Google acts as judge, jury and executioner after it falsely accuses breach of its "guidelines"
#^Google Dystopia – the danger of unbridled concentrated powerI am taking the time to write this article while waiting for access to my Google account to be reinstated after the company
unilaterally decided to deny me access this morning.
This article will demonstrate
three principles to be taken to heart:
- The true idiocy that hides behind Google’s claims to have advanced “Artificial Intelligence†(AI)
- Why you should NEVER rely on a cloud based service provider to store or process data that has value to you
- An example of being hacked without your login ID having leaked – but due to bugs in the cloud provider’s software – or more likely deliberate or negligent behaviour of staff inside the company
Along the way I will touch on issues such as who
owns and controls access to
YOUR data and what exactly did you buy when you signed a contract or just laid out real, hard earned money for a shiny new phone – that can be turned into a lump of scrap at the whim of Google or [insert name of any other high tech provider here].
How many realise that – like it or not – we have all become “digital citizens†whose lives depend upon access to services (paid or “freeâ€) and whose digital existence can be wiped from view at the whim of a faceless corporation?
Even those of us who take care to guard our privacy, keep our data and “digital selves†safe are subject to the whims of a company that has appointed itself gatekeeper to everything else and at whose despotic whim we are all forced to kneel.
So, what happened?
Yesterday I received three emails – identical apart from the link to a video – which looked like this:
This is the
fifth time I have received such emails from Google. The only difference is that this time, the company promised
not to take action against me just warning me not to do it again. Note the
assumption throughout all of this that I and I alone was responsible for posting the objectionable material. Anyone else wondering at this point what happened to “innocent until proven guilty� Me too.
On the previous occasions the company
immediately (before I could even respond) suspended my entire Google account.
Like all such idiot companies, the only means of contacting them to contest the accusation was via a web link embedded in the email:
Pretty clear – a promise not to close down my account access and a simple link to a web page.
Let’s take a moment to step aside and ask ourselves if these emails were sent by a
human being member of “The YouTube Teamâ€.
The answer is no – the mails are generated by a crude piece of software – an alleged “AI†– with all the intelligence of a gnat. It has performed some pattern recognition on a video that
someone or something has posted to a YouTube channel
that I have never posted a thing to containing material that I genuinely thank Google for not allowing to appear alongside my name as the responsible party.
Which is a different statement from saying I am grateful to Google for sending me such accusatory emails and then – despite (a) promising not to and (b) me following all the procedures they specified –
disabling (that means “locking me out ofâ€) my account without further discussion.
Google account suspension these day affects not just a Gmail account (if you use one) but also your phone (if it is Android based), and denies access to any and all files, photos, work documents or other data you have been foolish enough to commit into Google’s hands.And, of course, if you rely on GooglePay to buy your coffee, pay for your transit fares etc. – sorry – you have just been denied access to your own money. You can’t have a drink or get on a bus to go to work.As account suspension has such
very serious impact on a (Google trusting) person’s ability to go about their daily lives and business you might expect that the company has the alleged infraction not just reviewed by a real human being with some real intelligence but also that person looks at the context surrounding the issue.
You’d be wrong.
Because a human being (you know, somebody with half a gram of common sense) would notice:
- My account at Google has been open and in good standing almost since the company opened its doors. Scammers and people who truly post material that breaches Google’s policies usually use accounts that were opened last week. Facts of which Google is well aware.
- If you look back at the email Google sent me to accuse me of posting illicit material the video link it provides (and all the embedded links to websites that would almost certainly infect your computer and network) is written in Cyrillic. Now, if you believe Google does not scan every message and attachment flowing through its email and storage servers you also believe in unicorns. Read the form you MUST complete (any European GDPR officers reading this?) if you are to make any progress toward restoring your account you MUST give Google the right to access your entire account! European GDPR officials will have a field day. So, Google reads everything and anything anyway and – by forcing you to say yes while holding you over a barrel – thinks it has gained the right to do so legally. I think the company has a lesson heading its way.
- Not only do I not speak nor write nor read any language that uses Cyrillic characters no email or attachment associated with me that has ever flowed past Google’s ever-watchful eyes has contained any Cyrillic characters. A fact of which Google is well aware.
- As mentioned at the start this is the FIFTH time somebody (or something) has posted graphically sexual videos to a YouTube channel I never use and have never posted to. On ALL previous occasions I have danced through and around the multiple hoops and loops of Google’s account restoration procedure and my account has been restored without explanation or apology. A fact of which Google is well aware.
Anyway, I took the following steps:
- Immediately changed my Google password (from an already real-world-uncrackable 12 character string of mixed gibberish to a 16 character string of mixed gibberish
- Clicked the “appeal†link on the accusatory (actually defamatory, but not let’s get legal – yet) email Google sent me – which produced this web page form:
Note that the only way of making progress is to enter
another, separate email address. I am guessing here (though happen to know many people I am about to describe) that the majority of Gmail / Google account holders will have no email address other than their Gmail address … the one Google just blocked and is now inaccessible to them. What are these people to do?
- Use their work email address (assuming they have access to one) – probably breaching their terms of employment that ban use of company email accounts for personal use
- Spend half the day opening up a new email account (way to go Google – gifting customers to Microsoft or …)
- Give up – as there is no other way offered of engaging with Google’s dispute process other than writing to the company – by which time Google will likely have carried out its threat (see below) to wipe every bit of data, photo, email and contact held in your account.
Lucky for me, I have run my own email servers since the dawn of the Internet (that’s before Sergey and Larry were making their way toward college) so can provide my personal email address (hosted on my own servers – which I do not intend to deny myself access to any time soon)
and which is the secondary (security) email address Google already has associated with this Google account.So, I can enter a valid email address and hit “Next†to be confronted with:
OK – here is an opportunity for the pre-judged “guilty party†(they have already been sentenced – see that big
Account disabled headline?) to spend time proving themselves innocent.
All without having the foggiest idea who or how somebody gained access to a part of Google they have never used and never want to use.
But Google doesn’t let this stand in the way of allowing its “AI†to trample and trash the lives of its customers – already judged guilty.
I went round the circle of (eventually) submitting yet another plea to regain access to MY data held ransom by Google yesterday.
I woke this morning to discover this:
and this:
“
Graphic sexual contact that is meant to be sexually gratifying is not allowed on YouTube†(grammatical and sense errors all the responsibility of Google).
I have been judged, found guilty, sentenced and subjected to the harshest possible penalty … by a “robotâ€.
Judge, jury and executioner all programmed into one conveniently mindless package.
Dystopia, anyone?
It is now for me to spend my (somewhat valuable) time running in circles and exhausting the mindless “AIâ€s (huh!) until some human finally gets round to looking into this … and discovers what was obvious from the start:
- GOOGLE allowed somebody or something to hack in to my account
- That access was GRANTED BY GOOGLE without either of my email addresses or my then current password being subject to any form of data breach – ie; my 12 character gibberish password was known only to me and Google.
How can I be so confident in saying my passwords are secure?
Troy Hunt runs the hugely useful website HaveIbeenPWNED? (
https://haveibeenpwned.com/). A quick trip to Troy’s website and check of my
Gmail address (ie; Google ID) tells me that ID has never been found in any data breach. EVER. That might be coincidental with the fact that I do not use Google or Gmail as my main email account, use very few of their services and do not use my Google ID to login to or communicate with any other web or cloud based services (despite Google’s oft repeated blandishment to do so).
My personal email address has been found in 15 major data breaches (which is a very low number for somebody who has been active on the web using the same email address since the Internet came into being). Of these 15 data breaches a full 10 leaked passwords associated with the email address. How does this happen (I hear you ask)? The answer is sloppy programming and poor practice by BIG web sites that should know better – sites like Adobe, 500px, LinkedIn, Yahoo, Trillian and others. These sites are guilty of either storing their customers’ passwords in plain text or using outdated encryption algorithms which by various methods can be easily cracked – and have been known to be broken for decades. And then negligent enough to (eg) post copies of their entire customer database on an open cloud instance – unprotected by any password whatever.
But, as irrelevant to this matter and article as it is, all of those affected websites have long ago been repeatedly password-changed or accounts closed down (
after passwords were changed) and none are in anyway relevant to the matter here – my Google ID and password having nothing in common with any other ID I have ever used.
Troy also provides a very useful web page at
https://haveibeenpwned.com/Passwords where you can enter a password you use and the site will tell you if that password has ever appeared in any data breach. Having changed my Google password to something new and even stronger than it was before I entered my previous Google password (the one in use at the time the objectionable videos were allegedly posted):
and received this:
Great news! Not only has the password I used to access Google never been released or discovered in connection with Google, it is entirely unique and not among the 555,278,657 passwords that have ever been discovered and released.
In other words only I and Google know my Google account password.
So, how did someone gain access to Google and post banned material in my name?
I have asked Google this question each and every time this same event has happened.
I have yet to receive so much as an acknowledgement let alone a reply to the question.
So, let’s look at the possible ways this might happen. In order of probability:
- Human error or deliberate human action within Google. I have just shown that only I and Google know my Google account credentials so, as the majority of account access breaches are the result of human stupidity or deliberate human action, the most likely cause is that somebody within Google either gave my password away or used it themselves to access a part of Google I never use.
- Direct database access inside Google abusing administrative privileges. Basically, a slightly different slant on the most likely. But a Google system admin with sufficient privileges could easily place videos directly wherever they chose without logging in to Google via a normal (ie; web browser) route – this would leave no trail (unless the crafty sysadmin also forged the access logs) but there are always forensic trails left – which is why it is so important that Google provides information about the how and where these videos appeared from.
- Unreported breach and theft of easily decrypted password cache from Google. No such breach known or disclosed.
- Software fault allowing a “back door†entrance. This is the criminal hacking beloved of many a Hollywood film – where somebody discovers a flaw in the software protecting a computer service (in this case YouTube) and uses it to gain access to all or parts of the system he/she should be nowhere near. Such cases do happen (an entire website is devoted to documenting and monitoring such bugs – across ALL computer system types) but, Google, do you really want to take the crown for allowing zero-day exploits into the wild from Microsoft? One back door hack of YouTube against my account would be bad. But FIVE? Honestly Google, are you going to claim this?
- I let someone gain access to my Google credentials. No. My Google password (was 12, now 16 characters of gibberish) is known to (a) Google, (b) me.
- A passing Russian speaking nogooder gained access to my home and entered my study, logged in to my workstation (the only computer that has access to passwords and the ability to post to websites like Google) and spent time uploading three illicit videos using credentials that aren’t even available on the machine unless you can crack an entirely different set of credentials (including the requirement to possess a physical 2FA key after entering my complex access password). Confession time: I, an IT “expert†since before the pre-dawn of the Internet now live in a remote spot in rural France where there exists not even the possibility of an old modem dial-up Internet connection. My Internet connection comes via a useless, bandwidth limited satellite feed (more often down than up – and FULLY bandwidth clogged overnight) plus a WiMax connection .. with an upload data rate of 512kbps – yes, you read that correctly a MAXIMUM of 512 kilobits (about 50 characters or bytes – oh for a telephone landline and an old modem) per second. So, our Russian hacker would have had to sit here for about a week (maybe two if the line is as slow as it normally is) to upload just one of the alleged videos. I think I would have noticed a Russian sitting at my desk – and the combined weight of my powered wheelchair and I (about a quarter of a ton) would have made short work of shifting him/her from their position. This is not a very likely way these videos ended up on YouTube – whether posted by a Russian hacker OR ME – Truth is I just don’t possess the upload bandwidth to go wasting it on posting videos to YouTube, especially porn that so clearly breaches Google’s “Guidelines†that it is taken down before it even appears on the site.
But try explaining that to an AI programmed to only look at “Guidelinesâ€.
We are left with the most likely route this material took on to a YouTube channel attached to my name is
with the collusion of a Google employee or employees.It is perhaps relevant that no other Google service in my name shows signs of hacking. Google generously gives (forces) all its services on you as soon as you purchase an Android phone but, though I can no longer say for certain (somebody blocked my account, D’uh!) I have zero indication that anything else nefarious has been done via my Google account.
Remember, my password consisted of 12 random gibberish characters. The only known ways to access such a password are (a) access a database in which they lie unencrypted or easily decrypted or (b) brute force.
A quick search of Troy Hunt’s site rules out (a).
To assess (b) head over to
https://random-ize.com/how-long-to-hack-pass/ . I just generated a few new 12 random character gibberish passwords and tested them. By “random gibberish†I mean that I am using 62 characters (A-Z, a-z, 0-9, !â€Â£$…) so a 12 character password comprising this character set provides 6212 possible combinations – or
3,226,266,762,397,900,000,000 which (without going through all the stats and assumptions) the random-ize site estimates would take 5,389,762 years, 2 months –
call it 5.3 million years – to guess using the fastest computer known to exist today. A 16 random character gibberish password provides
47,672,401,706,823,500,000,000,000,000 combinations which random-ize estimates would take today’s computers a mere 420,805,123,888,006 years, 6 months –
call it 420 trillion years to crack.
And those figures assume the cracker knows which of many currently used encryption algorithms was used to encrypt the password in the first place. If that information is not known multiply the above time estimates by
x where
x is the number of possible encryption algorithms used (hint: it’s a large enough number to cast the problem beyond the lifespan of the universe).
It is inconceivably unlikely that anybody happened on the combination of my Gmail address and 12 character password by chance.
While I would be flattered should somebody devote the entire compute power of the world’s most powerful computer to me for even 5.3 million years I would feel compelled to tell them I am not worth the effort.
It is inconceivable that somebody gained access to the encrypted password and brute-force decrypted it.
As I haven’t heard of a working quantum computer with enough qubits in its innards to so much as attempt to calculate the prime number sequence (the basis of almost all forms of computer based encryption) I believe I can safely say that my passwords are all safely locked away.
It follows that these videos were not posted using my login credentials and, therefore, Google has an awful lot of questions to answer.
How would Google’s denial of service affect someone who used many of Google’s services?
An incident eerily similar to this one recently happened to an acquaintance who turned up on my doorstep in tears. A user of Gmail, Google Calendar, Google Contacts, Google Cloud and Google Docs, Google Pay (among fripperies such as Google Music, Google Books and Google Movies) for personal use
and business this person had their entire life wiped out overnight.
- No more contacts – so couldn’t phone or email anyone.
- No more calendar appointments – so had no idea what meetings were due, flights or hotels were booked and had no proof of the bookings anyway as all the reservations resided in email or PDFs locked inside Google.
- No more email – so no way of receiving new emails or accessing past emails and continuing conversations with important clients and contacts.
- No access to all the thousands of photos and documents entrusted to Google Cloud – entire life’s records and all current and past business documents – including documents required for tax and other regulatory purposes – wiped out in the blink of an eye.
- Without so much as a euro in the pocket and without credit cards – everything purchased from the morning coffee to the train ride home was just a swipe with GooglePay … until Google decided to stop honouring his account.
It was worse. I asked about backups. “Why do I need backups – Google does all that stuff – isn’t that the purpose? I
back up my photos
to Google!â€.
Like me, they had done nothing wrong but received an email from YouTube
stating they had breached Google’s guidelines – followed very quickly by an email telling them their account was disabled.
I was unable to help … beyond pointing them to the appeals procedure described here.
They remain locked out of their former life.
Lessons for businesses
Quite simply, if a business places its data (which evolves second by second (millisecond for a large enterprise) in “the Cloud†and relies on a third-party supplier to safeguard that data and keep it accessible and that business has no real-time synchronised copies of data and processes within its own premises under its own control then that is a business heading for disaster.
What can happen to an individual can be done to a business – scaled accordingly. It is not for me to name them here but if you are responsible (as owner or director of any size of company) research the number of cloud businesses that have suddenly declared bankruptcy and left all their customers high and dry overnight. Look at the number of “accidental†errors that have denied businesses access to their own data held on the cloud services of the biggest providers.
The modern lesson that no data = no business suddenly hits home.
How has this affected me?
I could care two figs for a YouTube Channel – I have already thanked Google for so rapidly removing material I certainly do not want associated with my name and reputation. I wrote my own video making and broadcasting channel so have no need of Google’s paltry effort, thank you.
I have no messages stored on Gmail I could care tuppence about.
None of my contacts are stored on Google.
I have no calendar appointments, documents, photos, business records or anything of value to me entrusted to Google’s unreliable embrace.
Because I have long known this day would come (again) – and whether it was Google or any other Cloud provider – not only does all data entrusted to them become theirs (read those long boring EULAs some time) but when the tap is suddenly turned off a sharp lesson is suddenly learned that in modern society – with a change that has happened so fast nobody seems to have noticed it – we
all are our data.
Even those of us who spurn the embrace and enticements of “the Big Four†as far as humanly possible in the 21st Century.
My one and only concern is that I have several Android based devices (my main mobile phone, a tablet and an old phone I use as a reader) that are effectively now lumps of junk. Very expensive lumps of junk as my phone alone cost around €1,000 and can no longer even access the Play Store. So, when new disability apps (for which there is a thriving community of developers) that might help me comes along I will have no access to them. I have yet to test whether I still have access to existing apps on my devices … because many will have been tied – by Google – to my Google ID.
Which Google has just disabled.
As I wrote in another article, there is no such thing as a free service. If you use a free service you are paying for it with your very soul. If the company decides to eliminate your data they are as good as killing you. Scrubbing you from the digital world.
It seems that if you – perforce – MUST use a free service after having paid to purchase some very expensive hardware and software you are at just as much risk of having your property turned into junk and your life disrupted.
Google is guilty
Where do I start, for the list is long.
First the company jumped to the conclusion that I posted videos that breached its (mostly reasonable) guidelines. I did not.
Second it ignored copious evidence right under its nose that I most definitely did no such thing. I am not the guilty party here –
Google is for allowing my account to be breached and allowing the material to be posted in my name. Listen hard Google – in Europe (especially the UK) such an action, accompanied by your accusatory worded emails, is cause for defamation and is taken very seriously indeed. You may have ignored my requests to answer how somebody/thing is repeatedly posting objectionable materials to an account
YOU have opened in my name but you will find it more difficult to refuse to answer a court of law.
Third it followed no acceptable process to establish the facts of this matter – merely followed its own “guidelines†and with effectively no notice at all – the original emails arrived here in Europe late last night and the decision to block my entire Google account was taken while I was sleeping – so, while arrogant corporate America was awake.
Fourth it has provided no evidence of how the objectionable videos were posted – and continues to refuse to do so. It could, for example, provide information as simple as the IP address from which the videos were posted. It will not. It could say definitively whether the material was posted using my login credentials or was somehow inserted in “my†YouTube channel by other means. It will not.
It has issued judgement and sentence based on assumption alone, providing nothing that might remotely stand up as evidence and refusing to engage in the slightest of conversations (it has not responded to a single point I have put to it).
Ultimately the company has leapt to guilty without so much as looking at a fact – just an assumption made by an AI that is in reality just another computer program written by fallible, biased humans. Not a scrap of artificial intelligence in sight. Which accompanies the total absence of any human intelligence.
Current status
As I finish this article (for now) I have just received the following email from “The YouTube Team†– I include my appeal submission (as much as the form allows you to type) to show the evidence I gave:
“
Hello,Thank you for your account suspension appeal. We have decided to keep your account suspended based on our Community Guidelines and Terms of Service. Please visit http://www.youtube.com/t/community_guidelines for more information.Sincerely,
The YouTube TeamOn March 7, 2020 george@xxxxxx.xxx wrote: I assume this was because somebody – not for the first time – gained access to the Youtube channel (which I do not want and have NEVER posted to) and posted the three examples of sexual material I saw yesterday. I immediately (a) changed my Google account password for another – 16 random character – password and (b) responded to Youtube in the only way possible (by replying via Appeals) stating that I had NOT hand any part in the action and asking (again) how it is that somebody is able to post Youtube videos in my name without access to my login. I also provided the information that I am Fellow of the British Computer Society (with a hand in bringing the Internet to life) and Fellow of the Institute of Directors (ie; senior businessman). I provided the SAME signature I use on every email sent through Gmail which contains a link to https://www.biznik.co.uk/about which has a potted bio and links to my presence on Linkedin and Twitter as well as some of my other websites.â€
Is any further proof needed that the Google account suspension and deletion process is run by bots? Kindly note that nothing in my appeal addressed Google’s “Community Guidelines and Terms of Serviceâ€. Seriously – that is because I could not address those guidelines – I had done nothing to contravene them. But the “AI bot†pretending to be “The YouTube Team†has only been programmed to respond to pleas relating the the “Guidelines†so does nothing more than spit out anything coming from a real, intelligent human being discussing the real issues at hand.
Did I say that Google is far, far away from delivering any form of Artificial intelligence. If not, I apologise. But offer here an excellent example of just how far away they are from achieving a goal they claim to have surpassed.
The email above is
PRECISELY the same email I received on each of the previous occasions this kind of event has occurred.
Business advice
I am a mere white-haired old businessman and modest IT specialist with decades of business experience behind him – naturally including the field of customer retention and growth.
From where I sit the people running Google are children learning how to walk.
So I will offer some simple guidance.
- The quickest way to lose a customer is to so irritate them that they take their business elsewhere.
- The quickest way for even the mightiest company to come crashing to its knees is to lose the customers who feed it.
And Google, just in case anyone of your minions reads this and wants to know who it is they have just snubbed they can look me up in the public register of the British Computer Society at
https://www.bcs.org/membership/register-of-bcs-members/Try looking up Sir Tim Berners-Lee, Bill Gates (both elected to Fellowship several years after me) and, while there look up Sergey Brin, Larry Page or other names familiar to you from Google’s ranks. After all you employ enough people from around the globe – surely
somebody has achieved enough in the field of computer science and application to justify election by his peers?
No? It looks like you have to do more than rehash a search engine or pretend to develop artificial intelligence to qualify (
https://www.bcs.org/membership/become-a-member/membership-grades-and-fees/fellowship-criteria-checklist/).
Either that or they couldn’t find another BCS Fellow to sponsor them.
Your company and its nefarious behaviours cannot be exposed and broken into a million shards soon enough.
Sergey, Larry – keep at it lads. When the backlash comes it could well be you who loses everything you possess.