I've had the same Google account since time immemorial. About a year ago, Google started hassling me to hand over my date of birth. I had long lived without access to "mature" YouTube content. But now Google began bombarding me with pop-ups on my Android phone. I kept refusing. In retaliation, Google took my ancient Gmail account hostage, blocking access behind an unskippable demand for my DOB. I had no choice but to cave and provide them with a date. I was livid.
Now that months have passed and my jets have cooled, I would like to take a moment and speak directly to Google:
Thanks, Google. You finally gave me the push I needed to pack my bags and leave. I've completely de-googled my life and encourage everyone to do the same. You're an evil company. Anything positive you may have contributed to society has been long eclipsed by the damage you've done in your quest to subjugate the web. In short: good riddance and get fucked.
Google has to do this to comply with COPPA. They had to pay a $200m fine in '19 due to users that weren't age-checked.
Just read through some COPPA stuff. It looks like you could comply with a simple checkbox for "I am over <magic age>", which would be less information for the panopticon.
I'm no lawyer and can't say whether Google complied in a minimal fashion or not. But maybe not. [Edit: Checkboxes are insufficient, apparently]
Google used to allow you to do just that and it was determined to be inadequate and was partially why they were fined $200 million.
Any idea why that was deemed as inadequate? General lawyery assholeness or something genuine?
FWIW, I'm always happy to give my DOB to these websites. It's the epoch, of course. Memorable for me and boring for them.
Their implementation has to comply with laws in other countries too. Plenty of countries consider a checkbox too easy to accidentally tick, whereas asking for DOB requires a user to actively make up information, committing fraud if the information is false.
It might be fraud for a child to give a false birthday to get access to an adult service (or vice versa) but it's not fraud merely to give a bogus birthday.
Also, you know, since Google knows the account age and all other information about the user, it should be able to give an educated guess about the user's age.
But apparently Google's knowing that you're a right-handed tae-kwon-do enthusiast that flies every month is not sufficient for them to maybe think you're not a minor.
Does it matter what Google knows? Is a state regulator going to accept "Trust us, the algorithm says they're adults" when they come knocking?
When you've had the same account for 20 years, they can probably assume you are an adult.
Google runs the play store. The play store requires a credit card. No one under the COPPA age can legally own a credit card. We should have been done there. And if we're talking purely gmail, a binding "please confirm you are over <age>. Note: this is a legally binding answer and Google reserves the right to delete your account if provided with incorrect information" should be more than enough. Google does not need a full date of birth. But boy howdy do they want it for advertisement purposes.
The Play Store doesn't require a credit card, at least not in the U.S. I have a Google account that I use for testing on a Pixel phone. When I go to install a new (free) app, it nags me to add a payment method to my account. But I can skip the prompt and download the app.
If you've never bought an app on the App Store, you're not really using your modern pocket computer to its fullest. Most of the good apps, and good games, cost money.
(as they should)
Yep, and any other company he signs up for that doesn't ask for this basic piece of information is breaking the law.
Nonsense, "you must be at least 13 years old to use this service" has been standard T&C since time immemorial. It is not a basic piece of information either, it's a big piece of identity theft. So not that I'd even give any online service my real DoB anyway.
On YouTube they're now demanding a credit card number to verify I'm over 18. I guess someone said a swear word in the video I'm trying to watch. Yeah not giving them my credit card number.
If you live in the EU, I believe that YouTube is forced under law to ask for your credit card number as part of verifying your age. Thank your country's lawmakers and the Audiovisual Media Services Directive.
> ...ask for your credit card number as part of verifying your age.
and verifying that your financial/documentation circumstances permit you to qualify for a credit card in the first place, too. Nice way to gatekeep out the "undesirable underprivileged" user base not worth marketing to...
Use privacy.com to generate a debit card with a limit of $1 if you ever need to. But I understand it's also the principle of the thing and you might not want to even give a fake card with a $1 limit.
Whenever someone searches for my name on Google, they get my full birth date with year in the Google "knowledge panel" on the right side.
It is incredibly unnerving to me.
By what source does Google claim to know my exact birth date?
The only way I can theoretically change this is if I "claim" this "knowledge panel" which involves sending more personal information to Google without guaranteeing anything.
A month ago I was asked in a surprise email to verify my age for YouTube with a credit card, which I did to avoid landing in support hell later on, because I publish browser extensions with the Google account.
I rarely log in, and I wasn't using the Google account at the time the email was sent, nor do I ever use the attached YouTube account. The card was saved in Google Payments without my consent.
I live in the EU. Their support page mentions that they will ask for age verification when you attempt to watch a restricted video, but I was not using the YouTube account.
Then there's also the question of creating a payment profile for the user without consent.
> If you enter your credit card info for age verification, Google will retain this data as necessary to meet legal and regulatory requirements.
https://support.google.com/accounts?p=age-verify
Meeting legal requirements is very different from saving your card in Google Payments, which then you can readily use to buy products in any Google service.
Note that some countries have prepaid SIMs that are regularly reassigned to new SIMs...as soon as 6 months after the last "refill" of the card.
This happened to a customer where their IT sysadmin got a prepaid phone and registered this as a recovery number in a critical system (read as: full control over infrastructure).
And yes, the company forgot to refill the SIM card only to realize a year later that some script kiddie got the phone number by accident and was curious enough to look up where the number was being used. DNS entries and ASN entries were enough OSINT to form an attack strategy.
What you gonna do then? As it turns out, this was a shitstorm of problems to deal with through hours (probably days) of support hotline calls.
Remember folks: 2FA via SMS is useless. Avoid phone numbers like the plague, everywhere.
Couldn't agree more. It's baffling that we seem to be slowly moving away from email addresses as primary account identifiers, and less slowly from using them as the default 2FA reset channel.
- I can own my email address; I cannot meaningfully own a phone number.
- Email is international. Phone numbers aren't. (Edit: Often, not all countries/dial codes are accepted by sign-up forms, and it's usually not feasible to keep a phone number when moving internationally.)
- Email works with or without a cell signal/via mobile data.
- Many email providers offer 2FA, and domain name port-out prevention seems relatively robust these days. SIM swaps and port-out attacks still seem way too easy to pull off.
> - Email is international. Phone numbers aren't.
I agree with the gist of your email, but what is this supposed to mean exactly? The whole world shares a single phone (number) system, right?
It means if you move to a different country you can probably keep your email, but you will probably lose your phone number.
Being able to send an SMS to a US phone number does not guarantee the ability to send an SMS to, eg, a Chinese phone number. SMS isn't even widely used in a lot of locales outside North America. Email works the same everywhere.
Email is not delivered reliably either. There are many blockers. Either you are not allowed to enter a perfectly working address. They might use some list of domains they think are bad (happens to me increasingly). The programmer might have hand-crafted their own regexp for "valid" email addresses. The email provider might not accept certain incoming mails. I am on several lists that say, sorry our emails are not delivered on hotmail, yahoo, whatever. Harmless hobby stuff, nothing spammy or illegal.
Since you can have unlimited amounts of email addresses for free, they are not the ideal identifier for products for which there are "free up to a certain point" aspects or "we'd like to make sure we're dealing with an individual person" aspects? Though surely in the latter case something better than an email OR phone number is possible.
If "proof-of-x" is desired for spam account prevention: Sure, happy to provide that as a user.
Just don't also tangle it to my user ID and/or 2FA recovery.
> they are not the ideal identifier for products
They are a pretty decent identifier for users. Facebook demanded my phone number for "security" purposes then turned around and used it as a unique identifier to tie me to purchase records from various businesses (e.g. Ticketmaster - why am I not surprised?) that apparently have shady tracking/advertising deals with Facebook.
This sort of information misuse and tracking (not to mention spam) is precisely what "sign in with Apple" was supposed to fix in terms of e-mail addresses, but it's currently instantly neutralized by SMS "verification" since it's a huge pain to get a different phone number just to prevent Facebook from using it as a tracking identifier.
(I guess this reminds me why I have said "no" to multiple inquiries from Facebook. The thought of being told to implement a dark pattern as part of your job is extremely unpleasant. Facebook's confusing anti-privacy settings are another example.)
And it's not just Facebook. This is seeping into other completely unexpected applications; for example I bought a game controller whose driver software setup demanded a mobile number for "verification" purposes. No, just no.
The terms of domain "rental agreements" are much more standardized and user-friendly than those applying to phone numbers in the PSTN though, in my experience.
Many providers don't give you a choice. Many major banks default to using SMS for 2FA. I'm sure if they get breached the government will bail them out so why should they change?
Me too, but some banks/payment services don't allow that – ostensibly for security reasons...
Even when I did get a "real phone number" (that concept irritates me to no end), one of these first required me to send a phone bill as a "proof of me owning that number" before they would let me set it for 2FA.
I guess that's just what happens when blending/confusing the three distinct concerns of spam/fraud protection, 2FA, and user identification (for inbound P2P payments) into a single identifier.
Twitter won't verify phone numbers that are assigned to voip providers, even if they receive SMS.
I'm not sure how you get a number from Ma Bell anymore, and I'm not going to do it for Twitter.
FAANG isn't quite as bad as WeChat, but it's getting there.
What's more fun is that companies have bad databases and won't fix them. I have a Google Voice number that I ported to a physical device, and Discord won't let me use it as a 2FA backup number. The mistake they made is two-fold: 2FA is for me, so if the text message goes through, then it doesn't matter if it's VoIP. But they tied the system into their "you must have a verified phone to use this server", which has to reject VoIP for abuse reasons. (It's a bad abuse management mechanism of course, but having implemented similar blunt instruments myself, I get where they're coming from. There's a problem, how do you fix it in a day? Blanket out-of-date denylists.) Compounding the issue is that their database is simply incorrect. My number is a physical phone.
(Oh, and of course you can port your physical-at-the-time-of-registration phone number to VoIP, which I may or may not have done, and they don't go back in and check against the database. TOCTOU, a classic security vulnerability since approximately 1970.)
It grinds my gears because I have been a Nitro subscriber since it first became available, and they won't bend one millimeter for one of their first paying customers. I am looking forward to their death by greed.
The opposite is also true. I have a Google Voice number that originally came from a cell phone, so many sites that otherwise block VoIP numbers let me use it.
Really the only place that gives me issues is Chase Bank.
My bank tried this crap with my Google Voice number and I told them it was my phone number and had been for over a decade.
The rep was able to white-list my number.
I was using a number with Uber Eats and one day they decided they didn't like my provider any more. Needless to say their service wasn't worth trying to figure out why they have a problem. I swear it feels like some sort of conspiracy to make sure major telcos get paid.
In the USA, the cheapest option I've found is Tello (T-Mobile MVNO) - $5-6/mo for the absolute basic tier, real SIM with a real (non VOIP) number. Accepts number port-in after initial activation.
If you just need to receive the occasional text message, you can get a free one from FreedomPop.
Red Pocket has their cheapest plan at $30/year ($2.50/month) on T-Mobile. 200 min, 1000 txt, 200 MB per month. Real SIM card. Available only on eBay. No affiliation, just a satisfied customer.
I managed to successfully register a Twitter account without having to verify myself with a phone number. Not sure how I managed to do that, but I have a number ready to provide them if they randomly decide to ask for it.
You can get away with using the same number for about five accounts (at least this was my experience).
IME, you can register. And then between a day and a week later, you'll get a demand to verify by phone.
Holy crap - I guess the days of just going online and making an account are over.
I hope it's not the case (and I am enjoying my alternate, non-google emails) - but it seems that "so goes Google, so goes the web" has happened often enough that I worry
It's awfully hard to establish any kind of online presence without a mobile phone number these days. Google used to have the option to get a confirmation code by voice if you couldn't receive texts, but they discontinued it, and nobody will accept a Google Voice (or most VOIP really) number as valid.
If you ever want to get a feel for how truly not-free the Internet is, try browsing through a VPN for a few days. Lots of stuff doesn't load, period. And you'll get constant "we've detected suspicious behavior from your IP" warnings, followed by endless captchas.
> and nobody will accept a Google Voice (or most VOIP really) number as valid.
Apple will accept a Google Voice number as a trusted phone number on your iCloud account, and it even works with their SMS 2FA, in the few places where they still support that.
> If you ever want to get a feel for how truly not-free the Internet is, try browsing through a VPN for a few days. Lots of stuff doesn't load, period. And you'll get constant "we've detected suspicious behavior from your IP" warnings, followed by endless captchas.
I have never had this problem with PIA.
VOIP has been ruined by the crooks (including the crooked extended warranty people who spam my phone from a different fake number almost every day); it was broken as designed.
How is that VoIP's fault?
The root of the problem seems to be that the POTS seems to demand a ridiculous level of trust of all participants, which does not scale beyond a handful of incumbent market participants.
I like being able to take my phone calls wherever I am, with or without cell signal. Don't blame the technology; blame the broken network.
iCloud Private Relay tends to work better than your average VPN, I suspect because it has a big enough non-technical userbase that just blocking it would lose customers
Discord told me the same thing: just use a friend's phone number if yours doesn't work.
What exactly is the point of phone verification if the official answer is "lie to us about your identity"?
> What exactly is the point of phone verification if the official answer is "lie to us about your identity"?
Phone number is not about identity, but about reducing spam (they're also not at all tied to your identity, at least not unless you buy data from service providers). The point is that you need something that is very easy for your normal user to do, but very hard for bots - effectively, it's just a glorified captcha.
I can accept that, but at least captchas offer an alternative, like listening to audio. With the phone number, if they've decided my number is VoIP, then I have no recourse except to borrow or steal someone's phone. It's a terrible system and they probably have no metrics on how many legit customers they are losing because of it.
Why do you think they wouldn't have metrics on it? When doing anti-abuse policies like that, you'd definitely first figure out the number of FPs during the analysis stage, and then verify it again when actually rolling out the policy.
How do you tell the difference between bot users and legit users who just give up? Especially if you do it during a high growth period, it could easily be masked by the growth.
There's tons of ways. What they have in common is that you don't wait for a user to fail the SMS challenge, and then try to figure out if it was a true or false positive. You work with differential behavior between populations of users.
Often you're not applying these policies to everyone, but only to small sub-populations with a high density of abuse. E.g. if 1% of your accounts are created via VPNs + VOIP numbers, and 99% of those accounts are deemed to be abusive post facto, and you restrict VOIP numbers for just signups for VPNs, the absolute maximum reduction in legit signups is 0.01%. You don't even need to know how many of the legit users would find another way to create the account; you already have an upper bound that's within the guardrails.
Or you can look at what actually happens after you roll out the policy. If it really is watertight, abusers will move away quickly, and all you're left with are the legit users. If that number is low enough, you might even keep the rules in place indefinitely even though all the traffic that is remaining is expected to be FPs.
If those approaches sound dodgy, the default option is to run an A/B experiment. Ban VOIP numbers for the experiment group and allow them for the control group. Then simply look at the number of newly created abusive accounts vs. accounts with legit interactions in the two groups.
(A lot of this requires you to have a way of distinguishing between abusive and legit users post facto, but if you don't, it's too early to add this kind of restriction in the first place.)
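The upper-bound reasoning and the A/B comparison from the comment above, worked through on constructed data. This is an added example, not code from any commenter or from Google; the record fields, the sample counts and the function names are assumptions, and the A/B arms are assumed to receive equal traffic.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Signup:
    vpn: bool                # signup arrived through a VPN exit
    voip: bool               # phone number classified as VoIP
    abusive: bool            # post-facto label from abuse review
    group: str = "control"   # A/B arm: "experiment" bans VoIP numbers


def max_legit_loss(signups, in_segment):
    """Worst-case cost of blocking one segment of signups outright.

    Returns (segment share of all signups, abuse density inside the
    segment, legit signups in the segment as a fraction of all signups).
    The last value is an upper bound: it assumes that no blocked legit
    user finds another way to create the account.
    """
    total = len(signups)
    segment = [s for s in signups if in_segment(s)]
    if not total or not segment:
        return 0.0, 0.0, 0.0
    abusive = sum(s.abusive for s in segment)
    legit = len(segment) - abusive
    return len(segment) / total, abusive / len(segment), legit / total


def ab_summary(accounts):
    """Per label: (control count, experiment count, relative change)."""
    counts = Counter((a.group, a.abusive) for a in accounts)
    out = {}
    for label, flag in (("abusive", True), ("legit", False)):
        c = counts[("control", flag)]
        e = counts[("experiment", flag)]
        out[label] = (c, e, (e - c) / c if c else 0.0)
    return out


def sample_history():
    # Constructed: 1% of signups are VPN + VoIP and 99% of those are abusive.
    rows = [Signup(True, True, True)] * 99 + [Signup(True, True, False)]
    rows += [Signup(False, False, True)] * 200
    rows += [Signup(False, False, False)] * 9700
    return rows


def sample_experiment():
    # Constructed accounts created while the experiment was running.
    rows = [Signup(False, False, True, "control")] * 100
    rows += [Signup(False, False, False, "control")] * 4850
    rows += [Signup(False, False, True, "experiment")] * 52
    rows += [Signup(False, False, False, "experiment")] * 4849
    return rows


if __name__ == "__main__":
    share, density, loss = max_legit_loss(
        sample_history(), lambda s: s.vpn and s.voip
    )
    print(f"segment share {share:.2%}, abuse density {density:.0%}, "
          f"max legit loss {loss:.2%}")
    for label, (c, e, change) in ab_summary(sample_experiment()).items():
        print(f"{label}: control={c} experiment={e} change={change:+.2%}")
```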
I get how this probably reduces spam a little, but it's another one of those things like captchas that can be a massive impediment for legitimate users, but barely a speedbump for actual spammers.
It's all about sybil attack prevention. They want to limit high rate algorithmic generation of accounts, so they need some verifiable ID that cannot itself be generated at a high rate. They're not using it to verify your identity - they're just making sure you can't generate a lot of accounts.
The fact that VoIP numbers are declined by so many services just reveals what phone numbers are really used for, these days: Spam account creation prevention.
If this was about security, SMS-2FA would be laughed out the door.
I wouldn't call it very practical. Not everyone has access to someone else's phone, much less someone who trusts them when they say "can I borrow your phone for a few minutes to send some verification codes".
> You don't need a mobile phone, you can use a friend's phone, or use a landline.
Sure, because what's the chance the friend also has a Google account? And who doesn't have a personal landline, especially these days?
Sorry to be snarky, but responses to the point of "sorry that our systems are horrible, nothing we can do, here are a few hoops to jump through to possibly deal with it" just get me. It's not just in Google's power to change something, it's literally a problem created by Google.
It's not even a Google employee replying, just some random person who spends so much time doing Google's job that they've gotten a pretty badge for it.
I don't know why Google thinks it's okay to have volunteers with official looking titles (like Diamond Product Expert) giving support when there's no validation that what they're saying is correct. There are thousands of votes on this question; it should merit an actual response at some point.
Agree. To go further, I find these "community-powered" support forums infuriating to read, when they are run by a huge company that should be remunerating support staff.
Why anyone would volunteer to answer queries for free in this context is beyond me. What do they get out of it? A flashy hat to wear and a few trivial perks?
Respect to those trying to help out, but when a question like this is posed in the forum, I would only be interested in hearing the response of a salaried Google employee, not a volunteer.
It's even worse when the response offers trite, generic information that doesn't relate to the problem, regrettably a common occurrence on this type of forum.
Edit: Note, these remarks are not applicable to the commendable people providing support in FOSS projects, and in other non-commercial contexts.
I mean in the context of users providing support for commercial products without being paid for it.
Stack Overflow is a general Q&A site, not a support forum for a commercial product. The context is very different. Also, while I'm at it, it has its own flaws, but people providing trite and useless answers isn't one, they get downvoted to oblivion.
Which companies use stack overflow as their one and only customer support channel?
Presumably the company would rather have something like Stack Overflow, but with total control over the moderation.
I think Stack Overflow used to sell this as a service. Don't know if anyone used it.
By the same token I don't know why jp88 thinks it's okay to spend their time volunteering on behalf of Google. Is there some angle that I don't see or is there a subculture of people who enjoy providing free services to huge highly-profitable companies?
That would cost money!!!
Google, as a company, has still not figured out customer support. It is evident in their Google Suite products, GCP and Pixel phones.
Just like Uber is using meat drivers as a temp solution until AI gets solved, Google must've had the same attitude towards support.
Anecdotal, but I've seen figures like "number 263 in line for representative, estimated wait time 8 hours" in the weeks after I got my lemon Pixel 6 and had to get it RMA'd. Even after I got through to a human, it took tons of effort to escalate away from the song-and-dance "troubleshooting support" to a person who actually had the ability to get a replacement mailed out.
Contrast with Apple, where I've gotten knowledgeable humans on the line within a minute or two, and scheduled a service appointment at a nearby store.
If Google wants its Pixels to be the iPhone of the Android world, then they should provide more than the bottom-of-the-barrel outsourced support they currently offer.
I literally smashed my Pixel XL with a beer bottle (it tipped into the phone, there's no way a phone can survive that), swapped my sim to my old phone and called their 1-800. Was on the phone with support within 15m, they overnighted me a new one (under the protection plan) without me having to send in the old one, and then the new one had an issue with the proximity sensor, so I used the on-phone support to have them call me instead of waiting on hold. Explained the situation and they overnighted a third one which worked great without needing to return anything. I then sent the other two back. It was very good support actually given the circumstances, and I used that phone for two or three years before getting the Pixel 3XL. After having the 3XL for a little less than two years, I randomly took off the case to show off how nice the phone was without one (it was the white model), and realized the battery was swelling a slight but noticeable amount. It was a day or two before the protection plan expired, I called them via the builtin support functionality, again in a few minutes to check if the claim would be honored, hopped off that call after investing about 15-30m of my time, did a pretty easy claim process (another 5-10m) and had a new phone delivered in about 3 days. Swapped my SIM in, transferred all of my stuff, and shipped the old one. It was seamless and easy.
In general, Google's support is mostly nonexistent. There are harrowing stories of Pixel support, but I have not had them, so ehh.
On the other hand, I have had humorous kerfuffles with Dell in trying to stop them from sending me a replacement unit that turned out to be unnecessary (even though the support rep had issued a replacement ahead of arrival due to a report of damage by UPS). They said we'll ship you one, just let us know if the one that arrives is not damaged and we'll cancel it. Despite me doing that in triplicate they still sent it to me. And then after I spent a bunch more time getting support to understand this, I was able to ship it back via FedEx, and about a month later I got a notice that I never did... Again, was able to remedy this with a chat with support and sending over some proof, but it left much to be desired.
I also have the Pixel 6 Pro from launch day, and though the software issues have been frustrating, the phone itself has been great.
Dropping updates for 3 year old phones isn't something I would call "good"
I agree here, but really only Apple is doing okay on this front, with Samsung very slightly better than Google.
Why pay for customer support when your userbase is so captive that you'll see your profits regardless?
I wish the USA would take a stronger stance on mobile numbers being used for identity - either permanently assigning numbers to people which can't be reassigned or banning the use of phone numbers for identity verification entirely. Your life should not be identified by a sequence of numbers that are no longer yours if you don't pay your bill or somebody pretends to be you in a cell phone store.
That said, Google has allowed me to use my Google Voice number for account verification for a very long time now. It probably helps that I added that number before I ported it over to Google Voice, but it's nice not having accounts tied to a phone bill.
The problem is particularly common in China, where almost all services require a mobile number to register an account per the regulation.
Recently, a service has been established in some cities that allows a mobile number owner to delete the accounts related to the number at multiple services. [1]
1. https://www.ithome.com/0/600/098.htm (Chinese)
I had this problem when I was still using gmail. These days I have my own domain and pay for my email services, so I can create aliases without creating accounts. But when I was using gmail I had a few accounts for different things, and at around 5 I couldn't create more.
Which is perfectly reasonable to be fair. I fixed it by deleting some of the accounts.
If the author's problem is similar, that would probably be the easy solution. If it's because the author has "inherited" a phone number that has previously been used by other people to create Google accounts, then I think the author is going to depend on this HN post catching enough traffic for real people at Google to care. Because I sure didn't find any help through their support system back then, and simply fixed the issue as a "happy accident".
Their solution is to ruin someone else's access, too. I guess this is an important security alert: don't let people borrow your number to create a Google account.
It is fair to say that the answer came from a volunteer, although supervised by Google.
This is just a sad consequence of some merchants creating accounts in the thousands/hundreds of thousands and selling them to SEO/Marketing blackhats to use.
Google should simply have paid, in-person support for these issues. Cuts off the spam merchants, while still letting Joe Average create an account with their usual phone number once they've been verified as an actual person. That's got to have some value, even to Google themselves.
> While still letting Joe Average create an account with their usual phone number once they've been verified as an actual person.
So, how?
I don't think that would go over well. When Google asked people to share a national ID or credit card in the EU (age verification is legally required to be compliant with the new "think of the children" regulations in the EU's Audiovisual Media Services Directive), people online freaked out.
(disclaimer, work for Google but not on this)
I encountered this on Youtube even though my account registration and VPN endpoint say I'm in the US. I ended up fixing it with a browser extension.
And they will figure out ways around this, while the average user will get screwed out of being able to make a new account.
> The count cannot be reset.
Another reason why phone number login is a ridiculous idea. Now this user is locked out and has to contact the CEO of Google for support. (Since there is no Google customer support)
We haven't even gotten to talk about SIM swapping and SS7 attacks yet. [0] Complete hell-hole of account takeovers.
[0] https://news.ycombinator.com/item?id=27447206
I wonder if this is a potential denial-of-service bug?
There are two scenarios:
1. The expected use-case: Create account(s), assign number for verification, verify, account active, number remains assigned to account(s)
2. The unexpected: Attempt to create account(s), assign number for verification, ignore or fail verification, no account created
If the attempted use of the number in (2) is counted and remembered then there's an anonymous potential DOS against any number
You could use a lot of different cheap prepaid SIM cards to burn a lot of numbers too.
Yes, but my thought with (2) is you can use someone else's telephone number without their permission or knowledge until it is permanently blocked as a method of verification and authentication.
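The two scenarios from the comments above, modelled from the service's side. This is an added example, not Google's implementation or code from the thread; the limits, class and function names are assumptions and the phone number is constructed. It contrasts charging the permanent per-number count at request time with charging it only after the code is confirmed, with unverified requests held back by a limiter that expires.

```python
import hmac
import secrets

MAX_ACCOUNTS_PER_NUMBER = 5   # assumed lifetime limit per phone number
ATTEMPT_WINDOW_S = 3600       # assumed window for unverified requests
MAX_ATTEMPTS_PER_WINDOW = 3   # assumed cap on code sends per window


class NumberQuota:
    def __init__(self, charge_on_attempt):
        self.charge_on_attempt = charge_on_attempt
        self.lifetime = {}   # number -> permanent count, never reset
        self.pending = {}    # (number, account) -> code sent by SMS
        self.sends = {}      # number -> timestamps of recent code sends

    def start(self, number, account, now):
        """Request a code; returns it (stand-in for the SMS) or None."""
        if self.lifetime.get(number, 0) >= MAX_ACCOUNTS_PER_NUMBER:
            return None
        if self.charge_on_attempt:
            # Flawed: a request nobody has proven control over the number
            # for consumes permanent quota.
            self.lifetime[number] = self.lifetime.get(number, 0) + 1
        else:
            # Hardened: unverified requests only hit an expiring limiter.
            recent = [t for t in self.sends.get(number, [])
                      if now - t < ATTEMPT_WINDOW_S]
            if len(recent) >= MAX_ATTEMPTS_PER_WINDOW:
                self.sends[number] = recent
                return None
            self.sends[number] = recent + [now]
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[(number, account)] = code
        return code

    def confirm(self, number, account, code):
        expected = self.pending.get((number, account))
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        del self.pending[(number, account)]
        if not self.charge_on_attempt:
            if self.lifetime.get(number, 0) >= MAX_ACCOUNTS_PER_NUMBER:
                return False
            # Permanent quota is charged only after proof of possession.
            self.lifetime[number] = self.lifetime.get(number, 0) + 1
        return True


def owner_can_still_verify(charge_on_attempt):
    """Scenario 2 followed by the real owner trying scenario 1 later."""
    quota = NumberQuota(charge_on_attempt)
    number = "+15550100"  # constructed number
    for i in range(10):
        quota.start(number, f"stranger-{i}", now=i)  # never confirmed
    later = 2 * ATTEMPT_WINDOW_S
    code = quota.start(number, "owner", now=later)
    return code is not None and quota.confirm(number, "owner", code)


if __name__ == "__main__":
    print("charge on attempt:", owner_can_still_verify(True))
    print("charge on confirm:", owner_can_still_verify(False))
```

In the hardened variant, unconfirmed requests can still delay the owner for one window, but they can no longer use up the number's permanent count.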
Makes sense, but 1) Google still has a HUGE spam account problem and 2) this is going to hurt a whole lot of innocent people.
Phone number as unique person identifier is hugely problematic for a lot of reasons. I wonder how many accounts you could hack just by constantly acquiring new numbers in area codes where the supply is small and then trying to reset various things by phone number.
I'd also like to add that Google has atrocious customer service. In fact, the help forums are often just volunteers who don't even have the power to relay information to an actual support engineer. I recall seeing a few submissions here on HN about paying customers of Google's services getting banned or flagged by some algorithm by accident and then having no way whatsoever to actually get the situation straightened out. They even contacted Sales and those employees had no way of sending a ticket to anyone inside Google capable of helping them.
So I sense some of the anger is due to Google's reputation in this regard.
That's my impression too. This is a developer's forum. Readers here should have a better understanding than the normal population of why this feature has been implemented. I am very surprised to see all these very negative and hostile comments. Instead, a better discussion would be what's a better way to handle tricky situations like this, if there's any.
The negative reactions are not about the feature. It is about the crappy Google support.
> if there's any.
Have support.
Is there some sort of a common pattern in the authentication and authorization problem of the digital service:
1. I can associate a phone number/email to a bunch of online services, but to unbind any specific one, I need to visit that specific website to put a request.
2. Especially for recycled phone number: it is nearly impossible for the new owner to unbind and clean the connection made by previous owner.
3. Cancel the recurring payment on your card. You either go through the service provider or call your bank/credit card issuer. However, it is usually more complicated compared to the moment when you clicked yes button.
It is super easy to start a digital service, while the other way around is not easy, and more than usual, hard as hell.
These useless responses are pretty much all you'll ever get out of Google if you have any sort of problem that isn't trivial to fix. I've seen tons of these threads.
I once asked "hey, I know you can ignore single email addresses but is there any general way to prevent people from sharing porn to my Google drive or having bots message me in the gmail chat widget, because the default is anyone can do this to me regardless of privacy settings."
It seemed ridiculous to me anyone could message me out of the blue or share porn with my drive that shows up (thumbnails and all) in "recent". Individually ignoring the thousands of spammers isn't a solution.
The response was something like: "You can ignore individual users by right clicking their username and hitting ignore!" Thread closed. I can only imagine the responder didn't even read my question or just didn't care and was trying to make some quota or something. It's pretty clear they really don't care about supporting their products at all, and you'd probably be better served talking to a wall.
Get your own domain with a safe registrar, have your own email.
Not your domain not your mail.
I've gotten this message, but I also have ~8 Google accounts. I've deleted 2 so far, but 2 of the accounts have emails that are tied to one last important service that _will not_ let me change my email, no matter what I do.
I'm trying, but I cannot escape.
Zoho is even worse. They require that a phone number is used exactly once. Which is a bummer if you want to have non-personal emails, like "support@example.com".
Can you use an alias? I don't use Zoho email but I use lots of aliases on Fastmail for this sort of purpose.
Typical google policy in that it optimizes toward google scaling its efforts, and against customer expectations.
It's pretty much what you might expect from a company that makes its money B2B rather than through pleasing consumers.
Google is piggybacking cost-free on the ID verification efforts of phone carriers, so for whatever it's worth, this is a free solution — from Google's standpoint.
From a user standpoint, I know of no service that will perform ID verification for 'free' and certify that verification onto a third-party verification request. (Credit card verification, or mail-you-a-postcard verification, doesn't count, as there's no ID check.)
I believe this ends up having to be a government service, where the post office is obliged to certify third-party verification requests presented to it (for private parties, corporations, and/or government divisions), and this service is offered for free at personal-use volumes and for one postage stamp per request at for-profit volumes.
It's still possible a B-corp or non-profit could decide to offer this as a public service, but that would take a billion-dollar endowment and would duplicate the USPS frameworks already in place to check IDs and verify mailing addresses for Informed Delivery at every post office in the country, so I wouldn't bet on anyone taking on that cost without payment.
A security key wouldn't prevent spam since you can buy multiple. It would increase the cost of spamming, but it's unclear if the relatively affordable price of security keys would move the needle enough vs attrition from legit users.
Security keys are typically $20, that seems pretty expensive to me if you are a spammer opening hundreds or thousands of accounts.
WebAuthn deliberately doesn't give relying parties a way to tell if two registrations are from the same device.
You can buy more phones too, though presumably the phone companies don't sell bulk phone numbers for short term use and make it prohibitively expensive and time consuming to do so. Basically seems like it works by outsourcing those spam combating efforts to the local phone companies.
See, you've gone and ruined Jenny's chance of legitimately getting any online presence. Hopefully, she never forgets her password and needs to verify her identity.
I remember hacking together a Twilio API script for registering multiple Google accounts (since they do phone verification for each account so I needed a pool of numbers I could register with). I managed to get about 20 accounts registered before they caught on, and banned each account. And there was a twist: my main Google account got caught up in the ban (which I tried really hard to keep insulated from the en masse account registrations). But they somehow figured out it was me (even after using several proxies/VPNs).
But luckily I could appeal the ban of my main (personal) account and the copy read something like:
We want you to keep communicating with Gmail, so you can appeal to get your account reinstated here using this form.
Turns out Google is human after all, and I learned my lesson.
For those wondering why I wanted so many Google accounts; well at the time Google+ was happening and I wanted to promote a bunch of SaaS products and side hustles. In truth, I wanted to spam G+ with links. But the takeaway from this is: Google does let you appeal and has your best interests at heart, despite any rogue/malicious intent.
I've had the same Google account since time immemorial. About a year ago, Google started hassling me to hand over my date of birth. I had long lived without access to "mature" Youtube content. But now Google began bombarding me with pop ups on my Android phone. I kept refusing. In retaliation, Google took my ancient GMail account hostage, blocking access behind an unskippable demand for my DOB. I had no choice but to cave and provide them with a date. I was livid.
Now that months have passed and my jets have cooled, I would like to take a moment and speak directly to Google:
Thanks Google. You finally gave me the push I needed to pack my bags and leave. I've completely de-googled my life and encourage everyone to do the same. You're an evil company. Anything positive you may have contributed to society has been long eclipsed by the damage you've done in your quest to subjugate the web. In short; good riddance and get fucked.
Google has to do this to comply with COPPA. They had to pay a $200m fine in '19 due to users that weren't age-checked.
Just read through some COPPA stuff. It looks like you could comply with a simple checkbox for "I am over <magic age>", which would be less information for the panopticon.
I'm no lawyer and can't say whether Google complied in a minimal fashion or not. But maybe not. [Edit: Checkboxes are insufficient, apparently]
Google used to allow you to do just that and it was determined to be inadequate and was partially why they were fined $200 million.
Any idea why that was deemed as inadequate? General lawyery assholeness or something genuine?
FWIW, I'm always happy to give my dob to these websites. It's the epoch of course. Memorable for me and boring for them.
Their implementation has to comply with laws in other countries too. Plenty of countries consider a checkbox too easy to accidentally tick, whereas asking for DOB requires a user to actively make up information, committing fraud if the information is false.
It might be fraud for a child to give a false birthday to get access to an adult service (or vice versa) but it's not fraud merely to give a bogus birthday.
Also, you know, since Google knows the account age and all other information about the user it should be able to give an educated guess about the user's age.
But apparently Google's knowing that you're a right-handed tae-kwon-do enthusiast that flies every month is not sufficient for them to maybe think you're not a minor.
Does it matter what Google knows? Is a state regulator going to accept "Trust us, the algorithm says they're adults" when they come knocking?
When you've had the same account for 20 years, they can probably assume you are an adult.
Google runs the play store. The play store requires a credit card. No one under the COPPA age can legally own a credit card. We should have been done there. And if we're talking purely gmail, a binding "please confirm you are over <age>. Note: this is a legally binding answer and Google reserves the right to delete your account if provided with incorrect information" should be more than enough. Google does not need a full date of birth. But boy howdy do they want it for advertisement purposes.
The Play Store doesn't require a credit card, at least not in the U.S. I have a Google account that I use for testing on a Pixel phone. When I go to install a new (free) app, it nags me to add a payment method to my account. But I can skip the prompt and download the app.
If you've never bought an app on the App store, you're not really using your modern pocket computer to its fullest. Most of the good apps, and good games, cost money.
(as they should)
Yep, and any other company he signs up for that doesn't ask for this basic piece of information is breaking the law.
Nonsense, "you must be at least 13 years old to use this service" has been standard T&C since time immemorial. It is not a basic piece of information either, it's a big piece of identity theft. So not that I'd even give any online service my real DoB anyway.
On YouTube they're now demanding a credit card number to verify I'm over 18. I guess someone said a swear word in the video I'm trying to watch. Yeah not giving them my credit card number.
If you live in the EU, I believe that YouTube is forced under law to ask for your credit card number as part of verifying your age. Thank your country's lawmakers and the Audiovisual Media Services Directive.
> ...ask for your credit card number as part of verifying your age.
and verifying that your financial/documentation circumstances permit you to qualify for a credit card in the first place, too. Nice way to gatekeep out the "undesirable underprivileged" user base not worth marketing to...
Use privacy.com to generate a debit card with a limit of $1 if you ever need to. But I understand it's also the principle of the thing and you might not want to even give a fake card with a $1 limit.
Whenever someone is searching for my name on Google they get my full birth date with year at the right side Google "knowledge panel".
It is incredibly unnerving to me.
By what source do Google claim to know my exact birth date?
The only way I can theoretically change this is if I "claim" this "knowledge panel" which involves sending more personal information to Google without guaranteeing anything.
A month ago I was asked in a surprise email to verify my age for YouTube with a credit card, which I did to avoid landing in support hell later on, because I publish browser extensions with the Google account.
I rarely log in, and I wasn't using the Google account at the time the email was sent, nor do I ever use the attached YouTube account. The card was saved in Google Payments without my consent.
I live in the EU. Their support page mentions that they will ask for age verification when you attempt to watch a restricted video, but I was not using the YouTube account.
https://support.google.com/youtube/answer/10070779
Then there's also the question of creating a payment profile for the user without consent.
> If you enter your credit card info for age verification, Google will retain this data as necessary to meet legal and regulatory requirements.
https://support.google.com/accounts?p=age-verify
Meeting legal requirements is very different from saving your card in Google Payments, which then you can readily use to buy products in any Google service.
Note that some countries have prepaid SIMs that are regularly reassigned to new SIMs...as soon as 6 months after the last "refill" of the card.
This happened to a customer where their IT sysadmin got a prepaid phone and registered this as a recovery number in a critical system (read as: full control over infrastructure).
And yes, the company forgot to refill the SIM card only to realize a year later that some script kiddie got the phone number by accident and was curious enough to look up where the number was being used. DNS entries and ASN entries were enough OSINT to form an attack strategy.
What you gonna do then? As it turns out, this was a shitstorm of problems to deal with through hours (probably days) of support hotline calls.
Remember folks: 2FA via SMS is useless. Avoid phone numbers like the plague, everywhere.
Couldn't agree more. It's baffling that we seem to be slowly moving away from email addresses as primary account identifiers, and less slowly from using them as the default 2FA reset channel.
- I can own my email address; I cannot meaningfully own a phone number.
- Email is international. Phone numbers aren't. (Edit: Often, not all countries/dial codes are accepted by sign-up forms, and it's usually not feasible to keep a phone number when moving internationally.)
- Email works with or without a cell signal/via mobile data.
- Many email providers offer 2FA, and domain name port-out prevention seems relatively robust these days. SIM swaps and port-out attacks still seem way too easy to pull off.
> - Email is international. Phone numbers aren't.
I agree with the gist of your email, but what is this supposed to mean exactly? The whole world shares a single phone (number) system, right?
It means if you move to a different country you can probably keep your email, but you will probably lose your phone number.
Being able to send an SMS to a US phone number does not guarantee the ability to send an SMS to, eg, a Chinese phone number. SMS isn't even widely used in a lot of locales outside North America. Email works the same everywhere.
Email is not delivered reliably either. There are many blockers. Either you are not allowed to enter a perfectly working address. They might use some list of domains they think are bad (happens to me increasingly). The programmer might have hand-crafted their own regexp for "valid" email addresses. The email provider might not accept certain incoming mails. I am on several lists that say, sorry our emails are not delivered on hotmail, yahoo, whatever. Harmless hobby stuff, nothing spammy or illegal.
Since you can have unlimited amounts of email addresses for free, they are not the ideal identifier for products for which there are "free up to a certain point" aspects or "we'd like to make sure we're dealing with an individual person" aspects? Though surely in the latter case something better than an email OR phone number is possible.
If "proof-of-x" is desired for spam account prevention: Sure, happy to provide that as a user.
Just don't also tangle it to my user ID and/or 2FA recovery.
> they are not the ideal identifier for products
They are a pretty decent identifier for users. Facebook demanded my phone number for "security" purposes then turned around and used it as a unique identifier to tie me to purchase records from various businesses (e.g. Ticketmaster - why am I not surprised?) that apparently have shady tracking/advertising deals with Facebook.
This sort of information misuse and tracking (not to mention spam) is precisely what "sign in with Apple" was supposed to fix in terms of e-mail addresses, but it's currently instantly neutralized by SMS "verification" since it's a huge pain to get a different phone number just to prevent Facebook from using it as a tracking identifier.
(I guess this reminds me why I have said "no" to multiple inquiries from Facebook. The thought of being told to implement a dark pattern as part of your job is extremely unpleasant. Facebook's confusing anti-privacy settings are another example.)
And it's not just Facebook. This is seeping into other completely unexpected applications; for example I bought a game controller whose driver software setup demanded a mobile number for "verification" purposes. No, just no.
The terms of domain "rental agreements" are much more standardized and user-friendly than those applying to phone numbers in the PSTN though, in my experience.
Many providers don't give you a choice. Many major banks default to using SMS for 2FA. I'm sure if they get breached the government will bail them out so why should they change?
Me too, but some banks/payment services don't allow that – ostensibly for security reasons...
Even when I did get a "real phone number" (that concept irritates me to no end), one of these first required me to send a phone bill as a "proof of me owning that number" before they would let me set it for 2FA.
I guess that's just what happens when blending/confusing the three distinct concerns of spam/fraud protection, 2FA, and user identification (for inbound P2P payments) into a single identifier.
Twitter won't verify phone numbers that are assigned to voip providers, even if they receive SMS.
I'm not sure how you get a number from Ma Bell anymore, and I'm not going to do it for Twitter.
FAANG isn't quite as bad as WeChat, but it's getting there.
What's more fun is that companies have bad databases and won't fix them. I have a Google Voice number that I ported to a physical device, and Discord won't let me use it as a 2FA backup number. The mistake they made is two-fold: 2FA is for me, so if the text message goes through, then it doesn't matter if it's VoIP. But they tied the system into their "you must have a verified phone to use this server", which has to reject VoIP for abuse reasons. (It's a bad abuse management mechanism of course, but having implemented similar blunt instruments myself, I get where they're coming from. There's a problem, how do you fix it in a day? Blanket out-of-date denylists.) Compounding the issue is that their database is simply incorrect. My number is a physical phone.
(Oh, and of course you can port your physical-at-the-time-of-registration phone number to VoIP, which I may or may not have done, and they don't go back in and check against the database. TOCTOU, a classic security vulnerability since approximately 1970.)
It grinds my gears because I have been a Nitro subscriber since it first became available, and they won't bend one millimeter for one of their first paying customers. I am looking forward to their death by greed.
The opposite is also true. I have a Google Voice number that originally came from a cell phone, so many sites that otherwise block VoIP numbers let me use it.
Really the only place that gives me issues is Chase Bank.
My bank tried this crap with my Google Voice number and I told them it was my phone number and had been for over a decade.
The rep was able to white-list my number.
I was using a number with Uber Eats and one day they decided they didn't like my provider any more. Needless to say their service wasn't worth trying to figure out why they have a problem. I swear it feels like some sort of conspiracy to make sure major telcos get paid.
In the USA, the cheapest option I've found is Tello (T-Mobile MVNO) - $5-6/mo for the absolute basic tier, real SIM with a real (non VOIP) number. Accepts number port-in after initial activation.
If you just need to receive the occasional text message, you can get a free one from FreedomPop.
Red Pocket has their cheapest plan at $30/year ($2.50/month) on T-Mobile. 200 min, 1000 txt, 200 MB per month. Real SIM card. Available only on eBay. No affiliation, just a satisfied customer.
I managed to successfully register a Twitter account without having to verify myself with a phone number. Not sure how I managed to do that, but I have a number ready to provide them if they randomly decide to ask for it.
You can get away with using the same number for about five accounts (at least this was my experience).
IME, you can register. And then between a day and a week later, you'll get a demand to verify by phone.
Holy crap - I guess the days of just going online and making an account are over.
I hope it's not the case (and I am enjoying my alternate, non-google emails) - but it seems that "so goes Google, so goes the web" has happened often enough that I worry
It's awfully hard to establish any kind of online presence without a mobile phone number these days. Google used to have the option to get a confirmation code by voice if you couldn't receive texts, but they discontinued it, and nobody will accept a Google Voice (or most VOIP really) number as valid.
If you ever want to get a feel for how truly not-free the Internet is, try browsing through a VPN for a few days. Lots of stuff doesn't load, period. And you'll get constant "we've detected suspicious behavior from your IP" warnings, followed by endless captchas.
> and nobody will accept a Google Voice (or most VOIP really) number as valid.
Apple will accept a Google Voice number as a trusted phone number on your iCloud account, and it even works with their SMS 2FA, in the few places where they still support that.
> If you ever want to get a feel for how truly not-free the Internet is, try browsing through a VPN for a few days. Lots of stuff doesn't load, period. And you'll get constant "we've detected suspicious behavior from your IP" warnings, followed by endless captchas.
I have never had this problem with PIA.
VOIP has been ruined by the crooks (including the crooked extended warranty people who spam my phone from a different fake number almost every day); it was broken as designed.
How is that VoIP's fault?
The root of the problem seems to be that the POTS seems to demand a ridiculous level of trust of all participants, which does not scale beyond a handful of incumbent market participants.
I like being able to take my phone calls wherever I am, with or without cell signal. Don't blame the technology; blame the broken network.
iCloud Private Relay tends to work better than your average VPN, I suspect because it has a big enough non-technical userbase that just blocking it would lose customers
Discord told me the same thing: just use a friend's phone number if yours doesn't work.
What exactly is the point of phone verification if the official answer is "lie to us about your identity"?
> What exactly is the point of phone verification if the official answer is "lie to us about your identity"?
Phone number is not about identity, but about reducing spam (they're also not at all tied to your identity, at least not unless you buy data from service providers). The point is that you need something that is very easy for your normal user to do, but very hard for bots - effectively, it's just a glorified captcha.
I can accept that, but at least captchas offer an alternative, like listening to audio. With the phone number, if they've decided my number is VoIP, then I have no recourse except to borrow or steal someone's phone. It's a terrible system and they probably have no metrics on how many legit customers they are losing because of it.
Why do you think they wouldn't have metrics on it? When doing anti-abuse policies like that, you'd definitely first figure out the number of FPs during the analysis stage, and then verify it again when actually rolling out the policy.
How do you tell the difference between bot users and legit users who just give up? Especially if you do it during a high growth period, it could easily be masked by the growth.
There's tons of ways. What they have in common is that you don't wait for a user to fail the SMS challenge, and then try to figure out if it was a true or false positive. You work with differential behavior between populations of users.
Often you're not applying these policies to everyone, but only to small sub-populations with a high density of abuse. E.g. if 1% of your accounts are created via VPNs + VOIP numbers, and 99% of those accounts are deemed to be abusive post facto, and you restrict VOIP numbers for just signups for VPNs, the absolute maximum reduction in legit signups is 0.01%. You don't even need to know how many of the legit users would find another way to create the account; you already have an upper bound that's within the guardrails.
Or you can look at what actually happens after you roll out the policy. If it really is watertight, abusers will move away quickly, and all you're left with are the legit users. If that number is low enough, you might even keep the rules in place indefinitely even though all the traffic that is remaining is expected to be FPs.
If those approaches sound dodgy, the default option is to run an A/B experiment. Ban VOIP numbers for the experiment group and allow them for the control group. Then simply look at the number of newly created abusive accounts vs. accounts with legit interactions in the two groups.
(A lot of this requires you to have a way of distinguishing between abusive and legit users post facto, but if you don't, it's too early to add this kind of restriction in the first place.)
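The upper-bound argument and the A/B comparison from the comment above, carried through as an added example (not the commenter's code). The signup counts are constructed, the function names and the 5% significance threshold are assumptions, and the accounts are assumed to be labelled abusive or legit after the fact, as the comment requires.

```python
"""Bounding and measuring the false-positive cost of a signup restriction."""
import math


def max_legit_loss(segment_share, abusive_rate):
    """Upper bound on the share of ALL signups that are legit and blocked.

    segment_share: fraction of signups in the restricted segment (e.g. VPN + VOIP)
    abusive_rate:  fraction of that segment labelled abusive after the fact
    """
    return segment_share * (1.0 - abusive_rate)


def two_proportion_p_value(hits_a, n_a, hits_b, n_b):
    """Two-sided p-value of a pooled two-proportion z-test."""
    pooled = (hits_a + hits_b) / (n_a + n_b)
    std_err = math.sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    if std_err == 0:
        return 1.0
    z = (hits_a / n_a - hits_b / n_b) / std_err
    return math.erfc(abs(z) / math.sqrt(2))


def evaluate_experiment(control, experiment, alpha=0.05):
    """Compare legit and abusive account creation between the two groups."""
    def rate(group, key):
        return group[key] / group["assigned"]

    result = {}
    for key in ("legit", "abusive"):
        base, new = rate(control, key), rate(experiment, key)
        result[key + "_change"] = (new - base) / base  # relative change
        result[key + "_p"] = two_proportion_p_value(
            control[key], control["assigned"],
            experiment[key], experiment["assigned"])
    abuse_dropped = result["abusive_change"] < 0 and result["abusive_p"] < alpha
    legit_hurt = result["legit_change"] < 0 and result["legit_p"] < alpha
    result["verdict"] = "keep" if abuse_dropped and not legit_hurt else "review"
    return result


# Constructed sample data: signup attempts assigned to each group and the
# accounts later labelled legit or abusive.
CONTROL = {"assigned": 100_000, "legit": 4_000, "abusive": 1_000}   # VOIP allowed
EXPERIMENT = {"assigned": 100_000, "legit": 3_980, "abusive": 120}  # VOIP refused

if __name__ == "__main__":
    # The comment's figures: 1% of accounts in the segment, 99% of them abusive.
    print("max legit loss: {:.4%}".format(max_legit_loss(0.01, 0.99)))
    for name, value in evaluate_experiment(CONTROL, EXPERIMENT).items():
        print(name, value)
```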
I get how this probably reduces spam a little, but it's another one of those things like captchas that can be a massive impediment for legitimate users, but barely a speedbump for actual spammers.
It's all about sybil attack prevention. They want to limit high rate algorithmic generation of accounts, so they need some verifiable ID that cannot itself be generated at a high rate. They're not using it to verify your identity - they're just making sure you can't generate a lot of accounts.
The fact that VoIP numbers are declined by so many services just reveals what phone numbers are really used for, these days: Spam account creation prevention.
If this was about security, SMS-2FA would be laughed out the door.
I wouldn't call it very practical. Not everyone has access to someone else's phone, much less someone who trusts them when they say "can I borrow your phone for a few minutes to send some verification codes".
> You don't need a mobile phone, you can use a friend's phone, or use a landline.
Sure, because what's the chance the friend also has a Google account? And who doesn't have a personal landline, especially these days?
Sorry to be snarky, but responses to the point of "sorry that our systems are horrible, nothing we can do, here are a few hoops to jump through to possibly deal with it" just get me. It's not just in Google's power to change something, it's literally a problem created by Google.
It's not even a Google employee replying, just some random person who spends so much time doing Google's job that they've gotten a pretty badge for it.
I don't know why Google thinks it's okay to have volunteers with official looking titles (like Diamond Product Expert) giving support when there's no validation that what they're saying is correct. There are thousands of votes on this question; it should merit an actual response at some point.
Agree. To go further, I find these "community-powered" support forums infuriating to read, when they are run by a huge company that should be remunerating support staff.
Why anyone would volunteer to answer queries for free in this context is beyond me. What do they get out of it? A flashy hat to wear and a few trivial perks?
Respect to those trying to help out, but when a question like this is posed in the forum, I would only be interested in hearing the response of a salaried Google employee, not a volunteer.
It's even worse when the response offers trite, generic information that doesn't relate to the problem, regrettably a common occurrence on this type of forum.
Edit: Note, these remarks are not applicable to the commendable people providing support in FOSS projects, and in other non-commercial contexts.
I mean in the context of users providing support for commercial products without being paid for it.
Stack Overflow is a general Q&A site, not a support forum for a commercial product. The context is very different. Also, while I'm at it, it has its own flaws, but people providing trite and useless answers isn't one, they get downvoted to oblivion.
Which companies use stack overflow as their one and only customer support channel?
Presumably the company would rather have something like Stack Overflow, but with total control over the moderation.
I think Stack Overflow used to sell this as a service. Don't know if anyone used it.
By the same token I don't know why jp88 thinks it's okay to spend their time volunteering on behalf of Google. Is there some angle that I don't see or is there a subculture of people who enjoy providing free services to huge highly-profitable companies?
That would cost money!!!
Google, as a company, has still not figured out customer support. It is evident in their Google Suite products, GCP and Pixel phones.
Just like Uber is using meat drivers as a temp solution until AI gets solved, Google must've had the same attitude towards support.
Anecdotal, but I've seen figures like "number 263 in line for representative, estimated wait time 8 hours" in the weeks after I got my lemon Pixel 6 and had to get it RMA'd. Even after I got through to a human, it took tons of effort to escalate away from the song-and-dance "troubleshooting support" to a person who actually had the ability to get a replacement mailed out.
Contrast with Apple, where I've gotten knowledgeable humans on the line within a minute or two, and scheduled a service appointment at a nearby store.
If Google wants its Pixels to be the iPhone of the Android world, then they should provide more than the bottom-of-the-barrel outsourced support they currently offer.
I literally smashed my Pixel XL with a beer bottle (it tipped into the phone, there's no way a phone can survive that), swapped my sim to my old phone and called their 1-800. Was on the phone with support within 15m, they overnighted me a new one (under the protection plan) without me having to send in the old one, and then the new one had an issue with the proximity sensor, so I used the on-phone support to have them call me instead of waiting on hold. Explained the situation and they overnighted a third one which worked great without needing to return anything. I then sent the other two back. It was very good support actually given the circumstances, and I used that phone for two or three years before getting the Pixel 3XL. After having the 3XL for a little less than two years, I randomly took off the case to show off how nice the phone was without one (it was the white model), and realized the battery was swelling a slight but noticeable amount. It was a day or two before the protection plan expired, I called them via the builtin support functionality, again in a few minutes to check if the claim would be honored, hopped off that call after investing about 15-30m of my time, did a pretty easy claim process (another 5-10m) and had a new phone delivered in about 3 days. Swapped my SIM in, transferred all of my stuff, and shipped the old one. It was seamless and easy.
In general, Google's support is mostly nonexistent. There are harrowing stories of Pixel support, but I have not had them, so ehh.
On the other hand, I have had humorous kerfuffles with Dell in trying to stop them from sending me a replacement unit that turned out to be unnecessary (even though the support rep had issued a replacement ahead of arrival due to a report of damage by UPS). They said we'll ship you one, just let us know if the one that arrives is not damaged and we'll cancel it. Despite me doing that in triplicate they still sent it to me. And then after I spent a bunch more time getting support to understand this, I was able to ship it back via FedEx, and about a month later I got a notice that I never did... Again, was able to remedy this with a chat with support and sending over some proof, but it left much to be desired.
I also have the Pixel 6 Pro from launch day, and though the software issues have been frustrating, the phone itself has been great.
Dropping updates for 3 year old phones isn't something I would call "good"
I agree here, but really only Apple is doing okay on this front, with Samsung very slightly better than Google.
Why pay for customer support when your userbase is so captive that you'll see your profits regardless?
I wish USA would take a stronger stance on mobile numbers being used for identity - either permanently assigning numbers to people which can't be reassigned or banning the use of phone numbers for identity verification entirely. Your life should not be identified by a sequence of numbers that are no longer yours if you don't pay your bill or somebody pretends to be you in a cell phone store.
That said, Google has allowed me to use my Google Voice number for account verification for a very long time now. It probably helps that I added that number before I ported it over to Google Voice but it's nice not having accounts tied to phone bill.
The problem is particularly common in China, where almost all services require a mobile number to register an account per the regulation.
Recently, a service has been established in some cities that allows a mobile number owner to delete the accounts related to the number at multiple services. [1]
1. https://www.ithome.com/0/600/098.htm (Chinese)
I had this problem when I was still using gmail. These days I have my own domain and pay for my email services, so I can create aliases without creating accounts. But when I was using gmail I had a few accounts for different things, and at around 5 I couldn't create more.
Which is perfectly reasonable to be fair. I fixed it by deleting some of the accounts.
If the author's problem is similar that would probably be the easy solution. If it's because the author has "inherited" a phone number that has previously been used by other people to create Google accounts then I think the author is going to depend on this HN post catching enough traffic for real people at Google to care. Because I sure didn't find any help through their support system back then, and simply fixed the issue as a "happy accident".
Their solution is to ruin someone else's access, too. I guess this is an important security alert: don't let people borrow your number to create a Google account.
It is fair to say that the answer came from a volunteer, although supervised by Google.
This is just a sad consequence of some merchants creating accounts in the thousands/hundreds of thousands and selling them to SEO/Marketing blackhats to use.
Google should simply have paid, in-person support for these issues. Cuts off the spam merchants, while still letting Joe Average create an account with their usual phone number once they've been verified as an actual person. That's got to have some value, even to Google themselves.
> While still letting Joe Average create an account with their usual phone number once they've been verified as an actual person.
so, how?
I don't think that would go over well. When Google asked people to share a national ID or credit card in the EU (age verification is legally required to be compliant with the new "think of the children" regulations in the EU's Audiovisual Media Services Directive), people online freaked out.
(disclaimer, work for Google but not on this)
I encountered this on Youtube even though my account registration and VPN endpoint say I'm in the US. I ended up fixing it with a browser extension.
And they will figure out ways around this, while the average user will get screwed out of being able to make a new account.
> The count cannot be reset.
Another reason why phone number login is a ridiculous idea. Now this user is locked out and has to contact the CEO of Google for support. (Since there is no Google customer support)
We haven't even gotten to talk about SIM swapping and SS7 attacks yet. [0] Complete hell-hole of account takeovers.
[0] https://news.ycombinator.com/item?id=27447206
I wonder if this is a potential denial-of-service bug?
There are two scenarios:
1. The expected use-case: Create account(s), assign number for verification, verify, account active, number remains assigned to account(s)
2. The unexpected: Attempt to create account(s), assign number for verification, ignore or fail verification, no account created
If the attempted use of the number in (2) is counted and remembered then there's an anonymous potential DOS against any number
You could use a lot of different cheap pre-paid SIM cards to burn a lot of numbers too.
Yes, but my thought with (2) is you can use someone else's telephone number without their permission or knowledge until it is permanently blocked as a method of verification and authentication.
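The two scenarios in the comments above, as an added example that is not part of the thread and does not describe Google's implementation: a per-number quota where unverified attempts only feed a throttle that expires, and the permanent count moves only on a confirmed code. The class name, caps, window and phone number are all constructed for illustration.

```python
import hmac
import secrets

class PhoneQuota:
    """Lifetime per-number account cap that only proven possession can consume."""

    def __init__(self, lifetime_cap=5, pending_cap=3, window=600):
        self.lifetime_cap = lifetime_cap   # constructed value, not any provider's real limit
        self.pending_cap = pending_cap     # unverified sends allowed per window
        self.window = window               # seconds
        self.verified = {}                 # number -> permanent count of verified bindings
        self.pending = {}                  # number -> [(sent_at, code), ...]

    def _live(self, number, now):
        # Drop pending attempts older than the window; they leave no trace.
        live = [(t, c) for t, c in self.pending.get(number, []) if now - t < self.window]
        self.pending[number] = live
        return live

    def start(self, number, now):
        """Scenario 2 entry point: anyone can call this with anyone's number."""
        if self.verified.get(number, 0) >= self.lifetime_cap:
            return None, "lifetime cap reached"
        live = self._live(number, now)
        if len(live) >= self.pending_cap:
            return None, "throttled"       # temporary: clears when the window passes
        code = f"{secrets.randbelow(10**6):06d}"
        live.append((now, code))
        # A real service would send the code by SMS; returning it simulates the handset.
        return code, "code sent"

    def confirm(self, number, code, now):
        """Only a correct code (proof of possession) touches the permanent count."""
        live = self._live(number, now)
        for entry in live:
            if hmac.compare_digest(entry[1], code):
                live.remove(entry)
                self.verified[number] = self.verified.get(number, 0) + 1
                return True
        return False


def demo():
    q = PhoneQuota()
    number = "+12025550100"                # constructed number
    # Someone else requests codes for this number ten times and never confirms.
    results = [q.start(number, now=i)[1] for i in range(10)]
    # After the window passes, the number's owner can still register.
    code, _ = q.start(number, now=1000)
    return results, q.confirm(number, code, now=1001), q.verified[number]
```

The throttle can still delay the number's owner for one window, but it expires on its own, whereas a count taken at attempt time would not.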
Makes sense, but 1) Google still has a HUGE spam account problem and 2) this is going to hurt a whole lot of innocent people.
Phone number as unique person identifier is hugely problematic for a lot of reasons. I wonder how many accounts you could hack just by constantly acquiring new numbers in area codes where the supply is small and then trying to reset various things by phone number.
I'd also like to add that Google has atrocious customer service. In fact, the help forums are often just volunteers who don't even have the power to relay information to an actual support engineer. I recall seeing a few submissions here on HN about paying customers of Google's services getting banned or flagged by some algorithm by accident and then having no way whatsoever to actually get the situation straightened out. They even contacted Sales and those employees had no way of sending a ticket to anyone inside Google capable of helping them.
So I sense some of the anger is due to Google's reputation in this regard.
That's my impression too. This is a developer's forum. Readers here should have a better understanding than the normal population of why this feature has been implemented. I am very surprised to see all these very negative and hostile comments. Instead a better discussion should be what's a better way to handle tricky situations like this, if there's any.
The negative reactions are not about the feature. It is about the crappy Google support.
> if there's any.
Have support.
Is there some sort of a common pattern in the authentication and authorization problem of the digital service:
1. I can associate a phone number/email to a bunch of online services, but to unbind any specific one, I need to visit that specific website to put a request.
2. Especially for recycled phone number: it is nearly impossible for the new owner to unbind and clean the connection made by previous owner.
3. Cancel the recurring payment on your card. You either go through the service provider or call your bank/credit card issuer. However, it is usually more complicated compared to the moment when you clicked yes button.
It is super easy to start a digital service, while the other way around is not easy, and more than usual, hard as hell.
These useless responses are pretty much all you'll ever get out of Google if you have any sort of problem that isn't trivial to fix. I've seen tons of these threads.
I once asked "hey, I know you can ignore single email addresses but is there any general way to prevent people from sharing porn to my Google drive or having bots message me in the gmail chat widget, because the default is anyone can do this to me regardless of privacy settings."
It seemed ridiculous to me anyone could message me out of the blue or share porn with my drive that shows up (thumbnails and all) in "recent". Individually ignoring the thousands of spammers isn't a solution.
The response was something like: "You can ignore individual users by right clicking their username and hitting ignore!" Thread closed. I can only imagine the responder didn't even read my question or just didn't care and was trying to make some quota or something. It's pretty clear they really don't care about supporting their products at all, and you'd probably be better served talking to a wall.
Get your own domain with a safe registrar, have your own email.
Not your domain not your mail.
I've gotten this message, but I also have ~8 Google accounts. I've deleted 2 so far, but 2 of the accounts have emails that are tied to one last important service that _will not_ let me change my email, no matter what I do.
I'm trying, but I cannot escape.
Zoho is even worse. They require that a phone number is used exactly once. Which is a bummer if you want to have non-personal emails, like "support@example.com".
Can you use an alias? I don't use Zoho email but I use lots of aliases on Fastmail for this sort of purpose.
Typical Google policy in that it optimizes toward Google scaling its efforts, and against customer expectations.
It's pretty much what you might expect from a company that makes its money B2B rather than through pleasing consumers.
Google is piggybacking cost-free on the ID verification efforts of phone carriers, so for whatever it's worth, this is a free solution — from Google's standpoint.
From a user standpoint, I know of no service that will perform ID verification for 'free' and certify that verification onto a third-party verification request. (Credit card verification, or mail-you-a-postcard verification, doesn't count, as there's no ID check.)
I believe this ends up having to be a government service, where the post office is obliged to certify third-party verification requests presented to it (for private parties, corporations, and/or government divisions), and this service is offered for free at personal-use volumes and for one postage stamp per request at for-profit volumes.
It's still possible a B-corp or non-profit could decide to offer this as a public service, but that would take a billion-dollar endowment and would duplicate the USPS frameworks already in place to check IDs and verify mailing addresses for Informed Delivery at every post office in the country, so I wouldn't bet on anyone taking on that cost without payment.
A security key wouldn't prevent spam since you can buy multiple. It would increase the cost of spamming, but it's unclear if the relatively affordable price of security keys would move the needle enough vs attrition from legit users.
Security keys are typically $20, that seems pretty expensive to me if you are a spammer opening hundreds or thousands of accounts.
WebAuthn deliberately doesn't give relying parties a way to tell if two registrations are from the same device.
You can buy more phones too, though presumably the phone companies don't sell bulk phone numbers for short term use and make it prohibitively expensive and time consuming to do so. Basically seems like it works by outsourcing those spam combating efforts to the local phone companies.
See, you've gone and ruined Jenny's chance of legitimately getting any online presence. Hopefully, she never forgets her password and needs to verify her identity.
I remember hacking together a Twilio API script for registering multiple Google accounts (since they do phone verification for each account so I needed a pool of numbers I could register with). I managed to get about 20 accounts registered before they caught on, and banned each account. And there was a twist: my main Google account got caught up in the ban (which I tried really hard to keep insulated from the en masse account registrations). But they somehow figured out it was me (even after using several proxies/VPNs).
But luckily I could appeal the ban of my main (personal) account and the copy read something like:
Turns out Google is human after all, and I learned my lesson. For those wondering why I wanted so many Google accounts; well at the time Google+ was happening and I wanted to promote a bunch of SaaS products and side hustles. In truth, I wanted to spam G+ with links. But the takeaway from this is: Google does let you appeal and has your best interests at heart, despite any rogue/malicious intent.