HACKER Q&A
📣 eth0up

Any Litigation Potential for Google's Account Lockout Policy?


Hello fellow HN readers. I am presently without power, in Florida, dealing with the aftermath of Hurricane Milton. There have been fuel shortages, but I have a small amount left for a very small generator. Last night, after a major cleanup operation, I fired up the generator, plugged in my computer and useed my phone as a hotspot (access point), processed and edited videos I took earlier which comprised a damage assessment, and before/after conditions.

I was already logged into both Gmail and YouTube, but upon attempting to upload the video, YouTube insisted I must prove it was actually me. I followed the steps without error, having an access code sent to my phone via text. Despite entering everything correctly, it was rejected, until multiple attempts resulted in complete lockout of both Google and YouTube. 12 hours later, I am still locked out.

I understand the principles of security, which is why I have a password consisting of non-dictionary characters. However, what is the point of a password if it is not sufficient as a credential even with multi factor text confirmation?

I've ideas of why Google has done this, and I'm furious. I've submitted FCC complaints and will proceed with FTC, State Attorney and more.

To target a user in a vulnerable situation, ie natural disaster by arbitrarily deciding that previously accepted credentials are now suddenly not acceptable is pretty evil. Is there anything I can do, not so much for restoring account access, but holding Google responsible for this ill-timed nonsense?

  👤 hollerith Accepted Answer ✓
I'm not interested in the legal aspect of this person's situation, but I am curious what a Google account holder can do to prevent such situations. Will enrolling a passkey for example make an account holder's access significantly more reliable?
👤 drpossum
I am not a lawyer and this is not legal advice, but the responsible answer to your titular question is "get a lawyer and listen to them". If you are asking for reliable legal advice from strangers on the internet, you have made a misjudgment.

> I've submitted FCC complaints and will proceed with FTC, State Attorney and more.

What is it that you believe you are entitled to? Free services like this are all typically offered "as is" and "without warranty". From the gmail terms verbatim

WE DON’T MAKE ANY WARRANTIES ABOUT THE CONTENT OR FEATURES OF THE SERVICES, INCLUDING THEIR ACCURACY, RELIABILITY, AVAILABILITY, OR ABILITY TO MEET YOUR NEEDS.

https://policies.google.com/terms?hl=en#toc-problems

From my reading, even if you were doing everything security-wise right to log in and their systems were entirely broken into perpetuity and no one could log in, they'd argue they don't have to and by you agreeing to the terms of service when you were using it you agreed with that limitation.

From a business-wise standpoint, a company considering offering services like these for free that carried liability for your grievances above would not offer these services at all. That's just inviting unnecessary loss on top of whatever value they extract from it.

No government agency or official is realistically going to start enforcing mandatory blanket support requirements for free products from private companies that were fairly represented as such. If they did huge swaths of the internet would go under because they're not sustainable, especially if litigation floodgates opened after a precedent.

tldr: You get what you pay for

👤 fumar
Can you provide more insight? Why would an online video platform block you?
👤 eth0up
I want to point out the absurdity of this for those overly technical, legalese/intellisleaze types capable of rationalizing anything. The types that think a 200 page agreement is necessary and fair procedure before saying "good morning" to a stranger.

For the human out there, untainted by this kind of thinking, I'll put it in perspective:

'To protect you from hackers and save your account, we'll hack it before they do, with a 99.999% guarantee that our efforts to compromise your account will be second to none. Thanks for playing Security Games LLC, subsidiary of Alphabet Inc. Please discard your credentials, as the game has now ended. To sign up for a new account and Play Again, please follow original steps. Good day, and rest assured, all your data is safe with us - and anyone we choose to give it to, except you... you get nothing.'

Sociopathically,

-Google Team

Your feedback matters! Please take a moment to tell us what you think of our game on a scale of [0-9] where 0 is completely ineffective and 9 is highly effective

* Portrayed an image of trust, reliability and security [7]

* Simulated real email services with gmail [9]

* Instilled a sense of continuity of services, in your case, 15 years [9]

* Genuinely surprised and caught you off guard when we terminated your account access [9]

* The level of randomness and unpredictability that ended the game [9]

* Google Z/LC's terms of service were challenging and not too easy to understand and did not spoil the fun [?] /Zero

* The losses you incurred when the game was over were very realistic, persuasively emulating or even exceeding those of real life [8]

* The game seemed very realistic [9]

* The concept of passwords and multi-factor authentication made things seem more real [9]

* Confidence that a password was actually a factor in "your" account access and security [8]

* Would recommend this game to a friend or family [0]

* Would recommend this game to an adversary [8]

* Would play this game again - if not, please explain in your own words why not [0]

[Because it wasn't made sufficiently clear that it was a game. Too realistic. No boundaries isolating in-game damage from real life. No option to export game progress. Game wasn't fun and seemed much more business and work related. And just because it's free doesn't justify going too far and causing real problems.]