Brett Schulte

Geek observations, rants, and ramblings.

“My [Google] account has been locked”

Out of the blue today I got the message that my Gmail, or more specifically my Google Apps account, was “locked”.  There was a link that told me:

“If we detect abnormal usage that may indicate that your account has been compromised, we may temporarily disable access. It will take between one minute and 24 hours for access to be reinstated, depending on the behavior detected by our system.

Unusual account activity includes, but is not limited to:

  1. Receiving, deleting, or downloading large amounts of mail via POP or IMAP in a short period of time. If you’re getting the error message, ‘Lockdown in Sector 4,’ you should be able to access Gmail again after waiting 24 hours.
  2. Sending a large number of undeliverable messages (messages that bounce back).
  3. Using file-sharing or file-storage software, browser extensions, or third party software that automatically logs in to your account.
  4. Leaving multiple instances of Gmail open.
  5. Browser-related issues. Please note that if you find your browser continually reloading while attempting to access your Inbox, it’s probably a browser issue, and it may be necessary to clear your browser’s cache and cookies.

If you feel that you have been using your Gmail address according to the Gmail Terms of Use, please contact us.”

I particularly like that last part… “please contact us” without a link, instructions of any kind, or EVEN ACCESS TO EMAIL. Remember?  And good luck getting a Google response anyway, clearly, I was stuck with the 24 hour penalty?  Really?

Like most criminals, I was convinced of my innocence but had nagging doubts.  Was it that email LinkedIn spammed my address book with?  No, that didn’t send through Gmail.  None of the offenses that they described really seemed to fit.  I’ve long since migrated from Mac Mail to browser based use of Gmail (so no IMAP or POP3), and my Android phone uses a native Gmail client (I did double check, and POP and IMAP were disabled in my account).  My password is a “strong” one, a long combination of letters and numbers that don’t spell anything and would not likely be beaten with a brute force attack.  My browser extensions are pretty trivial.  Nothing made sense.

While I will probably never know what triggered the lock out, it was a sobering experience.  Because I use Gmail in a browser and not a client, I had access to NOTHING.  No saved mail.  No contacts.  If I’d been on the floor needing to call a doctor I’d have been out of luck.  Yes, there IS always 911, but you get the point, and it’s really not that unlikely a scenario.

Few if any of us can survive (at least in a professional sense) without email for 24 hours, so I pulled the plug and changed my MX records back to GoDaddy mail <yuck>.  No sooner had I done so, when Gmail let me back in.  It wasn’t 24 hours down, it was MAYBE one hour, but it was enough to disrupt my day and redefine my workflow which is unacceptable for a product designed for groups.

So Google, here are my thoughts.  If you need to disable the ability to send / receive mail, by all means do so, but don’t lock me out of my own data.  More importantly, I couldn’t even log in to sign out of other browser sessions, review my account for suspicious activity myself, or otherwise follow your good advice.  That seems dumb.

I’ll be watching this closely, but I would hope that Google builds some intelligence in to look at accounts and account behavior BEFORE locking users out.  How long has the account been in use?  Has it been used daily?  Is it tied to a phone?  Is it in the USA on a residential IP?  By those measures, my account is pretty clearly benign.  If Google can be so awesome at identifying spam, they should be at least that awesome in checking accounts before locking them, something that could literally be life or death.
