When Security Meets Reality
by aestetix
In the summer of 2023, my brother tragically passed away. Amidst the grieving and settling of affairs, I inherited his phone, a Google Pixel 6. Normally, I dislike cell phones due to their addictive nature and surveillance capabilities, but I thought it might be nice to turn this phone into a cool project to honor my brother's memory. After verifying that it was O.K. to do a factory reset of the phone, I began to set up a fresh install. I got near the end, when it refused to proceed unless I entered in a recently used password.
It turned out I had encountered a security feature that Google calls "Factory Reset Protection," or FRP. The idea is simple: cell phones are commonly stolen and sold for a big profit on the black market, and by turning them into a very expensive brick, Google wants to curb the theft rate and hopefully protect their customers. This is a good idea and very logical, and probably does dissuade thieves. However, since nobody knew my brother's password, it also affected me.
After some research, I learned that Google had a process for handling data of a deceased individual. I went ahead and filled out a form, added relevant documents such as the death certificate and my own government-issued ID, and clicked Submit. When they responded, there was some confusion. Google said they could either send me a copy of all my brother's data, or delete his account entirely, but they could do nothing else. I had no desire for either of those choices, so I replied with a more detailed explanation, and asked for a phone number where I could call them. I should add that there was no name on the response, just the generic "The Google Accounts team."
The answer to my more detailed message upset me: "As mentioned earlier, we will not be able to comment on specific issues as it lies outside of our scope." Google's support system is partitioned by product, so someone with a Google account issue will go to a different department than someone with a Google Pixel issue, and so on. These departments apparently do not talk to each other at all, and they seem incapable of handling an issue like mine which involved two areas, the phone and the account to which it was connected. This is fairly ironic, given the efforts by Google to integrate all of our accounts and services into a unified system. But more germane to my situation, I had a support need which was apparently not covered by their procedures, and they did not care.
At this point, I should mention that I did try technical solutions, including purchasing tools which claimed they could unlock the phone. However, most of those tools are actually aimed at non-Google brands like Samsung, and do not work on actual Google hardware. When I asked for technical help in forums, people accused me of theft, lying, or generally took Google's side and dismissed my issue. Needless to say, I did not continue pursuing that route.
I tried every option I could imagine: I reached out to a friend of mine, a lawyer in the Bay Area who was interning at Google's legal department. That went nowhere, despite my lawyer friend's best efforts. I also reached out to a friend who worked at Google as an engineer. According to him, Google does not care about my issue because they view everything in terms of money: while the phone has a lot of sentimental value to me, to Google, it is just a thousand-dollar disposable piece of hardware. When Big Tech companies are nearing or exceeding a trillion dollars in revenue, I guess that a thousand dollars seems like pocket change. Beyond that, the average employee might make so much money that they can't see that this is something completely unaffordable for people who do not earn Big Tech salaries. I also learned from my lawyer friend that Google is notorious for their horrendous support, to the extent that the small claims court in Santa Clara County, where Google is based, has turned into Google's de facto support center. Simply put: if you want Google to pay attention to you, you have to file a lawsuit against them.
Thankfully, there is a happy ending to this. After a few attempts at hacking the phone, I was finally able to bypass the FRP by plugging the phone's USB-A connector into another Android phone with a double-ended USB-A cable. This tricked my Pixel into thinking it needed to mount a drive, and opened up a menu I could navigate to exploit a security hole and set up a new account. Once I did that, I logged into the new account, removed my brother's account, and was good to go. But that was a lot of work (and some luck), and a trick most people do not have the technical skills to perform. And of course, I'm lucky that I found a security hole that Google doesn't care enough about to "fix."
This saga left me with two big concerns. First, Google's attempt to automate human contact out of their support system has clearly failed. I'm not the first to run into an issue like this. There are reasons why respectable companies have phone numbers and ways to reach an actual human being. It's hard to say why they have turned into this kind of beast. Perhaps the decades of perks like in-house laundry services and free gourmet food, designed to keep employees working longer and longer hours, had the unintended side effect of putting those same employees out of touch with real-world scenarios. Or is there some fallacious reasoning whereby they don't care about the little guy as long as they can make their bottom line? I'm not sure if Google has become evil, or if they are just incompetent now.
The second is equally important. When "hacking" morphed into the "security industry," the focus turned away from exploring systems and towards preventing others from exploiting them. On one hand, security could be seen as always good. If you have a boat, you want to make sure to plug all the holes so that water doesn't leak in and you sink. If you have a technical system with no known holes, you can operate with a sort of assurance that you will not be attacked. But a good systems designer will always leave themselves a back door.
Consider Microsoft BitLocker: when you encrypt your drive, they make you download a special recovery key to store locally in a safe place, in case you forget your password. In the real world, people forget their passwords, and not having a "just in case" backup plan for emergencies can lead to disaster. This is clearly what happened with Google. By designing a system to be extremely secure, they neglected to create an alternative process by which someone who was locked out could reclaim their access. It reminds me of a 1983 Italian movie, A Joke of Destiny, in which a government minister accidentally locks himself inside of a secure car; the whole movie is about people trying to get him out.
There is a saying I've used often over the years: in theory, there is no difference between theory and practice. We really need to set a better balance to ensure that security models reflect real needs, and that when they fall short, we side with reality, not security.