Your Gmail Hacking Finale: Official Advice From Google

By James Fallows

In the week and a half since my wife's Gmail account was taken over, I've learned a lot about "cloud" security in general, the difference between average-user and expert-insider views on the topic, the world geography of hacking, the economic logic and illogic of hacking, the habits that make for "unsafe" and "less unsafe" reliance on the cloud, and so on. I will go into these in greater depth later on, probably in a "real" article.

I've also heard from a broadening stream of people whose accounts have similarly been taken over. The most desperate-sounding are those who have regained control of their Gmail account after a hack, only to find that all the information they thought was eternally nestled in the cloud had disappeared. The embarrassing picture of you at a drunken party will never vanish from the internet, but your working files and correspondence might. This is a generic cloud problem rather than one specific to Gmail, but I'm hearing about it with Gmail cases. For instance:

On Monday, April 11, I woke to a call from my neighbor checking to see that I was safe and had not been mugged in Wales. The call was surprising enough, but the events that followed were devastating. I opened my gmail account a little after 7 am and I believe all my email was intact. I reported the breach and received a link to reset my password. I logged back in and all my email was missing, years of email, not only in the inbox, but the sent mail and dozens of folders of filed mail. In addition, all my contacts disappeared. My folder tree was completely intact, but every folder was empty.
 
I spent the next hours following every piece of advice I could find on Google support and reported the missing email and contacts and requested that Google try to recover it. On April 12, after filing other reports and giving more information, I received an email saying that Google had retrieved what email it could and that "We unfortunately will not be able to respond to any further emails on this case." The email recovered dated back to February 25th and consisted of mostly email that I had actually deleted and some sent mail, a tiny portion of what was in the account.

What I've learned from this flow of information, much of which I have shoveled on to Google and asked for their response, is that there is a huge gulf between how "normal" people think about their cloud-based email records and what the professionals know. Simply put:

- Normal people think their cloud-based email is safe, conveniently backed up, and easily recoverable if anything goes wrong.

- The pros realize that it is not -- or that it might not be, and that users should protect themselves accordingly.

I think that Google and other companies have under-stressed this reality. In the messages I've received from users who've lost their entire archives, not one has included something like "I always knew this could happen" or "I understood that I needed to have my own back ups, because my online mail might permanently disappear." As I mentioned earlier, I have always made on-disk backups of all my email (with those backups backed up elsewhere), but I was semi-embarrassed about this as primitive, Old World behavior. Unfortunately not.

So, as a public service, plus as a way of sparing myself the chore of explaining this in separate emails to the next 50 people who write in, here is a summary of the on-the-record responses I've gotten from Jay Nancarrow, a Google spokesman, and others there about various email security and recovery issues.

1. The most important thing you can do is protect your own account. And to Google's credit, they now offer, free, a tool that makes it almost impossible for anyone to get into your account remotely, as happened in the cases I have heard about. This tool is the famous "two-factor authorization," for which you can read the official Google description or my reference, or a security-pro's analysis. If you apply this system you can probably stop worrying about this whole nightmare-scenario -- and may not need to keep reading after the jump. (Or, if you're seeing this post on a single page, below.)

1A. Another thing you can do to protect yourself is to make your own local on-disk backups, as I previously described and as Google explains.

1B. And, just for the record, in principle you should never use the same password on more than one site. A Google friend says, "If one uses the same password at reliable.com and risky.com, then when risky.com is compromised, that gives criminals your password and often email address to try at reliable.com; even when reliable is as reliable as Google this would give criminals access. And when your user name at risky.com is your email address then using the same password is catastrophic to security. Solution: use a different password absolutely everywhere." I will confess that I have not yet fully implemented this plan.

2. If you have taken the Gmail protective steps too late, and you log on to find nothing in your archives, how do you get Google's attention? You start with this "My messages have gone missing" troubleshooting form, which takes you through a list of diagnostics and, if those don't help, lodges a report with Google's message-recovery team.

Here is what you will see from Google once you've tried other solutions and conclude that the messages really are gone:

"If you can't find your messages in 'All Mail', 'Spam', or 'Trash', or by performing a search, then they've been permanently removed from Gmail.  Messages that users place in Trash are purged from the trash every 30 days, or users can go into Trash and choose to purge immediately.

In the past, users have reported that they are missing messages as a result of unauthorized access.  Though we cannot explain how or why this happens (we do not have access to the content of mail, whether or not it has been deleted), in some cases we may be able to recover missing messages that were deleted as a result of malicious behavior.  If your account was compromised and you would like us to investigate whether recovery is possible, please first complete this process to secure your account [with link to that form] and then file a report [with link]."

Jay Nancarrow of Google says about this process:

"Realizing how disruptive a compromised account can be, we've worked hard to find a way to recover deleted messages whenever possible. We describe the possibility on this Help page, and we make the process available to users directly after restoring access to accounts that have been compromised. We also offer a separate procedure to assist with restoring lost contacts."

3. You will hear back from Google after that. They will have run an automated-recovery routine. If it works, great! I know of cases where that has happened. But if it doesn't, or if it comes up with only a handful of messages, you are probably out of luck. Your material is probably beyond recovery. I know of these cases too.

I've made this point before, but I stress it again for this simple reason: I believe that most "normal" users do not imagine that this can be so. They don't think it's really possible that everything they've archived for years and years might be vaporized. But indeed it is possible, and online life should be conducted with appropriate "tragic imagination" of that fact.

You will know that this has happened to you if you get a message from Google saying that they've done a recovery run and tried their best, and anything that's still not there is gone. That message will end, "We unfortunately will not be able to respond to any further emails on this case."

I asked Jay Nancarrow how users were supposed to react to the "hey, tough luck, now scram" tone of such a reply. Especially after Google had assured them that they should leave the data-protection to the professionals, lulling most users into the assumption that of course cloud data would always be there. He wrote back:

"Unfortunately if a user receives this message, it's because we've tried all we can to recover their messages but it wasn't possible. So I'm afraid that filing another report won't help. Recovering deleted messages is a labor-intensive process that isn't possible in all cases. Of course, there are legitimate reasons why users may want to delete messages and make them unrecoverable, even as there are times when recovery is desirable. We try hard to strike the right balance.

Since this situation is clearly undesirable, Google goes to great lengths to help users protect their accounts in the first place, with features like 2-step verification, default HTTPS, and alerts to users about suspicious access."

So what have we learned here today? For veterans and insiders, probably nothing. But for the average computing public, the idea that your cloud-based email account needs conscious protection on your part, through password management and "two-factor" systems and even local backups, would generally come as news. That is the news. And it's the end of this topic until later in-print treatment, or until something I'm not aware of now comes up.

This article available online at:

http://www.theatlantic.com/technology/archive/2011/04/your-gmail-hacking-finale-official-advice-from-google/237734/