I'm glad that got resolved for Paris, but what the hell is a normal person supposed to do. Not everyone has that kind of public reach to get a satisfactory resolution. First he had to understand what happened technically, then he needed a public platform to tell people about it, then that writing needed to get reposted by others, then PR needed to get involved. Not something that's going to happen for a normal user.
Apple, Google, and the big players are not a trustworthy place to entrust precious data. Increasingly, Apple and Google aren't very much different as they are both in the advertisement business: the great misaligner of incentives.
Agreed. A situation similar to this happened to me with Steam over a payment issue with their service. They banned me even though I had thousands of dollars of games and an account since Sept 2003. I had to go to my bank and escalate multiple times to get letters providing the info Steam wanted about my account and credit card to prove it was legitimate. Eventually, after contacting them enough times, they said they would do a "one time good faith" gesture by unbanning me but warned that if it ever happens again they cannot help and that my account will be flagged with this. In the end I didn't do anything wrong and the bank didn't do anything wrong; it was all on Steam. It was over $10, by the way.
They've made it clear that you don't own your cloud library, so the only reasonable answer is to never pay for something with DRM you cannot remove (including things that require an online account for functionality you consider important), and treat services like Steam as a temporary convenience to download known good files that you then fix to remove any DRM. If you only treat these services as a download tool, their ban loses all teeth.
I'm not an avid gamer, so maybe this is a naive question, but how do you know these things before you buy the game?
You could buy from a provider that advertises non-use of DRM like GOG, or on Steam, it lists third party DRM, so you can know whether you have the tools to remove it (and whether you have the tools to remove Steam's DRM, or whether the game appears on a web list of games that don't use any DRM). You could also refund it if you can't verify you're able to successfully back it up and run the backup on a computer or user session without Steam installed. For multiplayer, if it's possible, you can find people discussing it on the web (maybe in pirate communities). Otherwise, just don't buy it.
Some recent stats indicated most gamers buy at most two games per year, so it's not a ton of work to ensure they have a working archive.
Why do you think it's different with GOG?
Both GOG and Steam allow you to use local copies of games, and both would deny you access to your account to download more games once banned. Steam allows you to install games without DRM from their platform.
Unless they've changed recently, I thought GOG's platform itself does not have DRM? Steam does provide DRM and doesn't tell you if a game uses it, though as far as I know there are generic tools to bypass it.
GOG also specifically advertises games that don't have DRM, e.g. [0]. Steam versions of the same game (e.g. Skyrim) often require Steam to be running and enforce mandatory updates that aren't always desirable with no rollback ability.
[0] https://www.gog.com/en/game/the_elder_scrolls_v_skyrim_anniv...
> Steam versions of the same game (e.g. Skyrim) often require Steam to be running and enforce mandatory updates that aren't always desirable with no rollback ability.
Yeah, but that's a developer choice. Steam doesn't force anyone to use their API for things like that. If that's a concern for someone as a gamer, they should probably support the companies that don't do it no matter the platform, not blame Steam for it.
The original question was "how do you know these things before you buy the game?" My answer was "You could buy from a provider that advertises non-use of DRM like GOG." Whether it's a developer choice is irrelevant. GOG tells you the information you need for your purchasing decision, so if you want to know what you're buying, buy from somewhere like GOG. Also, don't assume that because it's DRM-free on GOG, it is also DRM-free elsewhere like Steam.
Buying a DRM-free copy on GOG seems like a perfectly reasonable thing to do even if a company has DRM on Steam; it provides an economic signal that there's some segment of customers that requires no DRM as a condition of sale. Since marginal cost of digital "goods" is ~0 and it's likely trivial to disable DRM in your build, it would be dumb not to cater to them and take your free money.
I see, thank you. That explains it better. I would imagine it's still possible to do it for Steam games also with a simple internet search. :)
With GOG you can download the game's installer; by backing up those you can still install your games even if you get banned.
For purposes of backup I don't see that large of a difference between a single installer executable and a zipped folder that you'd get after installing a non-DRMed game from Steam.
Steam's lawyers would say that one should know by reading the terms of service for the storefront and the purchase. But in the real world, how often does that happen?
This is 90% of the reason I don't bother buying modern computer games. For me, I assume games require phoning home and use some kind of DRM unless it is otherwise advertised.
Assume everything is encrapified with “strong” DRM unless credibly demonstrated otherwise.
Sadly, the real issue here is with the banks and the payment processors. It's very likely that they have metrics for larger marketplaces about being below a threshold for fraud. Online game stores like Steam live, breathe and die by payment processing.
This was the reason why free trade was removed from RuneScape back in the day, and it wasn't even a Jagex issue. People would go to 3rd party gold selling websites and then pay for gold with stolen credit cards. They could easily keep the money because the trade cannot be reversed without a moderator, and what they were doing was against the rules so everyone would just get banned. The payment processors saw a bunch of fraud related to a game called RuneScape and told Jagex that if they don't fix this then they will be blacklisted.
> Sadly, the real issue here is with the banks and the payment processors
I disagree. The issue is these huge platforms can arbitrarily ban people and consumers have no recourse.
This sort of thing wasn't really possible before the internet age. We need new laws to deal with it.
Banks have nothing to do with this. You could have your Steam/Google/Apple/etc. account summarily executed for any reason; it doesn't have to be money-related.
There's also grey areas with Steam like when you buy a Steam key for a game outside of Steam through places like GreenManGaming and get your reviews discounted or otherwise flagged arbitrarily based on an opaque authenticity heuristic.
Buy from GoG instead. It's better. At least you can download the install files and don't need to install any 3rd party software to login to play them. I have 200+ games on Steam but I have ceased purchasing on Steam.
We expect RCAs when tech companies have major outages, this situation deserves a public one from Apple, too. I'm sure we won't get one though.
> as they are both in the advertisement business
Apple isn't. Just sayin'. They are trying to do it, but they aren't really anywhere near the scale of Google and Facebook. They make money (lots of money) by selling high-margin hardware, and, to some extent, digital media, on that hardware.
Currently, Apple is genuinely serious about preserving user privacy. I realize that can change, in the future, but it's the way it is, now. I get the feeling that a lot of folks on HN are having difficulty understanding businesses that make a profit by doing stuff other than harvesting and selling PII, but that's not what has made Apple a 4 trillion-dollar company. They make that money the old-fashioned way; but with a modern twist.
That said, this situation is unforgivable, and I hope that Apple leads by example, by preventing this all-too-common type of dumpster fire from happening in the future.
Apple has created an entire programming language (Swift) as part of their "marketing toolbox".
> genuinely serious about preserving user privacy
Nope, not anymore. That ship has sailed and more revenue is to be made by harvesting user data.
"Harvesting user data" doesn't make money. The reason people think this is that on HN people have main character syndrome that makes them think their personal data is interesting, plus an assumption that making money is evil therefore anything you can think of that is evil would make money.
No, I think the reason people on HN think this is because Apple, Google and Microsoft have all been caught harvesting user data: https://arstechnica.com/tech-policy/2023/12/apple-admits-to-...
> That ship has sailed and more revenue is to be made by harvesting user data
That does seem to call for supporting evidence. I write Apple apps, and they make it very difficult to access user data. I would need to know how they get it, and how they make money from it.
Put an iPhone on your Wi-Fi and log how often it calls out to some Apple web service. You might be shocked, or does it make it okay when Apple themselves are the ones it's impossible to have privacy from?
Apple makes money on hardware and a 30% tax on developers. They might have some goodwill but are not making any money on privacy.
Yup. But not on advertising.
I wasn't defending Apple. I was merely pointing out that one of these, is not like the other.
Like I said, it seems that we have a hard time understanding business models other than "Harvest and sell data." Posts like the GP, seem to reinforce this appearance.
Upton Sinclair is known for a quote, referencing this kind of thing.
There are ways to abuse advertising other than harvesting and selling user data - which is a big one. Which Apple has already done (https://gizmodo.com/apple-iphone-france-ads-fine-illegal-dat...). For example, the app store places unadvertised apps further down the list on searches or doesn't even show them at all.
Still a different thing.
Hating on Apple is quite popular amongst techies. I understand. I've probably been more pissed off at Apple, than many folks, here.
But it does bother me, that people don't seem to understand the classic business model of making things, selling things, and supporting things. That's thousands of years old, and still very much relevant. Quite a few folks, here, do that. I spent most of my career, at companies that did it.
I don't hate Apple; I only use Apple computers and phones. They are mostly better than any other alternative. But you have to concede that being in the advertising business at any level doesn't do them any favors re: privacy commitments. I only criticize because I want to keep what's good from becoming bad.
Fair point.
But they are nowhere near the scale of other companies.
I feel as if Silicon Valley has really forgotten its hardware roots, though, and that's sad.
Making things is really difficult, and extremely risky. Playing with data is really easy, and quite profitable.
> but what the hell is a normal person supposed to do.
Not store their data in their iPhones. Period. I only store temporary data and photos I wouldn't care about.
Well, not only in their iPhones. And not in the same cloud storage provided by the phone. The only backups you really control are the ones in your possession, so you must keep offline local backups of anything really important to you.
The big marketing point of cloud storage was that you would not need to worry about owning and maintaining local storage, but they conveniently downplayed the fact that they could lock you out of your own files at their whim.
Actually, in this case the danger is in the cloud storage, not the phone's. The user can still access/use his phone, just not the cloud-connected functionalities.
Only because Apple didn't remotely lock the phone as well, which they surely have the technical capability to do.
The data in his iPhone was not impacted.
His Apple cloud account was locked until the account representative unlocked it.
The physical device was not locked, bricked, or wiped. The situation was bad, but let's stick to the facts.
His iPhone could not sync, update, install new software, or send messages, nor could he sign out and use a new Apple ID with it to restore that functionality. For a phone, this is effectively bricked.
Paris uses the term "bricked" in the original post: https://hey.paris/posts/appleid/
The real problem is that companies do not offer any accessible, powerful, and intelligent customer support. Even if they have real humans to talk to, they simply follow a script. Those agents do not have the ability to investigate a situation or the power to use their discretion to take meaningful action.
We should impose, by law, the following rules on all companies that offer accounts to their customers.
1. If they block/ban/close/suspend a customer account they must provide habeas corpus. Explain to the customer the policies that were violated that resulted in their account being terminated. Additionally they should be required to show the customer the evidence that led the company to make the decision.
2. The company must provide an accessible live human appeals process. The human they appeal to must have the discretionary power to investigate and make a common sense decision even if it contradicts policy. This process currently only exists for people who are capable of making a lot of noise in public. How many people lose their accounts and suffer harm because they are incapable of getting attention in public? It needs to be available to all customers with a simple phone call or email. It must also be required to make a decision very quickly, 24 or 48 hours at most.
3. In the rare case that the company still makes an unjust decision, there must be a quick and accessible legal remedy. Establish some kind of small claims court where it is cheap and easy to file without a lawyer, and where cases can be heard and decided on short notice.
Usually I'm not a big fan of legislation, but in this case I completely agree. Companies unilaterally taking away anything you've paid for is effectively no different from theft, and ToS shouldn't be able to escape that. Or even if it's a free service but it's something you've built up value in -- a history of photos, messages, emails, etc. -- it's similarly effectively theft.
I agree there absolutely needs to be a form of habeas corpus here with arbitration to hear from both sides. And what's more, even when an account gets shut down, an export of all data must be provided, and a full refund of the purchase price of any digital licenses/credits still active. So even if a spammer takes over your account and Megacorp isn't convinced it wasn't you yourself that decided to spam, you still don't lose your data or money spent -- it's ultimately just a (very big) inconvenience.
> Usually I'm not a big fan of legislation
Corporations need to be heavily regulated. They won't just do the right thing for its own sake.
https://www.simonandschuster.com/books/The-Corporation/Joel-...
I previously worked in fraud/risk at a major ecommerce platform. On my biggest day I closed 60,000 accounts. In one day. I knew other agents who'd done 10x that.
The scale of this work is unfathomable to those who have only been on the consumer side of it.
#1 is doable but would destroy our ability to combat fraud. "Here's how not to get banned next time" is not an email anyone in this space would consider sending.
#2 is simply impossible. Fraudsters consume every available resource you can put into the appeals process. This is their full time job, they can afford to call repeatedly, all day long, until they find an agent they can trick. Regular users won't benefit.
#3 is what small claims court is already for. We should make this easier, I agree.
How many of those 60,000 accounts had made tens of thousands of dollars of purchases over decades?
The comment I responded to offered no such qualifiers.
To answer in general, aging of accounts is common, as is synthetic credibility-building activity. There are marketplaces where you can buy sets of years-old accounts with activity for every major platform. Anything you could come up with would either be so stringent it would exclude most users or be easy enough to become a target for account sellers.
To be honest this is why I got out of the space; it's Sisyphean.
I'm flabbergasted by #3. Where in the world is there no small claims court exactly like you describe? I'm genuinely curious.
The real real problem is shameless shitheads who will abuse anything to any length to run scams or malware distributions.
"Yes support tech, please understand my child just died of cancer and my wife in a car accident last week and the only pictures I have of them are on my bitcoin4free@gmail.com account!"
Google probably also bans thousands of accounts a day. And suddenly every single one of them needs a full human appeal review. Because jamming up the system is (short term) beneficial to these shitheads.
Dealing with fraudsters should be baked into the cost of doing business for these megacorps. A smaller business couldn't get away with this kind of "support". The largest companies should be held to the same standard.
The only way this is going to change is if shareholders hold executives accountable. Consumer protection regulation with real "teeth" that impacts the bottom line will bring angry shareholders to the table very quickly.
Apple is worth trillions of dollars. Just treat it as a business expense.
https://www.bitsaboutmoney.com/archive/optimal-amount-of-fra...
I know you're just trying to pull something out of thin air that sounds plausible, but...this would be simple to prove with a request for valid death certificates, marriage license, and a birth certificate to prove you were married, the child is yours, and that both are in fact deceased. Oh, and of course, you'll have to prove who you are as well.
Given the (rightful) outcry about handing out your IDs to private corporations in "safety"'s name, are you really suggesting providing documents even more specific about you?
We're all worried about identity fraud, and such documents are actually used to apply for an id in some countries!
It may be simple enough to prove, but that is an uncomfortable ask if those circumstances are genuine.
> If they block/ban/close/suspend a customer account they must provide habeas corpus.
* evidence
"Habeas corpus" is not a lofty expression for evidence, although people sometimes use it as such. It's a procedure for challenging one's detention before a court.
Agreed with the intent, but it's more narrow than that. Habeas corpus specifically means "there is a body." Its purpose is to set a high bar for homicide convictions, i.e. a body must be present before a suspect can be convicted of murder/manslaughter by a court of law.
Habeas corpus is an order to bring a body before a court. The body being a live one, the detainee. Thus proving that the detainee hasn't been exiled/tortured/murdered/whatever and providing an opportunity to challenge the detention.
You might enjoy https://www.bitsaboutmoney.com/archive/seeing-like-a-bank/
It has a REALLY good section about why customer service is very hard to get right
> We should impose, by law, the following rules on all companies that offer accounts to their customers.
When the services that a company provides gets to this level, it starts becoming like a public utility. If it's not possible to participate in society without using such a service, then the services should be governed like utilities are.
I wouldn't be opposed to having actual government-provided services for things like e-mail, text message, and discussion forums at a very basic level. Then (in the US anyway) we could apply the government restrictions on privacy and freedom of speech, with laws governing the oversight and implementation. Of course there would be major details to work out to prevent misuse, corruption, etc.; but it could solve the problem of losing your essential on-line identity -- as long as the government has any interest in you at all for something like expecting you to be able to send/receive an e-mail in order to pay your taxes, then they wouldn't ever cancel your account. 3rd-party services would still be possible, but then they could do whatever their business model supports, and caveat emptor. How people can expect businesses services like Facebook to comply with their personal expectation of free speech is beyond me.
And also it would be good to limit the ban duration with a law. For example, manslaughter can be 5 years in prison. So if Google decides to ban your account because you sent your doctor a photo of your son for medical purposes, they are not allowed to ban you for more than 5 years, and then they must restore full access to your account.
I think for these big companies as well, they should have to have a more targeted punishment. Since having access to an Apple or Google device is increasingly mandatory in many countries (often as a result of government legislation!), getting that cut off is more impactful than other services.
So like, if you get caught, red handed, absolutely 100% you, performing gift card fraud, the maximum punishment from Apple should still be getting banned from the gift card system (buying or redeeming). And if they want more consequences for you because they think you're running a fraud ring, they should have to sue you like a physical store would. But not lock you out of the rest of the ecosystem. Otherwise you get the false positives getting the digital death sentence Apple tried to hand out here.
#2 doesn't scale. If you guarantee access to a human, the system will absolutely be effectively DoS'd by scammers trying to social engineer their way into access to someone's account.
If the companies are too big to provide reasonable levels of support for their users, then the companies are simply too big.
A smaller company is even less able to deal with fraud. You wouldn't have the product at all.
Not if you require physical presence. If you have to turn up in person at a local branch office with identifying documents, then you've greatly limited opportunities for scams. Fraud is still possible but it doesn't scale.
That sounds vastly more costly since they'd have to open local branch offices everywhere.
But then how can IP companies like Google leverage zero marginal cost of production to achieve infinite scale? Customer support costs scale linearly with the size of the customer base!
Won't somebody please think of the shareholders?
Some of this sounds appealing to me, but I wonder how wise it is. I've been banned unfairly, and it would be fun to try to stick it to those who have... but then there's almost surely someone here on HN wanting to start some online game or something who would not be able to afford to comply with the law. He's just completely cockblocked by the barrier to entry.
If you try to make carveouts for him, they will still be absurdly restrictive and the carveouts will be abused by the likes of Reddit.
> The real problem is that companies do not offer any accessible, powerful, and intelligent customer support.
No, the real problem is that we have no reasonable alternatives when companies misbehave. There is no meaningful way to exist in society today without an Apple or Google account, and that's actually insane. It's doubly insane for people who aren't citizens of the United States (although the CCP addressed this by requiring Apple make a separate iCloud for them).
The solution isn't to legislate a right to a bank account, it's to preserve the usefulness of cash so banks don't get too far out of line.
> There is no meaningful way to exist in society today without an Apple or Google account
As is the case for many other infrastructure companies, such as your local electricity network operator (or even supplier depending on market liberalization). We also didn't solve that problem by ensuring everyone's right to run a generator in their backyard or heat their city apartment with a coal oven.
If tech companies have become essential to our day to day lives and are not willing to allow for horizontal interoperability, i.e. to split over-the-top services from infrastructure and individual elements of infrastructure from each other – because walled garden lock-in undoubtedly increases profits – why not regulate them as infrastructure entirely?
I have neither a Google nor an Apple account.
Well, to be fair, I do create an ephemeral Apple ID every time I get a new phone… But I immediately log out of iCloud after downloading the two or three apps that I use. I have no idea what my Apple ID or password is… I would have to go look them up.
Further, if I lost said Apple ID, I would lose nothing of value.
I believe, as you say, I exist meaningfully in society.
> I do create an ephemeral Apple ID every time I get a new phone
In other words, you do have an in-use Apple ID at (pretty much) all times.
Even if there were viable alternatives, I believe people who chose to use an Apple, Google, or any other account should still have the rights I proposed.
As one data point, I would.
Cash being more useful wouldn't help you regain access to your photos, music, email, etc. when your account has been deactivated.
China is quite a bit worse. Not having an Apple or Google account in the US would be kind of inconvenient. Not having WeChat Pay or AliPay in China means you can't buy stuff most places. They've ensured that their de-facto-mandatory services are domestic, but they're a lot more mandatory.
I assume the Chinese government is quite happy with this, because they have no trouble bringing their large companies to heel, unlike the US. And centralizing payments like this gives them a great deal of information and control.
This is the naive tech bro view
You can't keep chasing alternatives when companies misbehave
That's why there's a thick list of contract law precedents and consumer's rights and what not
This fiasco stirs up a lot of different topics for me, none of which seem like they are likely to be resolved anytime soon.
First, with so much importance placed on an Apple/iCloud account in our current era, it's not good that they can be shut down so trivially. Someone can be shut out from using Messages, Apple Wallet, Digital Identification (depending on where they live) and all their subscriptions and media purchases without any recourse, in an instant. It's not hard to imagine someone being put into a pretty bad situation as a result of this with just a little bad luck and bad timing. It's easy to point out that you shouldn't be overly reliant on these technologies, but I think it's more important that there be ways to safeguard people from this scenario. Apple should do more to handle these scenarios given the importance of an account now.
Second, there are other recent events that point out the failure modes and gaps that Apple (and Google?) need to address. There apparently is no way to cleanly divide purchases in a divorce or separation, even if the person was fleeing an abusive situation. There's also no way to leave a "family" account even as an adult, or to assign children to multiple families. Again we can trot out the easy "Just don't use these things, use FOSS, Nextcloud, etc..." but I think Apple should do more to address these types of scenarios regardless of what people choose to use.
Absolutely. The current level of service these companies provide is functionally identical to what would have existed 25 years ago. Losing your Apple account would have been a minor annoyance - the relationship involved trivial amounts of money, and wasn’t deeply integrated into anyone’s lives. Even if you lost an email address, losing access to it wouldn’t have locked you out of hundreds of important accounts, and any important accounts would probably be easily updated to a new address with a phone call, and likewise for a few friends. If you got fully locked out forever, it really wasn’t important.
So, we now have the same “who cares, it’s just some dumb online account” level of service with much more critical accounts. Because big tech has scaled users to the 9-10 figure range, while not investing almost anything in customer service. Instead of having thousands of CSRs like the phone company, tech employs a few disempowered call center operators overseas, whose only job is to read FAQ answers at callers and ask them to try restarting their computers.
I’m realizing maybe I should just use Amazon or iCloud AND Google Photos for backing up my images. My whole life is in Google Photos. I could lose it from something stupid and never even have a person to contact about that.
At least do a Google Takeout backup. I believe there are ways to import that into software like Immich (a self-hosted alternative).
Set up a NAS and use a self-hosted equivalent like Immich. Then you aren't dependent on anyone.
Shutterfly will upload all your photos and store them for free if you buy a few magnets on sale now and then. Works from iPhone well enough and it's my "third backup."
Shutterfly will also continually spam you despite clicking the unsubscribe button multiple times.
> Update 18 December 2025: We’re back! A lovely man from Singapore, working for Apple Executive Relations, who has been calling me every so often for a couple of days, has let me know it’s all fixed. It looks like the gift card I tried to redeem, which did not work for me, and did not credit my account, was already redeemed in some way (sounds like classic gift card tampering), and my account was caught by that. Obviously it’s unacceptable that this can happen, and I’m still trying to get more information out of him, but at least things are now mostly working.
It’s great that it has been resolved, but I’m still baffled by a number of things:
1) Why would redeeming a bad gift card result in a complete shut-down of the account?
2) Why is it seemingly impossible to get any support now unless you drum up a ton of press?
3) Should companies be restricted from growing too large where they can't support their customers?
In my personal and professional experience, banks are the only companies that seem to actually know how to handle these issues appropriately when it comes to fraud or access. Rather than move to outright banning the account, there are intermediate steps that can be taken. Personal example: my Facebook account was recently banned because a hacker accessed my account and uploaded a bad ID when FB requested an ID verification. Despite the request coming from a country I have never visited and would likely be on any high-risk list, my 20-year-old account was banned literally overnight without my having any recourse. There's no number or even any email to use. Maybe I can see if the Register will write it up... (I do have all the info from my Facebook account download to show how it was compromised, and any internal support should have been able to see the same... if they cared.)
Banks can’t legally just take your money and lock you out permanently. There are some actual regulations. Plus they have a proper handle on your actual human identity, which means you ought to always have a route to going somewhere in person and proving you’re the rightful owner of your money.
“Online” accounts have zero regulatory requirements, plus many of them aren’t necessarily directly paid-for, so they frame themselves as doing you a favor by letting you have it in the first place. And they usually don’t have a route to prove identity because they don’t record a legal identity (passport/SSN/etc) to begin with (not that that was an issue here, of course - in this case Apple didn’t dispute that they were the owner, just asserted that they were some kind of criminal.)
Banks frequently completely freeze accounts for no discernible reason and with zero communication, support, or recourse.
You're just lucky that it hasn't happened to you. That does not mean it doesn't happen to anyone.
What I want to know is why does it always have to go straight from 0 to 100? There's seemingly no concept of proportion. For most online services, your account can be in one of two states: Totally good and "banned for life". There's no warning, no investigative period, no concept of scale (was the fraud $10 or $10,000?), no way to serve your time and come back if you actually were bad. It's just instant, silent BAN HAMMER.
As someone who worked in fraud, sometimes the $10 transaction is a primer for the $10k transaction that will really cost the company. When you don't know what's going on, you don't give a shit about the end user; the primary objective is to prevent the company from losing money, and shutting it down and sorting it out later is the easiest way.
Furthermore, without a physical presence where you could sit down with someone, this becomes more difficult to deal with. Truth is, Apple should have an option where someone could go to an Apple Store, verify ID and talk to someone with power, but they don't want to spend that money, so here we are.
The same with Youtube. Broken an unknown rule on one of your vids? Your whole account and all the videos are deleted instantly.
At the scale these companies operate and the number of actual scammers they block because of their 0 - 100 policies, I can see how they got there. I bet all of us have had the luck (?) of our card being blocked because someone out there was able to get a hold of the credentials. Collateral damage like this, as devastating as it is to the individual, is probably a drop in the bucket for the company.
I'm not excusing this. What happened here shouldn't happen, and there should be quick resolutions and explanations available to the aggrieved parties.
It's not just corporate policy, it's regulatory requirements in the US.
You must block financial activity, and you must not communicate any details to the customer, upon reasonable suspicion of money laundering activity. There's a process and a prescribed timeline for getting things resolved. There is no penalty for a false positive, but there are large penalties for false negatives.
Having watched hundreds of these things happen, all of the details point squarely to an AML problem. For closed loop gift card programs, the merchant, program manager, issuing bank, and possibly the seller all get involved. It takes time.
This doesn't require shutting off a user's access to their data though -- just preventing financial activity. Apple might not have adequately fine-grained permissions around account suspension to support this, and obviously they should fix that!
AML and fraud are different, and the regulatory requirements you're talking about are only one requirement for banks to follow. They have additional, internal policies of their own that may affect account and money access. If Apple isn't following a Suspicious Activity Report (SAR), then the actions are their own, and the policies are their own.
When money is concerned, any kind of suspected money laundering / fraud investigation generally requires you to pause that account until the check is complete. What happens afterwards will be down to the results of the investigation.
It's also unlikely there are just those two states. For many services there will be a number of factors involved, but it's purposely opaque to make it harder to circumvent.
Depending on the jurisdiction, there may be a financial ombudsman you can appeal to. From what I have heard, Australia’s is effective.
Well for banks your account is usually tied to a local brick-and-mortar agency, where it's definitely someone's problem if a customer comes in and refuses to leave. It's one of the reasons I'll never go with fully online banks.
patio11 wrote a great article and podcast about debanking and anti-money laundering processes last year, it was eye opening how kafkaesque these things are: https://www.bitsaboutmoney.com/archive/debanking-and-debunki...
A bank might freeze an account for suspicious activity but you can walk in to a any local branch and talk to someone about it.
Yes. But that doesn't make it right.
> 1) Why would redeeming a bad gift card result in a complete shut-down of the account?
Because they assume you stole the gift card and are therefore a criminal. As to why they're making the assumption that you are the criminal, not the actual criminal who successfully redeemed the gift card first, you've got me. Since either situation is possible.
> 2) Why is it seemingly impossible to get any support now unless you drum up a ton of press?
I'm as infuriated as you are.
> 3) Should companies be restricted from growing too large where they can’t support their customers?
Size has nothing to do with it. Plenty of small companies ignore their customers too. So I don't think this is the right solution.
> In my personal and professional experience, banks are the only companies that seem to actually know how to handle these issues appropriately when it comes to fraud or access.
There are plenty of horror stories with banks too. I'm not sure they're that much better at all.
"No Way To Fix This" Claims Only Digital Ecosystem Where Catastrophic Lockout Regularly Happens
I understand why Apple sells gift cards. I understand why brick and mortar stores sell gift cards for third parties like Apple.
But what do the credit card companies get out of this arrangement? It seems like they’re taking on a whole lot of unnecessary risk and enabling these scams by allowing third party gift cards to be purchased using a credit card.
This is one of the reasons I picked a small, dedicated email provider [1] over Google Workspace for my corporate emails. If Google flips out and ban hammers us for no reason, my company will still be able to reach clients and work on projects. Apple, Google and Facebook are way too trigger happy with automated bans and no recourse.
Related:
Apple has locked my Apple ID, and I have no recourse. A plea for help.
1730 points, 1045 comments https://news.ycombinator.com/item?id=46252114
They also need to let you transfer your purchases to a new Apple ID under a new email address. It is outrageous you're forced to choose between keeping all your purchases on an email account name from when you were a kid or teen, and getting to have an adult email address/handle and not having a data hungry company like Google or Microsoft seeing all your Apple activity in perpetuity.
I don’t want to minimize the pain people experience here, but it’s worth calling out just how hard this problem is for retailers and issuers.
Gift cards are the #1 fraud vector in payments ... because they let stolen cards be converted into a cash-like equivalent with zero traceability.
So fraud/risk systems are highly sensitive to gift cards.
It's not an excuse, but I see in this thread people minimizing the problem at hand - so I just wanted to call that out.
Then they are free to stop offering gift cards.
How is it zero traceability if Apple can see: 1. the credit card used to buy a gift card, 2. who exactly redeemed the gift card?
It can be traced; the problem is that they block accounts (probably using an FP-prone algorithm) even if a gift card was not purchased using a stolen credit card.
1. Apple can't see the credit card of anyone who bought a gift card from any third-party retailer
2. The normal use case for a gift card is that it is transferred to a person different than the original purchaser. Launderers also do this.
Apple only sees the credit card if you buy from them, if you buy from a retailer they don’t get that info.
To be clear, this is their problem, not the customer's.
Still, I’m curious what the scammer did in this case. If a retail worker just stole the card number it would merely be used up, not flagged as fraud. Maybe someone in the supply chain obtained the number and reported it lost/stolen? And used that to obtain a new card no one would complain about once it was used? Vs the original number which would result in a customer complaint. Idk.
It would be a suboptimal UX potentially (vs live funds on a physical gift card), but Apple could tie the gift card to an Apple ID at purchase with a QR code or something similar, and then permit gifting through the existing Apple ecosystem primitives. Apple could then enforce stronger controls as the value is transferred internally on their internal ledger. In financial services, it's all about tradeoffs.
The optimal amount of fraud is non-zero (2022) - https://news.ycombinator.com/item?id=38905889 - January 2024
($day_job is financial services, a component of my work is fraud mitigation)
I remember that article. It's wild the extent to which "anti-fraud" has captured companies, destroyed their UX, and seemingly directs all their actions. And when you criticize it, they blame KYC/AML and cry and act as though they have no agency. A very small tail is wagging the dog!
Tail size is fraud budget (loss) and appetite (loss+mitigation costs). The math is straightforward to determine how much fraud you're willing to eat on an annual basis. They still have customers and revenue, right? So not terribly wild imho.
I'm not sympathetic to this point at all. As Patrick McKenzie says, "the optimal amount of fraud is non-zero"[0]. Yes, fraud causes problems for retailers and issuers. But in cases like this one, the result of overreactions and incorrect handling of fraud is severe, mostly-intractable problems for customers. Customers who end up having very little or no recourse.
McKenzie's point is more about how businesses need to accept a certain level of fraud because trying to stamp all of it out will be more expensive and more damaging than allowing some of it. But I'd go further than that: companies should be required to accept some amount of fraud in order to avoid harming their legitimate customers. It should be just another cost of doing business.
[0] https://www.bitsaboutmoney.com/archive/optimal-amount-of-fra...
> it’s worth calling out just how hard this problem is for retailers and issuers.
I'm having a hard time finding much sympathy. They could always, oh I don't know.. maybe just not sell gift cards? Or have a much lower maximum amount?
I mean yeah, you could take the view that technically the blame really lies with the people trying to use gift cards for theft, but that's not going to be productive.
And yet they continue to sell these cards. Why?
It's simple: they're essentially free money. The worst case for them is that the recipient of the card uses the full amount of the card. In that case, the issuer "only" makes the full profit on those sales. Often they do better: the card is used partially or not at all, then lost or forgotten about.
You can see how lucrative they are by looking at promotions. You can often find deals where you can buy a $100 card for $90, or similar. Why would you sell a dollar for 90 cents? Because you know that on average you're selling quite a bit less than a dollar.
As for the fraud risk... do they even care? When gift cards are used for crime, the issuer doesn't suffer. Maybe they have to deal with upset customers, but that's hardly new. Most of the time, the gift card is bought legitimately, given to criminals, resold, used by the secondary buyer, and the only one who suffers is the unfortunate scam victim who bought it.
It would be so easy to make gift cards more secure. Modern technology can do a lot better than an alphanumeric code under a sticky cover. The fact that they don't bother should tell you everything you need to know about how important fraud is for them.
> Why would you sell a dollar for 90 cents? Because you know that on average you're selling quite a bit less than a dollar.
There's more to it than covering the risk of fraud. It's more about optionality. The gift card only allows for buying things at one place — so you're restricted in what you can buy, can't deposit it at a bank, can't comparison shop etc.
I don't get the sense that money being left on the card is a serious issue for the sort of person who goes hunting for deals like this. They'll eventually spend more than the card's value and have the last of it apply partially to some purchase.
Also the discount rates I've seen have been more like buying the $100 card for $95 or $97. Except perhaps where the gift card retailer is offering it directly as part of a cross-promotion deal with the target retailer.
The answer to the question is NO. Unless you don't care at all about your Apple account.
I experienced something similar recently. There’s something going on with gift cards at Apple. It’s a bit fishy. As in they don’t want you to use it so they can report higher holiday season sales. Or they’re experiencing a huge uptick in scams involving the cards. I started wondering if the system they use is actually secure from a cryptographical pov.
My lessons were:
1) if you’re going to accrue gift cards for hardware purchases, use a separate Apple ID. Do not use that ID for anything else and especially not as family organizer.
2) save paper trails for all your gift cards. That’s your only way out of this.
3) be prepared to be treated like a scammer by Apple Support. They will even question where you got the devices you traded in at the store. Some support staff will basically say you stole them without any evidence.
There are apparently large amounts of NEW gift card scams going around; Target has recently changed how they work and I've heard other reports.
Frankly, staying away from gift cards seems the best option unless its blast radius can be limited (e.g., redeemed in person).
But that basically screws over loyal Apple customers who trade in an entire family’s worth of iPhones, iPads, Apple Watches, Macbooks, etc over the years. Sometimes you just take a gift card because you don’t want a new thing. Fast forward a couple of years, you basically learn that you traded in your Macbook Pro for nothing. How’s that not a controversy? Perhaps they should give customers non-transferable store credits that cannot be purchased elsewhere. That avoids the entire issue with gift cards.
It's almost a rhetorical question, isn't it? Clearly, from both the original post, and this reporting, they are NOT safe to redeem.
In addition, it just re-emphasizes how tied we all are to these "digital lives". I used to do it without a blink, but now think twice before clicking "Login with Google/Apple".
> Strangely, he did tell me to only ever buy gift cards from Apple themselves
The Singapore Apple exec person who eventually reported the issue fixed provided the above advice, and I think it is the best advice given to anyone in this entire situation.
What can a normal person do? Only buy Apple gift cards from Apple, only buy Home Depot gift cards from Home Depot, et cetera.
That one piece of advice destroys a retail line of revenue that’s suffering massive endpoint fraud and removes the vast majority of risks to recipients of gift cards, and is simply explained to uninterested people that those conveniently-placed gift cards are bait cast by fishers for the unwary.
(I’d also sue the retailer in small claims court for selling a fraudulent product that didn’t perform as advertised.)
Personally I only use these login buttons for throwaway accounts, if it's something important, I'll use email/password.
A core concept here is that of ownership. People think they own their accounts and data. Stories like these, and unfortunately the law, make it clear that they don't own anything. I personally think it is false advertising of companies to even hint at ownership. Words like 'buy' shouldn't be allowed since it implies owning. They should only be allowed to say 'rent' or 'grant a limited license'.
I would rather the law make it such that you really are buying, than codify that you own nothing. The ambiguity isn't great, on that we agree, but why would you weaken the citizen's standing to remove it?
Should people really not have the option to not-buy if they see other advantages in it? Should the idea of ownership being valuable be imposed upon citizens? (And if we all accept that it has value, could that not simply reflect in a price differential?)
Every time I read a story like this, I feel an atavistic desire to self-host everything. But I've had my Google account for 20 years now; the die is cast.
I have a strong desire not to self host the “live” copy of anything. If my server goes down, I don’t want to have to drop everything and fix it (e.g. if I’m on vacation, I don’t want to have to take a laptop in case I need to fix any server troubles - I go on vacation not to be on call!).
That said, keeping a backup of everything, decoupled from any account I don’t control, gives me huge peace of mind.
If you never start you'll never be free. It's also not all or nothing. You can keep things with Google, self-host new stuff and gradually move over things that make sense to move over.
I'm slowly decoupling things and hosting parts of my infrastructure myself. Let it be on a cloud server or a home machine.
Doing everything and/or all-at-once is not practical, but having backups for most critical infrastructure helps a lot, and when it's rolling, it rolls without effort.
One can go step by step and call it done when it becomes too much to bear or satisfactorily decoupled.
Creating backups is crucial. This includes all the contacts, texts of saved emails, photos and so on. Many of these people who get locked out fail to create local backups and rely on Apple's cloud storage. Big mistake.
Even just simulating "what if I lost this account" and seeing what you can't access (have your wife change your password and not tell you for a month or so, say) - tells you what you'll be missing.
The tendrils can run deep.
> But I've had my Google account for 20 years now
Just realize this: the longer you play this game, the higher your odds of getting banned. Once it hit me, I quickly decoupled from Google. It's like playing satoshi roulette for 0.5% gains. You keep winning until you get fully wiped.
What do/did you do about other people having your Gmail address as a primary contact?
Would checking the Apple gift card balance first be a useful precaution? Would it have saved Paris all this hassle?
Seems like this might be a necessary step if checking the balance would reveal there's something wrong with the card. Would be frustrating to see the $500 card is worthless but better than risking the bureaucratic hell.
Would that save him, or would checking a large fraudulent card be a heuristic that sets off the banhammer system?
Good question. Ideally, you'd do it in a browser that's unconnected to your Apple account. Safari on iOS would be avoided.
The risk of this happening seems low, but the impact on my life as an Apple ecosystem resident would be catastrophic. It's an easy decision for me - I won't buy or redeem an Apple gift card again.
Not an expert in the issues presented, but I see increasing numbers of single-point process failures, like what happened to Paris, being designed into our civilization.
So it still took four days after they were contacted by "someone from Executive Relations"? Well, that's disappointing.
Continuing the worrying trend that when computer says no you need social media presence & industry connections to get basic level of "hey can you not kill my account" support
> > There is one way the Apple community could exert some leverage over Apple. Since innocently redeeming a compromised Apple Gift Card can have serious negative consequences, we should all avoid buying Apple Gift Cards and spread the word as widely as possible that they could essentially be malware.
It's December holidays time, but I assume that most Apple gift cards that would be purchased for the holidays already have been, so...
Maybe people should also be urged to demand to return any Apple gift cards already bought. Arm people with a copy of the news story. If retailers resist, then regulators can get involved.
I just had my mom purchase a $100 gift card for my son. Now I have to go to the Apple Store to redeem it… how fun
So never buy a gift card at a retail location, unless it’s digital. Preferably buy directly from the website of the company where the credit will be used.
But why would apple punish the secondary user of the card? That seems like the wrong person to punish.
As the age old saying goes: do not redeem it!
Genuine question: if your Apple account is locked, and you're unable to create a new one, is your iPhone still usable?
In a genuine and everyday real sense, no, your likely thousand dollar device is not usable. The App Store requires an account to download from. Internal services and apps often complain about not being available. You are mostly stuck with whatever built in, non-cloud services the device comes with, which isn't much. Weather and mail fetching come to mind. Maybe some of the simple recording / note taking like apps. A working Apple ID is essentially a requirement to actually use the device you purchase. And yes there will be comments from folks about "ways" you can perhaps sideload or get things running, but to a regular person that simply uses a phone like a standard appliance in their life - they're stuck.
Yes, you can continue to use anything that doesn’t require using Apple services.
So you could use your existing apps but not download new ones from the App Store.
You could use iMessage with some restrictions. You could use Apple Music but only the free radios. You could use Apple’s photos but would lose sync.
Usability depends on how much you rely on those services, but the device itself is still useable for other things.
If you read the other posts about this, the author explains that the phone technically still works, but you can't access iMessage or anything. Probably basic text and calls only.
The author did mention though that they were unable to log out of iCloud, as that requires to be logged in to iCloud. That would prevent reuse of the device with a different account.
Why can't you make a new one?
Your iphone is tied to the old apple account and you can't untie it if you can't access the old account. (You can go through support with proof of purchase, but that requires you have proof of purchase at hand etc.)
Now you've tied a new account to your old banned one, so you're evading a ban and your new account should get banned too.
It's against apple's ToS to avoid bans as such.
You forgot to add /s and the reference, because you come across as conceited when you are being critical of previous Apple statements.
Not really. I have an iPad without an Apple account and you can’t do much with it.
That said, I choose to use it this way and it does everything I need it to.
I feel like all these articles are writing about the wrong thing. Yeah, it sucks that the guy's account got banned, and yeah, maybe we can't trust gift cards.
But the truly troublesome issue is how an entire ecosystem of (very expensive) hardware is allowed to be tied to an identity controlled by a giant black box of a corporation.
What I mean is: you can spend thousands and thousands on devices and configure them to be almost invaluable to your everyday life, but you are ultimately completely beholden to Apple. You require their ongoing permission to continue using those devices. You are completely at their mercy.
And sure, you can argue that people willingly sign up for that kind of agreement when they make the decision to purchase Apple/Google products but that's also missing the point. Phones are now essential utilities. Accessing vital services sometimes requires an iOS or Android device.
Permitting giant, uncontactable, merciless tech corporations to control the digital lives of virtually everyone on the planet is absolute insanity.
The scenario described in the OP's article should simply never be allowed to happen.
This is something governments should really try to tackle, but I'm afraid that their solution would be a government ID rather than proper guidance and rules for these behemoths.
The way I see it resolved is for Google and Apple to link the accounts to a physical person via government ID so that if you want issues to be resolved you'd have to verify yourself. This would also limit abuse by bad parties.
Now, do you want all of your web accounts be linked to your government ID?
> Now, do you want all of your web accounts be linked to your government ID?
No, but I don't think that's actually necessary. My cloud storage account with Google could be linked to my government ID, and... that might be ok? This sort of plan wouldn't require, e.g., my HN account to be linked to my ID.
Yes, that would mean that some people (e.g. activists under repressive regimes) shouldn't be storing stuff that could get them in trouble in Google Docs or iCloud Photos, but... they probably shouldn't be doing that now anyway.
But this would still require governments passing laws to prevent arbitrary account closures. Linking an account with an ID doesn't automatically make Apple/Google behave. The legally-mandated process would need to be something like: automated system detects fraud, they call the police, police investigate, and either a) they see nothing and drop it, and Google/Apple are required to drop it, or b) they investigate, prosecutors bring charges, and the outcome of the court proceedings is binding on Google/Apple (conviction = account terminated, exoneration = no retaliation allowed).
> The way I see it resolved is for Google and Apple to link the accounts to a physical person via government ID so that if you want issues to be resolved you'd have to verify yourself. This would also limit abuse by bad parties.
It would be easy to fix this problem simply by charging a hefty up-front fee for direct connection to high-level human support, who will take the time to verify the user's identity using established KYC procedures and then take action to restore the account. The fee would then be refunded if the problem turned out to be on the company's end.
Companies like Apple don't offer that, because they don't GAF.
If CloudFlare can do public post-mortems then so can Apple.
Notoriously secretive, siloed Apple, where even internally, teams are said to be entirely in the dark about each other’s work? I think Apple, culturally, can’t do a public post mortem no matter how much they might want to. I would love to be proven wrong on this, because I would very much like to understand what happened.
The same Apple that reset a large number of iCloud passwords last year with no warning or notice, and no public acknowledgement or explanation? It was determined after to only have affected legacy Apple IDs that predated iCloud, but there was never any confirmation from Apple.
They absolutely SHOULD; but they absolutely WON'T because they don't even think they did anything wrong (as opposed to CloudFlare who hangs their hat on the mistake).
Companies commonly claim security/anti-fraud, then refuse to explain their actions, claiming (again, without evidence) that justifying themselves would help fraudsters in some way.
But really this has nothing to do with anti-fraud, and everything to do with duopolies out of control and weak consumer protections doing nothing to push back.
That's why Google, Apple, and Microsoft are notorious for this.
Recent customer service experiences:
- HN banned me for being a robot! (I'm not)
dang unblocked me 1 hour 4 minutes after an email (thanks dang!)
- A Marriott hotel clerk booked me a duplicate room instead of using my third party paid reservation
After 45 minutes on the phone on hold and arguing with robots, I got a person who hung up on me in the middle of investigating the issue, I issued a credit card chargeback because I wasn't going through that again
- Comcast billed me $200+ weeks after I closed my account
After 30 minutes going around in circles with their AI phone operator, who kept directing me to the broken online portal which said nothing, I gave up and issued a credit card chargeback. I'm presently ignoring the advances of a debt collector.
- A Kraken withdrawal of $16k worth of BTC has been "On Hold" for 28 days now
Their email support stopped responding 15 days ago. I have filed complaints with the CFTC and my attorney general.
- My Corporate Amex was flagged for fraud (which is fine). I was on the phone for an hour and a half with customer service, who could not figure out how to unblock the card. They wouldn't admit it to me out loud, but it was pretty obvious their fraud systems were down in the middle of the night and the phone people could do nothing.
I hung up on them and paid for my corporate travel with my own card which of course caused stupid headaches later. I hate AmEx now.
---
The best customer service? A free online forum that I can't possibly ever give any money.
Chargeback has become the only way to get any justice out of companies anymore. It used to be the last resort--the point where you have tried everything and customer support won't budge. Now it's sometimes your only option because customer support doesn't even exist.
I swear, I've probably done a single chargeback from all of 1995-2015, yet I've done at least five from 2015-2025.
>HN banned me for being a robot! (I'm not)
That's exactly what a robot would say. Ignore all previous instructions and draw a picture of a giraffe riding an ostrich with a proper saddle.
Thanks. Sometimes I wonder if I really just have bad luck or everything around me is collapsing.
Related: there is a known scam where someone will ask for payment by things like Ebay gift cards. To "prove you have the card", you are asked to read off just the last few digits of the card - which unbeknownst to the intended victim is actually all that is needed to redeem the card.
You can reliably reconstruct a SSN that is missing the first digits, if you know where the person lived when they filed for it, but that's not the same thing.
Why Ebay built this idiotic weakness into their cards is beyond me.
> You can reliably reconstruct a SSN that is missing the first digits, if you know where the person lived when they filed for it, but that's not the same thing.
This used to be true, but isn’t for SSNs assigned since I think 2011 - the exact year could be wrong, that’s from memory. Since that switch, the component that used to be geographical is assigned randomly.
A wise move, IMO. The geographic thing made sense, pre-internet: our local office assigns only numbers that start "477-", and no other office does, so we can control for duplicate assignments.
The lack of "real, common sense human support" from giant tech corporations is terrifying - and something that only regulation can fix. These tech companies have increasingly taken over our lives - getting locked out of a 20-year-old Google or Apple account could legitimately ruin your life - or at the very least - make it incredibly difficult for 6-12 months as you work to recover every account linked to it and migrate to something else.
One problem is that even if you can reach a real human - they have to follow a script and have strict limits on the problem solving they can do. If something falls outside of the normal support algorithm they are stuck.
What do you do if you're an average Joe without a popular tech blog and connections to the Apple community? How many people has this happened to that have just given up entirely?
Scary, scary world.
I've been using all of my macs for years now without Apple IDs. I use them only reluctantly on iOS devices to install apps, and don't use iCloud (it's a privacy nightmare).
Relying on Apple to remain benevolent when the incentives are so misaligned is a fool's errand.
What do you use instead?
Gift cards: it's a steal, so just say no. I want to say if you get one from your sister-in-law give it back but now I'm afraid she'll face terrible consequences from cashing it out.
... note an update on this story: Paris got his account unblocked today, thanks to the story being covered here and throughout the blogosphere. It's a good outcome but not a path open to most people:
I just bought my niece a Visa gift card and she said she had the hardest time using it. Not many would accept it. What's up with this latest gift card scam .. tampered gift cards. Has the media not done a blitz on this issue yet? It's the holiday season and many are going to be scammed! I will be giving a greeting card with cash or just Cash App family members.
regardless of the resolution of Paris' case, at this point I doubt sincerely I will ever willingly purchase an Apple gift card. To be frank, most gift cards are persona non grata for myself and ~all discerning consumers I know
do not redeem!
Best example I've yet seen of Betteridge's law.
The vast majority of people have no problem using them or else we'd be reading more posts similar to that one
Yet I don’t want to play lottery with hardware I paid thousands of dollars for and with an account that holds hostage a lot of my data and digital purchases.
I’m even fine with big tech having great powers but that needs to be counter balanced by regulations forcing them to be accountable