Way too risky to use Google services like this tied to your primary account. There’s too much risk of cross damage. Imagine losing access to your Gmail because some Gemini request flags you as an undesirable. The digital death sentence of losing access to your email with a company that notoriously has no way for the average human to contact a human is not worth the risk.
Use a custom domain and don't use google for email.
And if you do use your gmail address just forward it and start to transition to something else. With time everything of importance has been transferred.
There was a time back when we could get generic LoginWith OAuth buttons along with the social media roster, allowing one to use whichever provider they wanted.
Current state of OIDC should be pretty much standard across most providers - it put it that devs need to make the push to support alt login providers for preventing vendor lock-in in identity like we're currently barreling towards in hardware/software.
Use your own domain to sign up for a paid email service, provided by a company that focuses on email. I use Fastmail, but there are many other options.
Set up forwarding in Gmail to your new address.
Then, whenever you log in to a website or app with your Gmail, take a moment to change it to your new address. In a few weeks, most of your important accounts will be covered. In a few months, almost everything you still actively use will be done.
I did this ~5 years ago and the only thing that still arrives at my Gmail is spam.
I just sold a domain I had for 25 years and used for everything including API endpoints, email, authentication, etc. It took a couple weeks to transition myself and my family/friends.
Pretty sure just moving emails would have taken a lot less effort. I had the advantage of keeping the domain until I was ready to move, now imagine Google just turned it off one day and what your workload would be. I shudder to think about having to deal with that.
Get your own domain so you can easily change providers in the future. Start with your password manager and change the address on all the accounts you have in there.
After a few years you'll notice you stop bothering to check your Gmail and you can delete it to close the address.
If you need motivation, skim the /r/GMail subreddit and see how many people are getting locked out daily.
Do you have a recommendation for a major email provider as a fallback if you have to pick one?
I vaguely recall encountering a service that only accepted addresses from a whitelist of big providers (Gmail, Yahoo, Outlook, etc.), even @icloud did not qualify.
That's a service that doesn't want your business. If you care, message them about it.
I've never once run into a service with such a restriction, but I can imagine someone being that short-sighted. I have seen services that only support "log in with Google or Facebook", which is comparably terrible.
Discogs will not let me log in with my own domain (of 30 years) and required one of the big providers. It kept complaining about "risky domain". But that is the only incident I can think of.
Although I am increasingly concerned with its longevity since there's a non-zero risk that Proton might shut down SimpleLogin since Proton Pass has its own alias feature.
This wasn't due to some random Gemini request. Users were using sketchy antigravity auth plugins to use their antigravity tokens on things like OpenClaw, clearly against ToS. It's great that Google is giving these users a second chance.
Yes, our masters once again embarrass us unworthy peons with their endless grace, generosity and forbearance. How lucky we are to entrust our data and our lives to them!
If a 3rd party product advertises compatibility with a Google service and you use it to login via a first party Google login page, doesn’t the responsibility fall somewhere between the offending product and Google itself? In practice it’s structured pretty much like a phishing attempt.
Notably some model providers explicitly allow that very flow, while others will ban you without notice.
Why do you call it self-hosting? It appears to be an installable app with a fancy homepage. At what point does the software being covered by an open license change the responsibility model?
The concern is not losing access to some new IDE for operating outside the terms of service. The concern is when you lose access to the IDE, you also lose access to your 20 year old Gmail account.
A general problem for Google products is that everything is mixed together.
Okay but they were paying customers paying $$$ for the service. Banning your customers without prior warning is not right, however sketchy their behaviour might appear. Even if it's obvious to Google that there's a difference between a Gemini API key and an Antigravity API key, it's not necessarily obvious to others.
The correct and sane thing to do is to send them an email, with at most a 24 hour suspension. If they keep doing it despite being warned then by all means fire them.
No Google account has been banned for this. People just keep spreading this lie because no one agrees that they have the right to steal the OAuth token.
I’ll go further: there should be laws addressing account consolidation. Getting banned from an Apple or Google account is an incredibly wide blast radius. It would be like being banned from buying Unilever or Nestle food from your grocery store.
Email providers should be utilities and also legally require a warrant before disclosing any information whatsoever to the government.
Unfortunately the government is full of corrupt geriatrics who do not understand technology and are paid to continue not understanding technology as they sign bills prepared for them by ALEC.
yeah exactly have you ever tried to call Google support? it doesn't exist. the only way to contact Google is by posting something on news.ycombinator.com and then hoping that some person who works at that company actually responds to you and logs in somewhere and then changes your access.
The danger here is they'll ban you with no specific reason, fill out the form and you get an automatic unban and then something else automatically flags and you're banned the second time permanently.
Support bot will then say "you were warned, read the TOS" and you get to guess what you did wrong.
You'll notice there are no appeals or reviews in this workflow.
Google has no credibility when it comes to handling account bans.
Ex googler here. It is based on Google’s fundamental disdain of customers. Googlers are repeatedly told by management that they are the smartest people in the world and that their time is too valuable to spend on silly things like helping customers.
Google has zero customer service. using them for anything serious makes no business sense. the only thing that they're good for is serving ads to people, and they have a support team for that, but only if you're spending a lot of money, and even then good luck finding it
> Using third-party software, tools, or services to harvest or piggyback on Gemini CLI's OAuth authentication to access our backend services is a direct violation of Gemini CLI’s applicable terms and policies.
It's been 2 months since these bans have started, first Anthropic, then Google. And their wording is still so confusing that I can't get a simple answer to a simple question:
Is piggybacking on headless 'gemini-cli -p' or 'claude -p' a TOS violation? Because there's really no reason why you can't do exactly what these tools did that caused these two companies to start giving out bans.
Unless you're in for a very specific configuration of models for some niche concern, CLIs give you nearly exact same access to the backend that snatching an OAuth token from them does. They give you JSONL for stdin, JSONL for stdout, and if you spin up a local proxy, you even get the same exact API contract in responses that you get from public APIs.
In fact, I already built a small tool for myself that does exactly that, to allow usage of alternative harnesses I prefer. Once I release it to the public, will -p be banned too?
I think the issue is people are using tools in an automated fashion and running up a compute bill for free when they were only meant to be used by humans in a more limited capacity (for companies to gather data on how to improve their products for humans). I think the correct way to use these models in an automated fashion is via the APIs and even then they might also worry about things like abuse/distillation type attacks still if the volume is too high. I think the lack of transparency might actually be by design so that people abusing their services don't figure out what triggers them losing their accounts. I could be wrong of course, this is just speculation on my part.
I still kinda wish that the subscriptions would just allow you to use the tokens however you wish.
I get that they rely on people not using all of their quota. But e.g. with open code it doesn't really matter if I use antigravity or gemini-cli the usage should be about the same.
What they are actually trying to force you to do is to pay for the tokens that you don't use in their applications to increase their revenue and/or give their in-house tools an "unfair" advantage. But this is bad for the consumer because it means that there is less competition between coding agents and unless I'm willing to pay per token I have to take one of the model labs agents.
Anticompetitive behaviour imo; they could just ban reselling tokens or something like that instead of locking your subscription in like this.
> I still kinda wish that the subscriptions would just allow you to use the tokens however you wish. I get that they rely on people not using all of their quota. But e.g. with open code it doesn't really matter if I use antigravity or gemini-cli the usage should be about the same.
This is almost as realistic as "I wish netflix or youtube allowed me to use VLC to watch their content".
The easiest way to watch a movie in the player of my choice - even if i have legal access to it because it's in my netflix subscription - is to download it off piratebay.
Add to that Netflix's shitty discovery system, I'm pretty sure I watched some downloaded movies in spite of actually having legal access to them.
Oh, remember when PC games used to come on disks? For the Netflix example I can only guess, but I'm 100% sure I downloaded isos for games I had actually bought and had the physical disc... somewhere.
i don't believe this is a significant driver of piracy tbh, normal people don't care about that kinda thing :P
especially considering most modern movie/tv piracy is free streaming websites - shitty quality and awkward player controls, definitely no choice of player here
I do wish that though. I have given up on streaming services, I am not paying for this bullshit experience. We used to have all the content unlimited on one service for like $10/mo. I can accept prices increasing with inflation but society should not accept such a backslide in service quality.
> I get that they rely on people not using all of their quota
They have no problem with users using their quota on their own software. Because they get the signals. They do have a problem with users using the API in 3rd party software, because they don't get the signals.
> But e.g. with open code it doesn't really matter if I use antigravity or gemini-cli the usage should be about the same.
This is not at all true. What is prompting this behavior from Google and Anthropic is that people are using their oauth creds/API keys to run OpenClaw bots that use orders of magnitude more tokens than the IDEs. The official clients also can use a lot more prompt caching because they have expected workflows.
And like, if you want to run OpenClaw, they’re not saying you can’t do that: use the API pricing, that’s what it’s for. But people are getting mad that they’re not allowed to roll their pickup truck up to the all-you-can-eat buffet table and fill it.
What I don’t understand about policy violations is why Google never warns the user before banning. A simple alert or email would reduce so much frustration on the part of users and so much overhead for Google.
ToS change frequently and it’s not really fair to assume the user knows what is and is not correct use of tokens.
Not just Google. This seems to be the default for most tech giants. I was banned on Facebook for an unknown reason, not provided any explanation, and given zero recourse. Had to resort to reaching out to a friend who worked there.
problem is google's security concerns. when people connect gmail to openclaw, google flags the activity as weird and suspends the account because of unusual activity. Many whose accounts got locked because of this thought it was because they connected it to antigravity use against the policy (which happened in some cases). We will still see google account suspensions, and that would keep making news. and it won't be because of antigravity usage.
All this whole thing did is ensure I never, ever use any google AI service. The fact that they didn't instantly comprehend what a total account ban means when they've got people with 20+ years worth of personal data in those accounts is incredibly concerning.
It’s interesting that with both Anthropic and Google we’re seeing them develop agentic models that are supposed to do anything a human can do on computers without human intervention, but at the same time, if you plug one program into another of their programs or APIs in a way that wasn’t preapproved you may be blocked or banned.
To be charitable, maybe they’re expecting AI agents to eventually start reading the ToS docs
Just wanted to say that Windsurf is chugging along just great. No drama for users, excellent outputs at low cost. I am confused why they are not used more widely.
I see a lot of comments in google's defense, part of me wonders what's the split between google employees (even so people in teams related to these products) and normies who ignore the true underlying issue here…
Google consistently fails to provide a process to deal with user issues.
You do not see many reports of these at Amazon, Microsoft, Apple, and many more providers. Though Meta learns from google I think.
this is the long-standing problem with using Google services. either they become deprecated and removed without notification, or they outright ban you for using tools as intended. either way, using Google tools for anything doesn't make business sense to anybody who's seen the history of this.
Complete risk to use google products like this with your real account. My youtube is still banned over uploading two clips of Dexter's Laboratory over 15 years ago.
Today I could have uploaded them fine, and let whoever owns the cartoon make money. I was just a fan of the show.
cool. now do something about the hundreds/thousands of people getting rate limited on Antigravity even after upgrading their plans, even on their $250/month plan.
Another recent concern on other posts here on HN is whether a private company should have veto power over the US government. Or, another way to look at it, whether the US government should be able to designate a company as a supply chain risk and ban them from most business in the host country.
If I squint at the conversation, it doesn't seem that different from a behemoth company taking an employee of a private company and forcing them to still stop working for arbitrary reasons.
I'm giving agents and coding tools wide berth here, but if AI is going to replace all employees, what guarantees do you have as the employer that your employees will do your bidding, and not the bidding of enterprises with a shifting moral landscape?
Once we have tooling wrapped around specific agents, it'll be hard to rehire. What will we do then when our "employees" are furloughed?
This will be especially relevant when the big AI labs decide they need to enter a market to justify an obscene valuation. Or, when the sovereign wealth fund decides they don't like the direction of a business.
This is a good and honorable decision by Google. But it also brings up scary times ahead.
Making a new local account on your machine is a good first step.
What's the playbook for migrating away in this situation?
I switched to fastmail with my own domain.
It's not evil of Google to say "Here is an allotment of steeply discounted tokens, but you can only use them with our services."
"Google Shuts Down Gmail For Two Hours To Show Its Immense Power"
That's exactly what they did, plus Gemini CLI and Code Assist, which are the same product in different formats.
I hope this is sarcasm. A permaban as the first action is never a good idea.
If people lost access to their whole accounts that would be a major crisis for Google users. But it doesn't seem that that was actually the case.
This doesn't make it super clear, but, the submission from a week ago when bans got handed out: https://news.ycombinator.com/item?id=47115805
However many stories appeared where people tried to claim that their whole Google account was banned to gain traction.
Unless it is clear that a full Google account has been banned we should push back on any story that claims this.
By now they lost any trace of goodwill they ever had and are guilty until proven innocent.
A week? Try at least 16 days
https://discuss.ai.google.dev/t/account-restricted-without-w...
But that's the sole reason why all of the tools have headless modes. Headless mode is textbook definition of supporting automation.
From gemini docs: [1]
> Headless mode allows you to run Gemini CLI programmatically from command line scripts and automation tools without any interactive UI.
And claude code:
> Use the Agent SDK to run Claude Code programmatically from the CLI, Python, or TypeScript
Why does headless mode exist if using it is a bannable offense?
[1] https://google-gemini.github.io/gemini-cli/docs/cli/headless...
[2] https://code.claude.com/docs/en/headless
> bans for Antigravity usage also blocked access to Gemini CLI and Gemini Code Assist.
Disclosure: I work at Google, but not on anything related to this.
https://discuss.ai.google.dev/c/antigravity/64