Blog entry by Les Bell

by Les Bell - Sunday, 7 August 2022, 11:35 AM

The whole concept of identity is a complex one, and this was brought home to me by events of the last week.

I work from home, as does my better half. We have dedicated offices, quite a sophisticated network setup (as you'd expect) and some years ago we switched from using an on-premises Lotus Notes and Domino setup to Google Workspace domains to provide email, calendar and other services for our businesses. This reduced my admin workload markedly, which was a great relief, and Workspace has turned out to be a great resource for many collaborative tasks - you'll notice that some of the course slides on this site are maintained in Google Slides, for example, and we make heavy use of Google Meet, Chat, Groups and Spaces, etc.

We also have a smart home, with voice-actuated lighting, Chromecast with Google TV, Chromecast Audio devices for music in various places, voice-controlled air conditioning and rooftop solar PV which is monitored using a Google Sheets-based dashboard. I also have uploaded music in what used to be Google Play Music and is now YouTube Music, as well as purchased movies in Google Play or YouTube or Google TV or whatever it's called this week.

A couple of weeks ago, our doorbell died. It's a classic battery-operated electro-mechanical chime, suffering the ravages of time and corrosion, so I searched online for a replacement. Nobody makes them any more - the closest replacements are completely electronic, with synthesized tones that really don't appeal. But we already have a home full of smart devices, so the obvious answer is to add a smart doorbell, and an even more obvious next move is to extend our Google ecosystem with a Google Nest doorbell.

Now, I'd already had some hints that this might not be straightforward; our Google Nest smoke detectors don't work in the Google Home app, instead requiring the Nest app. And I found I couldn't set up the Nest app using my Google Workspace account - it gave spurious error messages and in the end I had to resort to a free Gmail account, which is now doing little other than attracting spam.

But I attributed that to the Nest app pre-dating the Google acquisition. By now, surely, Nest had been integrated into the Googleverse, their developers brought up to speed on the Google Way of doing things? And indeed, a Nest Hub I'd bought had configured itself with no problems. So the doorbell should work with it, right?

Boy, was I wrong!

I ordered a doorbell from the Google Store, and it duly arrived. I immediately ripped the package open and set about following the setup instructions, which involve scanning a QR code printed on the doorbell and its packaging. However, when I got to a step which involved "Supplemental Nest terms", on tapping "I agree" I got an error message: "Request contains an invalid argument" and the setup process hung. No matter what I tried, I could not get past that point.

So I did all the usual things, and ended up requesting an online chat session with Nest support (in my experience, it's easier to debug phone-based setups without using the phone, and the chat session also preserves a record - something I felt might be useful).

To cut a long story short, Google's response is essentially that a Google Workspace account is not a Google account. In essence, "thanks for being a paying customer - screw you".

The support tech asked me to use a different email account. I said I wouldn't.

I asked, "Are you saying that a Google device will not work with a Google account?", and got the reply, "It will work with a Google account but it should not be any business account".

No matter what I said, the answer was, "Create another account". That won't work - and there's a very simple reason - every other device in our household is configured to use my Google Workspace account.

In the interests of fairness and accuracy, I later did do what they had recommended - I set up the doorbell using a free Gmail account, and guess what? It worked, but was useless, since whenever the button was pressed, nothing happened on any of the Google Home or Nest Hub devices in our home.

So I went back to the Google Store, and filled in their Returns form - and the very first pull-down option for the return reason in the form was "Does not work with my account". It certainly looks like this is a common complaint.

Why Is This So?

Look, I'm a security architect. I get it. In a Google Workspace account, the data is managed by the organization that runs the domain - in my case, that's my company. Google obviously feels that doorbell events, video recordings etc. are personal data that shouldn't be available to an employer.

But guess what? I am the employer. There's a conflict between Google Workspace and the Google Home app and its related devices when, as in my case, your Workspace is your Home.

Besides, there are lots of small businesses that are located in converted warehouses, terrace houses (very popular in inner Sydney suburbs and North Sydney) or even suburban brick veneer house-like premises that actually have a front door and need a doorbell. Retail jewelers are an obvious example, but I can think of market research consultancies, accountants, advertising agencies, dentists and optometrists, medical specialists and many others that work this way. In this case, the owner of the doorbell is in no sense a person - it's the business.

We've seen this problem of corporate vs personal data being accessed by corporate or personal systems before. When the Google Home devices and the related Google Assistant feature for phones were first introduced, they were able to access email and calendar information for free Gmail accounts only. I suspect Google were concerned that allowing "home" devices to access information in Workspace accounts would cause them problems in passing SSAE 18 SOC 2 and 3 audits and the like (it's interesting that these devices use voice matching to identify who is speaking and respond appropriately - but this is not really authentication).

But then, a beta program was opened up, and eventually the feature was made fully available. Each morning the little speaker on my desktop greets me at 8:30 am and then tells me my appointments for the day, and will answer questions like "when is my next meeting?". The feature needs to be enabled in the Google Workspace admin console, but that's completely appropriate.

This is a risk management decision that needs to be made by the customer and not by Google. If someone is able to get into my office and somehow access sensitive data by talking to a smart speaker, I've got much bigger problems, primarily with physical security, than I do with voice authentication. I'd probably want to upgrade my physical security controls - perhaps by installing Google Nest cameras and a Google Nest doorbell . . . Oh, wait . . .

Google needs to similarly configure a flag which allows a Nest doorbell owner to accept that their doorbell data will be stored in a Workspace account and - shock! horror! - accessible by their employer, which is themselves. (In fact, I'm not entirely sure that Workspace admins can access that kind of profile data - I can't see anything like it in my own Workspace admin console.) Or it needs to allow a Google Workspace account to define locations which can be managed by Google Workspace.

At heart, the problem is one of our multi-faceted identities. Some of us do have a personal identity and a work identity, and possibly others. Google expects these to be different accounts. However, for some people these are just different facets of a single identity, or maybe it's all one.

For Google, this is a big problem that needs to be addressed.

I've struck lots of problems because of having a Workspace account. The first was trying to get a Xiaomi Mi Box running Android TV to work; because we had implemented mobile device management, and Workspace assumed that this Android device must be mobile, yet could not run the necessary agent, I never did manage to get it to work.

Then the ability to set reminders was removed, "in order to improve the product". My reminder to plug in a backup drive simply stopped working. I can't tell my smart device to remind me to move my laundry to the tumble dryer in an hour, because I'm a Google Workspace user.

Then there were the Nest Alert smoke detectors - but then, I don't think even ordinary Gmail account users can see them in the Home app yet. If I try to invite my better half, who shares this home, to join the Google Home, I get yet another spurious "Unable to send invitation - try again later" message. Google One cloud storage, which I got free when I bought a Pixel phone, is not available to me. Family sharing won't work.

The list goes on, and on. This is a problem that crops up again and again in Google's support communities, where volunteers simply tell those who complain what they already know - "this feature is not supported for Workspace accounts. Have a nice day". Don't tell us - tell Google. Before long, threads are simply locked or deleted, to avoid the extent of the customer unrest becoming obvious.

Nobody in senior management at Google seems to have any coherent strategy for building a Google ecosystem, or leveraging their product lines. Products are launched, achieve popularity and are then withdrawn, to join many others in the legendary Google Graveyard. But if you are a paying Google customer, it's even worse: everybody else's products work better for you than Google's. Ring doorbells, Sonos speakers - you name it.

I can't imagine any other company managing to do so much to alienate their best customers.

Epilogue

You couldn't make this stuff up. Here's a newly-posted Google Workspace "Ask Me Anything" video on the subject of cloud identity. Less than four minutes in, the presenter is selling the virtues of a single cloud identity by pointing out that having to have multiple identities, with different credentials, is time-consuming, not secure, and an unpleasant user experience, requiring different passwords.

https://www.youtube.com/watch?v=c6ddHRc_f0M

So why is Google's answer to the problem of its own products not working with Google Workspace, "create another identity"?

There's an old saying: don't pee on my leg and tell me it's raining.

[ Modified: Sunday, 7 August 2022, 8:31 PM ]