People complain a lot about Gmail, but honestly I kind of understand Google's plight here.
They've essentially gotten roped into maintaining a huge chunk of internet infrastructure, for free. If they ever shut it down the whole world would end up rioting because it's so widely used.
But it's expensive, complicated and time-consuming to maintain - and both a source of and recipient of endless waves of spam and scams. It's an endless pile of data to hold onto, FOREVER, as well.
I enjoy hating on Google when appropriate. But when it comes to Gmail, I understand what they're dealing with.
It's honestly why I believe the idea of free e-mail is just bad, fundamentally. You can't expect a free e-mail service to be good or have any kind of support. The fact that it still exists is more out of shear fear of the repercussions than any good will on the owner's part.
Just get a paid e-mail service. They're better, and offer a lot more peace of mind.
Do you have any idea of how much they can datamine from an email service? Just making a special parser for amazon emails can give google a realtime insight on the ecommerce space.
> They've essentially gotten roped into maintaining a huge chunk of internet infrastructure, for free. If they ever shut it down the whole world would end up rioting because it's so widely used.
Not even remotely true. They regularly shut down products and services with impunity. If Gmail cost more than the data they directly or indirectly mine and sell from their users, Gmail wouldn't exist either.
Yes it is remotely true. Name one thing they have shut off that a large number of people actually used and it was important. We all joke about Google dropping things and yes they have, but saying they can just drop Gmail is.. well, insane.
I get the difficulty of fighting spam, just wanted to say that Gmail is probably making them money too. It's still free to make an account, which means they have to be careful who they give it to.
> But it's expensive, complicated and time-consuming to maintain - and both a source of and recipient of endless waves of spam and scams. It's an endless pile of data to hold onto, FOREVER, as well.
They should let others do email. The more email service providers we have the better it is for everyone
I am not sure the backslash would be big if Gmail said that a year from now you would have to pay $9.99 per month to use your Gmail ($12.99 ad-free). I mean people would complain, but would that actually give a backslash? Especially if they made it easy for people to move their account elsewhere? People are used to paying a lot more for things outside of tech.
I suspect what is really holding them back is the loss of data, and the loss of the assumption that ~everyone has a Google account that they are logged into, which means they can be traced around the web. Google also benefits from this, since its anti-bot tool will be more accurate and less fustrating to users.
> They've essentially gotten roped into maintaining a huge chunk of internet infrastructure, for free.
Lol, what? One of the biggest company on Earth is being pictured as a victim for creating services that siphon data out of half the planet's people? Don't take it personally but I can't fathom how you think this is FREE. It's literally the most lucrative business there is and it's only going to get worse—and not for them.
You think goole is the victim here? Poor google, owning gmail.
You know, if it's such a bad deal they can stop owning it any time they want. They already lied about it - I was told I would never have to delete email, and turns out I had to.
I don't care either way, I moved to tuta last year.
Spam is getting horrible lately. I get all sorts of new techniques including:
- using legitimate sites to bypass filters, like sending you a bill through a legitimate bill-creation site
- pretending to be a tracking service for something you supposedly ordered, then over the course of days pretending the package got lost on the way and offering a discount code for the 'purchased' amount, expecting you to use it on their phising site.
Gmail not only fails at spam classification, they classify these messages as important and nag you with first priority notifications and summaries.
I can’t prove it, but it feels like the world recently decided that spamming/scamming is acceptable, so the number of spammers/scammers has increased dramatically.
The number of spam calls, texts, emails, iCloud account unlock requests, etc I’ve received in the last year is insane.
Lack of accountability for the companies that allow their services & platforms to be used for spam/scamming.
Take DocuSign for instance. Still, this many years later, is a major source of phishing emails from their free trials. DocuSign could easily shut this down today by either requiring a CC for the trial, or forcing a call with a sales rep to start a trial. But they don't, they continue to allow their service to be used for wide scale phishing.
Atera, an RMM, is another one that has been a big source of malware delivery, also via the free trials.
Shutting down the trial accounts after the fact does nothing, the emails already went out.
I feel like there's no way for them to win, though. The kind of accountability you're talking about what require them to do essentially tons of KYC/AML vetting, and HN would be equally outraged about that.
I believe that these spammers now concentrate their efforts towards e-mail addresses hosted by major providers, like Gmail.
The reason is that I have an opposite experience, during the last couple of years I have received much less spam messages than before.
I have hosted my own e-mail server for more than 2 decades. Previously, I had to filter large quantities of spam messages, but lately the number of spam messages is much less than 10% of the total number of received messages.
In addition, it feels like the past 5 years have brought on more marketing spam. I've been slowly reappearing onto marketing lists that I either never signed up for or unsubscribed from. They're coming from legitimate companies that I've done business with.
It's AI that's doing a lot of it. For a lot of spam, scammers would want to exclude anyone who may not fall for the scam due to the costs associated with dealing with people who won't pay you. Now that AI decreases the need for a human scammer to scam, expect them to start to widen their scam nets.
Yeah this feels like one of those cases where the term "AI" gets broadened out so far it becomes meaningless.
This stuff is automated. The ability to automate spam calls (using the same form of APIs developers love, like Twilio) make it absurdly easy for one person to set up a spam machine. No AI required.
The lead generation was automated ten years ago ("Hello?"), but the actual scam conversation was not. Until recently, you still had to pay somebody in South Asia better than the prevailing wage of ~$1/hr to have these conversations, as well as set them up in an office with computers and managers, and bribe local police (call it $5/hr of fully burdened work product). If your success rate is ~1% and the average human portion of the scam lasts 12 minutes, you're getting 0.05 successes per hour, and you better be netting an average of $100 per successful scam (accounting for financial clearing issues / reversals!) or you're losing money on every hour worked.
You're correct about the calls, but the ability to talk with the people was the rate limiter. Even if you have many people in Cambodia or India, the scammers still needed to scam more than they paid out. Now you can have AI bots that do the first level of filtering.
Unfortunately scamming is a business and if certain actions become less expensive, I would expect more of them.
I think part of it is AI allowing sophistication at scale, but there's also a generational factor. The techbro + business shark culture, influencers who manipulate people being role models, and so on.
Oh no - you can definitely 100% prove it, this is the direct consequence, the exact intended consequences, of Trump gutting consumer protections - across the board, not only online but with food and laws about not dumping chemicals in rivers.
The man is the absolute worse person - unless your a rich guy, who wants to make more money by screwing over people who mostly don't even know it.
Anyone who reads this, I dare you to find out why that thing in your life you hate so much, sucks so bad - nothing is ever by accident or unintentional.
The United States, and its People, will be discovering/realizing different ways we have been absolutely f-d by that grifter for likely the rest of my millenial life, thankfully (silver lining!!) US life expectancy has dropped substantially for the 150 million Americans in the bottom 50% of income - rich people in America have to deal with this bs for almost 8 more years than we do
Oh yeah, if you want a faster out even yet - just make 30k or less per year, your life caps at 71 then.
I joke but I hate so much that people will read this and then promptly go back to sustaining this system at their job.
We work our lives away so the rich dont have to and they get to live 14 more years on average than poor people.
If I put on my tinfoil hat, it seems to be something deliberate, to push us all towards accepting hardware / software attestation and better "online id" stuff - "Don't you want to identify and stop the spammers and phishers?".
Email scanning and file scanning (on our computer) became acceptable when the level of spam and malware became intolerable. But it was at cost of our privacy. Today, Gmail scans all your mails and makes money from it. Both Windows and macOS have built-in anti-virus or malware scanners, and file indexers, and thus know all the applications and files in your system (which provides for more data on your profile with them). Now with both OSes, and even browsers like Chrome and Firefox, including AI, they will now use our own computers to not only collect our personal data, but even process it on our system and use it to build even better profiles to more profitably exploit us.
It doesn't have to be deliberate; it's just the economic incentives at work. AI providers are inclined to sell AI to everyone with a pulse, and it just so happens that a lot of its use will for towards spam generation.
It also just happens that they're the ones best positioned to provide attestation and identity services.
> pretending to be a tracking service for something you supposedly ordered
There’s a leak or someone is selling the data in a lot of the delivery companies in my country. I order something then without fail the fake text message pretending to be the delivery service. Only thing they screw up is claiming it’s failed to deliver too soon and the weird urls.
Messed up these companies are either selling it or being irresponsible with data.
Gmail spam filtering is so bad that I believe it has to be intentional. I think they see email as a long term ad revenue opportunity and want to desensitize people to the spam.
I wonder how come I have such a diametrically different experience. I don't remember the last time any spam email got through the automatic filter into my inbox, and I had a gmail account for 20 years now.
Google is fine with everything if it's their service. I've completely blocked *.bc.googleusercontent.com, because it's basically used as a spam farm for years now, but Google couldn't care less as they apparently can't be bothered to even slightly inconvenience their compute engine users.
That doesn't really change the fact that it's hard. Do you know how many full movies are on YouTube that infringe on copyright? How many pirated streams are hosted on S3? How many piracy sites are behind Cloudflare. It's just very hard to police at scale and if something is flying below the radar it will be there for a while. They probably spread out their assets over many accounts, or even use misconfigured buckets with write permissions to drop some files in there.
Google's inability to scale their services should be a regulatory issue.
If their platforms (Gmail, YouTube, DoubleClick) are being used to launch scams, they're failing at scale and governments are failing at legislating / regulating.
The only way to use Google services somewhat safely is with hefty ad (and the rest) blocking.
All this ID and surveillance and privacy invasion and metadata retention and yet all these scams only seen to grow. It never seems to end up protecting anyone deserving of protection.
This argument actually doesn’t work in Google/your-point favor since finding pirated content on Google is now practically impossible.
The reality is, Google is driven strictly by incentives and there are no consequences for letting spam/scams run wild vs. pirated content which gets automatically removed when a DMCA notice is received.
There is 100% pirated content on Youtube - not too much from Hollywood and you won't find anime on it - but if you watch foreign language media, there is very often the Official account and then like 4-5 others just blatantly providing the identical content, which is promoted alongside the legitmate content, so its fairly easy to start watching legit stream and find yourself not watching legitimatly a few episodes later, playlists are huge to prevent that.
The problem with this is the piecemeal enforcement all but proves they only care about stuff they get a cut of and that fact became more clear to me recently when I was watching a random drama made in Asia that I wont name due it being one of the best historical and educational shows I've ever watched - but there was a scene (this was made in the 90s btw) that was entirely innocent, not sexualized - it was done humorously, but I'm not a pdf file either so - anyways, there were fully naked children, with absolutely no censorship, on Youtube - 100% long enough to be noticed by their trackers - they obviously just are not reviewing certain content, at all.
I don't care about piracy at all - I'd still use Youtube if it was the primary source for pirated content, the idea that there may be some obscure content, that seems totally fine, in a language nobody really uses - except for Epstein types, if ever that was discovered - that Youtube had become a haven for pdf files bc of lax application of standards - I would want Youtube split away from Alphabet and force sold on the cheap to a more responsible owner (like Tiktok minus the responsible owner part) - plus an enormous fine.
I didn't believe that such content could exist at all on the platform - until I literally saw with my eyes that it obviously can.
"It's so easy when you don't know how". I'm not sure if this phrase is in common use at all, or if I just misheard it once and attributed it to mean that when the details of a problem aren't obvious, its easy to conclude the solution is simple. "Why don't they just do ___?"
At the companies I've worked at, I refer to this as the "well, can't you just...?"
Yeah, I can "just" after I "just" do A, and B, and C, and D, and E, and F, and G.
Drives me batty on top of being insulting. "Surely you realize I thought about that weeks ago, and if it were that simple, we wouldn't be having this conversation."
Ah! I have no answer for it, but am happy, Virgil-like, to now have a theory why the same stupid, obvious "Costco" spam from an @gmail.com address keeps showing up in my inbox no matter how many I mark as spam.
They seem unable to prevent phishers from using their acquisition, AppSheet, to send relatively convincing, targeted (to nobodies like me) emails that make it to primary inbox.
So, pleas ignored, forward these recruitment scam emails to the legal/fraud/phishing teams of the impersonated brands. For a company without the appearance of caring (in my opinion), perhaps law firm letterhead can encourage necessary prioritization.
This is an underrated distinction. Sadly, the line is so much more blurred now than even when I was a kid in the 90s.
There are so many businesses now which exist mainly to cheat you, operating at the very edge of what’s technically legal, and relying on their customers not really understanding the full terms of the deals they’re agreeing to. It’s sickening.
Yeah, but junk mail funds the USPS, without it Republicans would've killed the postal service long ago, See the Pension requirement that they pushed in a vain attempt.
> Supposedly, using the QR code on the smartphone triggers an SMS sent from your phone to Google in order to verify your phone number.
Does anyone have a better source of information than this one forum comment from someone who thinks scanning a QR code is enough to get your phone to send a text message?
EDIT: It’s just an SMS URI. It doesn’t automatically send anything, just opens a text message for you to send.
This is just the old phone number verification with a QR code convenience method.
Exchanging SMS messages with any sort of reliability (like not losing your messages when you go through a tunnel) requires running an SMSC. That costs money.
Furthermore, carriers still charge each other for exchanging SMS traffic, though many of them just charge the difference rather than sending each other bills.
This approach is quite costly if you're out of the country, though. Sending an SMS is hit and miss when roaming in foreign enough networks, and each SMS can cost you a significant amount for exchanging 10 characters. Even receiving SMS messages far away from home can cost you money, which is a pain if you have a relative that could never get used to modern messaging services.
Technically if you can copy paste the qr code into any qr reader website and manually do it, I think it's possible? Assuming it doesn't change the code very rapidly every few seconds.
I think it's probably enough to get your phone to open your texting app with a pre populated number and message body, then all the user needs to do is hit send.
I wish it was. I've looked everywhere for several years for anyone offering this service so I can get into my 2004 Google account that they enabled SMS 2FA on one day, without any notice, but it has the wrong phone number. I have the username, password and the recovery email address is set to another I own too, but without the SMS code I'm hosed.
You should just determine which carrier hosts the phone number and then go get a job there as a customer service agent or store employee. You'll get full permissions to change accounts, so you'll be able to make the change, fix your gmail, then change it back.
You probably risk some legal fallout though, so be cautious.
I recall reading that twitter was getting "scammed" because there were some phone services that cost money to receive texts (and possibly some of it was being passed on to the customer of said phone service) and they were getting spammed with phone verifications to get the payouts. I guess when twitter extorts your phone number out of you under false security pretenses and then uses it for advertising that's legit but if some one tries to a get a cut for themselves it's a big problem.
It occurs to me this "force you to send the sms" might be a way to avoid exactly this sort of thing.
They used to do just that, though people could pay about $25-30 (in like, 2008 dollars! So that’s closer to $47 today) for ‘unlimited text plans’.
I know you mean charge just these bulk senders, but if they didn’t charge consumers a similar rate too, whoever wants to spam SMS can just set up farms of consumer SIMs and dump them onto the network that way. In fact, they already do this.
Recently helped a small business set up a Google Workspace account and we hit a wall during registration.
Told the owners that if Google is already being difficult during signup, imagine being locked out later with client work on the line. Pulled up a few horror stories about Google lockouts to drive the point home. They ended up with another workspace solution.
When trying to upgrade from the Business Standard to Business Plus plan, Google will reduce your workspace storage from 2TB/user to 0 bytes for up to 24 hours while it upgrades you.
These are actual quotes from support:
> Upon checking, I see that the storage is showing as 0 bytes, because of the upgrade that has been done from business standard to business plus. Not to worry as this is very normal.
> I understand your concern and how important it is for the storage to be updated due to the business requirements.
>
> To give you full transparency into what is happening: when a Workspace subscription is upgraded, our backend systems must first detach your previous Business Standard storage allocation before provisioning the new Business Plus limits. During this transition window, the quota temporarily defaults to zero.
> Now please turn ON user storage limit nor shared drive storage limit. Once you turn ON, please wait for 5 minutes and then please turn it OFF.
^ That last attempt to try to force storage quotas to reset faster didn't work, btw. Still took hours.
Google Workspaces are just like Windows 11 on the network, and constantly running Windows update. You never know what changes, installed/uninstalled, or breaks.
I feel like I must be using a different gogole workspace. I've used it every day for the last 10 years and just don't seem to have these issues? Stuff just seems to work for the most part? It's all way more stable and low-admin than any other desktop software I've used at least!
This is why I have I have started planning to transition away from Gmail for all domains I manage. Gmail doesn't actually get any better as a product - just more annoying as they try to upsell me on crap I don't want or need. It gets a bit more shitty every year.
The sheer size of Gmail means I have zero chance for support even though I pay for a service. The risk is too great to be acceptable.
What do they use instead? Grass tends to be greener on the other side. Though it wouldn't surprise me if Microsoft offered better support despite having a worse product.
Everyone hates on Microsoft, but their platform is 50x better than Google. Personally nowadays I would be looking at Proton if I was going to setup a workspace for my company.
We are 365 shop… I cannot think of one single time the 365 being down has affected us at all. Maybe you’re right I don’t know. Maybe your region is worse than my region.
Maybe MS actually has support. The UI is so much worse than Google's (which is bad enough for communication compared to Slack) that you just cannot win though.
I have to say, I’m finding the “New Outlook” deeply unsatisfying coming from a GSuite company the past 4 years. MS was better in 2021 than it is now. The new one reeks of Jony Ive style minimalism. I constantly can’t find anything I need, and it takes a lot of fiddling to do simple things.
I generally have rooted for MS over GOOG on this type of thing, so I am not saying this out of fanboyism.
This could well be to help prevent sms pumping — where someone makes money by receiving smss to a particular set of numbers. Requiring the user to first send an sms breaks the economics that type of fraud.
I went through it to register just now. No QR code required. Same flow as it has been for years:
1. Personal/Child/Business
2. First/Last
3. Pick email
4. Date of Birth
5. Backup email / Skip
6. Password
7. Enter phone number
8. Confirm with 2FA code
9. Done.
I just made the email [email protected] and have since forgotten the password. So that’s one burned. But feel free to try [email protected] and see if it works without a QR code.
The headline is clearly a misstatement of what is a specific flow for someone to make many Gmail accounts programmatically.
Probably depends on how "trust worthy" you seem to Google for them to trigger this requirement. Things like using Linux, using Firefox, using a VPN, etc.
Not without some kind of delay function and probably filtering/evaluation of which new accounts get this capability...
Everyone here should be familiar with exponential growth of n-ary trees. If you can get one of these accounts and each new invitee gets to invite 2 more, you can already have accounts gone wild.
That's certainly an interesting idea - mostly everybody should know someone who has a gmail account, so if you get a couple invites a month, that should be plenty and the setup would
Well I was about to say destroy scammers, but I just realized that they would send out spam to places where you could gamble your invites for Real Cash(TM) or just straight up buy them.
This would lower the creation of accounts, but then they would be rarer and worth more to spammers, since a spamming gmail would be rare.
And we would hear sob stories of people getting their accounts closed for inviting spammers.
Not really, even "legit" marketing providers have massive automation rigs to warm email addresses, make them behave naturally and email each other in rings for a bit before using them for cold outreach.
So they'd just do this to farm invites if they needed
Is this the reCAPTCHA crap I just ran into minutes ago? It’s the Cloudflare “verify your humanity” thing, and the checkbox isn’t good enough, so now there is a “mobile verification, the support page for which (that I briefly skimmed) talks about scanning a QR code.
(EDIT: TFA didn’t clear it up for me, but it sounds similar.)
There are services online dedicated to temporary account activation phone numbers to bypass Google's requirements, but most of them can only receive messages. Requiring the user to send an SMS seems like an excellent method to get rid of those services so that bots can no longer use them.
I don't really see the point of a privacy-preserving workflow when it comes to a Google account. It's not like they need to know your phone number to track you.
They might adapt and support sending sms (hopefully) in addition to receiving them.
I guess all other services which send sms verification code will switch to ask the user to send the sms, like google.
>>don't really see the point of a privacy-preserving workflow when it comes to a Google account. It's not like they need to know your phone number to track you.
Because it is. Total surveillance only works if the people are forced to wear the tracking collar. The next steps are tying it to CBDC, that require a phone number to access your wallet, and tying it to realid/passport to restrict travel.
2FA has become the wedge to break privacy into a million shards.
Register your own domain and use that for your email, and you'll no longer be held hostage by Google. Takes almost no effort and will cost you a few dollars a month.
But what do you actually use as the email host? If you just set up your own mail server, you're almost certainly going to have everything you send go straight to spam.
You still need to register with someone like google, or Proton, etc.
Yeah, but you're not beholden to them. There are 100 different hosts you can use if you own your own domain. If a host changes in a way you don't like, just move your domain elsewhere. If you're using Gmail, you're stuck with Google. Being independent of any one host is the important part to me.
Personally I have my own mail server and use smtp2go for sending which handles the deliverability issue. I'm not sure it's worth it going this way but I found it fun and its been 0 maintenance
I have done as OP suggested and the main benefit is that I can move my email elsewhere.
For now my email is with Apple, since they offers email hosting as part of the icloud+ (or whatever its called). If they decide to die/enshittify, then I can move to another host without having to change any contacts.
One the other hand, since I did use my bare gmail for some years, I am still stuck with it, in case I have some service that depends on it.
I know this ^ seems unreasonable, but I know you’re right.
Mostly because of conditioning: it’s been 25 years now that free webmail is the way Gen-X, Y, Z, and future generations do email. Boomers and the older Gen-Xers may still be hanging onto an ISP address, if they haven’t moved too much since the 1990s.
After all that, plus with their email addresses being the opposite of portable, there is no limit to how much crap people will take, when the alternative is learning a little bit about domain registration and DNS, and paying $60 a year for Fastmail or whatever. Email, they believe, is supposed to be free as in beer.
Sad but true. Also, confession: I used to use first name @ full name . com and got tired of the confused looks and typos when I had to give it out, so now I use a six-character Gmail with numbers so that it’s just like people expect.
Democracy is the style of ruling where majority's ignorance dominates over the vulnerable. You will be eventually forced to use internet and forced to use the way your government wants you to use it.
Yeah, fair point. They're certainly trying to push it in that direction but so far there are still alternatives. I've seen age verification get a hell of a lot of pushback so that's encouraging.
Because when most people use the one email host, they neglect all other users. Even my yahoo email is regarded as second grade citizen now. A hospital straight told me they refuse all yahoo addresses.
I got this a few weeks ago, it was a URL like "sms?:number" which tries to pre-fill text in app. Didn't work for me (Fossify) so I had to copy the number and verifier text from that URL and send it manually. It's for saving money spent on providers like Twilio.
I tried to create a new gmail address recently because my primary gmail address is my name, and it's quite common, so I get more email for other people than I get for me.
My phone number - which I've had for about 15 years and have only ever used for personal purposes (minimal SMS, mainly just an iMessage/Whatsapp ID) - is apparently "not eligible" to create a new gmail account. Which is quite strange.
For something as central as a Google account, it feels pretty unreasonable that a long-held personal number can be silently rejected with no appeal path or explanation
Phone number, it’s not tied to any piece of HW because is portable. I’ve had the same phone number equally as long, but I’ve transferred it to multiple devices over the years.
Gmail has been evil both for client privacy as they use email scanning for marketing purposes, and for 'spam' filters that reject legitimate emails.
The fact that they're introducing QR/SMS/MMS/whatever they want is actually an interesting signal, because it will harm the customer experience, which might result in the growth of responsible paid email services.
It is good to realize that it has never been "Nice Uncle Google" and always an advertisement moloch offering tools to hook their product. All that trust that was bestowed was never warranted.
This seems pretty optimistic. If you ask 30 random people on the street if they’d rather give Google their phone number and jump through whatever dumb SMS hoops, or switch to a new email address and pay a few bucks a month for it for the rest of their lives, I’m thinking Google is getting all 30 phone numbers. Sadly.
The only “real” competition for Google Workspace is Microsoft if you need a full collaboration solution beyond just email, and 99.999% of customers of such hosted solutions need that full solution. It’s why Dropbox worked even though hacker news users probably roll their own sync solution.
His point was just that many business users can only purchase Google’s solution or Microsoft’s solution, because they’re the only services that will offer interoperability with many other security and compliance services and advanced functionality like SSO, third party email scanning, compliance journaling etc. The email market is essentially a duopoly as soon as you need any functionality beyond basic email.
The simple fact that you believe this is insane to me. Microsoft?Security and compliance? Ahhh, yes the north star of security!
No, you don't need either of these companies if you need a corporate stack for communication and collaboration. And anyone who believes Microsoft or Google is doing anything out of the ordinary to protect their users or data is out of the loop.
It's not about actual security; it's about the appearance of it. It allows CTOs and such to check a box to say "Why yes, our vendor is secure! Look at all their claims! Look at how many other companies use them!" That's it. Safety in numbers for clueless CTOs.
Reminds me of Telegram that forces you to pay premium to login to a new device depending on the country. Login, not registration. This is all due to the cost of SMSes of course.
You can bypass this if you have a passkey, but phone and password isn't enough. No idea why they opted to do that, it's not like passkeys are indicative of any device binding.
Last time YouTube wanted to verify my phone number it was easier to find a free service to receive SMS than for Google to deliver it to my actual phone. And Google didn't care I "verified" a number assigned to other side of the world.
Be careful. Google once locked me out of an account that I've owned for over 10 years one day. My username and password were correct, but they randomly flipped 2FA on (without my consent) and sent the recovery code to a phone number that I switched away from years ago. It was completely unrecoverable. There's absolutely no way to get in touch with customer service. Never make an account with them unless you're not willing to lose it randomly to automated bureaucracy.
If you create an account from another country, since you can only send the sms verification from that country, locks your account to that country for at least one year. I created a US account years ago and it still is US. I don't even spoof my location.
It's becoming increasingly hard to find a service that lets you see verification messages, and even then google doesn't like a lot of the numbers those services use
In my country there are several telco operators that will send you basically an unlimited number of SIM cards for free (as in free beer) that you can use for getting the verification SMS and then immediately throw the SIM away. The only "cost" is that you have to wait a day or two for the SIMs to get to your physical mailbox.
I can say that this QR code could be requested if IP is suspicious and/or associated with unusual activity. Recently I did register a new google account from my own residential IP and it did not request any additional confirmations, not even SMS verification.
There is one way to sign up for a gmail account that does not require this: get an old chromebook out of the trash or for $20, then go through the account setup process on ChromeOS. It will create a google/gmail account that does not require use of a smartphone.
fwiw I was able to set up a fresh google account without SMS via a used android device (with no SIM installed), 2 days ago. But I suppose on balance, having a second device is more onerous than having a second SIM.
Yes I had the same issue and wrote an hackernews comment[0] and was gonna write a blog post but laziness (but I am glad that privacyguides wrote an article!)
I also want to share a comment that someone (Velocifyer) added on my comment:
"If you make a blog post, make sure to also comment on how the audio reCAPTCHAs are nearly impossible and are blocked on public VPNs. The visual reCAPTCHAS have vauge instructions (they say “Select all squares with busses.” when they mean “Select all squares that have a bus or part of a bus and do not select any other squares.”. For 2 years I could not figure that out so I had to use the audio captchas but then Google blocked them on public VPNs and also made them almost impossible. I could only figure that out when Google Gemini clarified it for me."
Also another fact that I had discovered but to upload youtube vidoes more than 15 minutes you have to do this verification with sms and I found that its system of sending sms was quite finnicky and (too much limits is actually just one try)
Google and other tech giants's recent changes/lobbying are really impacting the open internet and it feels to me like we as people who have knowledge about these topics must do something to reform things as I simply cannot ask people who are technically unaware about these topics to fight for these changes unless we advocate and educate them about it
Most people just have simply way too much of other issues to fight for these things that they have almost taken for granted, but this to me means that the responsibility is on us people who are technically sound to fight against the attacks on open internet if we wish to preserve it.
I think my point is that we all might be waiting for other people to protest against these tech giants but I think that the world is looking at us people for such protests, Let's hope that we are able to educate more people and the open internet is preserved.
Our small steps might mean a lot in the future and so to not be dis-illusioned to make small steps thinking that they might be too small but we have to fight tech giants if we wish to preserve open internet. Every step is meaningful no matter how small
They do all this and meanwhile, in between startups and a few personal accounts, when I try to register a new Gmail account and do the text message verification (the old/current TOTP style) I get "This phone number has been used too many times."
Meanwhile the amount of spam from Gmail I'm getting goes up and up and up.
Everything is going to get so much worse and AI really is to blame. So many websites now have these verification pauses and CAPTCHs because of AI agents. Part of it is agents. Part of it is everyone running their own awful versions of Googlebot.
Years ago IIRC there was a "bug" where the Android emulator allowed you to create real Google accounts. This was found and I'm sure millions of these accounts were created. There's a whole black market for Google accounts. Whereas I lost a Google account I'd created for a relative because it hadn't been used in awhile and it was tied to a mobile number I no longer had.
I don't see how this ends without registering for a service like Gmail being tied to your government ID.
They've essentially gotten roped into maintaining a huge chunk of internet infrastructure, for free. If they ever shut it down the whole world would end up rioting because it's so widely used.
But it's expensive, complicated and time-consuming to maintain - and both a source of and recipient of endless waves of spam and scams. It's an endless pile of data to hold onto, FOREVER, as well.
I enjoy hating on Google when appropriate. But when it comes to Gmail, I understand what they're dealing with.
It's honestly why I believe the idea of free e-mail is just bad, fundamentally. You can't expect a free e-mail service to be good or have any kind of support. The fact that it still exists is more out of shear fear of the repercussions than any good will on the owner's part.
Just get a paid e-mail service. They're better, and offer a lot more peace of mind.
A year or two ago they returned to full detail. I've always wondered if it was customer pressure or a backroom deal with Amazon was reached.
I kind of doubt that Google would cave to the former, right?
Not even remotely true. They regularly shut down products and services with impunity. If Gmail cost more than the data they directly or indirectly mine and sell from their users, Gmail wouldn't exist either.
If that ceases to be true, goodbye (free) gmail.
They should let others do email. The more email service providers we have the better it is for everyone
I suspect what is really holding them back is the loss of data, and the loss of the assumption that ~everyone has a Google account that they are logged into, which means they can be traced around the web. Google also benefits from this, since its anti-bot tool will be more accurate and less fustrating to users.
Lol, what? One of the biggest company on Earth is being pictured as a victim for creating services that siphon data out of half the planet's people? Don't take it personally but I can't fathom how you think this is FREE. It's literally the most lucrative business there is and it's only going to get worse—and not for them.
You know, if it's such a bad deal they can stop owning it any time they want. They already lied about it - I was told I would never have to delete email, and turns out I had to.
I don't care either way, I moved to tuta last year.
More info here: https://news.ycombinator.com/item?id=46665414
- using legitimate sites to bypass filters, like sending you a bill through a legitimate bill-creation site
- pretending to be a tracking service for something you supposedly ordered, then over the course of days pretending the package got lost on the way and offering a discount code for the 'purchased' amount, expecting you to use it on their phising site.
Gmail not only fails at spam classification, they classify these messages as important and nag you with first priority notifications and summaries.
The number of spam calls, texts, emails, iCloud account unlock requests, etc I’ve received in the last year is insane.
Take DocuSign for instance. Still, this many years later, is a major source of phishing emails from their free trials. DocuSign could easily shut this down today by either requiring a CC for the trial, or forcing a call with a sales rep to start a trial. But they don't, they continue to allow their service to be used for wide scale phishing.
Atera, an RMM, is another one that has been a big source of malware delivery, also via the free trials.
Shutting down the trial accounts after the fact does nothing, the emails already went out.
The reason is that I have an opposite experience, during the last couple of years I have received much less spam messages than before.
I have hosted my own e-mail server for more than 2 decades. Previously, I had to filter large quantities of spam messages, but lately the number of spam messages is much less than 10% of the total number of received messages.
It's such a good tactic too to start the voicemail with the conversation already going people are like "what? who?"
It's been a _lot_ of years that I've hesitated to answer calls from unknown numbers.
This stuff is automated. The ability to automate spam calls (using the same form of APIs developers love, like Twilio) make it absurdly easy for one person to set up a spam machine. No AI required.
Unfortunately scamming is a business and if certain actions become less expensive, I would expect more of them.
The clear, unspoken message in the USA is now: "Enrich yourself in any way you can, as fast as you can. Buyer Beware is the law of the land."
The man is the absolute worse person - unless your a rich guy, who wants to make more money by screwing over people who mostly don't even know it.
Anyone who reads this, I dare you to find out why that thing in your life you hate so much, sucks so bad - nothing is ever by accident or unintentional.
The United States, and its People, will be discovering/realizing different ways we have been absolutely f-d by that grifter for likely the rest of my millenial life, thankfully (silver lining!!) US life expectancy has dropped substantially for the 150 million Americans in the bottom 50% of income - rich people in America have to deal with this bs for almost 8 more years than we do
Oh yeah, if you want a faster out even yet - just make 30k or less per year, your life caps at 71 then.
I joke but I hate so much that people will read this and then promptly go back to sustaining this system at their job.
We work our lives away so the rich dont have to and they get to live 14 more years on average than poor people.
Email scanning and file scanning (on our computer) became acceptable when the level of spam and malware became intolerable. But it was at cost of our privacy. Today, Gmail scans all your mails and makes money from it. Both Windows and macOS have built-in anti-virus or malware scanners, and file indexers, and thus know all the applications and files in your system (which provides for more data on your profile with them). Now with both OSes, and even browsers like Chrome and Firefox, including AI, they will now use our own computers to not only collect our personal data, but even process it on our system and use it to build even better profiles to more profitably exploit us.
It also just happens that they're the ones best positioned to provide attestation and identity services.
There’s a leak or someone is selling the data in a lot of the delivery companies in my country. I order something then without fail the fake text message pretending to be the delivery service. Only thing they screw up is claiming it’s failed to deliver too soon and the weird urls.
Messed up these companies are either selling it or being irresponsible with data.
If their platforms (Gmail, YouTube, DoubleClick) are being used to launch scams, they're failing at scale and governments are failing at legislating / regulating.
The only way to use Google services somewhat safely is with hefty ad (and the rest) blocking.
All this ID and surveillance and privacy invasion and metadata retention and yet all these scams only seen to grow. It never seems to end up protecting anyone deserving of protection.
I wonder what it's all been in aid of...
The reality is, Google is driven strictly by incentives and there are no consequences for letting spam/scams run wild vs. pirated content which gets automatically removed when a DMCA notice is received.
The problem with this is the piecemeal enforcement all but proves they only care about stuff they get a cut of and that fact became more clear to me recently when I was watching a random drama made in Asia that I wont name due it being one of the best historical and educational shows I've ever watched - but there was a scene (this was made in the 90s btw) that was entirely innocent, not sexualized - it was done humorously, but I'm not a pdf file either so - anyways, there were fully naked children, with absolutely no censorship, on Youtube - 100% long enough to be noticed by their trackers - they obviously just are not reviewing certain content, at all.
I don't care about piracy at all - I'd still use Youtube if it was the primary source for pirated content, the idea that there may be some obscure content, that seems totally fine, in a language nobody really uses - except for Epstein types, if ever that was discovered - that Youtube had become a haven for pdf files bc of lax application of standards - I would want Youtube split away from Alphabet and force sold on the cheap to a more responsible owner (like Tiktok minus the responsible owner part) - plus an enormous fine.
I didn't believe that such content could exist at all on the platform - until I literally saw with my eyes that it obviously can.
Yeah, I can "just" after I "just" do A, and B, and C, and D, and E, and F, and G.
Drives me batty on top of being insulting. "Surely you realize I thought about that weeks ago, and if it were that simple, we wouldn't be having this conversation."
But hey, I get paid every 2 weeks.
So, pleas ignored, forward these recruitment scam emails to the legal/fraud/phishing teams of the impersonated brands. For a company without the appearance of caring (in my opinion), perhaps law firm letterhead can encourage necessary prioritization.
There are so many businesses now which exist mainly to cheat you, operating at the very edge of what’s technically legal, and relying on their customers not really understanding the full terms of the deals they’re agreeing to. It’s sickening.
Some municipalities even make it opt-in so you'd need YES/YES to get mail without a name and address on it. (ie. not direct mail)
There are also laws to enable opting out of direct mail (with name and address).
In effect, junk mail is just gone once you slap a sticker on your mailbox. This is not an unsolvable problem if you just regulate things.
Does anyone have a better source of information than this one forum comment from someone who thinks scanning a QR code is enough to get your phone to send a text message?
EDIT: It’s just an SMS URI. It doesn’t automatically send anything, just opens a text message for you to send.
This is just the old phone number verification with a QR code convenience method.
It’s not something specific to a phone. It’s just a convenient method to enter your phone number.
So if there are any costs for sending this SMS it’s on you.
there shouldn’t be any remaining for the consumer today
unless you’re a real unfortunate soul.
Furthermore, carriers still charge each other for exchanging SMS traffic, though many of them just charge the difference rather than sending each other bills.
This approach is quite costly if you're out of the country, though. Sending an SMS is hit and miss when roaming in foreign enough networks, and each SMS can cost you a significant amount for exchanging 10 characters. Even receiving SMS messages far away from home can cost you money, which is a pain if you have a relative that could never get used to modern messaging services.
So many companies - such as electric car charging stations - require this without considering failure modes and alternative workflows.
You probably risk some legal fallout though, so be cautious.
It occurs to me this "force you to send the sms" might be a way to avoid exactly this sort of thing.
I know you mean charge just these bulk senders, but if they didn’t charge consumers a similar rate too, whoever wants to spam SMS can just set up farms of consumer SIMs and dump them onto the network that way. In fact, they already do this.
Told the owners that if Google is already being difficult during signup, imagine being locked out later with client work on the line. Pulled up a few horror stories about Google lockouts to drive the point home. They ended up with another workspace solution.
These are actual quotes from support:
> Upon checking, I see that the storage is showing as 0 bytes, because of the upgrade that has been done from business standard to business plus. Not to worry as this is very normal.
> I understand your concern and how important it is for the storage to be updated due to the business requirements. > > To give you full transparency into what is happening: when a Workspace subscription is upgraded, our backend systems must first detach your previous Business Standard storage allocation before provisioning the new Business Plus limits. During this transition window, the quota temporarily defaults to zero.
> Now please turn ON user storage limit nor shared drive storage limit. Once you turn ON, please wait for 5 minutes and then please turn it OFF.
^ That last attempt to try to force storage quotas to reset faster didn't work, btw. Still took hours.
The sheer size of Gmail means I have zero chance for support even though I pay for a service. The risk is too great to be acceptable.
What does this mean? The scanning a QR code and sending a text message from this article, or something else?
I generally have rooted for MS over GOOG on this type of thing, so I am not saying this out of fanboyism.
1. Personal/Child/Business
2. First/Last
3. Pick email
4. Date of Birth
5. Backup email / Skip
6. Password
7. Enter phone number
8. Confirm with 2FA code
9. Done.
I just made the email [email protected] and have since forgotten the password. So that’s one burned. But feel free to try [email protected] and see if it works without a QR code.
The headline is clearly a misstatement of what is a specific flow for someone to make many Gmail accounts programmatically.
Every account having the ability to invite an only small finite number of new accounts is one way to thwart scammers.
Everyone here should be familiar with exponential growth of n-ary trees. If you can get one of these accounts and each new invitee gets to invite 2 more, you can already have accounts gone wild.
Well I was about to say destroy scammers, but I just realized that they would send out spam to places where you could gamble your invites for Real Cash(TM) or just straight up buy them.
This would lower the creation of accounts, but then they would be rarer and worth more to spammers, since a spamming gmail would be rare.
And we would hear sob stories of people getting their accounts closed for inviting spammers.
So they'd just do this to farm invites if they needed
Google is probably doing A/B testing or they are using some sort of ML algorithm....
(EDIT: TFA didn’t clear it up for me, but it sounds similar.)
I don't really see the point of a privacy-preserving workflow when it comes to a Google account. It's not like they need to know your phone number to track you.
>>don't really see the point of a privacy-preserving workflow when it comes to a Google account. It's not like they need to know your phone number to track you.
More information is always better.
2FA has become the wedge to break privacy into a million shards.
You still need to register with someone like google, or Proton, etc.
Personally I have my own mail server and use smtp2go for sending which handles the deliverability issue. I'm not sure it's worth it going this way but I found it fun and its been 0 maintenance
For now my email is with Apple, since they offers email hosting as part of the icloud+ (or whatever its called). If they decide to die/enshittify, then I can move to another host without having to change any contacts.
One the other hand, since I did use my bare gmail for some years, I am still stuck with it, in case I have some service that depends on it.
Dead on arrival.
Mostly because of conditioning: it’s been 25 years now that free webmail is the way Gen-X, Y, Z, and future generations do email. Boomers and the older Gen-Xers may still be hanging onto an ISP address, if they haven’t moved too much since the 1990s.
After all that, plus with their email addresses being the opposite of portable, there is no limit to how much crap people will take, when the alternative is learning a little bit about domain registration and DNS, and paying $60 a year for Fastmail or whatever. Email, they believe, is supposed to be free as in beer.
Sad but true. Also, confession: I used to use first name @ full name . com and got tired of the confused looks and typos when I had to give it out, so now I use a six-character Gmail with numbers so that it’s just like people expect.
My phone number - which I've had for about 15 years and have only ever used for personal purposes (minimal SMS, mainly just an iMessage/Whatsapp ID) - is apparently "not eligible" to create a new gmail account. Which is quite strange.
Try Tuta, or Proton, or Fastmail, or Zoho.
The fact that they're introducing QR/SMS/MMS/whatever they want is actually an interesting signal, because it will harm the customer experience, which might result in the growth of responsible paid email services.
It is good to realize that it has never been "Nice Uncle Google" and always an advertisement moloch offering tools to hook their product. All that trust that was bestowed was never warranted.
And is not a US business, which is an important selling point to several companies and public institutions here in Europe.
My comment, as per subject, is about Gmail.
No, you don't need either of these companies if you need a corporate stack for communication and collaboration. And anyone who believes Microsoft or Google is doing anything out of the ordinary to protect their users or data is out of the loop.
A lot of corporate (customer) email sevices drop email from everybody except a very short whitelist.
You can bypass this if you have a passkey, but phone and password isn't enough. No idea why they opted to do that, it's not like passkeys are indicative of any device binding.
SMS also isn't free. Many contracts contain "free" texting, but that's just SMS being packaged into the subscription price.
Carriers charge each other for (excess) SMS exchanges, so SMS simply cannot be entirely free.
I also want to share a comment that someone (Velocifyer) added on my comment:
"If you make a blog post, make sure to also comment on how the audio reCAPTCHAs are nearly impossible and are blocked on public VPNs. The visual reCAPTCHAS have vauge instructions (they say “Select all squares with busses.” when they mean “Select all squares that have a bus or part of a bus and do not select any other squares.”. For 2 years I could not figure that out so I had to use the audio captchas but then Google blocked them on public VPNs and also made them almost impossible. I could only figure that out when Google Gemini clarified it for me."
Also another fact that I had discovered but to upload youtube vidoes more than 15 minutes you have to do this verification with sms and I found that its system of sending sms was quite finnicky and (too much limits is actually just one try)
Google and other tech giants's recent changes/lobbying are really impacting the open internet and it feels to me like we as people who have knowledge about these topics must do something to reform things as I simply cannot ask people who are technically unaware about these topics to fight for these changes unless we advocate and educate them about it
Most people just have simply way too much of other issues to fight for these things that they have almost taken for granted, but this to me means that the responsibility is on us people who are technically sound to fight against the attacks on open internet if we wish to preserve it.
I think my point is that we all might be waiting for other people to protest against these tech giants but I think that the world is looking at us people for such protests, Let's hope that we are able to educate more people and the open internet is preserved.
Our small steps might mean a lot in the future and so to not be dis-illusioned to make small steps thinking that they might be too small but we have to fight tech giants if we wish to preserve open internet. Every step is meaningful no matter how small
[0]: https://news.ycombinator.com/item?id=48042596
Meanwhile the amount of spam from Gmail I'm getting goes up and up and up.
Years ago IIRC there was a "bug" where the Android emulator allowed you to create real Google accounts. This was found and I'm sure millions of these accounts were created. There's a whole black market for Google accounts. Whereas I lost a Google account I'd created for a relative because it hadn't been used in awhile and it was tied to a mobile number I no longer had.
I don't see how this ends without registering for a service like Gmail being tied to your government ID.
And of course their database is leaked in real time.
It's like saying that the government has outsourced burger making to McDonalds.