New Zealand Listener

You’ve not got mail

In June, the EU fined Google $3.8 billion in an antitrust case. After having his Gmail account hacked, Mark Broatch wonders: do the digital giants have too much power and not enough responsibility?

- Illustrations by ANTHONY ELLISON

After having his Gmail account hijacked, Mark Broatch wonders whether the giant digital companies have too much power and not enough responsibility.

By bitter coincidence, my Gmail account was hacked 13 years to the day after Google launched its email service. And it was a tart reminder of corporate intractability that it took nearly a fortnight of persuading for the company to give control back to me. I’d gone to bed knackered on a Friday night, and when I went to log into my email the next morning, I was refused. Blearily, I thought what everyone does when they are rebuffed by their computer: I must have mistyped my password (it is alphanumerical and not obvious). I tried again, and again, and was refused both times.

Security questions popped up on the screen. “How long have you had this account?” For some reason, I’m dodgy on years; it seemed like forever, so I guessed – wrongly as it turned out. “We’ve sent a code to your backup email,” I was told. I tried that and was refused. Three times I got a code and three times I was rebuffed.

Each time, I got this message: “Unfortunately, based on the information you provided, we were unable to verify that you own [my email address]. We’re committed to returning accounts only when we’re sure that we’re giving them back to their owners.”

AN ICY CHILL

This all seemed fair enough, except that I am me and that was my account. I felt an icy chill. In that account was at least a decade of my life, a decade of personal, professional and privileged official information: hundreds of contacts, thousands of things I didn’t need to remember because they were “on the email”. We all accept now that our computers and phones have become extensions of our brains and personalities. But it’s not until you lose access to digital services that you realise how much they do for you: they remind you to contact people, pay bills, go to things, pick up items. A few things you still use your brain for; the rest – the vast bulk of who, how, when, what, where – you outsource to technology.

Like many people, I’m well versed in notions of glitches in the Matrix and political and social-media attempts to make you think you’re going mad – gaslighting. So the chill I’d felt turned Antarctic when I noticed that the mobile number listed in the messages as backup security ended ***11. Perhaps foolishly, I had never had a mobile number backup, not wanting to give out more personal data than absolutely essential. And my mobile number didn’t end in ***11.

Having first established that the email account from which I’d been sent a message saying that I wasn’t me was actually monitored, I began emailing Google, from my backup account, with increasing amounts of information about the account and my use of it. It was circumstantial, perhaps, but it was stuff no hacker could know. Google’s response was silence. In utter frustration, I eventually tweeted at them, swearily. Reconsidering, I tweeted something milder: “Having yr @gmail hacked and then have @google not believe it’s you is like being burgled then have the cops go: this yr house? #politetweet.”

It did feel like a robbery. Later, I tweeted again. Four days later, I was direct-messaged by Google through Twitter: “Hey there. Please fill out this form and an agent will see if they can assist you further. Hope this gets resolved soon.”

“Hooray,” I thought. Finally, a) I’m getting my account back, and b) turns out Twitter has a use after all. Filled out the form. Waited. Computer said no, again. I messaged back, loftily: “Extraordinarily disappointed. With great power comes great responsibility.”

The next day, I got this message: “We’ve escalated this to another team for review. Thanks for your patience.”

How many teams do they have? A week after the hack, with sinking hope, I messaged Google again. I also asked people on Twitter to confirm they’d had email from me through my original account. Having seriously doubted I’d get the account back, I’d opened a new one. I messaged a final plea to Google asking if I had now lost the account.

During the wait, I had been sent a customer survey via my backup account. Needless to say, I was extremely dissatisfied. Some overqualified quality controller deep in Mountain View, California, would be dreading her performance review, I imagined.

Finally, 11 days after the hack, after endless emails, log-in attempts, tweets and direct messages and with no explanation, I got an exclamation-mark-studded message to my backup email:

“Hi there, Good news! You’re one step away from regaining access to your Google account. Just click below to reset your password.”

I was also to update my password recovery options and check for malware. It ended: “We’re glad to have you back! Have a great day! Regards, The Google Accounts Team.”

To be completely honest, I felt super-powerful regaining my account from hackers. Though, to be even more honest, I still wondered if I had done something wrong somewhere along the way.

Nope. There it was, in my log-in notifications, at 6.46 on that first Saturday morning: a new Windows sign-in (I use an ageing Apple laptop, which Google can detect) from – cliché alert! – Ukraine. Half an hour later, they had changed the password and added a recovery phone number. (Of course, it could have been spoofed from China or Turkey or Macedonia. My technical knowledge drops off steeply from here.)

WHY ME?

What did the hackers want? The Gmail inbox appeared as I had left it, but in the sent folder were emails to Microsoft changing details of an account. Confusing. I didn’t have a Microsoft account, don’t do gaming, hadn’t used any of its stuff for years. How could a hacker change details? The local arm of Microsoft found nothing of interest in the emails. It wasn’t until a few days later that I checked my dusty old Skype account (Microsoft bought Skype in 2011) and was surprised to find I had become fluent in Russian and had been regularly messaging someone. I deleted the messages and changed the password and phone recovery details. Already my passwords for other accounts had been changed and mobile number backup added.

How and why did Ukrainian hackers take over my email? Probably I had been “phished”: I had clicked on a dodgy link or signed with a password into something that looked official but wasn’t (this is a straightforward trick in the hacker’s toolkit, I gather).

It wasn’t clear what they wanted, other than the Skype access. They may have probed my email for account numbers, copied my contacts list for spamming or further phishing, but on that score I’ve heard nothing.

Peter Gutmann, a researcher in the department of computer science at the University of Auckland who calls himself a “professional paranoid”, guesses that they wanted to use it for password resets – getting into accounts that use my Gmail address and changing the password. “It’s hard to tell unless they actually use the account to do something, but a typical use would be for password resets to get into all your other accounts, or at least the ones that can be monetised.”

Wasn’t it odd that Google was so reluctant to hand back my account, given my security log clearly showed Windows and Ukraine after years of Apple and Auckland? Gutmann: “Could be just bureaucratic inertia. I guess they don’t like to deal with anything nonstandard …”

BUSY BEHEMOTHS

Perhaps Google doesn’t have time to focus on one Gmail account when there are somewhere between 500 million and a billion of them. Certainly, a lot of people in my contact list appear to use Gmail as their primary email, which is not surprising, since you can store 15GB of emails in there. Besides, being a digital behemoth takes plenty of time, energy and money.

In June, the EU fined Google a record €2.42 billion ($3.8 billion) for systematically favouring its shopping comparison service over others in the returning of search results. The EU’s finding – following previous financial slap-downs of Intel, Apple, Daimler and others – also requires a change to its search algorithm, something that will vex the company more if the case stands up to appeal.

Google, of course, is the search engine – and everything else – we didn’t know we needed. The company, along with four other technology giants, sits at the centre of our digital life. It is, as one commentator notes, “essentially inescapable for any consumer or business that wants to participate in the modern world”. Apple or Microsoft sit on almost every desk and in almost every pocket; we buy, read and watch (and even publish) on Amazon; and for two billion people, Facebook is news source, support group, church.

Amazon, whose share of online retail sales has reportedly passed 40% of the market in the US, not to mention its cloud services or cable TV offerings, has just bought the green-minded supermarket chain Whole Foods Market. The US$13.7 billion ($18.5 billion) deal was intended to increase Amazon’s total market share but also presumably to provide faster delivery points to online customers from its hundreds of stores across North America. Amazon has also begun setting up bookstores, and is establishing a beachhead in Australia.

Google and Facebook, meanwhile, continue to undermine the advertising-funded hopes of industries that have shifted online, including traditional mainstream media. Researchers reckon the two digital giants control nearly 80% of internet advertising spending and have nabbed nearly all recent new spending.

The ambitions of Google and Facebook are endless. Google has reportedly begun using billions of credit-card transaction records to prove that its online ads are prompting people to make purchases offline. It marries these up with information gathered from our web browsing, online searches, location, email, video and data from other apps. It has just launched Google for Jobs, immediately threatening the businesses of all the employment companies from which we get emails. Amazon, for its part, has reportedly been granted a patent to restrict online price comparisons within its physical stores.

UNCONTROLLED EXPERIMENT

That business model, used by Google and Facebook in particular, of providing “free” services for customer data has come under increasing criticism. Technology commentator John Naughton, emeritus professor of the public understanding of technology at the Open University, calls it “the greatest uncontrolled experiment in history”.

“Without really thinking about it, we have subjected ourselves to relentless, intrusive, comprehensive surveillance of all our activities and much of our most intimate actions and thoughts.” The billions of posts and searches daily on Facebook and Google leave “digital trails that are logged, stored and analysed. We are being watched 24 x 7 x 365 by machines running algorithms that rummage through our digital trails and extract meaning (and commercial opportunities) from them.”

Solid research, Naughton adds, says our Facebook likes can accurately predict such personal attributes as sexual orientation, age and gender, ethnicity, political and religious views and even use of addictive substances.

Not bothered? If you use Google, log in and it’ll show you years of searches. How would you like those detailed on the front page of your newspaper?

Surely all that big data from customers, artificial intelligence and unswayable algorithms allow digital companies to provide us with the acme of a consumer society – truly frictionless competition?

“We have the facade of competition,” says Ariel Ezrachi, a professor of competition law at Oxford University. “What we have is literally a market where everything tilts in favour of the dominant.”

Big data, he argued at a recent conference, can potentially be used to harm consumers through discriminatory prices and behavioural discrimination. Companies can use what they know about you to tweak up prices. “Today almost all the prices that you see online are actually designed for you,” says Ezrachi. “Dynamic pricing is the art of squeezing every dollar out of your pocket.”

Think of The Truman Show, he says, where everything looks rosy and comfortable, but all the value accrues to whomever controls the little bubble that was created for you.

“The invisible hand of competition,” Ezrachi says, has been replaced by a “digitised hand”, controlled and “easily manipulated” by corporations with just a few clicks.

Technology journalist Farhad Manjoo, who made the observation about the digital giants becoming inescapable in the modern world, argues that they are “becoming the most powerful companies of any kind”. A recent opinion piece in the New York Times wondered whether Google had become so unprecedentedly powerful that it was time to break it up, as has happened before under US antitrust (competition) law such as with AT&T in the 1980s.

Some security professionals are calling for the proprietary algorithms of the digital giants to be regulated, much like cars, drugs and banks. The EU says it may require that companies be able to give users an explanation for decisions that automated systems reach. Ruslan Salakhutdinov, director of artificial intelligence research at Apple and an associate professor at Carnegie Mellon University, in Pittsburgh, told MIT’s Technology Review that he sees explainability as the core of the evolving relationship between humans and intelligent machines. “It’s going to introduce trust.”

A MATTER OF TRUST

So do we trust the likes of Google or Facebook – or scandal-plagued Uber, for that matter? Or do we accept what they demand because we have no choice if we want to use their products and services?

Customers in this country have had their trust repeatedly tested by a digital giant. In 2016, after nine years of intermittent outages, undelivered messages and security breaches, Spark announced it was finally ditching Yahoo as the provider of its Xtra email service. Last year, Yahoo, which was one of the biggest online companies in the world in the 1990s, confirmed that in 2014 hackers had obtained the personal information of at least 500 million accounts, perhaps 130,000 of those from this country. The information may have included names, phone numbers and security information.

Last December, Yahoo reported an even bigger breach of perhaps a billion accounts that the company believed to be “state-sponsored”. Spark, formerly Telecom, was investigating whether local users had been affected in this case. Some Xtra customers were still reporting outage problems as recently as February this year. By March, Spark had migrated tens of thousands of its customers to New Zealand-owned email provider SMX, whose investors include Trade Me founder Sam Morgan and Warehouse supremo Sir Stephen Tindall.

Technology users know that there are some changes they can and should agitate for, but they also know that the big issues remain in the hands of governments and powerful regulators. When my Google account was hacked, what did I want on the micro, human level? An apology? Hardly. Perhaps some acknowledgement that one of its customers had been poorly provided for. Perhaps some communication instead of the corporate black box I was presented with. I believe the digital giants should have better, faster security and recovery protocols if accounts are taken over, perhaps even freezing and rollback functions for disputes. Perhaps even post-hack “fumigation”.

Google already has an anti-phishing project, which if it’s anything like its efforts on spam, could be a game changer. The company says it usually takes several days to get back to you should you be locked out of Gmail. That’s far too long. On any account, we should have clear access routes to regain control, and the status of queries should be communicated clearly. I can’t imagine a commercial customer of any of these companies – one who pays in cold, hard cash – would have had so much trouble.

We did send Google some questions, via its PR staff in Australia. We asked it why it might take 11 days to return an account despite clear evidence of a hack and about the possibility of locking down accounts and improving its accessibility to users. We also asked how you can check when you opened your Gmail account. Google didn’t respond.

Was I surprised? No. But I found out when I opened the account, by googling. Or rather, by using another search engine. Same result. Turns out I was an earlier adopter than I thought, and I’ll know next time Google asks. Hopefully it won’t take 11 days.

From far left, Google founders Larry Page and Sergey Brin; Facebook’s Mark Zuckerberg; Microsoft CEO Satya Nadella.

Life imitates art: Jim Carrey as an unsuspecting Truman Burbank.
