[dupe] Google One (one.google.com)
42 points by m1245 on Nov 16, 2019 | 93 comments


A couple of months ago I stumbled across Google One; I thought it was a replacement for Google Drive. I got a popup chat and talked with a Google Rep, asking for clarity. The fact that it wasn't easily understandable from the site wasn't a good sign. Once I learned it was just the latest new way to upgrade Google storage, something I did not need, I ended the chat and went about my business. A few days later I received an email from the Google Play store confirming my purchase of additional storage through Google One, something I had not requested or purchased, although somehow just being on the One site triggered that purchase. I was really taken aback because I didn't even realize Google had my purchase information. I've never purchased anything from/through Google. I had to go back to the One site, open a chat and then spend the better part of an hour trying to get the charge reversed, which is something they don't usually do.

So basically what I'm trying to say is this: Do not click through to the Google One site.

edit: I should also add that I originally had 17 GB of Google Drive storage (15 GB all users get plus an extra 2 GB for doing some Google survey or something some years ago) but after the Google One storage grift was reversed, my storage went back down to 15 GB. I guess there was a 2 GB penalty.


Another typically badly explained Google product.

You arrive at one.google.com and all it says is something about your storage. Is that what it's all about?

Here's what it says in the Google Description (you have to Google what one.google.com is to find out what it does - hilarious!).

"Get expanded cloud storage, access to help from Google experts, and more benefits — in one simple plan that you can share with your family."

So, from this it's storage + experts + some mysterious other benefits - and it's about sharing it with your family.

Why don't they at least say that on their front page?! The reason, cos Google don't employ any decent usability experts.


From what I can tell it's:

* extra storage (google drive + google photos + gmail).

* phone photos and contacts backed up (there's a Google One app)

* "access to experts"

* discount on google purchases in "Google Store" - so for Pixels and DayDreams? Does Stadia count?

* discount when booking hotels through google.

Super weird mix of features. The meat of the offering seems to be more storage.


I didn't get a discount on my Stadia preorder, purchased in July. Of course, it hasn't shipped yet either and the original release/delivery date was supposed to be the 19th iirc.


>The reason, cos Google don't employ any decent usability experts. //

They must, surely?

It seems more likely to be the "one-button mouse effect" where leadership dictates something like "minimal interface" to be king and refuses to believe anyone could possibly not understand their product?


When I go to https://one.google.com/about (the default page) I see the tagline

> Expanded storage, access to experts, and more – all in one shareable plan

I see that they offer some discounts in Google stores and for hotels. I see that you can share the storage (and cost) with your family.

So overall 100GB for $20/year. Not completely awful, though I know plenty of people that use more storage for that just for photos.

Still, I'm thinking whatever you found on web search added little or no information to what's on the page that's linked.


Maybe that's a problem with your local version; in Polish I see everything described, and the page is quite long. There's also an FAQ.


Google One has been available for a while. I'm not sure why this link was submitted, and how it made it to the front page of HN?


Agreed. Here is the previous discussion: https://news.ycombinator.com/item?id=18678929


I saw the headline, and my first reaction was "Google What?"

I'd never heard of this thing. Maybe it was news to the submitter as well.


Statistically speaking, if this post was made 6-12 months in the future, the discussion here would likely be lamentations regarding yet another product Google decided to kill.

Consider this your warning.


As someone who pays for multiple Google services this is not something I'm interested in at all.

I would be very interested in something that gave me the paid features in all of their services: YouTube red (no ads + custom content no one likes), Google storage (one), Google Plus Music (or whatever they're replacing it with) for "infinite" music, YouTube TV, Stadia, and my Fi account.

If Google integrated these billing systems and made a cohesive feature set that was constantly expanding it would be a no-brainer to spend like +$50/month on this bundle (phone + backups + entertainment).

I'm assuming they don't do this because of fragmentation across product teams or anti monopoly stuff.


Funny, I'm the exact opposite -- the only thing I'm interested in is storage, so I'm glad I don't have to pay for the rest.

But the products you list all serve mostly dramatically different markets. I would assume they don't offer a bundle because the venn diagram here would actually be quite small. I don't think the main reason is internal politics or anti monopoly.


YouTube red already gives you access to everything music-related, last time I checked: It includes YouTube Music premium (which in turn apparently is the successor of Google Play Music).

The branding is pretty messed up there (as usual for Google), but the service itself is actually decent, and if I wasn't already on Spotify I would seriously consider switching. 2€/$ more for ad-free YouTube would definitely be worth it.

That actually outlines one problem I'd have with such an "everything Google" bundle: Very likely, I'd already be paying for one or more of the components of one of its competitors, and the deal would be much less attractive as a result.


That would be the "hook". You may have 1 to 3 of the things already included but the remaining things would get you to say "well... overall it's less money than having both."

It's like Apple products. I already have a chat app but if I have an iPhone iMessage is pretty amazing


That would work in getting me "hooked" only if the existing, 3rd party service is not very sticky in some way. Spotify definitely is for me (integration with my home stereo, playlists shared with friends etc).

It would definitely convince me to give the bundled product an honest chance that I otherwise wouldn't, I suppose.


It’s also because Google Accounts is such a complicated mess by now that no one inside Google knows how it works: https://grumpy.website/post/0PU1U2r3v


That's all just UX complaints.

Behind the scenes, a Google account is a single unified Google account, as far as I know.

(In other words, individual products can be confusing, but I don't think the backend inherently prevents unified billing.)


Tell that to someone using G Suites! I don't know the real internal structure, but I've experienced a frustrating number of "unsupported features" or "unexpected errors."


Those UX complaints wouldn't exist if Google Accounts were as internally unified as you make them out to be. With a unified set of internal tools and APIs for teams to work with and make sure their product works.

Meanwhile, it took YouTube more than ten years to be able to support not just the default user. BigQuery is 9 years this year, and can't support multiple users in the browser etc. etc.

It gets worse than that.

Because they are still kinda unified. You get blocked for whatever reason on YouTube? Oh. Say goodbye to the rest of Google properties: play store, your dev account etc.


Actually, compared to all of my other gripes with Google services, I've always found their account management to be pretty coherent and easy to understand lately.

SSO on iOS across the browser and Google's native apps, and "sign in with Google" in 3rd party apps, works flawlessly for me.

The only thing I'm missing is a "sign me out" button (per device or even on all devices) that actually works.


As a person who uses at least two accounts (personal and work), and a third account on YouTube (I've had it since before Google Accounts), the number of little things that consistently don't work is baffling. Well, you can see just one day's worth at the link :)


From looking at Google's privacy policy for this product, it seems to me that if I have a file called all-my-deepest-secrets-fears-and-desires.txt stored in Google's cloud, then nothing stops Google from sharing what they learn from this file as long as it is "non-personally identifiable information". That sounds like they can do whatever they want, as long as they don't attach my actual name to it.


The irony of "non-personally identifiable information" is that there is no such thing. Just show me your regular everyday travel destinations, i.e. mostly home -> work -> home and I will identify you. Not to mention card purchases (Google bank accounts to the rescue!) that contain more information than you know about yourself.

Or if you are a software engineer, show me enough of your source code with file names etc. (including your commercial work) and I might be able to match you against the full LinkedIn database for example, although I probably won't be able to automate this one. Etc. etc.

Nothing is ever completely anonymous unless you get to the level of elementary physical particles which as we know don't have an identity :)


Completely agree. It's a smoke screen, but probably one that holds up in court - for now.


Launched August 15, 2018; 14 months ago.

Source: https://en.m.wikipedia.org/wiki/Google_One

Shouldn’t we add „[2018]” to the title?


Good idea. I would like to see this added as well.


The price jump from 2TB to 10TB is weird. 5x storage for 10x price. The other storage/price increments give you a "quantity discount" (e.g., twice as much storage for a 50 percent price increase) but that one is the opposite. Any guesses as to why they chose to do that?


If you need more than 2TB it's quite likely that you are using the product in a professional context. Thus, they are able to charge more. The smaller tiers are cheap to be attractive to end consumers.


Because the 2TB is discounted 50% for Google One members.


What happens if one of Google's bots decides to delete your account? Is that it for your family's picture collection?


That's something I also worry a bit about. They do have Google Takeout, and I recently used that to download the 120GB-ish worth of stuff I've got in there, and it worked very well. I guess I should set up a job to back that up to B2?


Does this get rid of ads? I would pay for this if all of the Ads in Search, Gmail, YouTube, and every other Google product they pushed went away.


Not enough. I would pay only if they served me attention un-optimized results. No more 'Peterson DeStRoYs some random host somewhere' 'you wont believe number 4' videos in YT recommendations, no more AMP first, current news, trending, volume over quality search result prioritization, no more 'you searched X, didnt you mean Taylor Swift instead?'.


I don't think Google One does, but that is a service you can pay for: https://contributor.google.com/v/marketing


Oh, TIL! However, for me this site only shows a landing page and an empty slide menu behind a hamburger button. Is this launched yet?



I think it launched in 2014 or so.


Same here (latest Firefox behind 3 levels of blockers)


Ad blockers get rid of ads.


Not being snarky at all - how would component be different from my current Firefox + uBlock experience?


Some people find it unethical to do that, whereas paying to block ads is ok because it's an agreement with the provider.

As for practical reasons, one may want to watch YouTube outside of browsers, where using uBlock is impossible.


Ads on YT pay for YT, you need to produce some common denominator shitty content to stay on top of that game.

Also the way creators are treated (demonetization, copyright-claim-fuckfest, no-appeal because there is no way to get human in the loop on YT side unless your case gets viral) shows to me that creators are being sold to ad companies, not the other way around.

If you want to support someone, become a patron or send them cash.


Yep - if you block youtube ads in the browser, google doesn't pay out to the maker. Sure, it's only tiny fractions of cents - but I consider it stealing.


I’m going to take the downvotes on this...

That’s not stealing.

I didn’t agree to watch ads or see to it that you were paid for putting up a video that you put up for fun or art or habit or hope.

I don’t think you should be entitled to be paid for content you voluntarily put up on someone else’s computer. You didn’t agree to a contract that asked you to produce content.

If all art was thought of like this - there would be no art. Guess what, sometimes you’ll make something and won’t be paid back for doing that. You do it anyway because you want to improve your art, you want to get better, or express something else even if no one receives it, you do it “to put in the work, son.”

If you want to post YouTube videos, do it! That’s cool and maybe I’ll enjoy them, but I’m not stealing by not engaging in the system of their choice to make money that you hope they share a tiny fraction of with you.

Sorry, but no. I choose not to participate. If you think that’s stealing; well, I’m glad that you’ve never had anything actually taken from you to allow for such a misuse of the word.


It does not. I'm a One customer (for storage) and I see ads in official Gmail clients (web + iOS)


Every time I see a new product from Google, I think of Reader.

Edit: let's be honest with ourselves... you do too


I upgraded a few months back, as I'd exceeded my drive limit and the upgrade to 2Tb storage dumped me into this new "Google One" thing.

I'm actually pretty happy with it, as I just entered into it as the next storage tier. First up, it gave me a "click here for a free google home", and you get a 10% credit back if you buy hardware from them. Not deal-makers, but nice bonus when I just came for the storage.

What I did find useful is that you can now share your storage with other people. I can just add my aged family members and relax a bit knowing they have actually got some running backup in place.

I would like it if it was combined with Youtube Premium/Red which I also pay for, even though I use Spotify over Google music.


Love that the front page shows me how much storage some hypothetical user needs yet I’m logged into google (can see my icon at top) and it doesn’t show how much storage I need.

Complete design fail.



To be fair, I don't see a link to that from the front page.

Still, nice that they've implemented it.


Let me guess: doesn't work with google apps accounts, because google really wants people to stop using them but isn't dumb enough to straight pull the plug quite yet.


I mean, it doesn't, but this time it actually makes sense: If you want more storage as part of a GSuite account, you just buy it. There's no reason to buy a consumer-focused package for a business offering that has the same thing already available as part of its billing.


> google really wants people to stop using them but isn't dumb enough to straight pull the plug quite yet.

I have my Google life spread out across a couple of (grandfathered) Google Apps accounts, and don't use any @gmail.com accounts for Google services, so it would suck if they pulled the plug.


I've used the "One" "Family Plan" for a couple years, whatever it was before One. It's nice, but I do worry about the non-linear pricing. For 200GB at $3/mo, that's fine. Then for 2TB it drops per GB to $10/mo.

The next jump is 10TB for $100/mo (double the per/GB). But my storage consumption doesn't jump like that, I won't go from 2TB to 10TB (probably). Which makes 3TB feel like $33/GB/mo...

S3 is linear and drops. B2 is linear. Google Fi refunds me for actual usage below what I've paid for. Why is storage so weird?


Doesn't support own domain as best as I can tell, which makes it a non-starter for me.

Think I might just move to protonmail instead of gsuite


I've heard, but can't confirm, that photos and videos stored on Google are used to train ML models at Google. So I'm surprised that Google would want to charge at all for this service if it's important.

Were any other company able to get you to store your photos and videos, I wonder if that could dent Google's ML capabilities a bit.


To use people's random images for training, they would have to be manually annotated by a human (e.g. facial boxes, eyes, nose, mouth, ears drawn in).

There are also diminishing returns from additional data if it does not bring vastly new scenarios to train against.

Access to raw data alone is rarely a problem, so I would personally doubt that Google would have much value in Google Photos for training.


> To use people's random images for training, they would have to be manually annotated by a human (e.g. facial boxes, eyes, nose, mouth, ears drawn in).

That's not true. There is a large and growing body of research on semi-supervised, self-supervised, and unsupervised learning that can take advantage of these unlabelled images.


Different learning techniques have different applications. I do not believe those techniques are applicable to the hypothetical use-cases of this dataset.

Perhaps semi-supervised could be utilized, which reduces the required annotation by some factor k, but still leaves it as a function of the dataset.

Self-supervised basically replaces human annotation with machine annotation, making it only applicable to a small subset of tasks in which this is possible (e.g. you could train "guess time from picture" using EXIF timestamp).

Unsupervised is only applicable to very specific tasks.


That sounds like a conspiracy theory. Training how? It's not like people are uploading tagged photos. And what value is that over Google Images (or other services)?


So it's a possibility to really get support from Google? Or is it the same support as for any non-paying user?


Does this give me human support? Otherwise it's a bit meh.


Ugh. No.

These past two decades have been about freeing us from vendor lock-in. The last thing I'd want is to go back to that!


About a month ago, a hacker guessed a weak password on one of my seldom-used Google accounts. They changed the password and the recovery email.

I attempted to get the account back, including telling them the old password, old recovery email, and the month and year I opened the account (like 10 years ago) but no, they said they “couldn’t” do it.

So I’m sunk. No recourse, no one to appeal to.

So why would I put my whole life into Google? When it can be taken away so quickly, and there is no appeal process?

On my main Google account I do have a recovery email (that I host) and 2FA. But I do not feel secure that the same thing couldn’t happen there too.

If it does, you are sunk.

I’m actually in the process of moving everything off of Google.

No thanks!


You could be the hacker who got hold of the old recovery email. :/

There's no safe way to do these recovery processes.

Weak/lost/compromised password means that the account is gone.

Sure it'd be nice to have a fallback that ties recovery to visiting an office, where you establish some shared secrets, biomarkers, etc. But big companies are not into that because probably too few people pay for this. (As they also don't want to depend on a 3rd party for identity management.)


>>Weak/lost/compromised password means that the account is gone.

Not if you have 2FA enabled.

Not that SMS-based crap either. I'm talking about the _real_ stuff, such as TOTP.


What if you lose your phone?


Use Yubikeys, plural.


TOTP isn't any more real than SMS. Social engineering easily defeats both. Use FIDO2 or U2F.

[Cue usual HN discussion about loss or unavailability of physical tokens]


This is not true, SMS can be MITMd easily with sim jacking and TOTP is running fully offline.


TOTP is the one that is more trivially MITMed. SMS is also vulnerable to the Confused Deputy problem.


False. Every MITM technique for TOTP works for SMS. Not the other way round.


A TOTP-based phishing attack can start entirely from a false origin. The user can enter the offline-generated secret into that false origin and never realize the phishing even happened.

SMS MITM is harder to pull off, as the normal UX flow assumes the origin knows the user's phone number, which is a weak measure of authenticity on the part of the origin. If a user is taken to a false origin to begin with, then it must somehow either prompt the user for a phone number (which is likely to signal to the user that something is amiss), or else have an actual communication conduit to the true origin so that it can trick it into initiating the SMS challenge.

By the way, we're misusing the term MITM here, but I went with it to keep the conversation going. I believe OP meant phishing.

Edit, since we're in a reply war that HN code is properly stifling: of course we're talking about the TOTP generated secret (what you're calling the six-digit PIN), not the shared secret that's transmitted from the origin once at setup time. SMS and TOTP are both atrociously susceptible to social engineering, and SMS has the additional feature that the engineering can happen without any involvement of the user. Your downvoting suggests there's a significant difference between the two, but phishing studies show that all of us, even those of us who consider ourselves experts, are vulnerable to phishing.


> The user can enter the offline-generated secret into that false origin and never realize the phishing even happened.

That's pretty far-fetched, never heard of a phishing attack that tricked the TOTP secret from users. I bet 99.99% of TOTP users don't even have access to the secret. You can only trick the six digit code out of them, valid for 30 seconds, which you then feed into the actual login form / API.

The SMS code phishing flow is the same. You trick the username and password out of the user, feed it into the actual login form, trigger the SMS challenge, and once again trick the six digit code from the user (which is usually valid for longer than 30 seconds, btw).

Except with SMS there are many ways to intercept.

Re edit: “Your downvoting suggests there's a significant difference between the two, but phishing studies show that all of us, even those of us who consider ourselves experts, are vulnerable to phishing.” With SMS you don’t even need phishing, you can combine leaked credentials (e.g. from other breaches) and SIM jacking to hijack accounts. Plenty of high profile cases posted here before. That’s the scary part: no phishing at all. And you never backed up the “TOTP is the one that is more trivially MITMed” claim.
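
Added example (not part of the original thread): the sub-thread above turns on whether a second factor is tied to the site it is presented to. This Python sketch computes RFC 6238 TOTP and contrasts the server-side check with a simplified origin-bound assertion in the spirit of FIDO2/U2F. The HMAC stand-in for the authenticator's signature, the `.example` origins, the keys and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The only inputs are the shared secret and the clock."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts_totp(secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Server-side check: the current step plus/minus `window` steps of clock drift."""
    return any(
        hmac.compare_digest(totp(secret, now + drift * STEP), submitted)
        for drift in range(-window, window + 1)
    )


def make_assertion(key: bytes, challenge: bytes, origin_seen_by_browser: str):
    """Simplified origin-bound assertion: the browser, not the user, records the
    origin it is actually on, and that origin is covered by the authentication tag.
    Assumption: HMAC stands in for the authenticator's public-key signature."""
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": origin_seen_by_browser},
        sort_keys=True,
    ).encode()
    return client_data, hmac.new(key, client_data, hashlib.sha256).digest()


def server_accepts_assertion(key, challenge, expected_origin, client_data, tag) -> bool:
    """Server-side check: tag valid, challenge fresh, and origin equal to our own."""
    expected_tag = hmac.new(key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):
        return False
    data = json.loads(client_data)
    return data["challenge"] == challenge.hex() and data["origin"] == expected_origin


# Constructed sample values (not taken from the thread).
TOTP_SECRET = b"12345678901234567890"            # test secret published in RFC 6238
DEVICE_KEY = b"constructed-device-key"           # hypothetical authenticator key
REAL_ORIGIN = "https://accounts.example"         # the service's own origin
OTHER_ORIGIN = "https://accounts-login.example"  # any origin that is not the service


def compare_factors() -> dict:
    """Return what the real server accepts for each factor and presentation path."""
    results = {}
    typed_at = 59
    code = totp(TOTP_SECRET, typed_at)
    # The six digits carry no record of where they were typed, so the server
    # cannot tell a direct submission from one that arrived via another origin.
    results["totp_direct"] = server_accepts_totp(TOTP_SECRET, code, typed_at)
    results["totp_via_other_origin"] = server_accepts_totp(TOTP_SECRET, code, typed_at + 11)
    results["totp_after_expiry"] = server_accepts_totp(TOTP_SECRET, code, typed_at + 120)

    challenge = bytes(range(16))  # constructed; a real server issues a random one
    for label, origin in (("assertion_real_origin", REAL_ORIGIN),
                          ("assertion_other_origin", OTHER_ORIGIN)):
        client_data, tag = make_assertion(DEVICE_KEY, challenge, origin)
        results[label] = server_accepts_assertion(
            DEVICE_KEY, challenge, REAL_ORIGIN, client_data, tag)
    return results


if __name__ == "__main__":
    for name, accepted in compare_factors().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The same reasoning applies to a code delivered by SMS: it is also a bare string with no origin in it, so only the origin-bound assertion gives the server something to reject.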


> There's no safe way to do these recovery processes.

Imagine if banks said the same thing. "Oh someone changed the password and email on your bank account, sorry you permanently lost access to all that money."

If you signed up with your real name, some combination of government id, proof of physical address etc should be enough for recovery. If it's good enough for banks, shouldn't it be good enough for email?


I mean, for a long time that's how banks dealt with some types of fraud. They even got people calling it "identity theft".


Okay, so you’re proposing that Google ask for your government ID when you sign up for a Gmail account?


Your comment seems a little aggressive, but that notwithstanding, there is the option of letting users allow it only if they wanted some extra security. 2FA and other safety-related items are optional...so why couldn't this be?


It doesn't even need to be government ID. As soon as you pay for something, like starting a Google One subscription or buying an app on the Play Store, your billing information should establish your identity. Later when you need to get your account back, you may need to present some sort of government ID and/or proof of address that matches your billing information. It's not bulletproof but it's better than losing access to a paid account forever.


A paid account, sure, I assume that might already be the case? I certainly don’t expect to lose access to my GSuite account or Google Fi account if I forget my password. However, ggp seems to be talking about a free account, as the vast majority of Gmail accounts are.


Yeah, that's unfortunate. But I wouldn't expect a free account to be recoverable. You need to have put something on file, whether government ID or billing info, in order for anyone to verify whether someone who claims to be you is actually you. Americans are weirdly averse to using government IDs, so billing info is really the only option.


It happens all the time and the bank will tell you that you have to physically step into a branch with the ID used to open the account.

Source: happened to me.


Yes and having that option is way better than losing your account forever with no recourse.


But that starts with first establishing your identity at the bank. And who knows what would really happen if someone really targeted you and/or your account at that bank.

I mean banks I have some dealings with try to match my signature (after checking my gov issued ID cards), but if it doesn't match they just let me look at the screen so I can try something similar.

So what would happen were someone to walk in with fake ID cards? Probably they could just walk out with my money, and then it's up to the CCTV tapes to maybe "prove" that it wasn't me.

If there were truly properly secure and cost effective physical identity assurance services big Internet companies would probably use them.


Sure. But I see some trend in comments where people assume you can't be locked out of resources in traditional banking. And that is patently false.

It's extremely easy to have a bank account you cannot access. But at least you get to talk to a (useless) person about it.


Companies really need some sort of rollback to prior recovery email option. I had this happen with an old skype account I hadn’t put 2fa on.

I was able to get back into the account, but since the attacker had added their email, any changes had to be confirmed via that new email address! I re-entered a few times but eventually just gave it up to them. Microsoft was no help.


Outlook now has a wait period of 30 days before some certain security changes can be made - e.g. account recovery options. I've never used it though.

https://support.microsoft.com/en-my/help/4057241/microsoft-a...


That's exactly what caught me I think! Because the user changed the email, I couldn't change it back for 30 days.

I may have been an edge case: I had no email on the skype account, only a recovery email. Eg:

Account email: null

Recovery email: myemail@example.com

The hacker changed it to:

Account email: hacker@example.com

Recovery email: null

My account was old enough they hadn't required an account email on creation.

My ownership of the old recovery email was not persuasive to microsoft. I was even telling them about it while the hack was happening. They let the hacker take over fully, send spam, and shut down the account for spam.

Basically I couldn't change the account email for 30 days, and the hacker had been able to remove the recovery email.


I don't see how you could do that without opening up another risk. Suppose your recovery email account is compromised. You don't want it as a recovery email anymore because then the attacker can use it as a foothold to get into this account. If you can roll back removal, then you can't protect against that.

The only way I can see around that is if there are conditions on rolling back. But then if you're going to require authorization to roll back, you need to authenticate that request, and the whole reason you're trying to do this is because you are trying to reestablish the ability to authorize.


That's a hard problem.

Think of it the opposite way. You just changed your recovery e-mail and password because your recovery e-mail was compromised, and you also used the same password. In other words, you secured your account. Maybe you setup 2FA and a bunch of other things... good.

Now take the place of the attacker. You look at the compromised inbox, see a confirmation email from Google. Nice, you now have an account login, the creation date, and a good password candidate. If you could simply call Google, give the info you already got by reading the compromised mail, and get access, no amount of securing done by the victim could work.

There are two contradicting goals here: keeping your data secure from hackers, and allow some mistakes to be made on your side without you getting screwed (using a weak password is a mistake). Google is constantly juggling between the two and sometimes, the outcome is not what you want it to be.

The solution is not to hold on your personal data too much. Google doesn't ask for it only so that they can target you with ads, even though it is a very important reason to them. It is also used to secure your account.

If you don't want to use Google, good, however, there is no perfect solution, especially if you are not flawless yourself. Keep data on your own machine? Do you have offsite backups? End-to-end encrypted, privacy focused services provide no form of password recovery whatsoever. And services that are a bit too loose may give anyone access with a bit of social engineering. Pick your poison.


Well, you are using free resources, that is why. If you had a paid account with them then they will of course help you get it back. Google One is different than getting a free inbox.


A seamless account recovery was absolutely not the experience some people I knew had with paid Google Apps or other paid Google products accounts.

(Not to mention the unexplained account locking)

So, no, it's not merely an issue of "just paying".



