It's true that every service has to deal with the same policy and lockout problems, but that doesn't lead to the conclusion that the risk is the same. I pay for FastMail because
1. if something goes wrong, I can reach a human without needing to write a viral blog post first. Other services pay for a customer service department.
2. I trust FastMail more to not shut down their product because they got bored. Sure Gmail will probably not go away, but I'm honestly not as confident about Google Workspaces or whatever it's called now for individuals.
3. I'm tired of acting like using products from an ad company is a good idea. People happily use an email service, browser, OS, and more from the modern DoubleClick without a second thought.
Any company with a business model that takes your money and gives you service is inherently more secure than one that sells your eyeballs to advertisers in exchange for giving you free stuff. The former companies have a direct incentive to keep giving you service as part of their core business. The latter are really only paying attention to the money they get from advertisers.
>Any company with a business model that takes your money and gives you service is inherently more secure than one that sells your eyeballs to advertisers in exchange for giving you free stuff.
If anything, companies try to double-dip and serve multiple masters. See: the security and privacy mess in smart TVs. Last I checked, LG wasn't giving their TVs away.
> If anything, companies try to double-dip and serve multiple masters. See: the security and privacy mess in smart TVs. Last I checked, LG wasn't giving their TVs away.
This is true, and you transition from customer to eyeballs once you take delivery of the product, but it is also tempered by the fact that they would like to sell you your next TV as well.
Google has the same incentive to consider users. If your eyeballs go away they have no recourse for tomorrow. This is no doubt why they give their services away. If they thought they could achieve similar market share while also charging you they certainly would. (And they do whenever they see the chance.)
Google certainly could charge a very small fee for existing gmail, youtube, etc, accounts and make a bunch of money.
In fact there is a pretty strong argument that they are leaving money on the table by not doing so.
Imagine you like your gmail and you have had it for the past decade. If Google charges only $1 per year across say a billion users that is a billion dollars.
Even if they lose some users at the margin it may makes sense...
According to wikipedia gmail had 1.5 billion active users in 2019.
As internet services mature and stop growing exponentially it makes sense to charge for them.
Yes it is true that some might switch but what makes more sense from the perspective of most users?
While I agree with your premise, once you charge someone for something, even if it is $1/year, then they start expecting something for that money above and beyond what you provided earlier. In other words, now you've got to budget for real customer support and that will undoubtedly cost you more than the $1/year you're receiving as payment from that customer.
Funny enough advertising was relatively small part of the economy until the last several decades. Now it is an "industry" in the multi-trillion dollar range.
Even funnier, if Google search worked effectively for product discovery the vast majority of advertising would not be necessary.
Good point. Maybe the death of advertising comes when some entity knows us so perfectly well it automagically provides the exact thing we want/need exactly when we want/need it.
Google used to for me at least from around 2010-2015 +/- a few years. It was incredible. Now it is usually very hard to find anything I want via search. I suppose a certain amount of defect in search results is optimal for the ad business.
The amount of nonsense on my LG C1 is nonsense given what I paid for it. Seriously considering getting an Apple TV or Nvidia Shield to run all my stuff on. Their UI is so bloated with crap.
Have you looked into displays built around the raspberry pi compute module? I don't have experience with them but I've heard them mentioned (here iirc but it's been some time). I don't know much about them so I'm sure the implementation varies between manufacturers.
An example from Sharp: https://www.sharpnecdisplays.us/system-on-a-chip
I started with the no wifi plan for my Sony. They would put popups on screen warning me that I wasn't connected to the internet, even when using a streaming device or blu-ray just often enough that they got me to connect it to the internet. I don't use their apps and turned off the data sharing. I haven't noticed an uptick in personalized ads anywhere. If anything, my Facebook ads are worse than they were before. Just a bunch of crap I'm not actually interested in.
Unfortunately, the Nvidia Shield hasn't been the community darling for some time. Ever since there was an OS update that started putting ads on the homescreen.
I stopped using the Shield when I realized that my LG C9 runs the streaming applications much better than the Shield. The Shield has always been slow for me and Hulu on it never worked right. Every time it went to the next episode of a TV show, the screen would be black while the audio played. I don't think it was consistent how long it stayed like that for but it could be up to a few minutes.
I'll just let LG collect my viewing habits if that's what it takes for a good experience. But I did decline all of the agreements that have anything to do with data collection, so hopefully they're not being overly intrusive anyway.
I just hate that I can only download a few apps unless I make an LG account. I don't want an account to log into my tv so I can access my accounts I log in to. That's some Xzibit nonsense.
These days I get better performance out of my $25 Fire stick than the Shield. The ads are a bit worse, especially since I don't even have Prime anymore but I'll stick with it until it gets to be too much or too slow and then probably buy an AppleTV.
gary_0 seems to be using "security" to mean "sureness of their continued existence", as in "food security". I don't think there's any question that Gmail is more secure in the computing sense.
> Except for the bit where they read my email and advertise to me on that basis, which is admittedly an ugly tradeoff.
Iirc, Google reads your email, but explicitly says they do not use what they read to personalize your ads.
> To provide you features like smart inbox categories, Smart Compose, and spam detection, we use Gmail data to provide a more intelligent email experience and keep you safe. - https://support.google.com/mail/answer/10434152?hl=en
Famously, a while back, at some Google subdomain, you could see a list of all of your payments extracted from your emails, but I'm not sure that still exists.
> I suggest that Google is probably 'more secure' than FastMail
The overused phrase "more secure" doesn't mean anything without context.
To evaluate the security of anything you first need to identify all the threat models that concern you (and perhaps call out the ones you don't care about). Then evaluate each solution against every threat you identified.
For instance for the threat of the vendor itself sabotaging my access to my account, I'll score FastMail far better then gmail.
>> Except for the bit where they read my email and advertise to me on that basis, which is admittedly an ugly tradeoff.
If you are paying for google apps this is not a trade-off. I dislike how (as a paying) customer they continually push me towards google-only <everything> but they don't require it.
that didnt stop them from having vulnerabilities in gmail that allowed anyone to fake the dkim verification and pretend to be the CEO of google, which they then ignored until someone did in fact do this, to prove it :)
> Any company with a business model that takes your money and gives you service is inherently more secure
I just finished reading Postmail For Dummies. Since I'm charging $5/mo for email accounts, you'll obviously want to migrate your gmail over since my solution is so much more secure.
This comment is so ironic considering that Apple has just lost their lawsuit in the EU for doing exactly the same.
Wherever you paid for the product seems to have little impact, the reality is that all tech giants carelessly invade your privacy with no recourse for the user.
Humans executing security policy (inherently imperfectly) versus ML algorithms executing security policy (deliberately imperfectly) is not the main issue. The real problem is that the industry hasn't purposefully sat down and hammered out the full contours of user verification. Each company just starts off with simple passwords, bolts on a few other arbitrary mechanisms, and then forces that on their customers - residual probabilities and collateral damage be damned.
Strong passwords, hardware security keys, shared secrets meant for offline storage, SMS challenge, other accounts, snail mail address verification, notarization (governmental identity), voiceprints, time delays, etc. Each one represents its own tradeoff of convenience versus reliability versus forgeability versus privacy.
Users should be able to pick their own policies. For an email account where I've already provided my real world governmental identity, I'd most likely prefer snail mail address verification plus notarization (combined with notifications to the account and a waiting period). Whereas for another where I've deliberately avoided spilling my governmental identity, I should be able to express that a password plus hardware security key is the highest level of verification there will ever be.
Furthermore, companies need to make their own rules for falling between everyday access to account recovery explicit, and allow users to express preferences there too. There should be no cases of the wind blowing from the east so we require account recovery today, forcing users to be policed on what IP addresses they're coming from, etc.
I can't find any information on what happens if you stop paying for a Fastmail account. 1Password for example freezes your account in read-only mode. It's documented that Fastmail will re-use addresses for free trials and when a user requests to cancel [1]. It isn't clear what would happen if for some reason your card expired, they stopped accepting it [2], or your bank messed up and blocked the transaction [3].
To me, this introduces a new way to lose your account that isn't there with a free email service like Gmail.
I had an issue with the credit card used to renew a Fastmail account. Fastmail sent me emails about the issue, but it took a couple days to fix everything on my end. Even after the renew date passed my email functioned as normal, so there seems to be, at least, a grace period. Not sure what would have happened if it went on for longer though.
>Not sure what would have happened if it went on for longer though.
When I missed the payment they sent me this:
"You can still use your account for now. If the subscription is not renewed soon, sending and receiving email will be disabled.
If the subscription is still not renewed after a few weeks, access will be disabled. Eventually, the entire account will be deleted, including all stored messages."
Specific timelines would be nice to know, but otherwise this sounds reasonable. If you stop paying, you have a grace period to download all of the messages before they stop you from using their service as a read-only archive. Then you have another grace period to pay before they clear out your data so they're not wasting space holding onto your junk and to avoid maintaining any liabilities that come with having your data stored on their servers.
This is why paying for your own domain is so important. I keep mine prepaid for multiple years and my registrar sends me at least 5 emails before I would ever be at risk of losing it. My email address won't be getting reused until either emails are no longer relevant or I'm dead.
The only time I've been locked out of e-mail is when my credit card company incorrectly labeled the payment to the provided as fraud and the so called company that you can call and reach a human to discuss issues with, was not very sympathetic to my case and I didn't have e-mail access for 4-5 days until the issue was resolved.
Just an interesting data point. It wasn't my intention to label the payment that way. It is what it is, but, just as OP seems to be believe, I would expected the issue to be resolved faster. Though, perhaps if I were to receive a "fraud" label on a non-paid account maybe I would be blocked to this day.
> I pay for FastMail because - if something goes wrong, I can reach a human
You can do that with GMail too, upgrade to the workspace account. I had some issues with it last week, and I was able to reach a human and get it resolved soon.
This is regardless of Google. Reaching humans is impossible with "Outlook" free email accounts, but amazing with Microsoft 365.
Good it's a paid product. I had an account with a free email provider openmailbox.org, which closed down. I lost my mail box and, together with it, a valuable domain I bought in 1995.
I've been on Fastmail for almost a year, and I get spam/obvious phishing attempts in my inbox. Compared to my experience with GMail before switching to Fastmail, I found Gmail to be noticeably better at spotting and filtering both spam and phishing emails.
Having said that, I'm still not going back to Gmail.
What I'm hearing is that PM's spam detection is so poor that you don't feel like you can freely share your PM email address, out of fear that you'll get spammed. That's not a very convincing pitch for their product.
2) Why in the world would Gmail get shut down? The veins of treasure to be mined from within the user's emails are vast and endless. It is quite simply a mother lode. The only bigger source within their direct control is the search input screen.
Your link describes how security lockouts are probabilistic, yes, but it doesn't get into what the probability is. The article we are commenting on does try to get there, by looking at how often ending what scenarios HN users report getting locked out.
Your link is also talking about the no 2FA case, while the article is recommending 2FA with (multiple!) hardware security tokens.
I think they are talking about some change to workspace effectively breaking the service for them. This has some precedent (with the old “dasher” personal accounts having growing pains for some people migrating IIRC) but also seems like a very low risk.
That was the internal name for personal paid gmail - I honestly cannot remember the nondescript word combination they called it publicly, but it was rolled into Gsuite which is now google workspace and google decided they wanted to focus on business users instead.
Anyways, basically agree that gmail isn’t going anywhere, just a gmail-related story of people depending on a new flavor of gmail/ google identity that was being migrated messily.
I used this for 10 years or so before realising they'd moved the backends as they were planning the workspace thing and they were separate - you couldn't share between the two, loads of features missing etc .
OP specifically mentioned Google Workspace for individuals - that's what I used to use so I can use my own domain and so "own" my email address. There's a good chance that gets shutdown. Google Workspace for large orgs or Gmail does not have the same risk.
Having read some 'digital archeology' where people gather data off old MainFrames and Minis, that at some point someone could just buy all of @NetZero.com, netscape.net or ZipLip's email servers and opening up all of the stored email for a fee ($99 per email address). How much would you pay to read your former business partner, ex-girlfriend/boyfriend, or that person you crushed on email?
I agree, but I do worry about it being ruined some other way - forcing me to use Chrome, censoring emails, bundling it with a paid service, ad-blocker-blocker, something else...
This is more the truth of it. It isn't some quantifiable probability
that a big-tech service night disappear. It's that they're such clumsy
lumbering beasts, and so insensitive to humanity they will steamroller
over your rights and needs like crushing an ant. You mean nothing to
them. And in turn their pledges and promises mean nothing. A cow is a
dangerous animal not because it has claws and teeth, but because it's
big, fearful and a basically a bit dumb.
I'll take the limited risk. I've had to contact Fastmail support and it was a breath of fresh air. It's a bit absurd that something so fundamental as email has essentially no support from a company as large as Google; it's not a bug-free product.
I suppose eliminating humans is a security win, but HN is full of stories of AI systems failing and banning accounts for essentially nothing. Not having a human to appeal to is far riskier to me. It's not like these AI systems can't be gamed to knock people offline. I'll take the risk of having humans involved -- it's far less stressful.
> It's a bit absurd that something so fundamental as email has essentially no support from a company as large as Google; it's not a bug-free product.
I'd be willing to bet that gmail has a couple of orders of magnitude more users than fastmail while also providing a substantially bigger inbox (than the cheapest fastmail option), and providing the whole thing for free. I dont think it's surprising that they make trade-offs to support that model. Just think of how many support staff you'd need to support 1.5 billion users!
> HN is full of stories of AI systems failing and banning accounts for essentially nothing. Not having a human to appeal to is far riskier to me. It's not like these AI systems can't be gamed to knock people offline. I'll take the risk of having humans involved -- it's far less stressful.
I don't think the trade off is that simple. There are plenty of stories of support staff getting scammed in to incorrectly providing access to accounts. Is one better than the other? It's not a clear choice imo.
>> I dont think it's surprising that they make trade-offs to support that model. Just think of how many support staff you'd need to support 1.5 billion users!
Google has a shitload of money, they can afford hiring enough staff. Cost is a lame excuse here.
The provide support for users that pay them, and for advertisers. Their business model is to sell things, and it is working pretty well. They can certainly 'afford' it, but they don't want to, and your complaint as a 'free' tier user means little to them.
What is needed is legislation or some practiced standard regarding real-person online-id so that losing access to your email account doesn't nuke your ability to operate online in a way that requires you to verify your identity even pseudonymously.
I've managed a Google Workplace account (~30 paid users) for over a decade and have never had support respond in less than a week. And each time I got a canned response. I just don't even bother anymore, which is likely what they want. I don't think this is a free vs paid thing. It's just the way Google operates.
That's weird, I have a Google Workspace account with less than 10 paid users and had several in-depth conversations with support personnel on SMTP and DNS setup issues. It was outsourced to an overseas call center, but they did respond to my queries.
That said, I have issues with spam being delivered to my organization's group aliases and I can't report the spam because it flags it against my group alias not the original sender (!) I can't turn spam filtering on the group alias because it flagged legitimate emails from our customers. So I'm kind of stuck between a rock and a hard place, with no one at Google to talk to about it.
It depends how much money you spend with them. If you shell out for expensive support in GCP you get guaranteed response times, dedicated account reps and so on.
I'm paying $10 a year for my email and the one time I had an issue I got a response within 8 hours and a follow-up after everything was resolved. It shouldn't require Fortune 500 levels of spending to get basic service.
Not really. It sounds like you don't have a sense of how much it costs to hire people, how many people are needed to provide oncall support, and the scaling cost of managing and training people.
My main email account was through Hotmail in 2000, and it got shut down that year due to a social engineering attack. The guy who did it even told me he was going to do it first. I didn’t get to have it covered in any mainstream news headlines either :P
> AI systems failing and banning accounts for essentially nothing.
The strongest statement you can make about the standard HN Google account outrage post is that the complainant is unaware of or unwilling to admit to the behavior that got their account suspended. Drawing the conclusion that all such complaints are false positives is not warranted by the evidence.
Unless you're implying that the false positive rate is 0%, then it's still a concern for me. I've seen cases where the user obviously did something in error but had no chance to appeal. E.g., they uploaded a photo that got flagged and then lost access to their email, domains, YouTube content, any form of social login, etc. My email account is too important to me to risk with an automated system without an option to appeal to a human. That risk is much higher to me than someone social engineering their way into my Fastmail account.
To me, this is analogous to backing up your BitLocker key with your online Microsoft account. Is it the optimal approach to security? No, but the far more likely risk factor is losing your key locally and then losing access to all of your data. I'll take the peace of mind that comes with knowing I can speak to a human if things go sideways. As an added benefit, I've been able to speak to a human when routine service issues have come up and it's been a pleasant experience.
An extremely underrated (and insightful) point to consider.
More generally, how do you actually get a measure of risk between two providers, when the absolute frequencies of measurable events are very low?
It seems plausible to me that FastMail could have 10x or 100x the level of security incidents as GMail, and it would still net out to an undetectable difference in the number of public complaints.
When I worked in the anti-abuse business, account security was tracked by lurking in organized crime fora and determining the market price for stolen accounts. I don't know what it looks like for FastMail, but I do recall that the range between good and bad platforms was huge. A stolen Google account was like $10, but stolen Yahoo! Mail accounts were more like a nickel per thousand.
(Architect of Fastmail's login/account recovery protocols here.)
Firstly, I will say this incident was unacceptable, and we were deeply sorry about it. However, it is also the only time it has happened in our over 20 year history (to the best of our knowledge of course). We already had several projects underway to improve the security of account recovery at the time, which unfortunately hadn't quite landed yet. Since then we have introduced an automated recovery tool with a very carefully designed flow (more info: https://www.fastmail.com/blog/security-account-recovery/) that securely handles most common cases (e.g., forgotten password, or user's account stolen due to password reuse/phishing). Human support is still available, but any account recovery request can only be handled by senior support agents who have undergone rigorous training, and in the case of any doubt are escalated all the way up to our senior security engineers.
Elsewhere it's been mentioned that different people may have different priorities in balancing ensuring they don't lock themselves out, versus ensuring an attacker can never access their account. We provide some flexibility here. If a user has 2FA enabled, we must verify two separate means of verification to grant access, whether via our automated tool or support-assisted recovery. Users can also submit a support ticket to request we add a note to their account to never do human-assisted recovery.
I realise it's very hard to assess the security competence of an organisation from the outside, and for what it's worth, we think the Google security team also do an excellent job. But overall I think we do a very good job of keeping users secure while not locking them out of their own account.
> Elsewhere it's been mentioned that different people may have different priorities in balancing ensuring they don't lock themselves out, versus ensuring an attacker can never access their account
Thank you, this is the most important observation.
Service providers should be providing flexible mechanisms to meet different needs, they should absolutely not be imposing a one-size-fits-all policy. That's the fundamental wrongness with google/facebook and their ilk.
Only I know what the security levels I need for any given account I own. I must be able to configure the policy.
Sometimes, I value my access above all else. With some other account I may value preventing access to others even at the risk of losing access myself. Other variants are possible. Only I know what the correct policy is in any given case.
On the contrary, I would argue this is the exact mindset that makes Google so bad at securing their systems. Every single large Google platform is also the leading distributor of its kind of malware, ultimately because computers are stupid and once you understand what they are programmed to handle you can work around them. Humans can become suspicious and can be held accountable, computers do what they're told and nobody is taken to task when something goes wrong.
I would contend that if you cannot reach a person, you cannot trust a system. And that has generally held in the entire history I've been on the Internet. I chose my web hosting by who had phone support, I've had the CEO of Fastmail respond to my support tickets before. I have yet to be betrayed or compromised by a single platform where humans were involved, but automated systems have failed me regularly.
This is true of offline systems as well. If you want a security system to protect your business, you may have keypads and sensors and things, but you also have a monitoring center staffed by people who can see events in real time.
I think our industry has had a fantasy that complex enough math problems can provide real security, but I would hope by now the cryptocurrency market would've put that silliness to bed by now.
I'm not sure how you can make that judgement without extra context (that is almost certainly tightly held within google). For example, what actually is the error rate? How does that compare to improper access that is successfully prevented?
Obviously any real person losing access to their account is a rubbish experience for that person, but an error rate of 0% is not possible with any system (including those with plenty of humans involved) when there are billions of users involved. I think a much more interesting question is "what's the acceptable error rate?"
I highly doubt that Google even tracks the error rate. I mean that you somehow need to make a viral post on HN to get your account back is evidence of that, they don't even know they made a mistake. Also based on the number of posts that we see here it's a nonneglible error rate. How many users does HN have a couple of 10thousand. So 32 posts makes it maybe 1 in a 1000, even if it is a 1 in 10000 or even 1 in 100000 error rate that's a pretty high probability to loose your online identity.
So if there is no way of contacting a human if you have been locked out of your account, how do they determine a false lock out? I am serious, every thread here on HN about being locked out said that the affected person tried all other avenues and did not get anywhere near a real human. So that would make all research flawed wouldn't it? Because it simply checks that the algorithm is consistent. Let's not assume malice. However, that doesn't make it much better because it means the account abuse quality research team is borderline incompetent.
> So that would make all research flawed wouldn't it? Because it simply checks that the algorithm is consistent. Let's not assume malice. However, that doesn't make it much better because it means the account abuse quality research team is borderline incompetent.
I don't think it follows that you need to speak to an affected user to confirm they were improperly locked out of their account. You could have a human review the account history and the steps that led up to the suspension and so on to make a decision about whether it was a good decision or not. No doubt you'd get more info if you spoke to the affected user, but that in itself is not perfect (a scammers whole game is trying to convince google they're someone else, after all.)
I guess what Im getting at is that I think there is a lot of grey areas when you're trying to do account recovery at scale. No doubt there are cut and dry cases where people are locked out of accounts they've used for a long time (and that's shit for the people affected), but there are also plenty of scammers who'd put a lot of effort in to convincing a support person that they should have access to an account. I just don't think having support staff is the panacea it is often portrayed as.
One can easily make that judgment. The absence of extra context is a good reason to make that judgment. Google has a reputation for closing accounts and refusing to communicate. Google does not contest this reputation. They give no numbers and share no rate. "What's the acceptable error rate?" isn't an interesting question if you have no numbers. We do, however, have other companies and service providers.
> How does that compare to improper access that is successfully prevented?
Last year I had an email from immigration services and I had to reply within 10 days. If I lost access to my email, I would be deported right now. They don't call, they just email. Why? I don't know, but that's what it is.
On the contrary, if someone get's access to my email, what can they do? Send random porn to my contacts? No-one will care.
As long as I can call the provider and fix the problem, it is irrelevant.
* For your own security (from theft) we'll hardware lock your phone. Best to throw it in the dumpster if you forget the password.
* Can't allow people to repair their own hardware. What if kids try to do it and end up burning the whole apartment block. Best to forbid it for security.
* You can't film public institution: it's a security issue.
* And now: can't allow humans to operate business decisions. What if they're socially engineered? Best leave everything to automation and fuck you if you slip through the cracks.
It's funny because in the airplane industry, even though planes basically fly themselves, companies still want pilots, because that's what people are best at: solving unique problems as opposed to repetitive issues.
A critical question is what threat models you're worried about:
Are you worried about an individual interested specifically in you, Jeff B, to get something worth many thousands of dollars that they know you have? Don't put a human in the loop, they're going to track you across Facebook/LinkedIn/local government resources, they're going to know more about your car registrations and when you bought your home than you know about yourself, and they're going to be able to very convincingly social engineer a human in the loop if one exists.
Or are you worried about a group of hackers continuously crawling the web for a database dump from some service you and ten thousand other people signed up for, or some flaw in the authentication sequence to automatically sign everyone in the database and all their contacts a spam network for pennies per person? Their scheme falls apart if they have to call a human, because it's just not worth the time to look up your public records and talk to a human about you.
Second, what happens after you get hacked? Are you more concerned whether you no longer have access to something very important to you? For example, if you've distributed business cards or have contacts stretching back decades with jeffb@gmail.com, losing that account might mean an old friend or business contact fails to find you again. Having a human in the loop for the last-resort password reset can prevent completely losing access.
Or are you more worried about someone getting access to the data behind your login? You've presumably got backups, so you'd rather no one ever had access again than some malicious third party got the password to your crypto wallet, SSH keys to your website, or other private data.
Those have very different ideal responses. Unfortunately, most people tie both categories together in their single Google account, or in an Amazon account tied to both shopping and AWS resources.
It is a fantasy that you can have humans adhere to procedures. That's the whole underlying problem of social engineering. Just take the human out of the loop.
"I don't know if you wanna entrust the safety of our email to some silicon diode."
All joking aside:
I mean... we already know that taking the humans out of the loop leads to undesirable consequences (like losing your Google account with no recourse). So the only question is whether or not the consequences of one scenario or the other is particularly worse.
See, that's the fundamental hubris/weakness of the "Silicon Valley current ethos" (well, most tech ethos today) taken to the extreme: taking the human out of the loop. Then who/what does it actually serve?
(or maybe, they perfectly know it, but don't saying out too loud)
1. if something goes wrong, I can reach a human without needing to write a viral blog post first. Other services pay for a customer service department.
2. I trust FastMail more to not shut down their product because they got bored. Sure Gmail will probably not go away, but I'm honestly not as confident about Google Workspaces or whatever it's called now for individuals.
3. I'm tired of acting like using products from an ad company is a good idea. People happily use an email service, browser, OS, and more from the modern DoubleClick without a second thought.