This story is the one that finally pushed me to leave google. I moved off my ~20 year old Google account and deleted everything off their services including almost a decade of Google photos. I cancelled my Google one subscription for extra space. I'm now self hosting what I can and paying proton mail for everything else. I refuse to allow a company that will hand over data at the request of an administrative warrant to hold my data.
This. The real solution here is to keep your data, encrypted, on your own devices. The idea that everything needs to be in the cloud is absurd and naturally leads to concentration of power.
That is A solution. To be "the real solution", it needs to be within the grasp of a regular person. Self hosting your entire digital life is absolutely asking too much of the vast majority of people
This is like saying the real solution to bad practices of food companies is to exclusively grow your own food, or the answer to anti-repair practices is to only build your own devices, vehicles, etc. Contractors cut corners? Don't try to regulate, just learn carpentry, plumbing, and HVAC plus codes!
You said it better than I could! As someone who does software for a living, do I want to come home and maintain a homelab that hosts photos, email, decentralized social, etc? Hell no!
Even if it's fun as a hobby, I don't want to be on call for my own basic online services.
This is what stops me from doing it. I used to host all my own stuff, with custom setups etc etc. But you end up having no free time, or reduces it at best, and it'll break down at the least convenient time.
The last part about it breaking can of course be true, although knock on wood has not happened to me in quite some time. But I don't find myself spending all that much time on my selfhosting setup day to day. Once a week I do a backup to external storage and upgrade software and that's it most of the time. Once everything's set up it is mostly quite hands off.
That said, I also don't think selfhosting is a realistic solution for most people.
Ideally, self hosting shouldn't be like building your own devices, vehicles, furniture and pipes. It should be like owning your own devices, vehicles, furniture and pipes. Go to a store exchange money and it runs itself with minimal maintenance. I'm not saying we are there, but it's clearly a state that could exist.
> This is like saying the real solution to bad practices of food companies is to exclusively grow your own food, or the answer to anti-repair practices is to only build your own devices, vehicles, etc. Contractors cut corners? Don't try to regulate, just learn carpentry, plumbing, and HVAC plus codes!
you're acting like these are bad or impossible skills to learn? these is just basic skills that people should have.
It still is risky, as who knows what tools NSA & cie really have. Even if it feels safe now, it can be stored by them, and what will (quantum?) computers be able to do in a decade? And how will the US gov look like at that time?
Forget that. If they are really so motivated, they can get a warrant to raid your home and confiscate your hard drives.
It's not an apples to apples comparison because an administrative warrant served to Google is much different from raiding your home but if they wanted to they could.
At this point, acting as if America (and many parts of the world for that matter) aren't living under an authoritarian government is futile. We still have freedoms but they're trying really hard to take them away from us.
Even if the encryption is sound, some day in the future laws can be written that compel a citizen to relinquish their passwords. In 2000, the UK passed a law called RIPA that can be used that way. They say it is only used in emergencies, but who is to say what constitutes an emergency.
Of course, technical solutions are only helpful for a small portion of the population, while the default is what happens to most people. Since this is Hacker News, for plausible deniability for forced password disclosure, you can use VeraCrypt hidden partitions.
the entire point of encryption is to facilitate communication across adversarial channels, if you want to keep your data in a locker you don't need encryption, and if you use encryption you can keep it stored in North Korea for all it cares
Not only. Someone could break into your house and steal a PC, or you might lose your laptop while traveling. You don't want someone reading your files, passwords, or crypto wallets. You absolutely want some form of disk encryption unless you have exceptionally good physical security.
Migrating is such a good feeling. You don't have to do it all at once, either: I migrated to fastmail over the course of several years. Each time google did something that got my blood pressure up I went into my password manager and migrated another account. In aggregate it was a hassle, but these days I almost miss the feeling of being able to do something in response to stinky actions from google.
I don't think fastmail is going to help you. They are subject to legal requirements too and probably American jurisdiction also despite what their particular position is. https://www.fastmail.com/blog/fastmails-servers-are-in-the-u.... People love to hate Google but they're just doing what any corporation subject to law is going to do.
> It has been pointed out to us that since we have our servers in the US, we are under US jurisdiction. We do not believe this to be the case. We do not have a legal presence in the US, no company incorporated in the US, no staff in the US, and no one in the US with login access to any servers located in the US. Even if a US court were to serve us with a court order, subpoena or other instruction to hand over user data, Australian communications and privacy law explicitly forbids us from doing so.
They can say what they like, and I am a customer, but in hand-wavey generalization terms one should be aware that Australian law enforcement has excessively broad access to telecommunications data on request and a long history of doing the bidding of the United States. Carriers are forced to retain your data for 2 years.
Under TIA Act provisions (such as s180), an authorised officer of a criminal law‑enforcement agency can authorise access to prospective telecommunications data [metadata only; not whole messages] if satisfied it is reasonably necessary for investigating an offence punishable by at least three years’ imprisonment. (In other words, ~any time they want)
Example: the data‑retention regime’s records were being accessed over 350,000 times a year by at least 87 different agencies, including non‑traditional bodies such as local councils and the RSPCA [pet cruelty nonprofit].
Given Australia's population is only 28M, that means roughly 1 in every 80 people gets communications metadata pulled by their own government annually.
Yep, I am a fastmail user, born and live in Oz. I just assumed that this data would be collected either on this side or via the US servers. Also, we are still a part of the 5 eyes alliance.
In addition to what the sibling comments say, this also puts Fastmail at risk of having their US based service suspended while they attempt to resist government overreach (were they to attempt to do so) which is really not a lot better for their users.
I wasn't looking to dodge US jurisdiction, I was looking to dodge "our craptacular moderation AI had a brainfart when reviewing your account and now you are locked out of your life."
I recently migrated off of my legacy "Google Apps for Your Domain" (now Workspace) account to a mix of self hosting and a regular old vanilla gmail account.
It was a real eye opener to experience how challenging it was to move my data from one Google account to another. Takeout is nice in theory, but there is no equivalent "Takein" service that accepts the data form import to another Google account in the format produced by Takeout! I naively assumed "Export Google calendar from here, import same files to there" but nope, that did not work at all. Maps data was even worse.
I've migrated everything from Google except for Google Voice. I have yet to find an alternative that can match the feature set and ease of use, regardless of the cost.
I have one page with my full history of text messages, full transcription of all voice messages, contacts information connected with every number, and I can search everything. I can configure which of my phones ring.
And, possibly most importantly to me right now, my current phone has only a data connection and I make and receive calls using the Voice app. I think SIP eats too much battery and data and doesn't work well for wifi<->lte switching, but it's been a long time since I used it much.
I'm not sure what the OP does, but at least for me I find myself chained to Google Voice for SMS 2FA use because it's basically the only phone number provider that cannot be exploited with a sim swap attack (same deal with Google Fi). And while I don't necessarily trust Google, their account security is leagues ahead of anyone else imo.
I previously looked at jmp.chat but they didn't really inspire confidence on the security front.
My use cases include 2FA and I like the added security that Voice provides, but it's not really added security, it's just moving the risk from your cell provider to Google. IMHO, Google does security better than the cell providers do.
I like the muti-platform integration of Voice. I use it on my iPad, on my Android phone, and mostly from my desktop. It works well on all platforms.
When I'm at home, I mainly use my VoIP phones. GV forwards to them, and they spoof my GV numbers when I make outgoing calls.
I like the spam text and call protections that GV provides. I believe they're partnered and integrated with Nomorobo.
I also have jmp.chat. It has capabilities that GV doesn't have, but it's not well integrated. (I use Cheogram on my Android phone, but there's no easily usable client on my iPad, or my desktop.)
I don't like they way they've made it harder for me to see what they actually offer vs. what I offer myself (with my FreePBX VoIP client). I wish they would (maybe on a separate page) show the capabilities of their SIP trunk. E.g. Does it support SMS? Does it support video calling? Does the client require a static IP? Etc.
Anticipation of stories like this are why I didn't rely much on Google 20 years ago.
Never used Gmail other than as a throwaway account.
Went many years before I had a Youtube account. Finally made one to upload some videos. I am normally not logged in.
(OK, OK - I was more concerned with them suddenly charging for a "free" service, as well as selling data to commercial enterprises than with them giving to the government).
Does anyone else remember Epic 2014? It was a video made years ago that speculated about the future of the internet and media, with the end game being personalized news written by a computer. The timeline is off but the brand names are mostly the usual suspects. Rewatching it now gives me this uncanny feeling.
Edit: People are not understanding the humor in the question. I implied I predicted this reality 20 years ago, and he's asking for another prediction 20 years out.
If you haven’t already, have a look at Immich. It’s a fantastic self hosted replacement for Google photos. They have pretty much perfectly replicated the UI.
Have you tried Ente.io and have any thoughts on comparison? I only use ente and have been happy with it but hear many good things about immich. Does it support E2EE?
I used Ente, switched to immich just recently. Overall immich gives more of a quality feeling, has much more community support as well and a clear roadmap. I also think it will eventually receive nice, native apps for all platforms with the support of sizeable community. E2EE in Ente was nice but that's pretty much its only advantage.
Immich is self hosted only so it doesn’t really need e2ee since you can just encrypt the disk of the server. It also runs a load of on server machine learning stuff for automatic people tagging and search.
Ente is selfhosted (also has a hosted version) but encourages family use so I think that's why they do E2EE. It also does all the ML on the client side for people tagging and search.
Mozilla backed it with a grant but that was a few years ago.
It was 13 years ago that Snowden told us they were using FAA702 as the #1 source of sigint to warrantlessly obtain any data they want from major service providers.
Did you not understand it at the time? Did you not see the news stories? This isn't rhetoric, I'm genuinely curious. It's been public knowledge for a long long time that Google hands data over to the USG without a warrant (likely without even Google eyes on the request, via automated means).
What changed that this story was the one that made you react?
I've built a tool that scanned my inbox, identified tiers of emails per various criteria (essentially how personal, important, unique/irreplaceable etc the information contained therin is) and built semantic search over it.
My initial motivation for this was the "account 89% full" notice, so I wanted to delete all the old junk to free up some space. But after reviewing what's in there (and I've had that account since ~2004) the opposite sentiment arose: delete everything important, unique, personal. Leave them with the junkyard of various subscriptions, newsletters, just the digital flotsam that's both ambiguous and meaningless -- perfect for appearing both legitimate and irrelevant.
Protonmail is widely believed to be compromised and some evidence supporting this has come forth in two separate incidents in the last year.
Protonmail also has gone on record stating that they will comply with legal orders from the Swiss government to spy on and turn over the private data of their users.
Swiss law has recently gotten significantly more aggressive in recent years, especially wrt to prosecuting climate activists. Criminal damages for drawing with chalk on pavement, for example...
Look up the "Secret Files Scandal" of 1989 and decide for yourself how comfortable you are with Swiss law.
> Protonmail is widely believed to be compromised and some evidence supporting this has come forth in two separate incidents in the last year.
There has been no evidence of this, stop spreading misinformation. They're clear on what they can and can't hand over and what you can do to reduce the information that they can hand over like billing info. For some inexplicable reason people expect a corporation to disregard legal government warrants and subpoenas. Thinking any company would do this is next level delusion. Even if you self-hosted, you wouldn't be able to escape this because it would just end up with you in jail.
The only protection against that is end to end encryption. And to this day Proton has handed over zero data that falls under their E2EE umbrella.
At best, even if you assumed that they were collecting incoming/outgoing emails before encryption it would be nonsensical to think that this wasn't happening to other providers, it's just the nature of email. Nobody who cares about absolute privacy should be using it as a means of critical communication regardless.
The notion that Proton capitulates and somehow hands over your emails or other encrypted data is false and completely unsubstantiated. Unlike Google on the other hand, who will hand over your entire inbox unencrypted with zero issue to DHS/the FBI merely for writing a letter to an attorney:
Compromised how and by whom? In the form of the answer to legally binding Swiss courts subpoenas, or in the sense some other agent(s) have access to their systems and can read the encrypted data?
Nice. I want to do the same too. What process/workflow did you use to move all the websites you had given your email addresses to, to move to your proton email? I am guessing it will take several years, but I would like to start the move of my gmail.
It's good that people migrate, just remember that you haven't deleted anything. They have all of that data and so do various US government agencies and, who knows, maybe other third parties.
Also remember, that when you exchange email with people who use GMail, then they've got you again.
That statement is true at face value. But if you look at how Eric Schmidt travels with government representatives, how rich and powerful BigTech is, and how much they individually and collectively spend on lobbying, then they could be a massive obstacle if they only cared.
Have you run into any serious complications doing that? I'm a bit worried that I've used my google account for so long and for many things that I might accidentally lock myself out of something important without it.
I migrated away from my main email, it wasn't a Google mail but it was on the providers domain.
First I signed up with Proton Mail and added my own domain, they fit the bill for me, YMMV.
Then I did a search in my password manager and went through those accounts.
Then I just let the old account sit there for a year. Each time I got an email from something I cared about I'd log in and change mail.
It's been a year now, and I'm about to terminate the old account. All I get there now is occasional spam.
I really dreaded this, but all in all quite painless. And next time it should be easier since I now own the email domain.
edit: Forgot to mention I use Thunderbird, so old email I archived to local folders. That's part if why I ended with Proton, their IMAP bridge allows me to keep using Thunderbird.
I started doing this a while ago, but made the mistake of buying a .io domain. With the future of that domain uncertain, I’ve been rolling that back, not back to Gmail, but to the underlying Proton account for the moment.
I’ve also had some bad experiences with rates being raised on domains. That still ends up feeling like a risk to me, as the problem of domain squatters has not been solved, and the “solution” being employed seems to be continued rate hikes and exorbitant pricing for “premium” domains. It makes buying a domain for email not seem worth it… or at least not without its own long-term risks.
My current project has been trying to reduce my footprint, by deleting old and unused accounts, so any future migrations will be easier. I’ve found with many sites, this is easier said than done. For example, I deleted my Venmo account at least 2 months ago, yet I just got an email from them yesterday about reviewing privacy settings. Did they delete my account? They sure didn’t delete all my data if I continue to get emails. I’m betting they just set a ‘delete’ flag in the database. The lack of accountability and transparency on these things is really bad.
> My current project has been trying to reduce my footprint, by deleting old and unused accounts
I've actually split the accounts. I have a Gmail which I use for "throwaway" accounts, like shopping sites where I don't care if I lose access. But it's probably better to exercise some account hygiene and do some spring cleaning every now and then.
I exported all my email with Google Takeout, and Claude Code was able to write me a threaded email viewer local web app with basic search (chained ripgrep) in about 10 minutes, for any time I need to search archived emails.
One thing I've not seen mentioned when people talk about moving to an owned domain is what happens when you don't own it anymore?
There are a million services that assume that if you have access to the email content you are the account holder. Google claims they don't recycle email addresses, but if you lose your domain, the next owner has access to all emails from that point forward.
If something happens and you're unable to renew your domain, are your next of kin out of luck?
> If something happens and you're unable to renew your domain, are your next of kin out of luck?
I'd say "don't do that". I had a friend pass which I knew had a custom domain for email, I told the relatives they had to be on the ball regarding renewal.
At least my registrar will keep sending invoices for a few months without letting go cough cough, so should be enough time to get the certificate of probate. With that the heirs should be able to get the invoice so they can pay.
Nothing. To the contrary things work BETTER outside the google eco system. The way to do it is incrementally. You don't just yolo delete you Gmail day 1. I still have mine, it's just getting almost no traffic today. Start by moving to an alternative email provider. I use proton. Buy a domain so that you can move providers easily in the future and use catch all email. Do a Google takeout and store the backup somewhere safe (I just use two hard drives sitting and home, replicated). Move the thing that you need day to day somewhere else. You can pay for someone to host it for you or self host. I'm self hosting immich for my Google photos replacement. I'm using proton calendar and email for Gmail service replacements. I was already using signal for most communications, but do that. I moved to graphene to get off of android and there are some sharp edges there if you want off Google play. I had to give up Android auto and gps tends to work worse (graphene does support android auto but I didnt like the tradeoffs). Nothing dealbreaking but can be annoying.
For general security, I also use a yubikey for all services that support it, froze credit with all agencies, and added phone support passwords to all my financial institutions.
> I just use two hard drives sitting and home, replicated
The failure modes of that are fire/natural disaster, and thieves. Do that, but also have a geographically redundant backup scheme. Either encrypted eg Backblaze or a relatives house in another state.
Damn that’s wild to me, because Gmail absolutely refuses to send things to spam despite me incessantly marking them as spam.
I honestly assumed that everyone had a rotten time with Gmail spam filtering but I guess it’s just a me problem. I suppose that means I’m up for an interesting time dealing with it as I move to a custom domain somewhere else.
Anyone have any recommendations for providers that have exceptionally good spam filtering? Hell I’d even just settle for ones that honor “mark as spam,” because Gmail absolutely does not.
Interesting, I have used Fastmail for probably a decade plus at this point, and whether it's my obsessive rating of false negatives and positives, it is amazingly rare that I get spam slip into my inbox (maybe one message a week from ~100/day received, while my spam folder gets about 10/day).
I, too, mark all positives and negatives obsessively, but still get the same obvious spam in my inbox too often for my liking. Still, though, I love Fastmail.
I've run into one government website that required email addresses to come from gmail.com, outlook.com, or another common domain, and several websites that won't let you change your email address once registered. It also makes it really confusing if someone needs to share Google Docs with you. So I've moved as much as I can off of Google, but some stuff will linger forever.
I've run into this, too, and found it hilarious because I remember when some sites wouldn't allow you to sign up with hotmail, gmail or other free email provider (over 20 years ago).
Personally, I deleted everything I could but kept the Gmail account for a couple of years with a forward to my new account, and after that, I also deleted it. Google Takeout is a very useful way to quickly create a backup of everything Google.
Use of Google seems to have become implied consent for them to use or give away any and all of your data, for whatever purpose, to any government, legal entity, or advertiser.
As other comments say, it was a major story months ago. I started moving off around December. It's a long process to switch over all email accounts. I only recently got self hosted kubernetes set up for immich as a Google photos replacement and some other hosting needs but for the most part I am off google. I get probably 1-2 emails a week still going to Gmail but when I do I just switch those accounts to my new email. It will be a while before the old Gmail is deleted entirely unfortunately.
I didn't mention it in op but I also moved to graphene os which tbh feels much better than android has recently.
Note that there was a major press cycle about this in October / November of last year - a quick Google showed stories in the Guardian, The Intercept, and the Cornell Sun, as well as commentary on Reddit. Not inconceivable that they found about it last October and had six months to leave and de-Googlify.
> Note that there was a major press cycle about this in October / November of last year
Fair point. However...the parent's comment is also fair because the article does a poor job of raising this material fact. You have to click through a sub-article.
It's almost like this article should be tagged (2025) because it's basically a replay of the author's account from 2025.[0]
Setting aside the fact that this is a new account and it's their only post, what about the timeline is difficult to understand?
The request came in April 2025, and the user was notified the following month. That's next to a year for them to hear about it internally and then quit and setup self-hosting prior to today.
If they were motivated enough by this story to delete 20 years worth of history maybe they were motivated enough to create an account and talk about it?
I don't care. The UX means I can't give it any credibility.
For all I know this could be somebody's OpenClaw spouting bullshit. The default credibility of all throwaways is zero and that was even true before 2023.
If you let it influence your opinion in any way you're a fool.
The content of the message is the credibility. It doesn't matter where it came from or who posted it. This exact topic comes up every time Google reveals its true self and lots of us have a resurgence of our latent interest to de-Google (the massive inconvenience being the major barrier).
From busterarm's profile: "Most people are stupid and/or on drugs."
The account is from 2013 but given that profile, I can't give it any credibility. After all, it could be somebody's OpenClaw having been granted control of the account.
> After all, it could be somebody's OpenClaw having been granted control of the account.
Luckily for HN, I actually have a post history. You can use my post history, textual analysis and statistics to make an informed decision about whether I'm a bot or not. Whether I'm being consistent or spouting any random bs.
The account I was responding to doesn't have anything.
> The account is from 2013 but given that profile, I can't give it any credibility.
What's in my profile is a statistical fact. It's there as a reminder, to me, not to expect everyone to see the world the same way that I do. To be comfortable with strong disagreement.
Just a hair shy of half the population is below average intelligence. Roughly 1 in 4 people has a cognitive impairment. This is of any age but trends upwards with age, reaching 2 in 3 by age 70. 1 in 4 Americans take psychiatric medication. 1 in 4 participates in illegal drug use. We haven't even touched on alcohol abuse.
My profile statement is just objective reality, whether you're comfortable with being stated openly or not.
This is a violation of the guidelines: "Throwaway accounts are ok for sensitive information, but please don't create accounts routinely. HN is a community—users should have an identity that others can relate to."
`Throwaway accounts are ok for sensitive information, but please don't create accounts routinely. HN is a community—users should have an identity that others can relate to.`
This just proves my point to discount what you say. You're basically admitting to being a pest.
More than that but they back up the things they say with something more than vapor.
You don't have to dox yourself, but people have to be able to at least call you out on consistency. There needs to be some indication that you're not _just_ a sockpuppet.
Otherwise I don't have any justification to engage with your expressions seriously.
Oh ok, I'm fine with that, but that newbie account is following the rules and being respectful. Same cannot even be said about some accounts with 9999 points.
it was mainly meta-data they acquired, which paints a fairly complete picture of what you do on the internet anyway. an isp can hand it over also but google likely just has more of it to give.
Depends on how legitimate you consider an administrative warrant and how willingly you think complying with one is.
On a more practical level, forcing them to go to court might not be much better. If this went to a FISA court, those are essentially rubber stamps and give nearly 100% approval.
reply