by layer8 780 days ago
Don't bind your online identity to Apple or Google or Microsoft, in particular not the email addresses you use for accounts. That at least limits the damage they can do.
5 comments

Fundamentally it's going to be bound to someone though. If you run your own domain to host your main email address, you're now bound to the registrar's login to manage that domain name, and also the cloud provider you're using to host the mail services (unless you run that off a machine you have physical access to).
Sure, but I'd much rather be bound to a domain registrar, where I'm paying them for a small, well-defined, self-contained service, where I have recourse if they do something shady to me.

For Google/Apple/etc., I'm either not paying them at all (in which case they have very little incentive to help me if something goes wrong), or I am, but for a basket of services. The identity portion of those services is probably not what that company is focusing on providing, and any weirdness with any other service in that basket could cause me to lose my access to the identity bits, often without recourse.

Yes, but you can choose a medium-sized, established registrar with a functioning human support desk, where you are the customer instead of the product driving hyperscale ad revenue. The hosting provider is not an issue, because you can switch very quickly to a different one if needed, and only have to change your DNS entry at the registrar, or whatever you use as your nameservers. Depending on your country’s jurisdiction, you also may have some legal rights to the domains you acquire under the country TLD and are not exclusively at the mercy of the registrar.
If you use your own domain, open source software, and backup often they can't lock you up forever like Google/Microsoft/Apple tho
You're missing my point that you're still beholden to the domain name registrar that manages your domain name on your behalf. That account getting permanently locked out will have all the same bad consequences for your online life as your Google account getting locked out.

And keep in mind that being a domain name registrar is a low margin business (typically they're only grossing a few bucks per domain per year, before accounting for any other expenses like staffing and systems), so you're not gonna get great support.

My understanding is that legally you own the domain and the registrar is only managing it on your behalf and they are required to transfer it to another registrar if they terminate you as a customer. As recently happened for Russian users on Namecheap for example.
This. My TOTP 2FA for Namecheap just stopped working one day, despite nothing changing. I was totally locked out. I got lucky and their support was helpful and we reset it after a few hours, but it made me realize that there is no way to be 100% safe.

(My Google account is dead even though I have the username, password and recovery email which forwards to me since I don't have the phone number)

At some level, every business has incentives to minimize what they provide you vs what you provide them. But even low margin businesses where you’re the customer are more likely to have incentives and structures built around paying attention to you than low margin per user businesses where users aren’t the customer but part of the product.
I don’t think anyone is arguing that they can get away from the chain of trust required to operate in the modern world.

I believe they are advocating for minimizing risk by not deeply integrating with capricious cloud providers.

I host my own email service and several times have had the registrars get sold and once sold and then the purchasing registry discontinued the registry service, or maybe the secondary DNS. They generally have support that at least understands how DNS works, which I find surprisingly rare among tech folks.

However the big problem is I am frequently banned from emailing gmail or office365. Never Apple for some reason. So I can read email but I can’t that well send it. But I don’t really care much, mostly people have to tell me out of band to check my email if they have sent me email. My email sessions are mostly a review of current spam practices and questionable emails from firms I have done business with.

The backup for that is a registered trademark on the domain. Recovery via ICANN procedures is slow, though.
Registrars are beholden to the registry and ultimately to ICANN rules (for classic TLDs at least). They can't just fuck you over whenever they feel like in the same way that Google/Microsoft/Apple can with their services.
Some failure states are unique to people who exist in these weird edge-case states though. Like the person who had their luggage stolen, the person registered the laptop to their own account, then returned it still paired. And apple wouldn’t un-pair it from Find My even with a police report documenting it all, therefore it’s bricked.

(And to be fair to apple here - they didn’t do anything wrong here, strong end-to-end security inherently means allowing these states. Otherwise the cops could order apple to unlock it too, and apple wouldn’t have a moral ground to object if they’re regularly performing the task in other circumstances. Otherwise people could social-engineer apple support to unlock a stolen device, or their partners. To a certain mindset, google and apple not having any real support is a strength because there’s no way to social-engineer your way past the actual security. But people want both the idea of E2E security and the convenience of being able to remotely un-register a laptop from someone else's account...)

Anyway, that failure mode wouldn’t exist if they were logged in to their account, and e2e encryption makes that a very low-risk thing overall.

Apple can’t see where to it devices are anyway, without doing a song-and-dance to authorize the session on a pre-authed device. Airtags and iphones have a rolling hardware identifier for bluetooth and wifi based on a cryptographically strong pseudorandom sequence, and apple can't correlate the identifiers back to an actual device without a pre-authed device relaying the sequence from your account. Etc etc.

Apple have actually done the legwork to make sure they can't see anything (or be forced to reveal anything) if you don't want them to (by enabling E2E), and that actually does drive a lot of "user-unfriendly decisions". And sure, android people will say "that's awfully convenient", but, the end state is still a lot stronger than any other major offering regardless of why you think they're doing it.

There really isn’t a good solution for this for the masses, is there?
Buying a domain is not difficult, nor is configuring it with a mail service like Fastmail. Yes, it’s slightly more involved than signing up at GMail, but it’s less complicated than doing your taxes (YMMV). The more people do it, the more helpful resources and service would appear for it. The problem is most people don’t care until they get unlucky and their account gets cancelled for inscrutable reasons. It would be better to have regulation that protects users.
The risk of an average person forgetting to update their credit card details and irrecoverably losing a personal domain is almost certainly thousands of times higher than them being accidentally and permanently locked out of a Google or iCloud account.
Where I live, the most common payment method for such services is direct debit from your bank account, where the details never change unless you switch banks; and in the rare event that you switch, you can make use of a service that banks are legally required to provide for transferring debit mandates to the new account. I bought my first domain about twenty years ago and never had to change anything regarding payment.
A lot of people live paycheck to paycheck. I’d wager even more people on average would lose their domains with this approach either by forgetting to or being unable to put the necessary funds in their account, and having the payment declined.

Losing your entire online identity because you didn’t pay on time is an absolute show stopper for an enormous number of people.

Most people are not tech people. They do not know or care, or even care to know, about the details and importance of maintaining and protecting an online identity. They won’t remember to update payment details until things start failing. They won’t check their email frequently enough to notice before this happens. They will ignore text messages, either assuming they’re scams, spam, or unimportant.

You’re in the US, presumably? Is it really that common there for people to overdraw their account to the extent that direct debit in the $10 range would fail? That would be a very rare occurrence here. And you wouldn’t immediately lose your domain just because the payment failed once. It would be a much longer process.

People also have a mobile phone number with a plan they have to pay for. I don’t see why a domain should be any different, and it isn’t actually that different in my country.

Although I can and have managed domains and mail services, I don’t agree that what you described is for the majority. Do you really think that’s true?
In the current state, the majority will need some help, similar to how they need some help when something goes wrong with their laptop. But as I said, if this would become a more widespread practice, more services would become available that make it easy and that help in case of trouble.

The biggest impediment is probably that most people aren’t willing to pay (say) $10 per month for a domain and email hosting like they do for streaming services, because they’re used to email being free. So they remain at the mercy of the big providers.

But I can at least encourage the HN crowd here to move to independent services and to use their own domain.

Your first two sentences prove my point that this is not adoptable by most. Cell phones are ubiquitous and permeated all tiers of society. Hosting your own domain and email isn’t. I get the limitations but my point was that this isn’t practical by most for technical reasons. Ignoring the financial challenges of convincing people to spend money on something that has been free for their entire life.
You can use your own domain with Google at least, and I’m guessing Microsoft as well. It could be a good middle ground where you control your email and just let Google, etc. use it for the time being. It looks just like gmail but you can always get out if you have to.
Which is why they make it so hard to avoid doing this.
Using your own email account doesn’t generally make things more difficult.
I'm thinking of Microsoft Accounts on PCs and how you need to know how to jump through hoops to avoid them at OOBE. And about how this is about AppleIDs and losing them - it's my understanding that Apple is less aggressive about AppleIDs than Microsoft is about Microsoft accounts, but also, TFA. Google has similar levels of fuckery especially if you're on Chromebooks but Google's sin is nonexistent customer support. I wouldn't want my most important email address to be tied to any of these three, although I speak as a gmail-using hypocrite who plans to change that soon.
The thing that really bugs me about Google is you can make an account tied to an unrelated domain, but then they don't let you use that for a lot of things, so you're forced into a gmail account.
iTunes didn't even allow you to add your own album art. To do so you had to be signed in with Apple ID, so Apple could look up the album details on the iTunes store and set the image that way.

This was in 2008, so the software ecosystem lock-in strategy was already well-established back then.

I was adding my own album art to ripped CDs since well before 2008.
This is utterly false: https://www.youtube.com/watch?v=bnBsIAiZfFc

You could always edit artwork in iTunes. Indeed, you could import albums from your own CDs and not even use the iTunes Music Store at all.

The video you linked is from 2015, almost a decade after the time period I referenced in my comment.