Proposal: “Shared” Accounts to Avoid Google Access Nightmares

Greetings. As I’ve noted in posts such as:

The Google Account “Please Help Me!” Flood:

Protecting Your Google Account from Personal Catastrophes:

and in various other associated missives, I’m nearly constantly being approached for informal assistance by Google users who are having problems accessing their Google accounts. Many are in a panic. Some call me on the phone and are literally crying — their whole lives are pretty much on Google and they’re desperate. Sometimes they find me from articles I’ve written or from radio discussions, in other instances via word of mouth.

I try to help when I can. I can offer direct advice to some of them (especially if they haven’t been “hard” locked out of their accounts through continued “thrashing” around on their part); for others, in some situations, I’m able to help them reach Google support personnel for their issues.

But I’m just one guy here in L.A. — I don’t scale well to the scope of these problems — nor do I have any official connection with Google these days.

While Google indeed offers various proactive means to protect your Google accounts, the plain truth is that many users don’t use them. In many cases, they’ve never even heard of them — or they don’t understand them.

With so much of so many people’s personal lives now dependent on Google’s great services, loss of access to your account can be devastating, and regaining access, especially if you don’t fully understand what’s going on, can be a frustrating exercise in futility.

I’ve talked in the past about the shortcomings in Google’s account recovery flows and how they affect ordinary users — it’s a very complex area. Let’s leave this aside for the moment.

Let’s instead ask the more fundamental question — how can we help Google users of all sorts — not just relatively young techies — avoid problems with their Google accounts in the first place? Remember, all sorts of persons from all walks of life, including growing numbers of the elderly in a rapidly aging overall population, are very much dependent on Google these days.

The most common ad hoc “solution” to this class of problems is telling someone else — for example a family member or friend — your Google username and password credentials. This is not at all uncommon. But from a security and privacy perspective, it’s awful.

Someone else who has your credentials has total access to your Google account and all related services, at the same privilege level as you across the board. Good security practice strongly favors giving third parties only the minimum necessary access, but in the current context of Google accounts that really isn’t possible — it’s all or nothing.

Still, as an alternative to a user getting confused and losing data or getting locked out of their account (or otherwise disrupting their essential Google services), handing someone else your Google credentials is frequently seen as the only practical course of action.

In fact, there’s a significant number of Google users who have given me their Google credentials for this purpose — for some I also act as their account recovery address and I deal with their 2-factor verifications as well.

I don’t like doing this. Again, it’s awful from a privacy and security standpoint. But I won’t leave these users out in the cold.

To be sure, none of these problems are trivial to solve, especially at Google scale.

There is a better way though, that would be extremely useful for Google to implement — a concept that various other online services should consider using as well.

I propose that Google seriously explore solving this class of problems in a more controlled and structured manner, by creating a formal “Google account delegation” system.

Such a system would permit a user to delegate (that is, share with third parties in a controlled manner) specific permissions and capabilities (either individually and/or in logical groupings) for access to various aspects of the user’s Google account.

This would allow a designated third party to provide the kinds of ongoing assistance that many users desire and require — including but not limited to helping the user avoid errors that could disrupt their account access or usage in various ways — but without the need to share their primary, full Google credentials with those third parties as would be necessary today.

Delegated capabilities and permissions would be revocable by the user at any time.
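
A minimal sketch of the scoped, revocable delegation described above, as an added example that is not part of the original post and does not reflect any Google API. The permission strings, groupings, user names and class name are all hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical "service:action" permissions bundled into logical groupings.
GROUPS = {
    "mail-helper": {"gmail:read", "gmail:manage_filters"},
    "security-helper": {"account:view_security_alerts", "account:approve_recovery"},
}

@dataclass
class DelegationRegistry:
    owner: str
    grants: dict = field(default_factory=dict)  # delegate -> set of granted permissions

    def grant(self, delegate, *, permissions=(), groups=()):
        """Grant individual permissions and/or whole groupings to a delegate."""
        perms = set(permissions)
        for g in groups:
            perms |= GROUPS[g]  # unknown group raises KeyError: fail closed
        self.grants.setdefault(delegate, set()).update(perms)

    def revoke(self, delegate, permissions=None):
        """Revoke selected permissions, or everything when permissions is None."""
        if permissions is None:
            self.grants.pop(delegate, None)
        else:
            self.grants.get(delegate, set()).difference_update(permissions)

    def is_allowed(self, actor, permission):
        """The owner keeps full access; a delegate gets only explicit grants."""
        if actor == self.owner:
            return True
        return permission in self.grants.get(actor, set())  # default deny

def demo():
    """Constructed scenario: alice delegates to bob, then narrows and removes access."""
    reg = DelegationRegistry(owner="alice")
    reg.grant("bob", groups=["mail-helper"], permissions=["drive:restore_deleted"])
    before = {
        "read_mail": reg.is_allowed("bob", "gmail:read"),
        "restore": reg.is_allowed("bob", "drive:restore_deleted"),
        "change_password": reg.is_allowed("bob", "account:change_password"),
    }
    reg.revoke("bob", ["gmail:read"])          # narrow the grant
    partial = (reg.is_allowed("bob", "gmail:manage_filters"),
               reg.is_allowed("bob", "gmail:read"))
    reg.revoke("bob")                          # remove the delegate entirely
    after = reg.is_allowed("bob", "gmail:manage_filters")
    return before, partial, after
```

Unlike a shared password, the delegate here never holds the owner's credentials, so revoking access does not require the owner to change anything about their own login.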

I won’t in this post get into the details (to which I’ve given quite a bit of thought!) regarding what would be involved in making a concept like this deploy successfully in practice — it involves various layers ranging from upper level account capabilities down through specific Google services permissions. It’s certainly not simple but is wholly within Google’s abilities.

Given the vast numbers of persons who now depend on Google in so many ways, it makes enormous sense that these users should — if they so desire — be able to delegate specific aspects of their Google accounts to trusted individuals who could help them to manage those accounts and related services effectively, and in particular help them to avoid mistakes that can cause extremely upsetting situations such as accidentally deleted data and account lockouts, to name but two common scenarios.

Google account delegation options would be great for Google’s users, for Google itself, and for the broader community.

Google can do this.