People consider google as a trusted partner whereas it is designed as a retail factory. Mass serving of millions and protectioms whose false positives can destroy the lives of thousands. Still they are statistically correct. Nuking everything instead of the offending service? Convenient fir them. Unavailable support reps? Convenient for them? Meaningless automated answers? Convenient for them. Its not a solid system that has defects, it was designed that way. Their unavailability and abrupt cruelty does not serve as cost optimisation, it serves as liability optimisation.
Haha, what "people"? Even people who aren't computer techies seems to be aware having a Google account is "a privilege lost at any time for any reason", almost everyone seems to know at least one acquaintance that somehow lost access to their personal account at one point and if you bring up any Google products in discussions, it isn't uncommon to hear "Yeah, I'd give that a try if I want to use a product that only works for a year".
Not sure there are many people left treating Google as a "trusted partner" unless you have a multi-million deal/contact with them.
I know more people than not who have gmail as their primary email.. the one that _every_ other account and bank and government service sends out to. It's not exactly well known that there are challenges for account recovery etc.
I have a gmail account that is connected to my Android phone. I don't use it for anything else, so it's unlikely that I would run afoul of Google for anything I do with it.
Any hosted email, paid or free, is going to have terms and conditions and you will be able to find anecdotes from people whose service was suspended "for no reason" but it's that or buy your own domain and host your own email.
> it's that or buy your own domain and host your own email.
Those aren't the only two options, there are two in the middle ground (and perhaps more that I'm failing to think of) that are well worth considering.
Option 1:
The best option IMO (what I chose, anyway) is to buy your own domain, and point its DNS MX records to a reliable email provider, which can even be gmail (though they're not who I chose).
That way you get almost none of the hassle of hosting your own email - it's very quick to set up the DNS records when you first get the domain, easy enough that even non-tech people can follow a simple tutorial, and after that you don't have anything to manage - and you don't need to worry about whether your emails will look trustworthy enough to avoid going straight into most people's spam folders (so long as you pick a provider that most of the world's email servers do tend to trust, such as gmail).
But if you do get locked out by the email provider you choose, you can point the DNS records at a different provider and not have lost your address. Obviously it's slightly more expensive than using gmail for free, but it's fairly cheap, affordable for many people (though not everyone).
Option 2:
Alternatively, if you need to stick to a free solution, you could create a free account at two different providers (let's say Protonmail and Gmail, or Hotmail and Yahoo, or...); have one of them as your primary email account, that you use like normal, but use the other one for signing up to accounts that would be a problem to lose ability to receive emails from.
Have the second account set up to automatically forward everything to your primary account. That way, when you need to click an email verification link, or open a password reset email, or whatever, it will have been forwarded to the inbox you use normally, so there's no extra hassle. But if you do lose access to your main account, you can still login to the account that receives the important emails to access them directly and to change it to forward to a new primary account elsewhere.
Of course there's still technically a risk that your important emails account could also be shut, but if you are only using it to receive emails from companies that you create accounts with, and you're never sending anything from it nor using it for any other services (ie not also using it for YouTube or similar) then the chances of losing access are almost as low as the chances of that business completely disappearing without warning.
Note that you need to be on a paid Google Workspace plan before pointing your DNS MX records at Gmail as provider, or else your emails will either be rejected at best or simply vanish into thin air in the worst case.
Oops yeah I forgot to state that, thanks for pointing it out.
There are cheaper options than Google Workspace (which is £11.80/month) for quality email hosts for your custom domain though - like FastMail (£4.50/month), ProtonMail (£8.19/month), or Microsoft 365 Business Basic (£5.52/month).
Personally I think it's a price well worth paying for knowing you genuinely own your own email address (while not having to manage both the software and the reputation of your own email server) - even more so if you either have friends/family to share the cost with (one domain cost between you, and potentially discounted per-account cost for multiple users depending on the plans available from the various email host options, such as Fastmail family going as low as $2.33/user/month), or if you also want other services bundled with email (such as Google Workspace's other tools, or Office 365 software, etc)
But for anyone who can't afford it, the free alternative of Option 2 from my comment above is still a big upgrade on just relying on a single account for everything.
"Not sure there are many people left treating Google as a "trusted partner" …"
Trouble is that whilst many have realized that Google (like much of Big Tech) is the quintessential example of a Poisoned Chalice they remain all too aware they've little choice but to endure or risk unavoidable abuse.
The tragedy of the modern internet is that these monopolies have reduced competition and choice to irrelevancies.
Cloud feudalism. The feudal decides what rules to apply, their reasoning is opaque and the protests of their subjects don't reach them. One day the feudal can confiscate all your possessions within his territory and banish you from his reign, for whatever reason. You can ask the feudal's henchmen for redress but they can ignore you or just tell you bullshit.
Sometimes protests that reach enough crowd get heard and the problem gets fixed...
"Sometimes protests that reach enough crowd get heard and the problem gets fixed..."
That's the stuff of revolution. Feudalists don't listen until forced to under duress, that's when things usually turn very nasty—shades of 1789 and like. The Ancien Régime sans a head or two.
Feudalists all have certain traits in common: arrogance and a sense of superiority coupled with shortsightedness and a lack of empathy.
I mean most people and business treat google as a "trust partner".
You should see the sideways looks I get from people when they find out I backup all our gmail to another service and don't allow employees to use Google SSO logins for sites. Just encase googles 'fraud' bots randomly shut down our workspace. I don't want the entire business to ground to a halt because we can't login to any sites.
Not doubting you, but what possible purpose could anyone have to use LLMs to output HN comments? Hardly exists a lower-stakes environment than here :) But yeah, I guess it wouldn't be the first time I reply to LLM-generated comments...
Ha — fair point. Hacker News comments are about as low-stakes as it gets, at least in terms of real-world consequence. But there are a few reasons someone might still use an LLM for HN-style comments:
Practice or experimentation – Some folks test models by having them participate in “realistic” online discussions to see if they can blend in, reason well, or emulate community tone.
Engagement farming – A few users or bots might automate posting to build karma or drive attention to a linked product or blog.
Time-saving for lurkers – Some people who read HN a lot but don’t like writing might use a model to articulate or polish a thought.
Subtle persuasion / seeding – Companies or advocacy groups occasionally use LLMs to steer sentiment about technologies, frameworks, or policy topics, though HN’s moderation makes that risky.
Just for fun – People like to see if a model can sound “human enough” to survive an HN thread without being called out.
So, yeah — not much at stake, but it’s a good sandbox for observing model behavior in the wild.
Would you say you’ve actually spotted comments that felt generated lately?
I...think you may be in a bubble if you believe this.
I've never talked to anyone outside of tech circles like this that has any inkling that Google just shutters people's digital lives with no warning or recourse.
In general, with any kind of mainstream large company, you should assume that the overall public perception of them is that they're fine, of course, if they weren't why would they be so big and popular??
> I've never talked to anyone outside of tech circles like this that has any inkling that Google just shutters people's digital lives with no warning or recourse.
Because they generally don't do this. The people who get suspended are not just normies using gmail. They are (as in this case) running complicated services doing a lot of access to Google APIs and though likely with no bad intent are activating tripwires that Google has set up to detect abuse.
Only if you're not paying attention. Case comes to mind, their AI decided it was child sexual abuse images. No, it was a picture of their toddler's penis being sent to his pediatrician. The cops cleared him, last I heard he remains banned by Google.
Right. That's exactly my point. Most people are not paying attention to these things. That's tech news; it's only for nerds and IT people (but I repeat myself).
If you think about Google, even about the possibility of Google banning an account, and a story like that is the first thing that comes to your mind, you are already an outlier. We all are here.
> I've never talked to anyone outside of tech circles like this that has any inkling that Google just shutters people's digital lives with no warning or recourse.
I thought I was specific enough but seems maybe I wasn't clear enough. I'm specifically talking about "outside of tech circles" (hence the "Even people who aren't computer techies"). I'm talking about acquaintances that works in retail stores, gas stations and similar, even these people seem averse to Google today when I've chatted with them about it for unrelated reasons.
Maybe it's because this is in Europe and people generally have more measured views of US companies, especially as of late? Not sure how it looks/seems in other parts in the world, but since I'm bound to one location, I definitely live in some sort of local bubble here like everyone else on this earth, not gonna lie :)
All these platforms go for scale. They can't have individualized relations with people and have the rentability of a drug lord, especially when said people aren’t part of some world-scale enterprise who provides a sizeable chunk of their revenue. If they catch one good person for every bad one they eliminate, it’s seen as an unfortunate side-effect, a necessary cost, and they’re fine with it.
Yesterday was a wise account(1), the week before was GitHub (2)
Companies are fiefdoms, they’re not democracies with a judicial system. If one of the automated sheriffs identifies you as a criminal, it doesn’t put you on trial, but directly sentences you to jail. Your process from there is never clear and it's anyone's guess to what the outcome will be.
This is so true. That's why I always say it's better to choose smaller companies with whom you can still get in touch with a human being, not just a chat bot. I went with Tuta Mail and haven't looked back: quantum-safe encryption, no tracking, no ads. Plus, with my domain I can have as many aliases as I like.
A few years ago google blocked my youtube red / premium account for spam even though the account was only used to watch videos. Not only did they wipe the account the wiped access to the payment page so I couldn't even cancel membership for months, dealing with robotic messages (you get to appeal every 3 weeks) all while being charged. Oh I also had Google One which promised in person support but they couldnt do shit because YT different team. I ended up cancelling the credit card. Earlier this year, I got a random message that my suspension was reversed and the original suspension was in error.
Just anedotally, I've had my wechat account blocked before and it took less than a day to talk to a person to get it sorted. At least PRC censorship has good customer service.
The problem here is not just Google, but huge companies in general that operate at a scale where algorithms are the only viable way to sufficiently keep abuse under control.
Reddit recently shadowbanned me as my account was approaching 20 years old. There was no message about what violation had been committed, and attempts to appeal went unanswered. All posts started getting filtered at some point and all comments throttled.
The Fediverse provides a template for a better way-- smaller connected services with better moderator to user ratios.
If your concern is being mysteriously cut off from communities by capricious and inscrutable moderators then all the Fediverse offers is an opportunity to experience that over and over indefinitely. I've never encountered a community less interested in accountable moderation.
Is it still true that pretty much anyone can post your handle with #fediblock and get you and your entire instance sent to the cornfield automatically by hundreds of servers? This destroyed my city's mastodon instance and drove everyone I knew there to bluesky.
There are basically three options that someone designing a social platform has to choose from:
1. Some designated entity decides who gets hidden from everyone's feed. (Google is here)
2. Everyone decides on their own, who they want to hide from their own feeds.
2a. The same but they can also form voluntary groups that share ignore-lists between each other. (Fediverse is here)
3. You can't hide spammers from your feed.
1 is vulnerable to the entity being corrupt (they always turn corrupt) - let's say 5% of global ignore list entries are there for corrupt reasons.
2a has the exact same problem but it's separately per ignore list group, perhaps each individual ignore list has 5% corrupt entries on average, which conversely means that every person is on about 5% of the ignore lists for corrupt reasons. Instead of 5% of the people being on 100% of the lists, now 100% of people are on 5% of the lists (except the spammers who are on 95%) which may give an impression the system is more corrupt than option 1.
The other options, 2 and 3, mean you're constantly bombarded by spam so you give up and quit the platform entirely.
The Fediverse has multiple hosts. And the option to host your own should you choose to do so.
I've been on the Fediverse for nearly a decade. I've jumped instances a few times. I'm currently with an instance run by a friend I've known online for well over a decade, who does have a strict moderation approach, but is also reachable out-of-band and is quite responsive and principled.
On Reddit, Google, FB, etc., you've got a single provider, and if they freeze you out you are fully frozen out.
That friend is not the only moderator who can impact your account though. Someone else on the instance you're on might do something silly that gets it defederated from a ring of 100+ other instances that share a blocklist. You might have friends on those instances you can't communicate with now. Do all 100 of those servers expose the admin's email? Do they respond? Are you going to go through that work in the first place? Obviously not.
It's weird to have to explain this to someone who's used Fediverse services for nearly a decade.
After a ban, it's no easier or harder to make a new account on a new mastodon instance than it is to make a new account on reddit/google/fb/etc. You're never fully frozen out of anything, that's not the point. The point is that gmail will never stop accepting emails from yahoo addresses regardless of how many badly behaved yahoo users there are.
100 people vastly underestimates both the complexity of the GCP landscape and the relentlessness of the daily fraud onslaught, and you don't know what the false positive rate of humans is vs that of the algorithms.
It would take thousands, at least, with top training and the breathing space to actually engage with customers individually. Mind you Google should still do it in my opinion.
The problem here is not just Google, but huge companies in general that operate at a scale where algorithms are the only viable way to sufficiently keep abuse under control.
The companies you speak of are billion- and trillion-dollar companies. Banning people is not the only viable way of doing things.
This will probably become a major problem with the Gemini APIs in enough time.
A customer does something crappy, e.g.: generates an image they aren't supposed to, and boom you're business Gmail and/or the recovery personal Gmail gone forever.
The example in this blog post, they did something recommended by Google and still got banned. Based on that, I'm not sure their built in moderation tools are enough insurance.
It can be super hard to moderate before an image is generated though. People can write in cryptic language and then say decode this message and generate an image the result, etc. The downside of LLMs is that they are super hard to moderate because they will gladly arbitrarily encode input and output. You need to use an LLM as advanced as the one you are running in production to actually check if they are obscene.
Like Uber drivers' using their girlfriends' ID verification because they have a criminal record, you can also just cut in some random guy to borrow his ID for another chance. There should be plenty of dudes available willing to sell an ID verification for cheap in poorer countries but there's also plenty in wealthy countries because very few anywhere were ever going to have a Google developer account in the first place.
Heh, I have been wondering about this for a very long time. The walled garden toll booth is too strict.
For example, the old Uber with the crazy thing they did. What if in the alternate universe they straight up got banned? That’s it. All investments would go to zero.
Isn't it simple? You do it because it makes money.
Lots of businesses can fail at any time. People still run them and work for them as long as it makes money, and WHEN it stops working, they stop that and do something else to make money. All business is ephemeral.
It doesn't matter. As long as you can spam people with crap like popups and notifications easier than on the web, we will still see all those unnecessary 'apps' that could just be a web page.
Some of us started long long ago, Android 1.0 time, when Google seemed like a different company. Their first blogs didn't mention splitting your personal google account from your developer account. I never heard of anyone getting banned. Oh boy, things have changed!
Isn't it already quite bad? I remember HN post about small company where employees' private accounts got terminated for "due to a prior violation or an association with a previously-terminated Google Play Developer account".
We had ours unexpectedly blocked and we were just using it for a "Login with Google" button. The only explanation was the vague "You did something against our terms and conditions." We hadn't done anything. Our use case is nothing beyond the "Login with Google" button.
We opened a case to appeal asking for more details or a review. Meanwhile, we're scrambling to implement some kind of workaround for our users that log in with their Google account.
And then early the next day, we get the email that our appeal was granted. Just need to be sure we follow the terms and conditions in the future.
I guess it could have been worse but still a bit of a slap in the face.
My AdSense account was suspended three times because I had an exclamation mark in my ad. I closed my account after that. I am certain Google still tracks my account as "potential fraud" to this day.
It's insane. They have the tooling to automatically lock my account because an ad doesn't follow the rules, but can't tell me while I'm making the ad? Why even let people submit invalid ads? What is the point of making it easy to sign up for adwords if new users are automatically banned in an hour?
I wonder if this is a situation where the right course of action is to sue Google and/or push for stronger regulation around suspension of customer accounts?
If you reframe this as: a commercial entity progressively dominates a service that is increasingly becoming necessary for survival in the modern world (e.g. primary email / identity provider) or in a given profession (Android developer), and then denies that service to some individuals, while also keeping the cost of switching away to competitors high, then there is a case for natural justice, even if there (still) aren't laws in the books to cover it.
A lot of what you are describing is a "monopoly". Last I checked anti-trust laws are still on the books in many places, just good luck finding politicians willing to go to bat on them and enforce them.
1: SSLMate is a paying customer. (Correct me if I'm wrong.)
2: Google harmed SSLMate, and their customers, by deliberately interrupting the services that were paid for.
The big question is if SSLMate was following the terms of service. If SSLMate was actually violating the terms, then it's a hard case to make. Otherwise, Google violated the contract and harmed SSLMate, and is therefore a valid target in US court.
For EU citizens, GDPR requires that if you ask for it, a human has to review your case. (Article 22 "The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.")
I guess a lawyer can argue against this, but I'd say that losing access to a lifetime if mails is absolutely up there with "legal effects concerning him or her or similarly significantly affects him or her."
And from my own experience building software for government services, I can tell you this: In my experience in those systems it is not acceptable to just have a list where someone clicks “deny” all day. Or allow for that matter. We tried with a system were the rule is that the citizen gets <think they apply for> whenever all relevant demands are met. Legal was very clear: No automated decisions either way unless the relevant laws or regulations explicitly allow it, every case has to be reviewed independently — even when the outcome seems completely obvious to anyone who knows the field.
Annecdotally you do stand a decent chance of winning if you take them to small claims, either because Google doesn't send someone or they try to argue their misbehavior is warranted per the TOS (apparently that doesn't go down well).
So, what happens to an account that is registered with said suspended email account and with a passkey-only login?
Does Google-synced passkeys on Google Password Manager still work even when your account is suspended?
Can't recover your accounts because you can't access your email, unless Google still allows existing email client access even when suspended but I'm not unfortunate enough to test this out.
A major downside of any service once it becomes too large is that the overall complexity introduces lower reliability. From Google's perspective perhaps each rule and feature makes sense, but from a customer perspective, there might be too much risk of who-knows-what issues coming up. I don't think this is limited to Google. I miss the older, less complicated versions of most bigtech services; Facebook, Instagram, Google, Amazon, etc. Even looking at Vercel's project settings the other day I found myself thinking "hmm this is getting a bit unwieldy."
It just doesn’t make sense; they have so much money they are one of the few that can actually make slightly less profit and have good customer support. But they choose to treat everyone like a robot & allow scam ads
They are very well on their way to becoming the "never interact with Oracle" of the internet giants.
As far as I can see they are still living a bit off the "do no evil" of ages ago and latent animosity towards Microsoft, but they're creating an animosity that will take ages to erase unless they start putting some minimal amount of money into customer support today.
They are definitely living off of their "boy genius" phase too. People still consider Google to be somehow smarter than other organizations that provide more reliable services.
Perhaps if a company is providing a service that might be considered critical (e.g. primary email address / identity provider), then there should be regulations about the level of customer support, especially some sort of human response SLA.
For YEARS I have been "screaming at the sky" (pun somewhat intended) about, what later became know as, cloud services. Family, friends, and coworkers would laugh at my resistance to use Google, Apple, Microsoft, etc. storage. Would tell me that I do not need a µSD card slot for my phone because these wonderful "free" services existed. Would mock me for continuing to purchase DVDs and CDs. I remember when Apple told me my @mac.com email address would be free forever. I feel that, as of late, I am being vindicated somewhat. With stories like this increasing. Stories of services eliminating the movies, games, music, books, storage they promised you would be around "forever", celebrities nude photos being hacked and put out there for everybody to see. Neither the cloud, and DEFINITELY not big business, is your friend at all. To them, you are just dollar signs until you aren't.
I submitted my app to App Store Connect for Apple and Google Play Store. After a few reviews on Apple my app was approved after a week or so. On Google, I got a couple rejections. I addressed the concerns resubmitted. Got another rejection without much detail, but changed a couple things and submitted again. App suspended... without any explanation why.
Also beware of having the owner for your Google Workspace be that of an employee who no longer works there. I was never able to fulfill all the "requirements" of Google support to get the Workspace back, despite the fact that it was linked to our domain... and we couldn't register a new Google Workspace to that domain. Ok, Google, I guess we just won't use your products, and we lose access to all our mail and files?
If you were running a business and suffered financial harm because of this, you're probably eligible to sue them to recover that financial loss. Don't let their ToS (where they can write anything they want and it often has no legal effect) scare you from consulting a lawyer.
To me it sounds like you're a weird business model for GCP and you keep being hit by tooling designed to block bad use cases that come across this uncommon use case.
You're going to look like an attacker to google for almost any model of review of access. You're in a niche role which would demand they build systems to take account of you. I can understand why a monolith has back pressure towards that cost and consequence.
Totally agree. But the docs aren't going to guide their model. Contradiction between the reality of a service, monitoring, and docs don't go to "align with the docs" they go to "align docs to reality"
I don't like this. I too have looked like an attack on their models using things inside the customer-side of google, took special relationships to get over this, an ongoing threat to how we relate to them.
(it's not in GCP btw. different arc of the megaplex)
Docs will guide what the courts think though if this gets that far. You can be sure lawyers will bring any documentation that seems to show your case before the judge and demand why they said it worked if it didn't.
I'm not in favor of going to court, but if it does a lawyer doesn't have be very good to think of the above.
They’re too big and no one has the authority to clean it up. I’m honestly shocked we don’t see more account suspensions.
I’ve migrated my businesses to Microsoft’s cloud offerings and they’re also a clusterfuck, but at least I can get real support people on the phone pretty easily (for now…).
Not related to this particular reason for suspension, but I had a friend who's GCP account got put on pause a few weeks into his project because his payment method was flagged for suspicious behavior. This friend had an incident of stolen identity in the past 24 months which caused a lot of issues and basically any CC linked to him seemed to be problematic for GCP. Swapped CC linked to the account to his business partner and fixed everything.
Lesson: if you use a CC with GCP or cloud services, firewall it from everything else you do to be safe.
It might be a case where illegal / scam / anything of that type were using the SSLMate service to issue and deploy those certificates, whereas some aspects of this process (DNS / HTTP / Mail) verification or similar were processed directly on the GCP.
I could not get from the OP what really happened and what was the claim / explanation from Google side.
Google said "general terms of service violation" or unspecified "abusive activities". Google is only involved in the publication of DNS records, not the deployment of certificates. Note that they didn't require us to take any action after the suspension in 2024 to correct this alleged abuse; they just re-enabled access without any further explanation.
This is very similar to how DoIT manage their client projects. I needed to add one of their service accounts to my organization's IAM policy so they could have complete visibility over all resources for monitoring / cost reporting purposes. The only potential difference being that DoIT is a Google Cloud Premier Partner™
No people to interact with. Only AI and automated systems. Engineers/PMs/leaders/etc are incentivized to develop something new (more bonus, RSU, promotions) and move on. Nobody gets rewarded to improve things already developed.
The Great Decoupling of Labor and Capital: https://www.mbi-deepdives.com/the-great-decoupling-of-labor-... explains this with numbers: Alphabet required 76k employees to get to their first $100 Billion. Their most recent incremental $100 Billion? Just 11,000! (assuming they add another 3k employees in 4Q’25)
Sometimes I think what's the worst it could happen if Google decided to delete my main personal account that I use for everything: banking, utilities...
I guess it would a hassle to go to the bank but loosing some images or old emails wouldn't be so catastrophic TBH. Maybe being somewhat nihilistic/minimalist I think that it all will still be lost when I die, so why trying to grasp those things? In some sense it's kind of liberating not depending too much on these kind of things.
It's important to keep in mind that many (if not most) people ad-blocking google ads do so because of the fear of malware (usually from youtube).
So to Google, killing accounts of malicious actors is a primary concern, and obviously you can wield a lot of damage to people through google's services if unchecked. And even with checks, every bad actor wears the mask of innocence when appealing.
So this puts Google in a rather intractable position. Without numbers it's hard to say whether they are leaning to hard towards stopping fraud (many false positives), or too hard towards giving accounts freedom (high levels of malware served).
I think the best reason to block ads is that ads are ugly and annoying and there's no law that says you have to watch them. I think people assume you have to watch them, when they're actually completely optional.
I don't use Google cloud but the seven step OIDC configuration process is the kind of thing that can be scripted quite easily in Azure, e.g. using the az CLI tool. When a step creates a new object the command can return its ID so you can save it in a variable and use it in a subsequent step.
If Google has something similar this seems preferable to the alternatives.
Honestly, many companies are suicidal to put "everything" in the hand of AWS or Google, thousand of accounts are banned everyday, a simple accidental VPN/Tor connection can lead to losing everything (at least temporarily) and their rules aren't transparent so we can't really anticipate it.
There's a reason Google has a reputation of "Don't use it for anything that you can't afford to have disappear with no notice or recourse."
You also can't expect it to get any better, both because Alphabet has never shown any interest in improving things and because you and the services you've been using them for aren't the new AI hotness. Even if you're absurdly profitable for them (and you're clearly not) you're not in an area that their internal people are competing to serve.
I can't help but think that the mass layoffs at Amazon will produce the same culture soon. And I wonder how much is downstream of Google "defeating" antitrust.
It's open season for customers, employees, suppliers and contributors.
> You can access data from your users' Google Cloud projects by creating a service account to represent your service, and then having your customers grant that service account appropriate access to their cloud data using IAM policies. Note that you might want to create a service account per customer if you need to avoid confused deputy problems.
If you look at most SaaS services, they rarely use a service account per customer.
IMO it's no different than any part of your own services where you need to handle multiple customers.
Creating multiple service accounts is just overhead.
The text you quoted explains why you wouldn’t want to create a single service account for all customers. It’s a security decision, which yes adds overhead.
I'll note that the overhead is only on the provider side; from the customer's perspective it's all the same. In contrast, OpenID Connect puts overhead onto the customer (in addition to the provider) which I find unfortunate since I want to provide a good experience.
The problem is that they manage customers through automation. If the system flags you, you’re out. By using their products, you accept the risk of being cut off.
Gcp still can’t change our street address because of the d-u-n-s validation (of course d-u-n-s actually uses our new address… and all other vendors are fine with it).
How bad must their service be that they can’t change a fucking address. Oh and the free billing support is horrible, always the same response like ‘a special team is working on it’.. yeah sure and they can’t fix an address for like a month. It’s worse since all our invoices use the old address which in Germany is a fucking problem. Time to make a migration plan.
This pattern is a big part of why Google is a poor company to buy infrastructure from. They are horrible at customer support, and have made it clear over the years that they have no intention of changing that. That's simply unacceptable for production infrastructure.
I hated it. Much better from akamai, tornado, kamatera, others.
I gave it a try -- Google offered a free tier vps which was a no brainer. It worked but the ui seemed jank and somewhat confusing. The cost wasn't particularly compelling, so I never deployed. I kept the free tier VPS running for a while to continue evaluation since I value a diversity of services.
However, google charged me like a dollar, and i never saw the charge since i never logged into the webui. I never got an email saying I owe them a dollar so they canceled my GCP access and blacklisted my google account from GCP.
There was a lot of friction here, and the fact that i "feel lucky" I didnt lose my very old gmail account over $1.00 makes me laugh...a very nervous laughter.
I like a lot about google. I cannot depend on google. I use google's AI offering and I am slowly becoming concerned it could affect my legacy email account. Like, everything gets locked and my doctor cannot email me.
You're going to need to buy your own domain and move to a solution that has you being responsible for your own email.
Note that doesn't mean you have to do it all yourself, there are plenty of hosting places that you can just configure with your own domain name details.
I have all of this. You need a google account to use GCP and I used my google account which was created with a gmail invite code shortly after gmail was released.
Some things are still using this email. Hey, I'm not perfect. Sometimes I exceed posted speed limits, too.
Edit: I have to choose a tech giant to get a phone app with decent push notifications as far as I can tell (I haven't scoured the earth for this .... yet) The gmail app is pretty good.
Here are options I can recommend:
Proton
Tuta
Apple (iCloud)
All of these withh be your MX with DMARC/SPF. If you use an android cellphone you'll almost certainly need a google account anyhow. The tuta experience is not as advanced as the others, but is servicable and likely offers better security guarantees than the others. You get a lot of bang for your buck from Proton (personal wireguard tunnel vpn included), and apple is apple.
I've always felt like Google's confusing UI is completely intentional. Making a user feel lost is a great way to make your product seem larger than it really is. If they boiled down their settings and workflows into easy-to-understand screens then your understanding of the entire product could be conceptualized.
Simple example - in the early days of Microsoft Office, every new release would cause office confusion. I learned to say "it's the same product, they just moved things around". My conspiratorial sense was that the confusion was intentional to make users feel lost.
So, we all know Google is pure Evil - pure greed. But people said this in
the past too: don't become dependent on these giant mega-corporations, be
it Google, Amazon/AWS and so forth. The cake is a lie - this is another
example we can add to the "never trust Google" meme.
Google paid $32B for Wiz to try to sell GCP into every org Wiz is embedded in, expect this to continue until those making procurement decisions stop buying Google, which could take...some time.
If you use Google at this point for commercial services, you get what you deserve when they nuke your resources (caveat being services you cannot go elsewhere for, like an Android dev account). The evidence is robust they cannot be relied upon as a commercial services provider. Stop. using. Google.
(thoughts and opinions always my own, I am aware and understand in this context OP needs Google Cloud to integrate with customers in Google Cloud, which is very unfortunate, and so their Sisyphus task continues)
For personal or family, I think Fastmail is fine. I use it for a family account (paid years in advance), and admin other Fastmail tenants "family office" style for those who trust me to and offload the responsibility. I can get ahold of someone at Fastmail easily when issues crop up, which is rare. O365 is what I recommend for anything SMB and up. You can at least get support from Microsoft when needed. AWS is fine for cloud resources and infra, again, you can get support from a TAM or similar. But Google? I have never once had a good experience attempting to get in touch with a human when resolution is needed, hence my position on the topic. You cannot self serve critical business infra (imho), and Google is allergic to providing human support.
Buy your own domain and run mox (https://github.com/mjl-/mox) on it. In the setup it provides details on the DKIM info you need to put into your DNS records. Get a PTR record from your ISP (if hosting at home); periodically check your blocking from spamhaus etc.
I run mine on a Pi4 no problem whatsoever, but I guess a VPS could also be used, although the scamalytics analysis will show it's a server or an IP shared with an anonymising VPN etc. if it's a shared IP on the host.
I'll tell you the problem with Google (in my experience). They've moved to Big Company cash cow mode. They even use SAP Ariba ... which dictates that their teams are silo'd and ultra rigid ... and so dealing with them is a nightmare.
> Clearly, I cannot rely on having a Google account for production use cases. Google has built a complex, unreliable system
You cant use anything from Google. I only use gmail, my mail account only got banned one time for a week. For years I thought the punishment for using gmail was just a mater of time. I tried to imagine what weird things could trigger it. Maybe they will one day just end the service because it isn't profitable enough?
I decided the most likely would be that the mail account gets banned as a punishment for using any of their other services.
Then I made the "mistake" to switch from iphone to android. It almost immediately started complaining that my mailbox was full. The new reality is that each and every button I press on the phone could potentially end my mailbox.
Now that they [also] have very sophisticated LLM's the crappy customer service seems intentional.
GCP is a terrible idea for anything important unless you're big enough to have an executive team and yours knows theirs - was the quote I heard somewhere but am struggling to attribute.
They explain in the article why they still have to have a Google Cloud account. I am sure that they would gladly not deal with Google at all if they could...
Right, and we will be ditching our Google Cloud account this time, but as explained in the post this will come at either a security or a usability cost for our customers, which is why I did not ditch after the first suspension.
I can understand you not ditching after the first suspension but the second suspension should have been the point where you took the choice.
First time is a fluke, second time is a serious wake-up call, third time it's your fault.
Do you really want to reach the point where all your customers have an outage, you have to rush implementing something else (oidc or api keys) AND rush your customers to change your settings?
Second and third suspensions are a week apart. Wouldn’t be enough time to shift customers to a new auth format, specially when most of the burden is on them.
Those are negligible compared to a 100% availability / uptime cost to your business incurred from being a serf to a feudal tyrant with no name or face that enjoys abusing you.
Using GCP, AWS, or Azure is like volunteering to use your own money to rent heavy construction equipment to construct your own jail cell and excavate your own grave.
But hey, at least you get to avoid the capex on the heavy construction equipment, and it's always¹ available!
¹ except for when human error takes it offline for 14 hours straight
You're not just dealing with a massive bureaucracy, you're dealing with a massive automated bureaucracy whose rules aren't explicit, whose algorithms are buggy, and which can destroy your business on a whim with no recourse, without even noticing.
If you had actually read the post you would have understood there are ways to ditch GCP, but they are perceived as cumbersome.
The exaple is OpenID Connect. It works well with Azure (according to the post).
I'm sorry to say this, but the author is choosing something easy but unrealiable over something a bit more complicated but reliable.
It's really the author's fault. They are choosing their comfort over the service reliability (and keeping promises made to customers).
Heck they might even go with api keys. They could give explicit direction on the minimal amount of permissions the api key would need and they could ping the users each 3-4 months to rotate them.
But no, I guess we'll have another post at some point about the fourth (definitive?) account suspension.
> If you are a business, I am not sure why on earth do you want to deal with the world’s worst customer service company: Google.
The answer is extremely simple. People aren’t businesses. You are right, no business should choose Google. But people do, for their own reasons. And businesses can only act through people. And people have their own priorities which override the interest of the business, like “What should I choose to never be blamed if/when it fails?” Google is an extremely safe bet there, like IBM of old.
People consider google as a trusted partner whereas it is designed as a retail factory. Mass serving of millions and protectioms whose false positives can destroy the lives of thousands. Still they are statistically correct. Nuking everything instead of the offending service? Convenient fir them. Unavailable support reps? Convenient for them? Meaningless automated answers? Convenient for them. Its not a solid system that has defects, it was designed that way. Their unavailability and abrupt cruelty does not serve as cost optimisation, it serves as liability optimisation.
> People consider google as a trusted partner
Haha, what "people"? Even people who aren't computer techies seems to be aware having a Google account is "a privilege lost at any time for any reason", almost everyone seems to know at least one acquaintance that somehow lost access to their personal account at one point and if you bring up any Google products in discussions, it isn't uncommon to hear "Yeah, I'd give that a try if I want to use a product that only works for a year".
Not sure there are many people left treating Google as a "trusted partner" unless you have a multi-million deal/contact with them.
I know more people than not who have gmail as their primary email.. the one that _every_ other account and bank and government service sends out to. It's not exactly well known that there are challenges for account recovery etc.
I have a gmail account that is connected to my Android phone. I don't use it for anything else, so it's unlikely that I would run afoul of Google for anything I do with it.
Any hosted email, paid or free, is going to have terms and conditions and you will be able to find anecdotes from people whose service was suspended "for no reason" but it's that or buy your own domain and host your own email.
> it's that or buy your own domain and host your own email.
Those aren't the only two options, there are two in the middle ground (and perhaps more that I'm failing to think of) that are well worth considering.
Option 1:
The best option IMO (what I chose, anyway) is to buy your own domain, and point its DNS MX records to a reliable email provider, which can even be gmail (though they're not who I chose).
That way you get almost none of the hassle of hosting your own email - it's very quick to set up the DNS records when you first get the domain, easy enough that even non-tech people can follow a simple tutorial, and after that you don't have anything to manage - and you don't need to worry about whether your emails will look trustworthy enough to avoid going straight into most people's spam folders (so long as you pick a provider that most of the world's email servers do tend to trust, such as gmail).
But if you do get locked out by the email provider you choose, you can point the DNS records at a different provider and not have lost your address. Obviously it's slightly more expensive than using gmail for free, but it's fairly cheap, affordable for many people (though not everyone).
Option 2:
Alternatively, if you need to stick to a free solution, you could create a free account at two different providers (let's say Protonmail and Gmail, or Hotmail and Yahoo, or...); have one of them as your primary email account, that you use like normal, but use the other one for signing up to accounts that would be a problem to lose ability to receive emails from.
Have the second account set up to automatically forward everything to your primary account. That way, when you need to click an email verification link, or open a password reset email, or whatever, it will have been forwarded to the inbox you use normally, so there's no extra hassle. But if you do lose access to your main account, you can still login to the account that receives the important emails to access them directly and to change it to forward to a new primary account elsewhere.
Of course there's still technically a risk that your important emails account could also be shut, but if you are only using it to receive emails from companies that you create accounts with, and you're never sending anything from it nor using it for any other services (ie not also using it for YouTube or similar) then the chances of losing access are almost as low as the chances of that business completely disappearing without warning.
Note that you need to be on a paid Google Workspace plan before pointing your DNS MX records at Gmail as provider, or else your emails will either be rejected at best or simply vanish into thin air in the worst case.
Oops yeah I forgot to state that, thanks for pointing it out.
There are cheaper options than Google Workspace (which is £11.80/month) for quality email hosts for your custom domain though - like FastMail (£4.50/month), ProtonMail (£8.19/month), or Microsoft 365 Business Basic (£5.52/month).
Personally I think it's a price well worth paying for knowing you genuinely own your own email address (while not having to manage both the software and the reputation of your own email server) - even more so if you either have friends/family to share the cost with (one domain cost between you, and potentially discounted per-account cost for multiple users depending on the plans available from the various email host options, such as Fastmail family going as low as $2.33/user/month), or if you also want other services bundled with email (such as Google Workspace's other tools, or Office 365 software, etc)
But for anyone who can't afford it, the free alternative of Option 2 from my comment above is still a big upgrade on just relying on a single account for everything.
[dead]
"Not sure there are many people left treating Google as a "trusted partner" …"
Trouble is that whilst many have realized that Google (like much of Big Tech) is the quintessential example of a Poisoned Chalice they remain all too aware they've little choice but to endure or risk unavoidable abuse.
The tragedy of the modern internet is that these monopolies have reduced competition and choice to irrelevancies.
Cloud feudalism. The feudal decides what rules to apply, their reasoning is opaque and the protests of their subjects don't reach them. One day the feudal can confiscate all your possessions within his territory and banish you from his reign, for whatever reason. You can ask the feudal's henchmen for redress but they can ignore you or just tell you bullshit.
Sometimes protests that reach enough crowd get heard and the problem gets fixed...
"Sometimes protests that reach enough crowd get heard and the problem gets fixed..."
That's the stuff of revolution. Feudalists don't listen until forced to under duress, that's when things usually turn very nasty—shades of 1789 and like. The Ancien Régime sans a head or two.
Feudalists all have certain traits in common: arrogance and a sense of superiority coupled with shortsightedness and a lack of empathy.
You should see the sideways looks I get from people when they find out I backup all our gmail to another service and don't allow employees to use Google SSO logins for sites. Just encase googles 'fraud' bots randomly shut down our workspace. I don't want the entire business to ground to a halt because we can't login to any sites.
That was not a person, it was an LLM.
Not doubting you, but what possible purpose could anyone have to use LLMs to output HN comments? Hardly exists a lower-stakes environment than here :) But yeah, I guess it wouldn't be the first time I reply to LLM-generated comments...
Building up account reputation (which HN has) so you can then manipulate opinions.
Ha — fair point. Hacker News comments are about as low-stakes as it gets, at least in terms of real-world consequence. But there are a few reasons someone might still use an LLM for HN-style comments:
Practice or experimentation – Some folks test models by having them participate in “realistic” online discussions to see if they can blend in, reason well, or emulate community tone.
Engagement farming – A few users or bots might automate posting to build karma or drive attention to a linked product or blog.
Time-saving for lurkers – Some people who read HN a lot but don’t like writing might use a model to articulate or polish a thought.
Subtle persuasion / seeding – Companies or advocacy groups occasionally use LLMs to steer sentiment about technologies, frameworks, or policy topics, though HN’s moderation makes that risky.
Just for fun – People like to see if a model can sound “human enough” to survive an HN thread without being called out.
So, yeah — not much at stake, but it’s a good sandbox for observing model behavior in the wild.
Would you say you’ve actually spotted comments that felt generated lately?
I'm not sure whether to be amused or annoyed by this comment (generated in the style of ChatGPT).
Don't forget, if it stays busy with HN comments then maybe it won't have time for air traffic control or surgical jobs.
I...think you may be in a bubble if you believe this.
I've never talked to anyone outside of tech circles like this that has any inkling that Google just shutters people's digital lives with no warning or recourse.
In general, with any kind of mainstream large company, you should assume that the overall public perception of them is that they're fine, of course, if they weren't why would they be so big and popular??
> I've never talked to anyone outside of tech circles like this that has any inkling that Google just shutters people's digital lives with no warning or recourse.
Because they generally don't do this. The people who get suspended are not just normies using gmail. They are (as in this case) running complicated services doing a lot of access to Google APIs and though likely with no bad intent are activating tripwires that Google has set up to detect abuse.
Only if you're not paying attention. Case comes to mind, their AI decided it was child sexual abuse images. No, it was a picture of their toddler's penis being sent to his pediatrician. The cops cleared him, last I heard he remains banned by Google.
Right. That's exactly my point. Most people are not paying attention to these things. That's tech news; it's only for nerds and IT people (but I repeat myself).
If you think about Google, even about the possibility of Google banning an account, and a story like that is the first thing that comes to your mind, you are already an outlier. We all are here.
Even for people in tech using Gmail as the primary email is still quite common. Outside of tech Google is perceived as utility like tap water.
> I've never talked to anyone outside of tech circles like this that has any inkling that Google just shutters people's digital lives with no warning or recourse.
I thought I was specific enough but seems maybe I wasn't clear enough. I'm specifically talking about "outside of tech circles" (hence the "Even people who aren't computer techies"). I'm talking about acquaintances that works in retail stores, gas stations and similar, even these people seem averse to Google today when I've chatted with them about it for unrelated reasons.
Maybe it's because this is in Europe and people generally have more measured views of US companies, especially as of late? Not sure how it looks/seems in other parts in the world, but since I'm bound to one location, I definitely live in some sort of local bubble here like everyone else on this earth, not gonna lie :)
Yeah, at least here in the US that isn't the perception. For most people it's not even something they think about.
All these platforms go for scale. They can't have individualized relations with people and have the rentability of a drug lord, especially when said people aren’t part of some world-scale enterprise who provides a sizeable chunk of their revenue. If they catch one good person for every bad one they eliminate, it’s seen as an unfortunate side-effect, a necessary cost, and they’re fine with it.
Yesterday was a wise account(1), the week before was GitHub (2)
Companies are fiefdoms, they’re not democracies with a judicial system. If one of the automated sheriffs identifies you as a criminal, it doesn’t put you on trial, but directly sentences you to jail. Your process from there is never clear and it's anyone's guess to what the outcome will be.
1: https://shaun.nz/why-were-never-using-wise-again-a-cautionar...
2: https://x.com/vmfunc/status/1978079375183536440
This is so true. That's why I always say it's better to choose smaller companies with whom you can still get in touch with a human being, not just a chat bot. I went with Tuta Mail and haven't looked back: quantum-safe encryption, no tracking, no ads. Plus, with my domain I can have as many aliases as I like.
with smaller companies there is another problem - they get acquired and then you get the same deal.
A few years ago google blocked my youtube red / premium account for spam even though the account was only used to watch videos. Not only did they wipe the account the wiped access to the payment page so I couldn't even cancel membership for months, dealing with robotic messages (you get to appeal every 3 weeks) all while being charged. Oh I also had Google One which promised in person support but they couldnt do shit because YT different team. I ended up cancelling the credit card. Earlier this year, I got a random message that my suspension was reversed and the original suspension was in error.
Just anedotally, I've had my wechat account blocked before and it took less than a day to talk to a person to get it sorted. At least PRC censorship has good customer service.
The problem here is not just Google, but huge companies in general that operate at a scale where algorithms are the only viable way to sufficiently keep abuse under control.
Reddit recently shadowbanned me as my account was approaching 20 years old. There was no message about what violation had been committed, and attempts to appeal went unanswered. All posts started getting filtered at some point and all comments throttled.
The Fediverse provides a template for a better way-- smaller connected services with better moderator to user ratios.
If your concern is being mysteriously cut off from communities by capricious and inscrutable moderators then all the Fediverse offers is an opportunity to experience that over and over indefinitely. I've never encountered a community less interested in accountable moderation.
Is it still true that pretty much anyone can post your handle with #fediblock and get you and your entire instance sent to the cornfield automatically by hundreds of servers? This destroyed my city's mastodon instance and drove everyone I knew there to bluesky.
There are basically three options that someone designing a social platform has to choose from:
1. Some designated entity decides who gets hidden from everyone's feed. (Google is here)
2. Everyone decides on their own, who they want to hide from their own feeds.
2a. The same but they can also form voluntary groups that share ignore-lists between each other. (Fediverse is here)
3. You can't hide spammers from your feed.
1 is vulnerable to the entity being corrupt (they always turn corrupt) - let's say 5% of global ignore list entries are there for corrupt reasons.
2a has the exact same problem but it's separately per ignore list group, perhaps each individual ignore list has 5% corrupt entries on average, which conversely means that every person is on about 5% of the ignore lists for corrupt reasons. Instead of 5% of the people being on 100% of the lists, now 100% of people are on 5% of the lists (except the spammers who are on 95%) which may give an impression the system is more corrupt than option 1.
The other options, 2 and 3, mean you're constantly bombarded by spam so you give up and quit the platform entirely.
This problem is unsolvable.
The Fediverse has multiple hosts. And the option to host your own should you choose to do so.
I've been on the Fediverse for nearly a decade. I've jumped instances a few times. I'm currently with an instance run by a friend I've known online for well over a decade, who does have a strict moderation approach, but is also reachable out-of-band and is quite responsive and principled.
On Reddit, Google, FB, etc., you've got a single provider, and if they freeze you out you are fully frozen out.
That friend is not the only moderator who can impact your account though. Someone else on the instance you're on might do something silly that gets it defederated from a ring of 100+ other instances that share a blocklist. You might have friends on those instances you can't communicate with now. Do all 100 of those servers expose the admin's email? Do they respond? Are you going to go through that work in the first place? Obviously not.
It's weird to have to explain this to someone who's used Fediverse services for nearly a decade.
After a ban, it's no easier or harder to make a new account on a new mastodon instance than it is to make a new account on reddit/google/fb/etc. You're never fully frozen out of anything, that's not the point. The point is that gmail will never stop accepting emails from yahoo addresses regardless of how many badly behaved yahoo users there are.
Algorithm isn't the only viable way. G has a massive amount of cash. Enough to employ 100 people to manage these edge cases. But that cuts margin.
100 people vastly underestimates both the complexity of the GCP landscape and the relentlessness of the daily fraud onslaught, and you don't know what the false positive rate of humans is vs that of the algorithms.
It would take thousands, at least, with top training and the breathing space to actually engage with customers individually. Mind you Google should still do it in my opinion.
The problem here is not just Google, but huge companies in general that operate at a scale where algorithms are the only viable way to sufficiently keep abuse under control.
The companies you speak of are billion- and trillion-dollar companies. Banning people is not the only viable way of doing things.
They have the money. They choose not to spend it.
It's profitable to ban your free users, but not your 4- or 5-digit paying customers. That part is some combination of arrogance and incompetence.
Corollary: it's more profitable to act this way than otherwise.
This will probably become a major problem with the Gemini APIs in enough time.
A customer does something crappy, e.g.: generates an image they aren't supposed to, and boom you're business Gmail and/or the recovery personal Gmail gone forever.
there are built in moderation tools you should turn on if you have external customers generating images, or inputing data that might be sketch
The example in this blog post, they did something recommended by Google and still got banned. Based on that, I'm not sure their built in moderation tools are enough insurance.
It can be super hard to moderate before an image is generated though. People can write in cryptic language and then say decode this message and generate an image the result, etc. The downside of LLMs is that they are super hard to moderate because they will gladly arbitrarily encode input and output. You need to use an LLM as advanced as the one you are running in production to actually check if they are obscene.
And these tools are perfect?
[dead]
Android developer verification would end up just like this. Lots of people would be banned from developing for Android.
How do you justify specializing in mobile development when it's very clear that you're just sharecroppers on someone else's land?
Like Uber drivers' using their girlfriends' ID verification because they have a criminal record, you can also just cut in some random guy to borrow his ID for another chance. There should be plenty of dudes available willing to sell an ID verification for cheap in poorer countries but there's also plenty in wealthy countries because very few anywhere were ever going to have a Google developer account in the first place.
Eventually you run out of IDs, and as a Sybil attack you're gonna get slowed down.
(remote identity proofing and fraud mitigation is a component of my work in finance)
https://pages.nist.gov/800-63-3-Implementation-Resources/63A...
https://pages.nist.gov/800-63-3-Implementation-Resources/63A...
Heh, I have been wondering about this for a very long time. The walled garden toll booth is too strict.
For example, the old Uber with the crazy thing they did. What if in the alternate universe they straight up got banned? That’s it. All investments would go to zero.
> What if in the alternate universe they straight up got banned?
The zeitgeist of the time wouldn't have allowed that. Everybody talking about banning Uber or Airbnb was framed as an enemy of progress.
Isn't it simple? You do it because it makes money.
Lots of businesses can fail at any time. People still run them and work for them as long as it makes money, and WHEN it stops working, they stop that and do something else to make money. All business is ephemeral.
It doesn't matter. As long as you can spam people with crap like popups and notifications easier than on the web, we will still see all those unnecessary 'apps' that could just be a web page.
Some of us started long long ago, Android 1.0 time, when Google seemed like a different company. Their first blogs didn't mention splitting your personal google account from your developer account. I never heard of anyone getting banned. Oh boy, things have changed!
Isn't it already quite bad? I remember HN post about small company where employees' private accounts got terminated for "due to a prior violation or an association with a previously-terminated Google Play Developer account".
We had ours unexpectedly blocked and we were just using it for a "Login with Google" button. The only explanation was the vague "You did something against our terms and conditions." We hadn't done anything. Our use case is nothing beyond the "Login with Google" button.
We opened a case to appeal asking for more details or a review. Meanwhile, we're scrambling to implement some kind of workaround for our users that log in with their Google account.
And then early the next day, we get the email that our appeal was granted. Just need to be sure we follow the terms and conditions in the future.
I guess it could have been worse but still a bit of a slap in the face.
I would just stop supporting “login with Google”.
Consider dropping social logins for only user/pass/MFA and Passkeys.
My AdSense account was suspended three times because I had an exclamation mark in my ad. I closed my account after that. I am certain Google still tracks my account as "potential fraud" to this day.
It's insane. They have the tooling to automatically lock my account because an ad doesn't follow the rules, but can't tell me while I'm making the ad? Why even let people submit invalid ads? What is the point of making it easy to sign up for adwords if new users are automatically banned in an hour?
Or terminate your account while you see ads for similar products (your competitors) still showing.
Mine was permanently suspended with no recourse for that reason. Many years ago though.
What is their reasoning? Exclamation marks are in almost every print ad since the invention of the exclamation mark.
I might be misremembering, but I recall reading that Facebook Marketplace used to disallow posts with a “$”. Which is hilarious from the outside.
are exclamation marks not allowed or is that just some absurd mistake by them?
depends: https://support.google.com/adspolicy/answer/14847994?sjid=16...
They surely aren't going to tell you what you did wrong. That's the real problem here.
"Multiple exclamation marks,' he went on, shaking his head, 'are a sure sign of a diseased mind." – Terry Pratchett, Eric
I wonder if this is a situation where the right course of action is to sue Google and/or push for stronger regulation around suspension of customer accounts?
"Company declines to do business with me" isn't usually a cause of action you can sue over.
If you reframe this as: a commercial entity progressively dominates a service that is increasingly becoming necessary for survival in the modern world (e.g. primary email / identity provider) or in a given profession (Android developer), and then denies that service to some individuals, while also keeping the cost of switching away to competitors high, then there is a case for natural justice, even if there (still) aren't laws in the books to cover it.
A lot of what you are describing is a "monopoly". Last I checked anti-trust laws are still on the books in many places, just good luck finding politicians willing to go to bat on them and enforce them.
The US legal system is all based on proving harm.
In this case:
1: SSLMate is a paying customer. (Correct me if I'm wrong.)
2: Google harmed SSLMate, and their customers, by deliberately interrupting the services that were paid for.
The big question is if SSLMate was following the terms of service. If SSLMate was actually violating the terms, then it's a hard case to make. Otherwise, Google violated the contract and harmed SSLMate, and is therefore a valid target in US court.
You can sue over anything, doesn't mean you'll win.
If enough people started making companies show up to small claims court for their shitty behaviour maybe they wouldn't act so shitty.
But sue-ing means your problem goes to legal and not tier 1 customer support.
So Mary from legal walks over to Manager whoever and says "Hey why the fuck did you terminate this guys account? Now I have to go to court."
Account reinstated. You drop the case.
This produces stupidly improved results.
[dead]
https://en.wikipedia.org/wiki/Tortious_interference
covers some situations where someone stops you for making money, for no good reason.
"As an example, someone could ... obstruct someone's ability to honor a contract with a client by deliberately refusing to deliver necessary goods."
For EU citizens, GDPR requires that if you ask for it, a human has to review your case. (Article 22 "The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.")
I guess a lawyer can argue against this, but I'd say that losing access to a lifetime if mails is absolutely up there with "legal effects concerning him or her or similarly significantly affects him or her."
And from my own experience building software for government services, I can tell you this: In my experience in those systems it is not acceptable to just have a list where someone clicks “deny” all day. Or allow for that matter. We tried with a system were the rule is that the citizen gets <think they apply for> whenever all relevant demands are met. Legal was very clear: No automated decisions either way unless the relevant laws or regulations explicitly allow it, every case has to be reviewed independently — even when the outcome seems completely obvious to anyone who knows the field.
Annecdotally you do stand a decent chance of winning if you take them to small claims, either because Google doesn't send someone or they try to argue their misbehavior is warranted per the TOS (apparently that doesn't go down well).
Winning... What? Small claims is about recovering money due to you, not getting access to your Google account.
Courts can order specific performance when that wouldn't bring undue hardship to the one performing. Not sure if small claims can, but it's plausible.
[flagged]
That seems a simplification. Suing Google could backfire. Who has more money to win in court?
Backfire how? Small claims is a different game.
In your jurisdiction do you have to pay Google's legal fees if you lose?
So, what happens to an account that is registered with said suspended email account and with a passkey-only login?
Does Google-synced passkeys on Google Password Manager still work even when your account is suspended?
Can't recover your accounts because you can't access your email, unless Google still allows existing email client access even when suspended but I'm not unfortunate enough to test this out.
[dead]
A major downside of any service once it becomes too large is that the overall complexity introduces lower reliability. From Google's perspective perhaps each rule and feature makes sense, but from a customer perspective, there might be too much risk of who-knows-what issues coming up. I don't think this is limited to Google. I miss the older, less complicated versions of most bigtech services; Facebook, Instagram, Google, Amazon, etc. Even looking at Vercel's project settings the other day I found myself thinking "hmm this is getting a bit unwieldy."
It just doesn’t make sense; they have so much money they are one of the few that can actually make slightly less profit and have good customer support. But they choose to treat everyone like a robot & allow scam ads
> they have so much money they are one of the few that can actually make slightly less profit and have good customer support.
They do not want "slightly less money", they want as much money as possible
They are very well on their way to becoming the "never interact with Oracle" of the internet giants.
As far as I can see they are still living a bit off the "do no evil" of ages ago and latent animosity towards Microsoft, but they're creating an animosity that will take ages to erase unless they start putting some minimal amount of money into customer support today.
They are definitely living off of their "boy genius" phase too. People still consider Google to be somehow smarter than other organizations that provide more reliable services.
>actually make slightly less profit
Blaspheme!
Perhaps if a company is providing a service that might be considered critical (e.g. primary email address / identity provider), then there should be regulations about the level of customer support, especially some sort of human response SLA.
For YEARS I have been "screaming at the sky" (pun somewhat intended) about, what later became know as, cloud services. Family, friends, and coworkers would laugh at my resistance to use Google, Apple, Microsoft, etc. storage. Would tell me that I do not need a µSD card slot for my phone because these wonderful "free" services existed. Would mock me for continuing to purchase DVDs and CDs. I remember when Apple told me my @mac.com email address would be free forever. I feel that, as of late, I am being vindicated somewhat. With stories like this increasing. Stories of services eliminating the movies, games, music, books, storage they promised you would be around "forever", celebrities nude photos being hacked and put out there for everybody to see. Neither the cloud, and DEFINITELY not big business, is your friend at all. To them, you are just dollar signs until you aren't.
I submitted my app to App Store Connect for Apple and Google Play Store. After a few reviews on Apple my app was approved after a week or so. On Google, I got a couple rejections. I addressed the concerns resubmitted. Got another rejection without much detail, but changed a couple things and submitted again. App suspended... without any explanation why.
Also beware of having the owner for your Google Workspace be that of an employee who no longer works there. I was never able to fulfill all the "requirements" of Google support to get the Workspace back, despite the fact that it was linked to our domain... and we couldn't register a new Google Workspace to that domain. Ok, Google, I guess we just won't use your products, and we lose access to all our mail and files?
If you were running a business and suffered financial harm because of this, you're probably eligible to sue them to recover that financial loss. Don't let their ToS (where they can write anything they want and it often has no legal effect) scare you from consulting a lawyer.
To me it sounds like you're a weird business model for GCP and you keep being hit by tooling designed to block bad use cases that come across this uncommon use case.
That might just be me though.
As mentioned in their writeup, they are following documentation and best practices from Google themselves.
That trick with service accounts is how every ETL provider loads data into their customers' data lakes, isn't it?
Setting up ETL pipelines is for highly technical users. Using SSLMate as described was something that was considerably easier.
Ideally after first ticket support could flag their account as needing manual review for suspension
This seems like the easiest fix.
But it adds a human interaction and that costs money so… no! Suspend.
Sounds like they do have human interaction already, since the suspended emails need to email customer support to get unsuspended.
At a guess that makes the account a net loss for Google.
Their support reps would have to be paid thousands per hour for that to be the possible reason
This is actually a very common use case.
You're going to look like an attacker to google for almost any model of review of access. You're in a niche role which would demand they build systems to take account of you. I can understand why a monolith has back pressure towards that cost and consequence.
Sucks.
They probably shouldn't have suggested doing this in their own documentation then.
Totally agree. But the docs aren't going to guide their model. Contradiction between the reality of a service, monitoring, and docs don't go to "align with the docs" they go to "align docs to reality"
I don't like this. I too have looked like an attack on their models using things inside the customer-side of google, took special relationships to get over this, an ongoing threat to how we relate to them.
(it's not in GCP btw. different arc of the megaplex)
Docs will guide what the courts think though if this gets that far. You can be sure lawyers will bring any documentation that seems to show your case before the judge and demand why they said it worked if it didn't.
I'm not in favor of going to court, but if it does a lawyer doesn't have be very good to think of the above.
So then it seems like different departments are undermining each other’s credibility on a daily basis?
That’s been my experience with Google.
They’re too big and no one has the authority to clean it up. I’m honestly shocked we don’t see more account suspensions.
I’ve migrated my businesses to Microsoft’s cloud offerings and they’re also a clusterfuck, but at least I can get real support people on the phone pretty easily (for now…).
There was that Australian pension fund who had all their data suddenly deleted (not suspended) by Google.
https://www.business-standard.com/world-news/google-cloud-ac...
Just like it supposed to be in a corporation.
Not related to this particular reason for suspension, but I had a friend who's GCP account got put on pause a few weeks into his project because his payment method was flagged for suspicious behavior. This friend had an incident of stolen identity in the past 24 months which caused a lot of issues and basically any CC linked to him seemed to be problematic for GCP. Swapped CC linked to the account to his business partner and fixed everything.
Lesson: if you use a CC with GCP or cloud services, firewall it from everything else you do to be safe.
There's an old saying in Tennessee - I know it's in Texas, probably in Tennessee...
I read the article to know, not what happened, but why it was allowed to happen three times. They have a compelling reason.
Fool me twice, can't put the blame on you..
It might be a case where illegal / scam / anything of that type were using the SSLMate service to issue and deploy those certificates, whereas some aspects of this process (DNS / HTTP / Mail) verification or similar were processed directly on the GCP.
I could not get from the OP what really happened and what was the claim / explanation from Google side.
Google said "general terms of service violation" or unspecified "abusive activities". Google is only involved in the publication of DNS records, not the deployment of certificates. Note that they didn't require us to take any action after the suspension in 2024 to correct this alleged abuse; they just re-enabled access without any further explanation.
If scammy GCP users use SSLMate, then GCP should probably ban the scammy users instead of SSLMate?
This is very similar to how DoIT manage their client projects. I needed to add one of their service accounts to my organization's IAM policy so they could have complete visibility over all resources for monitoring / cost reporting purposes. The only potential difference being that DoIT is a Google Cloud Premier Partner™
No people to interact with. Only AI and automated systems. Engineers/PMs/leaders/etc are incentivized to develop something new (more bonus, RSU, promotions) and move on. Nobody gets rewarded to improve things already developed.
The Great Decoupling of Labor and Capital: https://www.mbi-deepdives.com/the-great-decoupling-of-labor-... explains this with numbers: Alphabet required 76k employees to get to their first $100 Billion. Their most recent incremental $100 Billion? Just 11,000! (assuming they add another 3k employees in 4Q’25)
Sometimes I think what's the worst it could happen if Google decided to delete my main personal account that I use for everything: banking, utilities...
I guess it would a hassle to go to the bank but loosing some images or old emails wouldn't be so catastrophic TBH. Maybe being somewhat nihilistic/minimalist I think that it all will still be lost when I die, so why trying to grasp those things? In some sense it's kind of liberating not depending too much on these kind of things.
Google offers takeout to download your data so you can keep a backup. I run it twice a year and keep a backup copy local and remote.
It's important to keep in mind that many (if not most) people ad-blocking google ads do so because of the fear of malware (usually from youtube).
So to Google, killing accounts of malicious actors is a primary concern, and obviously you can wield a lot of damage to people through google's services if unchecked. And even with checks, every bad actor wears the mask of innocence when appealing.
So this puts Google in a rather intractable position. Without numbers it's hard to say whether they are leaning to hard towards stopping fraud (many false positives), or too hard towards giving accounts freedom (high levels of malware served).
I think the best reason to block ads is that ads are ugly and annoying and there's no law that says you have to watch them. I think people assume you have to watch them, when they're actually completely optional.
I don't use Google cloud but the seven step OIDC configuration process is the kind of thing that can be scripted quite easily in Azure, e.g. using the az CLI tool. When a step creates a new object the command can return its ID so you can save it in a variable and use it in a subsequent step.
If Google has something similar this seems preferable to the alternatives.
Honestly, many companies are suicidal to put "everything" in the hand of AWS or Google, thousand of accounts are banned everyday, a simple accidental VPN/Tor connection can lead to losing everything (at least temporarily) and their rules aren't transparent so we can't really anticipate it.
There's a reason Google has a reputation of "Don't use it for anything that you can't afford to have disappear with no notice or recourse."
You also can't expect it to get any better, both because Alphabet has never shown any interest in improving things and because you and the services you've been using them for aren't the new AI hotness. Even if you're absurdly profitable for them (and you're clearly not) you're not in an area that their internal people are competing to serve.
I can't help but think that the mass layoffs at Amazon will produce the same culture soon. And I wonder how much is downstream of Google "defeating" antitrust.
It's open season for customers, employees, suppliers and contributors.
Secret to Azure success: Just wait for the others to f it up.
As certain youtuber says - go where you're treated best.
Google ain't it.
The google docs they point to say
> You can access data from your users' Google Cloud projects by creating a service account to represent your service, and then having your customers grant that service account appropriate access to their cloud data using IAM policies. Note that you might want to create a service account per customer if you need to avoid confused deputy problems.
If you look at most SaaS services, they rarely use a service account per customer. IMO it's no different than any part of your own services where you need to handle multiple customers. Creating multiple service accounts is just overhead.
The text you quoted explains why you wouldn’t want to create a single service account for all customers. It’s a security decision, which yes adds overhead.
I'll note that the overhead is only on the provider side; from the customer's perspective it's all the same. In contrast, OpenID Connect puts overhead onto the customer (in addition to the provider) which I find unfortunate since I want to provide a good experience.
The problem is that they manage customers through automation. If the system flags you, you’re out. By using their products, you accept the risk of being cut off.
Which makes it utterly useless for important use cases. Crazy way to do business but I guess Google doesn’t care
Gcp still can’t change our street address because of the d-u-n-s validation (of course d-u-n-s actually uses our new address… and all other vendors are fine with it). How bad must their service be that they can’t change a fucking address. Oh and the free billing support is horrible, always the same response like ‘a special team is working on it’.. yeah sure and they can’t fix an address for like a month. It’s worse since all our invoices use the old address which in Germany is a fucking problem. Time to make a migration plan.
This is why using Google Fi Wirelessis a really bad idea since you can lose your phone at any time for no reason.
This pattern is a big part of why Google is a poor company to buy infrastructure from. They are horrible at customer support, and have made it clear over the years that they have no intention of changing that. That's simply unacceptable for production infrastructure.
I hated it. Much better from akamai, tornado, kamatera, others.
I gave it a try -- Google offered a free tier vps which was a no brainer. It worked but the ui seemed jank and somewhat confusing. The cost wasn't particularly compelling, so I never deployed. I kept the free tier VPS running for a while to continue evaluation since I value a diversity of services.
However, google charged me like a dollar, and i never saw the charge since i never logged into the webui. I never got an email saying I owe them a dollar so they canceled my GCP access and blacklisted my google account from GCP.
There was a lot of friction here, and the fact that i "feel lucky" I didnt lose my very old gmail account over $1.00 makes me laugh...a very nervous laughter.
I like a lot about google. I cannot depend on google. I use google's AI offering and I am slowly becoming concerned it could affect my legacy email account. Like, everything gets locked and my doctor cannot email me.
You're going to need to buy your own domain and move to a solution that has you being responsible for your own email.
Note that doesn't mean you have to do it all yourself, there are plenty of hosting places that you can just configure with your own domain name details.
I have all of this. You need a google account to use GCP and I used my google account which was created with a gmail invite code shortly after gmail was released.
Some things are still using this email. Hey, I'm not perfect. Sometimes I exceed posted speed limits, too.
Edit: I have to choose a tech giant to get a phone app with decent push notifications as far as I can tell (I haven't scoured the earth for this .... yet) The gmail app is pretty good.
Here are options I can recommend: Proton Tuta Apple (iCloud)
All of these withh be your MX with DMARC/SPF. If you use an android cellphone you'll almost certainly need a google account anyhow. The tuta experience is not as advanced as the others, but is servicable and likely offers better security guarantees than the others. You get a lot of bang for your buck from Proton (personal wireguard tunnel vpn included), and apple is apple.
I've always felt like Google's confusing UI is completely intentional. Making a user feel lost is a great way to make your product seem larger than it really is. If they boiled down their settings and workflows into easy-to-understand screens then your understanding of the entire product could be conceptualized.
Simple example - in the early days of Microsoft Office, every new release would cause office confusion. I learned to say "it's the same product, they just moved things around". My conspiratorial sense was that the confusion was intentional to make users feel lost.
Once again: Do not use Google for anything important. "An ant has no quarrel with a boot."
So, we all know Google is pure Evil - pure greed. But people said this in the past too: don't become dependent on these giant mega-corporations, be it Google, Amazon/AWS and so forth. The cake is a lie - this is another example we can add to the "never trust Google" meme.
Google paid $32B for Wiz to try to sell GCP into every org Wiz is embedded in, expect this to continue until those making procurement decisions stop buying Google, which could take...some time.
If you use Google at this point for commercial services, you get what you deserve when they nuke your resources (caveat being services you cannot go elsewhere for, like an Android dev account). The evidence is robust they cannot be relied upon as a commercial services provider. Stop. using. Google.
(thoughts and opinions always my own, I am aware and understand in this context OP needs Google Cloud to integrate with customers in Google Cloud, which is very unfortunate, and so their Sisyphus task continues)
The question is “What else”. I’ve struggled for years with Fastmail and I’m not competent enough to buy O365.
For personal or family, I think Fastmail is fine. I use it for a family account (paid years in advance), and admin other Fastmail tenants "family office" style for those who trust me to and offload the responsibility. I can get ahold of someone at Fastmail easily when issues crop up, which is rare. O365 is what I recommend for anything SMB and up. You can at least get support from Microsoft when needed. AWS is fine for cloud resources and infra, again, you can get support from a TAM or similar. But Google? I have never once had a good experience attempting to get in touch with a human when resolution is needed, hence my position on the topic. You cannot self serve critical business infra (imho), and Google is allergic to providing human support.
Buy your own domain and run mox (https://github.com/mjl-/mox) on it. In the setup it provides details on the DKIM info you need to put into your DNS records. Get a PTR record from your ISP (if hosting at home); periodically check your blocking from spamhaus etc.
I run mine on a Pi4 no problem whatsoever, but I guess a VPS could also be used, although the scamalytics analysis will show it's a server or an IP shared with an anonymising VPN etc. if it's a shared IP on the host.
I have run my mail there for 10 years and it was smooth sailing. Until they've raised prices two-fold but I digress…
For me Migadu has been good
did you pay for any ads to google? otherwise no wonder you get suspended
Until people stop building applications with hard dependencies on "other people's computers" this is going to keep happening.
I'll tell you the problem with Google (in my experience). They've moved to Big Company cash cow mode. They even use SAP Ariba ... which dictates that their teams are silo'd and ultra rigid ... and so dealing with them is a nightmare.
N=1
Fool me once shame on you, fool me twice..
> Clearly, I cannot rely on having a Google account for production use cases. Google has built a complex, unreliable system
You cant use anything from Google. I only use gmail, my mail account only got banned one time for a week. For years I thought the punishment for using gmail was just a mater of time. I tried to imagine what weird things could trigger it. Maybe they will one day just end the service because it isn't profitable enough?
I decided the most likely would be that the mail account gets banned as a punishment for using any of their other services.
Then I made the "mistake" to switch from iphone to android. It almost immediately started complaining that my mailbox was full. The new reality is that each and every button I press on the phone could potentially end my mailbox.
Now that they [also] have very sophisticated LLM's the crappy customer service seems intentional.
GCP is a terrible idea for anything important unless you're big enough to have an executive team and yours knows theirs - was the quote I heard somewhere but am struggling to attribute.
fool me once
fool me twice
fool me thrice
They explain in the article why they still have to have a Google Cloud account. I am sure that they would gladly not deal with Google at all if they could...
[flagged]
[flagged]
Unfortunately, one doesn't get to chose who their customers make business with.
Maybe it’s time to ditch google cloud?
After the third occurrence of this i’d blame this on you, honestly.
As noted in the article it's hard to ditch Google Cloud when the reason you keep the account is for integration with, well, Google Cloud.
I'm sure they'd be happy to not have rely on having a Google Cloud account for integration with Google Cloud if possible.
Right, and we will be ditching our Google Cloud account this time, but as explained in the post this will come at either a security or a usability cost for our customers, which is why I did not ditch after the first suspension.
I can understand you not ditching after the first suspension but the second suspension should have been the point where you took the choice.
First time is a fluke, second time is a serious wake-up call, third time it's your fault.
Do you really want to reach the point where all your customers have an outage, you have to rush implementing something else (oidc or api keys) AND rush your customers to change your settings?
Second and third suspensions are a week apart. Wouldn’t be enough time to shift customers to a new auth format, specially when most of the burden is on them.
Those are negligible compared to a 100% availability / uptime cost to your business incurred from being a serf to a feudal tyrant with no name or face that enjoys abusing you.
Using GCP, AWS, or Azure is like volunteering to use your own money to rent heavy construction equipment to construct your own jail cell and excavate your own grave.
But hey, at least you get to avoid the capex on the heavy construction equipment, and it's always¹ available!
¹ except for when human error takes it offline for 14 hours straight
You're not just dealing with a massive bureaucracy, you're dealing with a massive automated bureaucracy whose rules aren't explicit, whose algorithms are buggy, and which can destroy your business on a whim with no recourse, without even noticing.
At some point it’s not worth supporting google cloud.
Have you bothered reading the post where the author stated why they cannot simply ditch GCP?
yes.
If you had actually read the post you would have understood there are ways to ditch GCP, but they are perceived as cumbersome.
The exaple is OpenID Connect. It works well with Azure (according to the post).
I'm sorry to say this, but the author is choosing something easy but unrealiable over something a bit more complicated but reliable.
It's really the author's fault. They are choosing their comfort over the service reliability (and keeping promises made to customers).
Heck they might even go with api keys. They could give explicit direction on the minimal amount of permissions the api key would need and they could ping the users each 3-4 months to rotate them.
But no, I guess we'll have another post at some point about the fourth (definitive?) account suspension.
> The exaple is OpenID Connect. It works well with Azure
That's nonsense. It requires a 7 step setup process that customers will mess up.
I think his problem with this is that his customers use Google Cloud.
If you are a business, I am not sure why on earth do you want to deal with the world’s worst customer service company: Google.
They got used to ads money, where they control the entire board. They never got good in other types of businesses. Especially not in customer service.
> If you are a business, I am not sure why on earth do you want to deal with the world’s worst customer service company: Google.
The answer is extremely simple. People aren’t businesses. You are right, no business should choose Google. But people do, for their own reasons. And businesses can only act through people. And people have their own priorities which override the interest of the business, like “What should I choose to never be blamed if/when it fails?” Google is an extremely safe bet there, like IBM of old.