A Proposal for “Enhanced Recovery Services” for Locked Out Google Accounts

This post could get very long very quickly, so instead I’m going to endeavor to keep this introductory discussion brief, with an array of crucial details to come later. 

In my recent posts:

An Example of a Very Sad Google Account Recovery Failure — and How It Affects Real People

https://lauren.vortex.com/2023/05/17/google-account-recovery-failure-sad

and:

Potentially Serious Issues with Google’s Announced Inactive Accounts Deletion Policy

https://lauren.vortex.com/2023/05/16/google-inactive-accounts-deletion

(and frankly, in many related postings over many years in this blog and other venues), I discussed the continuing problems of honest Google users being locked out of their Google accounts, often with a total and permanent loss of all their data (Gmail, photos, Drive files, etc.) that they entrusted to Google.

These lockouts can occur for an array of reasons — problems with login credentials, third-party hacking of accounts including (but not limited to) malware, Google believing that violations of its Terms of Service have occurred, and many other events.

Each of these is an entire complex topic area that I won’t detail in this post.

But the bottom line is that many Google users who feel that they have done nothing wrong find themselves locked out of their accounts — and crucially — their data at Google, and are unable to successfully navigate the existing largely automated account recovery procedures that Google currently provides.

Generally speaking, once a user who has been locked out of a Google account reaches this point, they are, to use the vernacular, SOL — there’s no way to proceed. Usually their data, no matter how important and precious to their lives, is lost to them forever.

To be sure, sometimes the failure to recover a Google account is rooted in the failure of users to provide or keep up to date the recovery information that Google requests for the very purpose of easing account recovery paths.

But the reality is that many users forget about keeping these current, or are reluctant to provide phone numbers and/or alternative email addresses (if they even have them) in the first place. That’s just the way it is.

And ultimately, even at Google’s enormous scale of users who use its services for free, there is something inherently wrong about honest users who lose so much of their lives — that Google has encouraged them to entrust to Google — when an unrecovered account lockout occurs.

Over and over again — in a manner reminiscent of the film “Groundhog Day” — desperate Google users who have been locked out have asked me if there was someone they could pay to help them? Isn’t there some way, they ask, for Google to do a deeper dive into the circumstances of their lockouts, the users’ official government IDs for proof, and other methods to authenticate them back into their Google accounts — as can be done at virtually all financial institutions and most other firms.

Right now the answer is no.

But the answer should be and could be yes, if Google made the decision — by no means a trivial one! — to provide the means for such “enhanced recovery services” for Google Accounts, which in some cases (e.g., when a user is indeed at fault as the root cause of the lockout) could be chargeable (that is, paid) services as a means to help defray the additional costs involved.

This is a very complicated area with an array of trade-offs and nuances. It’s likely to be highly controversial. 

But as far as I’m concerned, the status quo of how Google account recoveries work (or fail) is no longer acceptable, especially in the current regulatory and political environment.

In future discussions, I will detail my thinking of how “enhanced recovery” for Google accounts could be accomplished in practice, and how it would benefit Google’s users, Google itself, and the wider global community that depends upon Google.

Take care, all.

–Lauren–

An Example of a Very Sad Google Account Recovery Failure — and How It Affects Real People

UPDATE: 24 May 2023: A Proposal for “Enhanced Recovery Services” for Locked Out Google Accounts

– – –

All, I am doing something in this post that I’ve never done before over these many years. I’m going to share with you an example of what Google account recovery failure means to the people involved, and this is by no means the worst such case I’ve seen — not even close, unfortunately.

I mentioned yesterday in my other venues how (for many years) I’ve routinely tried to informally help people with Google account recovery issues, because the process can be so difficult for many persons to navigate, and frequently fails. The announcement yesterday of Google’s inactive account deletion policy that I blogged about then:

https://lauren.vortex.com/2023/05/16/google-inactive-accounts-deletion

triggered an onslaught of concerns that for a time made my blog inaccessible and even delayed inbound and outbound email processing.

I’m going to include below most of the text from messages I received today from one of my readers about a specific Google account recovery failure — and how that’s affecting a nearly 90-year-old woman. I’ll be anonymizing the message texts, and I’ve of course received permission from the sender to show you this.

Unfortunately, this example is all too familiar for me. It is very much typical of the Google account recovery problems that Google users, so dependent on Google in their daily lives, bring to my attention in the hope that I might be able to help.

I’ve been discussing these issues with Google for many years. I’ve suggested “ombudspeople”, account escalation and appeal procedures that ordinary people could understand, and many other concepts. They’ve all basically hit the brick wall of Google suggesting that at their scale, nothing can be done about such “edge” cases. I disagree. In today’s regulatory and political environment, these edge cases matter more than ever. And I will continue to do what I can, as ineffective as these efforts often turn out to be. -L

 – – – Message Text Begins – – –

Hi Lauren, I tried to help a lovely neighbor (the quintessential “little old lady”) recently with her attempt to recover her legacy gmail account. We ultimately gave up and she created a second, new account instead. She had been using the original account forever (15+ years) and it was created so long ago that she didn’t need to provide any “recovery” contacts at that time (or she may have used a landline phone number that’s long been cancelled now). For at least the last decade, she was just using the stored password to login and check her email. When her ancient iPad finally died, she tried to add the gmail account to her new replacement iPad. However, she couldn’t remember the password in order to login. Because the old device had changed and she couldn’t remember the password and there was no back channel recovery method for her account, there was no way to login. I don’t know if you’ve ever attempted to contact a human being at google tech support, but it’s pretty much impossible. They also don’t seem to have an exception mechanism for cases like this. So she had to abandon hopes of viewing the google photos of her (now deceased) beloved pet, her contacts, her email subscriptions, reminders, calendar entries, etc.

I understand the desire to keep accounts secure and the need to reduce customer support expenses for a free service with millions of users. But it’s also frustrating for end users when there’s no way to appeal/review/reconsider the automated lockout. She’s nearly 90 years old, so I find it remarkable that she’s able to use the iPad. But it’s difficult to know what to say to someone like this when she asks “what can we do now” and there are no options…

I recognize that there are many different kinds of google users. Some folks (like journalists, dissidents, whistleblowers, political candidates, human rights workers, etc.) need maximum security for their communications (and their contacts). In these cases, it makes sense to employ multifactor authentication, end-to-end encryption, one time passwords, and other exceptional privacy and security features. However, there are a great many average users who find these additional steps difficult, frustrating and (esp. in the case of elderly people who aren’t necessarily very technology savvy), sometimes bewildering. It’s tough to explain that your treasured photos can’t be retrieved because you’re not the sort of user that google had in mind. Not everyone is a millennial digital native who finds this all obvious.

 – – – Message Text Ends – – –

–Lauren–

Potentially Serious Issues with Google’s Announced Inactive Accounts Deletion Policy

UPDATE: 24 May 2023: A Proposal for “Enhanced Recovery Services” for Locked Out Google Accounts

UPDATE (17 May 2023): An Example of a Very Sad Google Account Recovery Failure — and How It Affects Real People

– – –

Google has announced that inactive personal Google accounts will be removed and all of their data deleted after two years, after a number of emailed reminders:

https://blog.google/technology/safety-security/updating-our-inactive-account-policies/

Right now I’m only going to thumbnail some potentially serious issues with this policy. They deserve a much more detailed examination that I will address when I can, but there are many associated concerns that Google did not address publicly, and these matter enormously because Google is so much a part of so many people’s lives around the planet.

– Will account names become available for reissuing after an account is deleted? Google policy historically has been that used account names are permanently barred from reissuing. I am assuming that this is still the case, but I’d appreciate confirmation. This would be the best policy from a security standpoint, of course.

UPDATE (17 May 2023): I’ve now received confirmation from Google that account names will not be reissued after these account deletions. Good.

– Given the many ways that users can lose access to their Google accounts, including password and other authentication confusion, lockouts in error due to location login issues, and many other possibilities related to authentication and account recovery complexities, I am not convinced that deleting user data after two years of inactivity is a wise policy. While keeping the data around forever is impractical, two years seems very short from a legal standpoint in an array of ways, even if routine user access is blocked after two years of inactivity. While many users locked out of their accounts simply create new accounts, many still have crucial data in those “trapped” accounts, and most users unfortunately do not use the “Takeout” facilities Google provides to download data while accounts are still active.

 – The impact on user photos and public YouTube videos are especially of concern. Many popular and important YouTube videos are associated with very old accounts that are likely effectively abandoned. The loss of these public videos from YouTube could be devastating.

UPDATE (17 May 2023): While their original announcement yesterday said that YouTube videos would be deleted when accounts were deleted under this policy, Google has responded to concerns about YouTube videos and has now made a statement that “At this time, we do not plan to delete accounts with YouTube videos.” Obviously this leaves some related open questions for the future, but is still great news.

– Many people use Google accounts for logging in to non-Google sites via federated login (“Login with Google”) mechanisms. While Google says these logins will continue to constitute activity, many of these accounts are likely fairly old and their associated users may not have used them for anything directly on Google for years (including reading emails). If they also have not been logging on to those third party sites for extended periods, when they do try again they’re likely to be quite upset to find their Google accounts necessary for access have been deleted.

I could go on but for now I just wanted to point out a few of the complex negative ramifications of Google’s policy in this regard, irrespective of their assertion that they’re meeting “industry standards” related to account retention and deletion. 

As it stands, I predict that a great many people are going to lose an enormous amount of data due to this Google policy — data that in many cases is very important to them, and in the case of YouTube, often important to the entire world.

–Lauren–

How Google Broke Chrome Bookmarks Sync

UPDATE (15 May 2023): And … about 48 hours after this original post, bookmarks starting successfully syncing in full to my tablet, after months of failing totally (despite my many best efforts and every sync trick I know). Coincidence? Could be. But I’ll say “Thanks Google!” anyway. 

– – – – – –

Greetings. Recently I asked around for suggestions to help figure out why (after trying all the obvious techniques) I could no longer get my Chrome bookmarks to sync to my primary Android 13 tablet.

Now, courtesy of a gracious #Mastodon user who pointed me at this recent article, I have the answer as to the why. But there’s no apparent fix. Bookmark sync is now broken for power users in significant ways:

https://www.androidpolice.com/google-chrome-bookmark-sync-limit/

In brief, Google appears to have imposed (either purposefully or not) an undocumented limit to the number of bookmarks permitted to be synced between devices. If you exceed that limit, NO bookmarks appear to usually sync — you can end up with no bookmarks at all on most affected devices.

In my case, my Android 13 phone is still syncing all bookmarks correctly, while my tablet has no bookmarks, and shows the “count limit exceeded” error in chrome://sync-internals that the above article notes.

The article suggests that the new undocumented limit is 100K for desktops and 20K for mobile devices. It turns out that I have just over 57K bookmarks currently, so why the limit is exceeded on the tablet and not on the phone is a mystery. But having ZERO synced bookmarks on the tablet is a real problem.

Yeah, there are third party bookmark managers and ways to create bookmark files that could be viewed statically, but the whole point of Chrome bookmark sync is keeping things up to date across all devices. This needs to work!

And if you feel that 57K bookmarks is a lot of bookmarks — you’re right. But I’ve been using Chrome since the first day of public availability, and my bookmarks are the road maps to my use of the Net. For them to just suddenly stop working this way on a key device is a significant problem.

I’d appreciate some official word from Google regarding what’s going on about this. Have they established new “secret” limits? Is this some sort of bug? (The error message suggests not.) Please let me know, Google. You know how to reach me. Thanks. 

–Lauren–