a google horror story: what happens when you are disappearedEarlier this week, an acquaintance of mine found himself trapped in a Kafka-esque nightmare, a nightmare that should make all of us stop and think. He wants to remain anonymous so let's call him Bob. Bob was an early adopter of all things Google. His account was linked to all sorts of Google services. Gmail was the most important thing to him - he'd been using it for four years and all of his email (a.k.a. "his life") was there. Bob also managed a large community in Orkut, used Google's calendaring service, and had accounts on many of of their different properties.
Earlier this week, Bob received a notice that there was a spam problem in his Orkut community. The message was in English and it looked legitimate and so he clicked on it. He didn't realize that he'd fallen into a phisher's net until it was too late. His account was hijacked for god-knows-what-purposes until his account was blocked and deleted. He contacted Google's customer service and their response basically boiled down to "that sucks, we can't restore anything, sign up for a new account." Boom! No more email, no more calendar, no more Orkut, no more gChat history, no more Blogger, no more anything connected to his Google account.
::gasp:: My heart threatens to attack my throat at the mere idea of losing four years worth of email. ::shudder:: Or what if this blog disappeared? Like, OMG. {insert horror film music here}
Luckily, Bob is well-connected. His friends in high places forwarded his story to powerful people inside Google. Today, his account was restored. While such a restoration should provide a sigh of relief, it's also a bit disconcerting. What if Bob hadn't been so well connected? What other kinds of damage can phishers do to people who have so many of their key tools linked together under a common account?
Most tech companies blame phishing victims. Basically, the general sentiment is that if people weren't so stupid, there wouldn't be a problem. Yet, there is great research on Why Phishing Works that shows that even sophisticated users can be deceived. While education is important, it is unrealistic to expect all users to keep up with the developments of scammers' deceptive techniques. Consider the story of Clementine, a 13-year-old citizen of Gaia Online who fell victim to a phishing attack and had her account deleted without recourse. Once again, Clementine's saving grace was that she had connections, but it took a long time and she was written out of her primary social space in the meantime.
When companies host all of your data and have the ability to delete you and it at-will, all sorts of nightmarish science fiction futures are possible. This is the other side of the "identity theft" nightmare where the companies thieve and destroy individuals' identities. What are these companies' responsibilities? Who is overseeing them? What kind of regulation is necessary?
There's also a flip-side to this story. Google was able to restore his account because they kept everything on backup servers. In this case, Bob didn't want to have all of his content deleted. But what if he had deleted it himself and expected it to be deleted permanently? Who should have the right to recall his data and under what circumstances? I find it particularly haunting that there is no way to delete your Facebook account. You can only "deactivate" it, but you can reactivate it at any time and everything will come right back. What if you don't want to go down on Facebook's permanent record?
These are the issues that worry all sorts of privacy and identity types. They are the cornerstone of books like Daniel Solove's The Digital Person and Simson Garfinkel's Database Nation. Yet, as with identity theft, few people stop to think about data loss until it happens to them. But perhaps we should. How would you feel if the company hosting your email suddenly decided to disappear you? Or if Facebook/MySpace/Flickr/Xanga/etc. decided to delete your account right now? (There are plenty of examples of this one too. For example, many celebrities have found their accounts obliterated because company reps think that they're fake. And then there was Friendster...) Imagine if you had no path of recourse. Talk about disempowering!
In thinking about this, your first response should be to back up your data. (And grumble loudly about all of the places where this isn't possible.) But what's your second step? What kind of legislation is necessary to address this? What kind of data recovery (or non-recovery) policies should companies have?
As more universities (including my own) abandon home-grown email systems and move everyone to GMail, will such issues spread? Should companies be forced to establish and follow policies that deal with such situations?
RSS Feed
Comments (5)
Really? This isn't even a sophisticated analysis of the ethics and responsibilities, let alone the technical issues involved. What can you expect a company to do when stupid users lose their data? Sure, they back it up, but no, it isn't just flicking a switch to have it come back. Try asking your university's IT staff to retrieve your data: they'll dust off the TAPES and then make you specify each and every file missing. Don't have that information? You are pretty much out of luck. Of course, it sucks to lose your data, but other than getting your account hijacked (and prudent users should be able to avoid this, although it surely happens to everyone sometimes), data located on enterprise-grade redundant servers (of the sort that Google has) is WAY more safe than your home-grown infrequently-used backup system (assuming you even have one). Don't like the idea of Google having access to that data, and being unable to truly delete it? Try encryption, there are a number of ways to lock these things up (obviously, not everything though). I think an analysis of these issues needs to be discussed, but it shouldn't be Danah Boyd doing the analysis: it should be someone that understands the theory and/or the technology. Here's a place to start, Latour's thoughts on black boxing the ethics, or making ethical agents out of these systems (as in, do the Google servers become ethical agents involved in protecting your privacy?). There is a lot of hay to be made here, let's do it, and kick Danah off the island.
The reason why universities stop supporting emails has to do with security reasons. If you think your email is safer with a univ.
And why do you account Google or this?
1. it's the users own fault this time
2. it's not just google who is victim of phishing and
3. I am not much of a google fanboy, but when it comes to security, I trust google more than my univ. tech department. What they do with my information is a different matter...
Quinn - thanks for kicking me off the island. I'm not arguing that I should be the one doing the analysis, nor was that my goal in my post. Rather, I wanted to showcase a real story that real people are experiencing for folks like Siva who should be doing the analysis. (That said - I do understand the theory and the technology; it's just not my expertise or interest.)
Three of my email accounts were hacked at the same time. A primary gmail, a secondary hotmail (secondary to gmail that is) and another gmail account that I used for related services like Orkut (too much spam mail to handle for the primary email). I had been using the gmail account for over 3 years... And the hotmail for maybe 6-7 yrs. I wrote to Google and waited for them to get back in touch with me. Meanwhile, I tried to send a password change request to hotmail... and oddly enough, they kept sending the instructions for the same to my hotmail account itself! I don't think I even want my hotmail back after that kind of shoddy service.
Anyway, I held Google in high esteem. I was a great fan of gmail too. So I waited. It seemed rather odd to me that Google Support team was taking so much time, but I reasoned to myself that it must be because of the weekend (which is silly I know!)
After waiting for almost 5 days, I started spreading the word! There was no way I was willing to let a hacker walk away with all that data! Luckily, a friend knew a friend who had a friend in Google! I got my primary gmail back. One account out of the three. The other gmail has gone. I did get my main account back, I agree. But nepotism? For a global company like Google? Its left a bad taste, it really has! What's the point of introducing new products and services everyday when you can't manage the older ones ?
I have now switched to using my univ email. In case of any trouble, it can at least be handled at a local level!
Cry me a river. You use these FREE services, you are effectively timesharing on other people's computers and you whine when they screw you? You gave up all that dirty information for free. Take some goddamn responsibility for your actions. Time sharing means you are relying on OTHERS, not yourself. This is a weakness.