[jarland]

Hey friends! My name is Jarland and I'm on the support team at DigitalOcean. We do have a number of fraud and abuse algorithms, and when we are alerted to potentially fraudulent activity, we take appropriate action, which includes notifying and communicating with individual users. I also want to confirm that we are fully compliant with GDPR.

[drchiu]

Thanks @jarland for chiming into this thread. I love how DO has evolved over the past several years and want to comment about that.

I use DO for production and have gradually migrated my infrastructure away from AWS and Linode to Digital Ocean as the platform improved.

Just a quick question: If the algorithm is triggered (regardless if it is a false positive or not) and the user is notified, what happens with the droplets in the meantime? Is there a grace period for the user to act before DO takes action? And is the whole account frozen or just the offending droplets?

It seems the major concern amongst commenters here is the sudden lost of service.

Thanks for the great service, and I look forward to your insight on this.

[raiyu]

Depending on which items are flagged the account is put into a locked state, which means that access is limited. However, the droplets for that account and other services are not affected at all.

The account is also notified about the action and a dialogue is opened, to determine what the situation is.

There is no sudden loss of service. There is no loss of service without communication. If after multiple rounds of communication it is determined that the account is fraudulent, even then there is no loss of service that isn't communicated well in advance of the situation.

[jarland]

The answer depends on a variety of factors, but in general, when we're alerted to something that could be a violation of our Terms of Service, we attempt to engage with customers. In some cases, we may take actions against the resources running against an account and a vast majority of the time, there is a grace period before any permanent action is taken. If you have questions about specific cases, we recommend contacting our support team directly.

[donmcronald]

Yeah, I want to know if the execution is before or after the trial. Part of DO's appeal to me is the simplicity and predictable (low) cost. It would be really great if they published well defined account termination procedures. Do I get a phone call? An email? Do I get to respond before being disconnected? Is there an appeals process?

[raiyu]

As anyone who runs a service that provides full root access to servers understands there is a tremendous amount of opportunity for potential abuse. It becomes a game of cat and mouse to catch the abusers and prevent them from creating numerous accounts which ultimately impact system performance and can lead to potential problems for real legitimate customers.

Those guidelines aren't published specifically because if they were, then the abusers would immediately begin to route around them, so it's meant to be opaque for a reason, but that is against fraudulent use, not legitimate use.

[geetfun]

@raiyu, this is excellent and thank you. It’s reassuring to see DO’s leadership come out and explain things.