you turned right without signing first? Or if you went over the speed limit? What if you were a salesman and samsung could take away your phone because you're using it to call people to do your job and they've reported you for unwanted calls? Or AT&T could take away your phone number because you said a curse word on the phone?
You could argue that gmail is not a product that I own, but I paid for it, so technically, don't I own it? Don't I get the right to use it while they figure out if I'm really a spammer or not?
That got me thinking, what is an identity? How can I prove that I am who I am? I thought I could just share my profile, or gmail, or phone number, or identity and prove that I was who I was. But all those things can be taken away because of some rule that can be judged and enforced by someone else.
The google stack is very convenient, and it's 2022, I'm not going to start hosting my email server, but I'm in need of a foolproof and long lasting solution to online identity. And I've started by purchasing a domain name for 10 years and having a 'catch all and forward to gmail' rule setup. So I can just forward it all to somewhere else in case I lose my gmail again. But what if I get reported on my domain name? What if that gets suspended or blacklisted too?
Should we own the free services that we've paid for with money and data? Do we own our identities? Do we own our phone numbers, emails, handles, PO boxes, addresses?
What do you use for identity? And what are your thoughts on this? Am I overreacting?
I signed up to Quora with my Facebook account, back in the day. Deleted Facebook in 2013 and lost access to my Quora account, with no possible way to recover it.
I haven't used a social login since. In my case, it was fairly harmless, but it made me realise how dangerous social login is. Every time there's a signup, I look for "signup with email". It's the safer option. And if you can, use your own domain for email (Google's paid email offering supports this, as does Fastmail and countless other email providers). That way if your email provider decides to flip you off, you switch DNS records and you're up and running somewhere else, and everything keeps on running.
But: If you don't have a copy of emails then you lose all saved emails, so make sure you have a backup strategy in place.
So, you can use social login (OpenID Connect in reality), as an automated form filler and add your password, so your account effectively won't depend on that provider anymore.
I use a lot of services like that.
I think the whole point is not having to create yet another password.
One solution to all of this is to have some kind of durable identity verification that the user controls and can use everywhere. There are serious challenges with that of course, which is why we don't have it yet.
I connect all my logins with my (custom-domain) E-mail and also do regular IMAP backups of my E-mails. I run Thunderbird once a week and sync all mails.
Ideally one goes in life forcing failures to be uncorrelated, but that's extra work. Anyway forcing them to be correlated is also extra work, so just don't.
But you're far less likely to ever have any issues with your domain name provider, because you literally only have your domain with them, and don't interact with them outside of that.
I would say if you want to be extra safe, your domain provider would NOT be your hosting provider. Because you can lose your hosting, too, and we've seen stories like that here a few times.
I'd love to have webmail on my own domain, hosted by someone else, and with ads on the side. Those ads should generate ~$20 per user per year (after all, they can be targeted based on emails I'm sending and receiving, and I'll be looking at them many minutes every day - the perfect combination for high revenue ads).
With $20/user/year, there should be no difficulty paying the hosting costs of such a mail server and staff to look after it.
I'll tell you why: because you are not worth that much to advertisers. If you are so cheap to the point of asking to get your data harvested, chances are you are never going to be a high-value customer.
It looks like Zoho might have a free plan too but I've never tried it https://www.zoho.com/mail/zohomail-pricing.html
ImprovMX also does email routing for free along with webhooks and such
Unfortunately I doubt that would work. Any email solution hoping to get significant use will need to be able to send as well as receive and/or store & organise, because if someone is needing to run their own send route elsewhere they'll run their own receive route there too, and any free email solution that allows sending will be abused in any way possible by junk mailers and other scammy types.
It would be a constant fight to keep the service off black-lists and dealing with the backlash from:
* people blocked rightly because of service abuse
* people blocked because of a false positive in what-ever automated checks you do (the admin involved in doing all the checks manually will be excessive enough that it can't all be done manually)
* those who are inconvenienced by the service, even temporarily, being on a blacklist
And that mass of spammers such a service will attract will be worthless: they'll have everything quickly automated and won't even glance at a single one of the adverts.
> With $20/user/year, there should be no difficulty paying the hosting costs
I doubt $20/user/year would cover it unless you get a decent number of subscribers. And I doubt there would be enough people who would sign up for this, who are not already using gmail or similar big providers that already exist or mail provision included with their web hosting or domain registration service.
Of course my gut reaction could be quite wrong here: why don't you give it a go? If you are right then there is a market to corner that no one else is looking at yet so you could make it big.
Except the domain renewal fees, it's free.
If Gmail blocks me, I can readdress the forwarding to hotmail or usa.net or whatever.
If they can't make it work, why would anyone else have more success by offering even more features for free?
And if you're already buying a domain name then why not just pay for the email account too?
I'd like to self host data and webmail and pay somebody else to manage the headache of delivering and receiving.
Did the same but lost my Spotify account. Needless to say, but I haven’t used Spotify since then.
Google meanwhile has the same business-to-business support that it does for private customers like the author here. For some services it’s because Google doesn’t care, but they do care about Education and they still can’t figure out how to readjust to be a valuable business partner even when they actually want to sell you something.
So my best advice to anyone using Google services would be to find a better vendor as quick as possible. It’s completely ridiculous that you can lose your business account over someone replying to a spam mail.
Just imagine if Microsoft kicked the Danish government out of Office365 every time one of our employees did something silly in their emails. I know there is a difference between us as individuals and the Danish government, but the point I’m trying to make is that there isn’t, not to Google at least. So maybe they are just a terrible vendor?
This is all anecdotal by the way. I haven’t seen anyone complain about getting locked out of their azure essential subscription, so in my eyes that is simply a safer way to pay for g-suite type services than g-suite. That being said, I do personally host my domain and DNS stuff on their own separate accounts at their own separate vendors, both privately and professionally, exactly because you want that stuff to remain unaffected by everything else.
My experience with Google's business support is that instead of talking to a brick wall, there's now someone between you and the brick wall. Support is very responsive, and the response is always "I've filed an internal support ticket". When you ask for an update after weeks/months, the response is basically "there has been no update on the support ticket". As a bonus, your support ticket with them will sometimes auto-close because there hasn't been any activity - I had to ask Google Cloud support to re-open an unresolved issue three times once.
That feels a lot like the support my company (multi-billion dollar company) gets from MS and other vendors. We have super friendly people to interface with but if you have a real problem nothing happens besides a lot of friendly phone calls with "action items" and "follow ups". But when an issue hasn't been addressed for months it's a taboo to call that out. Even the managers at my own company don't like when you say "issue X hasn't been resolved". Instead it seems an unspoken rule to just keep scheduling conference calls that never lead to anything but are very friendly and upbeat.
I've worked both with small clients (under $1k AWS spend) and big ones (monthly billing on the order of my yearly salary) and both got pretty much equal response times from their (paid) support.
The BigCo of course had a dedicated direct contact on company Slack for any issues and zoom calls with AWS staff before big launches - but anyone can get it if they spend money.
Google on the other hand seems to be completely opaque. The front page of HN seems to be the best way to get stuff resolved.
There is really nothing you could do with a car to prompt the car maker to take it from you. And the state will only take it if you break the law in particularly dangerous ways.
When it comes to other possessions it's even harder for anyone to take them away from you. If I take a kitchen knife and stab someone with it I will go to prison for sure, but I don't think they will take the knife away. They definitely won't ban me from buying knives.
But when it's a digital service, even something as crucial as a banking service, it's seen as normal that you can lose them for posting offensive things on twitter. Perhaps it's because we haven't had these digital services for long enough to consider them as really belonging to us, so we accept that they can be taken away at the slightest provocation.
Interestingly the problem of people excluded from the banking system has been addressed by statutory regulation in the UK: https://www.gov.uk/government/collections/basic-bank-account... ; see also discussion at https://publications.parliament.uk/pa/ld201617/ldselect/ldfi... which covers the question of people with inadequate ID.
Getting your email account wrongly banned is an injustice, whether trivial or costly, and whether or not you have alternative arrangements. That's why people are (generally) rightly cross that it's happening. That feeds into wider questions of "why is justice so expensive" and "how does a local justice system address the bad behavior of a multinational". These questions tend to get resolved incredibly slowly.
I wonder if the effort behind this is a Baptist and Bootleggers moment. Surely some maybe most want to solve something that they see as a societal problem, others see opportunity a la payday lenders, and others see an opportunity for social control. Maybe the people who see not-banking as a social problem also want to use the end result to "nudge" participants in the right direction.
To put it more bluntly, my eyeballs are watched by AI to make sure I pay attention enough to deserve the full use of my vehicle.. it's beyond punitive, it requires my positive behavior.
ALSO bonus, if I did something with my vehicle that resulted in losing my account, I would also lose access to my home electricity system.
A normal car in 2022 will not constantly surveil you. No critical functionality is tied to an online account in any non-Tesla mass-produced car that I am aware of.
Somehow I am not sure why, we as technical people, and I would even think that most of the people in these fields are also into fiction and sci-fi, we are taking only the worst things from novels and stories, instead of the good ones, VERY slowly transforming our society into a dystopian nightmare.
Since this is Hacker News I'm sure there will be some who can say the two are compatible, but it will only appear that way to the wealthy and the elites -- the rest of us will gain none of the benefits and will be seen solely as "customers" or "partners" from which revenue must be extracted.
One only need look at the transformation of business from selling products to selling services, changing a sales relationship into a rental relationship. For businesses operating key or critical technical infrastructures this is equivalent to a corporate "universal basic income", such as will never occur for the common man.
For cars I don't think this future is distant at all, ten years max.
I have only one objection here: Doesn't feel all that slow to me.
Maybe one day your Tesla will simply drive off if you don't pay the bills, or worse work for the SEC
Just like your fridge may not dispense water if you buy the wrong filter. Or your random IOT enabled device will refuse to work if you don't let it phone home with surveillance data.
This is true. Generally if you stab someone the police would seize the knife as evidence, but after your trial if the prosecution didn't file a forfeiture case against the knife, then it is still yours and you can get an order from the judge to return it :)
p.s. civil forfeiture cases give the best names, e.g. United States v. Article Consisting of 50,000 Cardboard Boxes More or Less, Each Containing One Pair of Clacker Balls, 413 F. Supp. 1281 (D. Wisc. 1976)
Maybe not take it from you, but with new cars that are always connected (Tesla et al.), they can certainly make them quite terrible if they want to... access to superchargers has been removed when "owners" use unauthorized work shops for instance.
Alternatively, the government will just take over basic id services (think first.last@yourcountry).
Anything that you get from the internet is a service. Even connecting to the internet is a service. And providing a service is ongoing work.
What we need is recognizing services as essential and guaranteeing people have access to them. This is something for the government to do, and the guaranteeing access part is quite complicated when the service can be exploited like email.
Perhaps in the new era of tech we'll have better data portability and ownership. Sure, maybe Google can kick me off but they should still let me export all my data.
See my reply below about public blockchains.
So it's not inherently wrong to say a user of a free service should have some rights. In some situations, it's not fair to pull the rug out under people.
I think that there will come a point where we need to have independent tribunals governing the behaviour of large web services. That point will probably be reached 5 years ago.
Now it is impossible to find unlimited rentals, every contract has yearly extensions! In some countries landlords even rotate tenants every two years, else they would get extra rights from long stay.
If the owner could go to a small cases court and get a bad tenant kicked out with minimal cost, he wouldn't try so hard to defend against the rule.
Either way people will use the system to their advantage.
[1]: https://www.bfmtv.com/immobilier/un-proprietaire-dont-le-log....
[2]: https://www.ladepeche.fr/2021/11/12/temoignages-loyers-impay...
I believe similarly in the US you can't just take away someone's car because without it they might not be able to get to work and probably would never be able to pay for their debt.
Likewise having an email address is becoming a necessity in life and therefore closing an email account would make it difficult to function in today's society.
The same goes for having a bank account.
All these things should have legal protection.
In theory, you agreed to all the ways they can screw you over when signing up. In reality of course no one can be reasonably expected to understand the full ramifications of multi-page terms of service.
I'm happy that EU is pushing this ownership argument forward. GDPR seemed unreasonable just a few years ago, now it's the new standard. I also don't think it's the final destination. We're moving towards more regulation, but that's expected in any mature industry.
However, this specific topic to me isn't as much about ownership as it's about redundancy and diversification.
Of course it's not a good idea to build your whole identity on some corporate identifier (@gmail.com, @icloud.com...). Of course your business income shouldn't be based on a single platform (e.g. youtube demonetization, facebook news). These problems could've been foreseen even without the benefit of hindsight.
There's no such thing as absolute ownership anyway. Even your money or real estate belongs to you within the framework of modern banks and governments. Doesn't mean this ownership isn't meaningful, just that there are always limits and gotchas.
The most meaningful thing you can do is own as much of your digital surface area as you can. Having everything under your own domains will get the most bang for your buck. I don't bother with self-hosting, but for someone else that would be a must. Your mileage may vary.
For full porting, there's a long road ahead, starting with regulating domain names, which email addresses depend on. However, as long as the domain name _de facto_ remains in the possession of the original provider, this is technically possible, already.
Email address porting might even be possible without a persistent domain/DNS entry. After phone numbers get ported, the _sender_ (of sms, or a call) caches the new routing, and the original carrier doesn't know the ported phone number is getting a call in the new carrier's network. I'd be interested in discussing this sort of thing for well established internet services (such a central authority already exists, ICANN, but perhaps legislators can come up with a non-US authority for emails)
There's no reason for a complicated legal structure to ensure mail forwarding (which just begs for abuse). Users already have the power. Use it.
All people sending email will be required by law to first consult the porting server to determine where to send email. It could be as simple as an http endpoint. Total development costs and running costs could be pretty low - low enough that the government can argue it is more than paid for from increased tax revenue from mail providers.
In the event that an ISP or digital services provider wishes to cease providing email service, they could be required to provide minimal access to enable updated provision of either a forwarding email address (which the provider would forward mail to), or an MX to redirect the sender to use. This would avoid the need for a big central "porting server", and retain the simplicity of doing a DNS lookup for one or more current MX records.
Given spam challenges, the former is likely unattractive (who wants to use their own IP ranges to relay potential spam to former users?), but the latter could likely work, or be made to work.
I realise the MX approach doesn't quite work, and you'd likely need to relay the email, but this is more akin to how the phone number porting system works - you ask the number block owner on each call, and they can either accept the call, or point you towards the correct destination network.
This topic is of indirect relevance and interest to the UK telecoms regulator [1], since many households rely on an email address from their ISP, which could become a barrier to switching, or result in long-term extractive pricing from users who have no real choice other than to pay a former ISP over the odds for email service to retain an old address.
[1] https://www.ofcom.org.uk/about-ofcom/latest/features-and-new...
What could possibly go wrong?
Could I urge that posters follow the site convention of prefixing the title with Ask HN, Tell HN, etc. for posts that don't link to an external source? There are currently two such posts in the top 30.
HN is primarily for discussing external articles, and I'd suggest that this post should have been submitted as such.
It was fine when it was one post in a hundred that was a "Verb HN", but these days these are much more common, and the prefixes make the front page more noisy and less signal-y than I prefer. If you aren't in the habit of taking a quick glance at the domain name before opening a link, I'd encourage you to start doing that, for more reasons than this.
Good question. And my answer is probably that, as things stand, I'm not greatly inconvenienced by it.
My original post was motivated mainly by "that's not how it's done here". By internet standards, I think that HN does pretty well as a self-organising community. And part of that is a general, loose adherence to norms. To maintain that community, I think that sometimes it is necessary for its members to point out those norms in a friendly way - without trying to police anyone's behaviour. That's really all I was trying to do.
To me, an important part of HN's value is to direct me to external things. If the norms change so that a significant number of submissions are hosted directly on the site itself, then HN becomes a very different beast. Probably more inward looking, and maybe more like that other site that the guidelines tell us not to compare it to. I think that would be regrettable.
More practically, "Tell HN" and "Ask HN" are hints that the post is addressing the HN community rather than the entire net. That could be useful in deciding whether to read it. And, as a sibling comment mentions, those prefixes result in posts being added to certain lists.
Even though this didn't happen to me I learned that my Gmail is too important to lose so I can't use that account for anything else and that's dumb and shortsighted of Google.
It says a lot that this hasn't been fixed in 10+ years to safeguard your Gmail account in particular. Uploading an offending image (which could be an accident) to Google Photos shouldn't terminate your AdWords account.
Do NOT send everything to gmail via forward. Every bit of spam you forward is going to count against your domain name. I had someone who did this on a community server and it wrecked our rating for a while.
Instead, have gmail pick up your email via pop3. This will avoid the "spam origin/relay" problem of forwarding.
The fetch approach has some significant caveats.
Firstly, it introduces something like 5–10 minutes of latency before you receive messages compared with forwarding, so it’s not suitable for every purpose. If you’re accessing via the webmail, forcing a refresh may trigger remote fetches too, if you know to expect something.
Secondly, if you leave messages on the server, there’s an undocumented limit at which point it will stop fetching mail, probably without notifying you. Back in early I think it was 2015, I went for a couple of weeks before I realised I wasn’t getting any email to what had been my primary address for six or so years (there were still just enough things going to my @gmail.com address that I didn’t notice), and on investigation, it told me that it refused to fetch from a mailbox containing more than 50,000 messages.
(Qualifier: I haven’t touched Gmail for five years (I now use Fastmail), so parts of this could be obsolete or altered.)
I set this up a couple of weeks ago. I think Gmail only allows pop3 for email fetching, because I just couldn't get it to even try connecting to my IMAP. pop worked great though.
The settings even list "POP Server", not "Server", even if you choose port 143 or 993.
> I don’t think there’s a single legitimate reason to use POP3 any more
Well, pop was designed as a "download the messages" protocol, IMAP as a "keep messages on the server" protocol, right?
So while it doesn't prevent IMAP, pop is actually a better mapping in intent.
Pop is clear about what "the email" is. IMAP opens questions like "so… all email? Or just INBOX, or what?". And while it's not mandatory to delete the emails from the server with pop, it becomes even more of a complex question with IMAP.
The choice of pop3 very strongly implies answers to all of these questions, with no surprises.
Are there downsides to pop here that I'm not considering?
Ironically, you would not have this problem with POP3.
Here is where I am heading (having given the matter much thought and some testing, trial and error)
Free Gmail/Cal account as I enjoy the software
My own custom domains with any registrar
Paid Fastmail account storing all my emails to all my domains/aliases at Fastmail
All Fastmail messages forwarded to Gmail
Mail from Gmail sent through Fastmail's smtp servers
This gives me the mail/cal app I like and the freedom to move. I don't have a problem with paid. Google are forcing Workspace on me when all I want is email with custom domains.
The configuration of the service is much easier than Google makes it. Filtering took some getting used to, but I have it working much better than I ever could on Google, so happy bunny there. And the Android client is OK too.
The only meh part (for me) is the web interface for email/calendar isn't as streamlined as Google, but being out of that eco-system more than makes up for it.
These days I pick a provider for each service that lives and dies by the quality of that service. Fastmail has 'mail' right on the tin.
I am curious: What made you switch from Protonmail to Fastmail?
1. Is it easy to set up the redirect from Gmail to the new account?
2. When I send email from new account (custom domain), how are you completely sure it is not going to be on spam? I send unsolicited emails to people in big corps (journalist asking for interviews/comments, not spammy :-)
Yes super easy. You can do this using Gmail's filter service. However, many services will also let you log in to gmail via POP/IMAP (OAuth for auth) and fetch the email from your gmail for you that way.
> 2. When I send email from new account (custom domain), how are you completely sure it is not going to be on spam? I send unsolicited emails to people in big corps (journalist asking for interviews/comments, not spammy :-)
I guess it's hard to know for sure, but I've not noticed any problems with this when the underlying provider is a well-known sender such as Gmail or Fastmail.
On sending from a custom domain, your mail provider walks you through setting up a few additional DNS records (for DKIM, SPF) that allow you to send from your domain through their servers. They maintain the reputation of their IPs and so you get their good deliverability.
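An added example, not part of the thread or any poster's code: a small offline check of the SPF and DKIM TXT records a custom-domain setup like the one described above ends up with, including the two-SPF-record state that is easy to leave behind when switching providers. The hostnames, record strings and function names are constructed for illustration.

```python
import re

# RFC 7208 caps the DNS-querying terms evaluated for one SPF check at 10.
SPF_LOOKUP_LIMIT = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def audit_spf(apex_txt):
    """Return findings for the TXT strings published at the domain apex."""
    records = [t for t in apex_txt if t.lower().split(" ")[0] == "v=spf1"]
    if not records:
        return ["no SPF record published"]
    if len(records) > 1:
        # Typical after a provider switch: the old record was never removed.
        return ["multiple SPF records (%d): receivers return permerror"
                % len(records)]

    findings = []
    lookups = 0
    all_qualifier = None
    has_redirect = False
    for term in records[0].split()[1:]:
        modifier = re.match(r"([A-Za-z][A-Za-z0-9._-]*)=", term)
        if modifier:
            if modifier.group(1).lower() == "redirect":
                has_redirect = True
                lookups += 1
            continue
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier

    if all_qualifier == "+":
        findings.append("'+all' authorises any host to send as this domain")
    elif all_qualifier is None and not has_redirect:
        findings.append("no 'all' term: unlisted senders evaluate to neutral")
    # Lower bound only: lookups inside included records are not visible offline.
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append("%d DNS-querying terms exceed the limit of %d"
                        % (lookups, SPF_LOOKUP_LIMIT))
    return findings


def audit_dkim(selector_txt):
    """Return findings for the TXT string at <selector>._domainkey.<domain>."""
    tags = {}
    for part in selector_txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("unexpected DKIM version tag")
    if "p" not in tags:
        findings.append("no p= tag: not a usable DKIM key record")
    elif tags["p"] == "":
        findings.append("empty p=: this key has been revoked")
    return findings


# Constructed sample records (placeholders, not real provider values).
GOOD_APEX = ["v=spf1 include:spf.mailhost.example -all",
             "site-verification=constructed"]
MIGRATED_APEX = ["v=spf1 include:spf.oldhost.example ~all",
                 "v=spf1 include:spf.mailhost.example -all"]
OPEN_APEX = ["v=spf1 include:spf.mailhost.example +all"]
GOOD_DKIM = "v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQ="
REVOKED_DKIM = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for label, txt in [("good", GOOD_APEX), ("migrated", MIGRATED_APEX),
                       ("open", OPEN_APEX)]:
        print(label, audit_spf(txt))
    for label, txt in [("good", GOOD_DKIM), ("revoked", REVOKED_DKIM)]:
        print(label, audit_dkim(txt))
```
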
For the .contact gTLD you will find them at https://donuts.domains/about/policies/ or over at ICANN.
It's just lazy admins on a power trip retaliating, doing the easiest & cheapest thing they can think of. Hardly different from blocking an entire /24 because a hacked wordpress install on some VPS started sending spam. Big overreach, but nobody holds them accountable. It reminds me of mafia & gangster movies where the revenge is extended to an entire family/business/building because one bad actor offended one of the mobs.
Social login is more complicated. I usually set up multiple different social logins for every account to make it more redundant against this sort of thing.
Much easier to just click a button.
Nowadays, so many services are so sticky that it is not the case that a business has to give good service and also unrealistic to expect people just to go somewhere else if they don't like it.
In a different but related example, I am remortgaging. The new lender has their own conveyancer who should be handling things. The conveyancer is really slow, doesn't respond to emails or phone calls for an update and if they don't sort things by the end of this month, I will need to pay another $500 on my mortgage payment. What can I do? Go elsewhere? Not at this rate, I cannot afford to wait another 2 months to apply for another mortgage and I could even end up with the same conveyancer. The Lender isn't interested because it is waiting for the conveyancer and the only person who will be out of pocket will be me. Others have had entire sales fall through because the same conveyancer took so long.
So what I was thinking was a new law that you are not allowed to advertise or take on any new customers unless your TrustPilot score is above 4. A bit Black Mirror but it might just work ;-)
It's not just free services. Big hosting providers are taking a similar approach. You might find one day that your VPS has been deleted or your entire account blocked if they have an issue with you.
I got my private MS account suspended after asking a question on their support forums. I could only reactivate it by providing them with my number. I then tried to delete the account, but that would only be possible if I could log into it. So now they have another ghost account floating around...
PGP is a good solution, and in general the crypto space has the right idea in my opinion. I like the idea of using cryptographic key pairs to sign messages and prove identity, but the learning curve makes it impractical for general use.
The best place to start is owning a domain you control, at least that way you can manage your own facade.
This would be an excellent topic for new curriculum for the schools. Some ideas need to be generally known to be beneficial.
My domain is completely detached from my online identities, even for private and professional development to a large degree.
Many domains are pretty cheap though, not much more expensive than some mail services. Of course they don't come with respective keys for which you might have to pay extra.
It stinks to end up on the wrong end, but that's part of the cost of getting such massive benefits for free. If you want something more reliable or with better customer service, you have to pay for it.
You don't own phone numbers, emails, names, PO boxes, or addresses. You have them within a legal framework, and you can lose them in that framework. Software products may treat them as unalterable identifiers, but none of them are. Things should always be able to be changed.
Yes we can. We have for centuries. These entities exist as the result of the will of the people. We are the ones that allowed the concept of corporate personhood to come into being.
Rights are important, yes, but this isn't really about rights and everyone knows it. This is about Google optimizing their support staff to maximize their own ends over what would be jointly better for everyone. An email account is more important than a real address these days, and it is perfectly reasonable for us to expect that, at the very least, Google forward mail to a new account after closing it and quite frankly they should do much more than that, especially if someone is willing to pay for support time.
If Google locked me out of my accounts it would cost me around 200 or 300 hours of work. I would literally pay $25k to reverse their stupid decision over the alternative. What I'm trying to say here is that the cost of type 1 error here is completely borne by the public, and one of the roles for Government is to solve these tragedy of the commons situations.
What about phone porting? [1] It's ok for Google to refuse you service, but with something so critical it should be possible for other companies to pick up your account.
Although having an @gmail account on outlook sounds weird
[1] https://www.fcc.gov/consumers/guides/porting-keeping-your-ph...
maybe global scale monstrous corporations should be held to a different set of standards than mom & pop shops.
That helps you ‘own’ who you are, but doesn’t stop someone like Google from refusing to work with you in case they think you’re a spammer (though your DID can provide enough evidence that you aren’t).
There's a lot of scenarios where you wouldn't want purchase of service to transfer ownership. People providing services have rights too. You don't get to do whatever you want with their brand, trademark, copyright. And you don't get to expect more service than is promised, or that you won't have your service taken away if the service owner doesn't want to deal with you anymore.
So you ask, well how can I be protected as a user of services? And the answer is: competition, being an informed consumer, and the occasional regulation.
> Do we own our identities? Do we own our phone numbers, emails, handles, PO boxes, addresses?
Those are all great examples of why there is no simple answer.
You do not own your phone number, but you do have the right to transfer it between carriers, thanks to regulation. You don't own your own email address, but you can rent a domain name and do what you want with your email address while you're renting the domain. You don't own your handle unless it is your real name and you go to court to protect it. You don't own a PO box, but you can rent it while you pay for it.
Ownership is often just a matter of possession. Who possesses your email address? Who possesses your PO box? Hell, who possesses your house? The land it's on? The access people have to it? The impact it has on neighbors?
Identity and ownership are complex ideas that are involved in many different levels of our society. As much as people want it to be simple, it just isn't. And the world is not going to get less complicated.
Forget about all NFTs-as-scam-overpriced-jpegs, but this is exactly what web3/blockchain-based domains are for. Take a look at https://ens.domains or https://unstoppabledomains.com/
You work as devops engineer for 15y and you reply-all to spam emails?
2. Google has been like that since.... its inception? Which is why I have been Anti-Google ( one way or another ) since around 2004? Google just doesn't care. It is not in their DNA to care.
I've commented negatively about Google before, and this seems like a very harsh punishment based on what I assume is a rule/ML based anti spammer policy with no humans in the loop.
I would also recommend buying a domain for your email, that's what I did a few years ago and point it to Protonmail. It's not self-hosted but at least I can always point the domain somewhere else.
The issue is... if you see a mob/protest, Usually the police ask you to leave the place - allow them to take care of the issue. Even if your 'attempts' to resolve/negotiate/help people are very kind, the LE always says that is not your job.
Spam filtering is Google's job. Not yours.
It is possible quite a few people marked your email as SPAM and therefore you got flagged.
This may sound like victim blaming but please do not take up these tasks unless you know what you are venturing into.
Even https://www.419eater.com/ advice is to stay away from these people (for safety).
I don’t think anything you listed a typical individual owns.
Even street addresses change.
I still use Google Apps at this point as it's pretty convenient compared to standing up my own server. However, I make sure my email address is on my own domain. https://thehorcrux.com/about/
I'd argue no, and that it should stay that way, and that it needs to become more apparent that we don't own those things.
Just because I am using a certain phone number today does not mean that I'll be using it tomorrow, or still have access to it. It should therefore not be used for identification, even less authorization. Hell, it shouldn't even be a requirement to have a phone number.
Grace periods for everything (online and off) used to be 3+ months. Now they're days. These billing policies are quite literally inhumane, as they entirely ignore the logistics of being human.
I know a lot of the comments here are "Never again, I only use email". I fall into that camp personally, but it's hard to expect that kind of discipline from others.
They should be very aware that this could happen and their customers need a backup, that’s on them.
As for emails, contacts, photos, downloads, that’s on us. We need backups like you have but the vast majority of users wouldn’t even know where to begin with this.
You don’t have to. I use Fastmail on my own domain. Purchasing domain is a one time hassle.
It took me a while to realize how fucked up this "free service" was.
We've collectively been pwned by Google, big time.
I've always thought we were excessively tailoring to ease of use rather than efficiency. Recently I started questioning that idea. We should have probably designed everything with security and stability as the nr 1 priority. If it doesn't need to be implemented in software it probably shouldn't be. Add a few extra chips to the mobo or have some pci card.
Government probably shouldn't be running things like messaging services but it can offer infrastructure to facilitate it. An actual court for disputes, violations and crimes would be expensive but it's probably worth it. No bans until you get your day in court.
Even in extreme cases where you [say] want to discontinue the email service you've provided. We could have laws that force you to auction the domain and force the new owner to continue the service for the same price. OR compensate the (free) users for damages.
Case in point, any “free” service that can be used as 2FA authentication, or receive communication from at least one important life service (banking, your school, your job, etc) should fall under consumer protection. They must offer phone support and address any account closures and offer a variety of methods of retrieving the account/data. We got FINRA laws like this in finance.
^ That won’t change the world, but it would change one thing, that we all understand and can get behind. We could do stuff like this, and mobilize everyone.
Relying on Google is a single point of failure.
So you gave Google total control over your entire online presence, tying a bunch of things you depend on into a tight bundle that would all get banned at once. And, by including so many things, you created more opportunities for something you did with one of them to trigger a ban of all of them.
> The google stack is very convenient,
... except when you get totally shut down for no reason. Which is an absolutely predictable consequence.
You have a very strange idea of convenience.
> and it's 2022, I'm not going to start hosting my email server,
This reads to me as "I'm unwilling to take even the most trivial steps to solve the problem".
> But what if I get reported on my domain name? What if that gets suspended or blacklisted too?
That is a risk, but, at least as of today, it's much, much harder to get a domain name shut down than to get something like a Google account shut down.
Nonetheless, you should probably be isolating things that are really important to you under separate domain names unless they NEED to be tied together.
> Do we own our phone numbers, emails, handles, PO boxes, addresses?
The user agreements for most of those will say no. The standard on the Internet right now is "We can cut you off for any reason whatsoever and you have no recourse". It's right there in black and white. And it's been that way forever. Maybe it's wrong. Maybe there should be legal changes. Maybe there should at least be changes in common expectations. But at the moment, that is how it works.
So don't become overdependent on any of them, and don't set up a situation where losing one also loses others. This is pretty basic stuff.
The point you suggested that hosting their own email server is the most trivial step they could do to solve the problem is when I switched off.
Anyway. About your plan with the email server. We ran such a thing for an organisation in Romania. You'll be surprised how many times our emails ended up in Gmail's spam folders (other providers too, but gmail runs an especially harsh algorithm for spam filtering), even though we had DKIM, SPF and all that jazz set up. You will most likely be locked out of most people's reach, unless you use one of the largest providers. So maybe government regulation is the only realistic way out.
Google’s aversion to paying humans to provide customer service is actually a plus in most cases, as that means the nonexistent humans cannot be social-engineered into hijacking your account as is all too easy at cellular carriers. But having dependencies on as arrogant and high-handed a company as Google (or Apple for that matter) is asking for trouble.
Hosting your own email means getting a domain name from a DNS hosting provider, sadly that is also a weak point of vulnerability. I’ve been doing this for 20 years now, but I wouldn’t be confident that a determined attacker couldn’t take me out despite U2F 2FA with my DNS provider.
That said, I'm planning to migrate to either self hosted or a paid service which is not run by algorithms and where customer supports exist (in that regards big tech is terrible: facebook, google, paypal = worthless customer support).
I completely agree with your premise though: Ideally everyone should have their own server providing a personal site and mail and maybe even hosting a decentralised social network.
Is there any significant delay in receiving or sending?
I am currently a google apps user grandfathered in the free plan which is disappearing so I am looking for something new.
I imagine that's less likely to happen? Otherwise I'm in the same boat :D
This is the easiest way to do this since most domain registrars have a forwarding option. Cloudflare recently introduced Email Routing, which has been working well for me.
> But what if I get reported on my domain name? What if that gets suspended or blacklisted too?
Usually IPs or blocks of IPs get reported for spam, not domains. So in case the SMTP server you use starts to see a drop in reputation you can always change to another one without affecting your deliverability.
You weren't wrong to do so, but the convenience/risk bet hasn't worked out for you. For most people it works out fine -- i.e. car driving risks.
I use a different email host, and only use user/pass logins, no social. It's fiddly, and you'll need a good password manager (not chrome) but that's the cost of not being exposed to this risk. Only you can decide if it's worth it, very few people have the skills for it to even be an option.
I really don't see how, so this reads as hand wavey to me. Also, keep in mind, even if we're taking claim of payment at face value, you paid something for it, but that doesn't mean you've paid in full & paying for something doesn't imply ownership (like leasing a car, renting an apartment, etc).
Changing infrastructure / hosting can be done quickly for myself if necessary.
Apart from that, knowing that every e-mail I get or send is being processed by google and potentially read by US authorities simply makes me cringe - even though there's nothing special in my e-mails.
I'd love to self host e-mail and love to read HN posts about it, but I think self-hosting e-mail can become a time sink quite easily.
My highest likelihood interpretation is that a bunch of fools marked your email as spam rather than the initial spammer.
I think it’s hard to help most people drawn from the total population in an async context because of the 50% being less than median intelligence problem.
Personally I use my own registered domain for email and would encourage anyone to do so.
Here's what you should do when you get spam: Ignore it. A reply only lets the spammer know there's a live account at the other end.
Next time, do a whois on the domain the email came from, see if there's an abuse contact and forward them the email, letting them know there are malicious actors on their system.
This being said, since you got a scare, maybe it's a good time you buy a 2nd domain from another registrar and handle accordingly.
PS: how does one find a good domain name?
The main advice would be to avoid Google as if it were the plague. There are other free and paid providers that don't have a persisting and renewing rumour of suddenly, without warning, pulling the plug on you and then making it impossible to get in touch with proper support to try clear things up.
brute force checking thousands of examples till you find one that isn't squatted.
domainr [1] is fast and has a cool autocomplete feature that mixes domain endings with your name
A time machine might come in handy.
(I can just see the cartoon now: guy invents time machine, friend asks if he’s going to stop Hitler, he says no, but to register a good domain name. (Never mind the practicalities of the ten-years-at-a-time limit.))
pay google the 12 bucks or whatever per month to get a paid account, with actual service people you can call on the phone so if something bad happens, yes you can raise a merry stink about it.
become an actual customer! it really works
We should own our own stuff. Your email is your own data. No company should have the right to arbitrarily destroy or block your access to your data. Whether that service is free or paid for is irrelevant; offering a service for free isn't a license to rob and destroy.
I've argued this point multiple times (e.g. [0]). Businesses that host your data should treat your data as your property and take responsibility for it. They don't have the right to destroy it or put it through a virtual shredder any more than your landlord or car service should take your property to the junkyard.
I also consider it a security issue [1]; if you can't access your data (or worse: it's gone all of a sudden), security has failed. No, destroying data isn't the same as securing it. Google has poor security. Security should protect your data and your access to it.
[0] https://news.ycombinator.com/item?id=30242824
[1] https://news.ycombinator.com/item?id=30055397
Unfortunately law seemingly hasn't quite caught up with the idea of digital property.
Notice that Google's automatic suspensions may very well be illegal under GDPR. This was discussed here recently [2]. Having been rejected a credit card application (an example of a decision that shouldn't be made automatically, under GDPR [3]) and lost access to a gmail account, I can say the latter was much worse.
[2] https://news.ycombinator.com/item?id=30138669
[3] https://news.ycombinator.com/item?id=30140312
I host my own email these days, and I am my own domain registrar. If someone wants to take away my domain, they have to take it up with my government.
Lesson 2: don’t use gmail. At least, don’t use it for anything you actually care about.
The reason I think government identities are significant here is two-fold. Firstly it left a vacuum for identities that email, despite its obvious shortcomings, then filled. Secondly, weak unconnected identities provide poor means of dealing with abuse.
Sibling threads discuss how kicking people out of e.g. banking or rental involves some legal processes or something comparable. But in those cases both the barrier of abuse is higher because usually there are real consequences, and doing whatever legal process is more practical because the other party is not just some John Doe. In contrast the scale of abuse something like Gmail faces is pretty staggering, and the ability for the operator (Google) to do anything about it is somewhat limited, so it is somewhat understandable how they ended up so trigger happy with bans.
I posit that if we were able to implement real consequences to the actual abusers, then we well-behaved users could have stronger standing to demand better treatment for ourselves and we would be less likely to face the current level of opaque algorithmic bans.
Currently i have about 10 different e-mail accounts:
- one for development related things and communities
- one for newsletters, various online platforms and so on
- one for throwaway purposes, lower importance things like video game accounts
- one for university related things (it stayed after graduation)
- a few separate accounts (and corresponding Google account) for various phones or other devices, as necessary
- some standby accounts if i ever need them, some from different providers to check mail denylisting
- a personal address that's mostly for contacts through my website or my self-hosted automation messages
There are some others, as well as each platform for automation has a separate account as well (e.g. GitLab, Zabbix, Nextcloud, ...), though most of those are on the same self-hosted mail server. Of course, deciding how to structure everything is one's own choice, in my case it's just historical cruft and loosely defined boundaries of how much i care about any particular item.
That said, mail servers that are easy to set up are a godsend (for example: https://github.com/docker-mailserver/docker-mailserver), as long as you also have one of the larger walled garden alternatives for public communications, should there ever be delivery problems.
It's not like Google deciding to ban all of my accounts at once (through fingerprinting, or based on IP because i don't care to set up some sort of an advanced proxy to access all of them from different VPNs) wouldn't be problematic, but this way at least the impact would be minimized.
Plus, with software like Thunderbird and something like KeePass for strong randomly generated passwords, managing everything is really low effort. Of course, this also lends itself nicely to avoiding social logins and creating a separate e-mail based account wherever applicable, for a bit more control, rather than keeping all of your eggs in the same basket.
As for those who will inevitably say that this is too hard or complicated to be practical: i invite you to try setting up your own mail server with the help of the provided link on a 5$/month VPS, things have really improved in the last few years! Of course, creating new Google accounts (or for other platforms) might be a bit more cumbersome with modern verification steps etc., but it's not like it's impossible either.
Sometimes i wish we could do the same for personal identities, e.g. a list of aliases that could be issued through some government org. for particular purposes and revoked as necessary. For example, i wouldn't want a leak of some shopping site result in my personal data being compromised in regards to my online banking or my physical address, in any capacity whatsoever.
Did you actually pay for it? With money? Or was it free?
I know that a lot of good and earnest people work at Google (and the rest) but that doesn't change the nature of the beast. If anything it makes it more pathetic that these good people are powering the corporations that are subjugating the masses. They are the ones that hear the sad stories on the back channels (official support is nearly useless, by design!) and intervene with the "Powers that Be" to fix problems here and there. But by easing the pain of some people they reinforce the dependency of all users. (I could go on about the psychological impact of intermittent rewards and capricious authority on conditioning people to obey, but I'm not an expert and anyway it's really depressing.)
So, we have been hoodwinked by pushers, we have voluntarily given up our let's call them "rights and responsibilities" to these unelected quasi-anonymous semi-authoritarian organizations that are not beholden to us directly in pretty much any way, and we are "fine, just fine" with it right up until they flush our digital lives down the toilet.
> Should we own the free services that we've paid for with money and data?
No. What are you, a commie? Seriously though, you own what you own, you didn't pay for anything, and what do you want to actually do anyway? Pass laws that claw back some of your autonomy? Why give it up in the first place? Convenience. Bottom line: you're looking for ways to make other people pay for your laziness.
> Do we own our identities?
Both ownership and identity are abstract mental concepts. In contrast, rights, laws, contracts, Terms of Service, etc. are all part of the vast and ancient mechanisms we employ to manage real world assets and relationships. You can talk back and forth all day but in the end "get it in writing".
> Do we own our phone numbers, emails, handles, PO boxes, addresses?
Again, these are mostly philosophical concepts. If you want to discuss them in concrete terms we have to talk about laws, etc. For example people found it desirable and convenient to be able to be reached by the same phone number even if they switch carriers, so we got enough clout together to make some laws about it, and compelled carriers to support it.
So we can pass laws to, in effect, create new kinds of "owning".
But again, the way I see it is that you're using these FAANG systems out of convenience or because they give you something you want and you don't care that they have you by the "short hairs" right up until they jerk the rug out from under you. Yet, rather than abandoning these systems and using something else, you want to pass laws to make them do what you want them to do. In other words, rather than rewarding the folks who are trying to do right by you by using their systems, you want to keep using and even improve the system that is exploiting you, even if you have to do it against the "will" of the corporation supplying the systems/services.
Is that right?
> What do you use for identity?
Cryptography. (I originally wrote "Fucking cryptography, duh!" but then I thought that might be a little over the top and changed it.)
I use ssh keys mostly.
> And what are your thoughts on this?
To recap: to me you seem like a lazy fool who should have known better. You seem to want a legal solution ("ownership" is a legal concept) rather than just using some other service(s) that won't screw you over.
> Am I overreacting?
Yes. People are hard at work building "identity" services that work under your own control. You should avail yourself of their efforts, stop using exploitative "services", and get on with your life.
Public blockchains have potential to be part of the solution. Imagine the following:
- Decentralized file hosting using IPFS
- Decentralized login using ENS / Ethereum Name Service
- Email service gives you a UI on top of your data, plus an outbound server for relaying to/from non-blockchain email accounts
Overall, you end up with portable data thanks to IPFS, and a login through ENS to whatever UI you want to use/pay for.
This seems like a win to me. Haven't seen anything yet that pulls this together but the pieces are there. Maybe someone here wants to prototype it.
As far as I can tell this is just like regular email that you login using your Ethereum Wallet. Data is still stored the web2 way.