
What kind of productive, actionable result can this notification lead to for a regular user? "Oh, my government may-or-may-not be attacking me, I'm not even sure because it doesn't say, in any case I better just push this magic fix-it-all-up button I have right here."

I can't see how this can be differentiated from simple underhanded FUD-driven political activism.



How about the steps noted in the post? Make sure you have a good password, use two-factor authentication, and be careful about clicking on any login links? It could also be incentive to change accounts, or change to a different communication mechanism. As long as this warning is triggered by actual data, I am not sure how you could categorize it as "FUD" or even political activism. Hacking into accounts should not be political - it should be criminal.


> Here are some things you should do immediately: create a unique password that has a good mix of capital and lowercase letters, as well as punctuation marks and numbers; enable 2-step verification as additional security; and update your browser, operating system, plugins, and document editors. Attackers often send links to fake sign-in pages to try to steal your password, so be careful about where you sign in to Google and look for https://accounts.google.com/ in your browser bar. These warnings are not being shown because Google’s internal systems have been compromised or because of a particular attack.

How does any of this differ from regular user advice? And note the last sentence, they are explicitly admitting the warning relates to nothing in reality beyond the normal environment. Do we suppose that people in China aren't aware their government spies on them? Do you suppose your own government does not?

I don't understand why this banner isn't shown to all users - China or otherwise, or why show it at all. Do something actionable and meaningful - introduce password complexity requirements, mandatory 2 factor authentication, require use of a signed browser with pinned SSL certificates - anything but non-specific nonsense that does little but promote unactionable fear in the hearts of thousands of users.


Don't forget that government officials, defense contractors, etc. also use Google products. Not all hacking is criminal or local. Some of it is geopolitical in nature.


> What kind of productive, actionable result can this notification lead to for a regular user?

The users may make their account more secure and take more care of their physical security?

I don't understand what makes you so upset. I find this nice. Are you saying that Google will be misusing this to make some states look bad?

If you were at Google, what would you propose? Do nothing with accounts that you know are being attacked by states?


Apart from this being very empowering to the individual user, it is also a wake-up call to states who have any interest in participating in an international community that they cannot act without consequences, potentially making it an effective deterrent to this kind of behavior in the future.


Maybe you could stop using Gmail or stop discussing next week's protests.


Or even start including deliberately misleading information in your communications.


2-factor logins require you, in addition to 'knowing' the password, to prove that you 'have' a token (e.g. mobile phone possession). It makes your account significantly harder to crack.


Potential productive responses are detailed in the OP.


They can stop downloading attachments. That's a 99% fix to the problem Google is reporting.



