[Note: I am too depressed by the general election to even begin to talk about it, so instead I’m having a rant about tech companies’ inability to communicate usefully.]
Every now and again I get an email from Google with the subject “Google Account: sign-in attempt blocked”.
We recently blocked a sign-in attempt to your Google Account.
Okay. Want to tell me why? No?
Sign-in attempt details
Date & Time: Friday, 8 May, 3:16 p.m. BST
Location: London, UK
Well, I am in London and several devices are powered up here.
If this wasn’t you
Not really enough information here to be able to tell one way or another. Was the sign-in attempt on the Google website? From my email client (on phone, iPad or iMac)? Or maybe my feed reader refreshing in the background as that uses Google as a login? Any hints?
Please review your Account Activity page at https://security.google.com/settings/security/activity to see if anything looks suspicious.
Google wants me to work out whether something was suspicious. When it has presumably already decided that it was suspicious, given that it blocked the attempt…
Whoever tried to sign in to your account knows your password; we recommend that you change it right away.
Oh! So this was a person trying to get into my account. Bugger.
If this was you
Again… Give me something to go on so I can tell if it was or not…
You can switch to an app made by Google such as Gmail to access your account (recommended)
So… It was an app? I’m confused… And how about a link to a page with information about apps made by Google? Just a thought.
or change your settings at https://www.google.com/settings/security/lesssecureapps so that your account is no longer protected by modern security standards.
Well that sounds like a jolly fine idea. NOT. And that linked page? On it there is just a warning that this will make your account vulnerable and an option to turn “Access for less secure apps” on and off. I’m not sure what else I want to see here, but somehow there should be something.
To learn more, see https://support.google.com/accounts/answer/6010255.
The Google Accounts team
That support address at the end? At first glance that looks like it might have some useful information. It even lists some apps that don’t have “modern security standards”. Like the iPhone Mail app on iOS 6 or below (we’re on iOS 8 now)… It also says that I should see a “password incorrect” message when they block an app. Nope. Never seen that. The rest of it is just a repeat of the “get a Google app or turn off security” advice in the email.
After reading the email, I go to the Account Activity page and, yay, there is more detail.
For a start it tells me the IP address the access attempt was made from. Why on earth isn’t this information in the email along with the date and time? Seriously, this one piece of information would immediately avoid any panic, as, so far, it has always been my home IP address. So yes, it was me or one of my devices.
It also tells me that “Google blocked a less secure app from accessing your account.” So, not a person who knows my password then. An app. An app that apparently cannot be identified, even though it is almost certainly Apple mail on either my iPhone or iPad. But of course, the type of device the request came from can’t be identified either.
I’m starting to think the problem is Google’s, not mine.
I’m also not sure which I’m more annoyed about: the useless scaremongering email or the fact that, according to the activity page, Google has blocked a whole bunch of other (unidentified app/unidentified device) accesses in the last week and not bothered to tell me!
I’m all for online services keeping an eye on login activity, watching out for anything that looks a bit dodgy, and letting the user know when they spot something. But if the contact with the user is unclear (app? person?), doesn’t give all the relevant information (IP address and BTW it was an app) and gives confused instructions (change your password now, oh, was it you?), then they might as well not bother. A lot of people will either just panic at the mention of blocked sign-in attempts or will ignore it completely because they don’t understand it or are too frustrated to try and figure it out.
Communicating technical information to people is hard, especially when you don’t know their level of expertise. You don’t want to confuse people who just know how to use the apps they need, and you don’t want to treat people who are technical as though they know nothing. And you can’t assume that either group will be prepared to research past the information in the email you send them. So, yes, it is difficult. But it is vital to get it right, especially when you’re dealing with security issues.