They won't let you in, but they keep texting your phone.
If a platform is sending 'did you try to sign in?' SMS prompts to a number on your locked-out account, they have already admitted, in writing, that they know that number belongs to you. That is the single most useful contradiction a locked-out person has. Here's how to turn it into a record that a regulator, a journalist, or a small-claims judge will take seriously.
What is actually happening
You can't sign in. The recovery flow says it doesn't recognise you. But the platform's own security system is sending SMS prompts — usually variations of "Did you recently ask Google to help you sign in to your@email? If not, check your email to find out how to STOP this request." — to the phone number that's been on the account for years.
That message has three properties that work in your favour:
- It is timestamped, by them, on your carrier's records and on your device.
- It names your account, in full, in plain text.
- It is sent to you — which means their fraud system already considers you the legitimate party. The recovery system simply refuses to talk to the fraud system.
The 24-hour rule (do this first)
Wait 24 hours from the most recent prompt before you film anything. Google, Apple and Microsoft all apply a "recent activity" cooldown — typically 24 hours, sometimes 48 — during which any new sign-in is treated as the same session and the system will not produce a fresh denial.
If you record before the cooldown ends, the platform may simply re-show a stale "we sent a code" screen and a journalist or regulator will (fairly) ask whether you tested it cleanly. Wait the day out. Then record once.
The recording itself — what a clean video looks like
You do not need a studio. You need one continuous, unedited take. Use a second device — a friend's phone, an old phone, anything — to film the screen of the device you are signing in on. Do not screen-record alone: a screen recording can be dismissed as edited. A second-device video of your screen, with your hands visible, cannot.
- Set the scene out loud, on camera. "It is [date], [city]. I am [your full name]. I am about to attempt to sign in to my own account [your@email]. I have been locked out since [date]. This is attempt number [N]."
- Show the SMS prompts first. Scroll through the inbox so the timestamps and the message text are readable. This is your contradiction exhibit.
- Go to the official sign-in URL by typing it. Not a bookmark, not a link. accounts.google.com, appleid.apple.com, login.live.com. This kills any "you used a phishing page" argument.
- Sign in slowly. Email, password, every prompt. Pause on each error screen long enough that a viewer can read it.
- Take the recovery path the platform offers. Phone code, recovery email, security questions — every single one. Get every dead-end on tape.
- End by stating the outcome. "It is now [time]. I have completed the recovery flow [N] times today. No human has reviewed my request. I have received no written decision."
Where to keep the video so it can't be silently deleted
- Upload the original file (unedited, with all metadata) to two independent places. Suggested: one place you control (a paid cloud such as Proton Drive or iCloud, or a hard drive) and one neutral public platform (an unlisted YouTube upload from a separate Google account, or a Vimeo upload).
- Hash the file. On Mac: shasum -a 256 video.mp4. On Windows: certutil -hashfile video.mp4 SHA256. Post the hash publicly (a tweet, a comment on your /share story, an email to yourself). If anyone ever claims the video was edited later, the hash proves the file you have today is the file you had then.
- Send a copy to a third party by email the same day — a lawyer, a journalist, a trusted family member. Email headers are tamper-evident timestamps.
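An added example (not part of the original page): a Python equivalent of the hash step that also checks a copy retrieved later against the recorded hash. The helper names `make_manifest` and `verify_copy` and the file names are assumptions for illustration, and the sample bytes are constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so a large video never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_manifest(path):
    """Collect what gets published: file name, size, SHA-256 and UTC time of hashing."""
    return {
        "file": os.path.basename(path),
        "bytes": os.path.getsize(path),
        "sha256": sha256_file(path),
        "hashed_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def verify_copy(path, manifest):
    """Return (ok, reason) for a copy pulled back from one of the storage locations."""
    if os.path.getsize(path) != manifest["bytes"]:
        return False, "size differs"
    if sha256_file(path) != manifest["sha256"]:
        return False, "hash differs"
    return True, "match"


def demo():
    """Constructed stand-in for video.mp4: hash it, then check it and an altered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        original, copy = os.path.join(tmp, "video.mp4"), os.path.join(tmp, "copy.mp4")
        payload = bytearray(b"constructed sample bytes, not a real video" * 1000)
        with open(original, "wb") as fh:
            fh.write(payload)
        manifest = make_manifest(original)
        payload[100] ^= 0x01  # flip a single bit; the length is unchanged
        with open(copy, "wb") as fh:
            fh.write(payload)
        return manifest, verify_copy(original, manifest), verify_copy(copy, manifest)


if __name__ == "__main__":
    print(demo())
```

A copy downloaded back from a video-hosting site has usually been re-encoded and will not match; run the check against the copies kept as plain files.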
The statutes this directly engages
EU — GDPR Article 22. You have the right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects without the right to obtain human intervention. A recovery loop that is provably automated, with no human at the end, is the textbook Article 22 fact pattern.
Source: Regulation (EU) 2016/679, Art. 22(1) and 22(3).
EU — DSA Article 17. Online platforms must provide a clear, specific statement of reasons for any restriction. "We don't recognise this account" issued to the registered phone number is not a statement of reasons.
Source: Regulation (EU) 2022/2065, Art. 17.
Canada — PIPEDA Principle 4.9 (Individual Access). An organisation shall, upon request, inform an individual of the existence, use, and disclosure of his or her personal information and give the individual access to that information. The SMS contradiction proves the request is being made by the individual whose data it is.
Source: PIPEDA, Schedule 1, Principle 4.9; OPC complaint process at priv.gc.ca/report-a-concern.
US — FTC Act §5. An act is "unfair" when it causes substantial injury, is not reasonably avoidable by consumers, and is not outweighed by countervailing benefits. A free Gmail / Apple ID / Microsoft account marketed as recoverable but engineered so that the legitimate owner cannot recover it meets that test.
Source: 15 U.S.C. §45(n).
US — TCPA (47 U.S.C. §227) covers unwanted automated SMS in most contexts. The wrinkle: the texts you're getting are technically consented to, because your number is on the account. But once you have told the platform in writing that you cannot access the account and they continue sending them, the consent argument weakens substantially. Save every "STOP" attempt.
Source: 47 U.S.C. §227(b)(1)(A)(iii); see also FCC Order FCC 15-72 on revocation of consent.
UK — Computer Misuse Act, s.1 (the reverse argument). If someone else is the one triggering the sign-in prompts to your phone — trying to get into your account — that is unauthorised access (or attempted access) to a computer. Report it to Action Fraud with the SMS timestamps. The platform's refusal to give the rightful owner access while a third party attempts entry is the strongest possible set of facts for regulator attention.
Source: Computer Misuse Act 1990, s.1.
Where this evidence goes next
- Write the escalation letter — it will cite the SMS timestamps automatically once you paste them in.
- File the complaint with your national regulator (FTC, your state AG, your EU DPA, the OPC, the ICO) — the video is the attachment.
- Add your case to the public record — include the hash of the video so the timeline is provable.
- Request a Wall verification call — a real human on this network watches the recording with you and signs the receipt. That receipt is what a journalist will read first.
One last thing
This page exists because Allan got pinged on his own phone walking through Ho Chi Minh City — four separate "did you try to sign in?" messages over a week, to an account Google would not let him into. That is not a glitch. That is the pattern. You are not alone, you are not crazy, and the video you take tomorrow is worth more than another year of arguing with a help-centre form.