by fauigerzigerk 5185 days ago
What I don't get is why the very first step in Google's automated process is to lock down the entire account. The debate is around the scalability of support, but that doesn't explain why the automated first response is so radical and so radically stupid.

The anger and rage Google provokes by not letting people log in and access their own data is totally unnecessary. They could just as well let people log in, view their data and receive email but prevent them from sending mail, publishing content, uploading more stuff, etc.

This is not simply about automation or no automation. It's about smarter automation and an intelligently staged response to any suspected issues. If algorithms are to be accepted as decision makers, they have to be gentle and not treat everyone like a criminal as soon as there is some suspicion.

I suspect it's for the same reason as they never reveal any details about their search ranking techniques or why some SEO or suspected fraud got your AS/AW account banned - it's an information leak which people will abuse.

The downside to running such a heavily automated ship is that without countermeasures, a sophisticated attacker could map out the thresholds of your fraud/misuse detection system, and then keep just below triggering point.

On top of that, there are actually situations in which you might want your account to be suspended quickly - ideally before an intruder can cause too much damage or access any valuable information.

Some sort of graduated response is clearly necessary, but the real issue is the complete lack of timely dispute investigation/resolution. And it's probably a hard enough problem to resist automation for quite a while yet.

Edit: This obviously only applies to situations where they might reasonably expect you to be malicious, or someone else to be in control of your account. Immediate irrevocable suspension over some tiny ToS violation is pure madness.

So we have two cases:

1) A suspected TOS violation by the legitimate owner of the account.

Trying to prevent this via obscurity is crazy and counter-productive as people cannot learn from honest mistakes. It also antagonizes people who become victims of bad algorithms. There is no reason why the kind of staged response I outlined couldn't work in this case.

2) A suspected security breach that puts ownership in doubt.

This should be handled by resetting the password and contacting the legitimate owner using contact information on file before the breach. It's really simple.

I imagine it goes like this:

1) attacker guesses your password or obtains it via phishing.

2) attacker changes password, starts sending spam

3) Google locks account

When you have arrived at 2), you have already lost the account for good, and 3) is only for damage control.

You should know that Google has no way to verify whether your account has been hacked, or whether you yourself are a spammer; therefore the best thing for them to do is just to lock the account.

That's not the best thing to do, that's the most unimaginative thing to do.

I would do it this way:

1) Make sure that only the legitimate owner has access to the account by using previously entered contact data to ask him/her to change the password.

2) Check if the suspicious behavior stops, which it will in most cases.

3) If it doesn't stop, put the account in read-only mode. If the kind of behavior may be an honest mistake, explain to the user what happened. Just take that risk, it's going to be worth it.

4) If it's a statistically active user with lots of regular-looking data, let a human sort things out.

5) If the issue remains unclear, tell the user to download any data he wants to keep and notify him/her that the account will be closed.

Yes, that would be better for the user, but this is a free service, and Google has not much to gain from making the process more complicated (imaginative) and thus more error-prone. As a user you have the responsibility of keeping your password absolutely safe; if you do that (and better yet use 2-factor auth), nothing should go wrong.

Your option 1) boils down to adding more "passwords" by which the user can authenticate itself, so it's not a fundamentally better protection as they can be guessed by an attacker as well. Requiring a text message confirmation for password changes might be a better idea.

All steps on my list are either fully automated or optional, so it doesn't cost them more.

Google has a lot to gain from people entrusting them with their data, that's why they provide a free email service in the first place.

It would be a mistake to think that trust is linear. You can't just treat a few people very badly without risking a major backlash against your business model.