Google Engineer Fired For Spying On Teen Users; Serious Privacy Concerns Raised
from the privacy-concerns dept
The bigger Google has gotten, the more privacy concerns have been raised -- and with good reason. At times, unfortunately, the company has appeared dismissive of security and privacy concerns, even though it continues to try to make the case that people should trust the company. Sometimes, it feels like Google's critics take Google's comments out of context to slam the company, but that doesn't mean there aren't serious security issues to be aware of -- and the latest news is exceptionally troubling. A report came out that a Google engineer regularly accessed accounts and information from local teenagers he had met, mainly for the sake of showing off to them. Google has fired the guy, and also admitted that it knows of one other similar security breach, which involved another employee who was then fired.What's still rather alarming, however, is that this was possible, and that, despite all of Google's claims of security and procedures to keep these things from happening, the news did not come out until Google was alerted to the actions by parents of some of the teens involved. Google is notoriously secretive on these issues, and its "statement" on this matter, frankly, is pretty weak:
"We dismissed David Barksdale for breaking Google's strict internal privacy policies. We carefully control the number of employees who have access to our systems, and we regularly upgrade our security controls--for example, we are significantly increasing the amount of time we spend auditing our logs to ensure those controls are effective. That said, a limited number of people will always need to access these systems if we are to operate them properly--which is why we take any breach so seriously."That doesn't explain anything about how Google makes sure these kinds of things won't happen again. I certainly can understand that there's always going to need to be some people who can access certain systems, but the question is what Google does to make sure that access is not just limited, but monitored to avoid serious abuses like this. At a time when Google is under such strict scrutiny for privacy issues, this news and Google's response are simply unacceptable.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
Firing not a good idea.
[ link to this | view in chronology ]
Re: Firing not a good idea.
Google has very strict and well communicated policies that prohibit what the employee did with the penalty for violation being termination.
Who gives a flying fuck what little choices the dipshit has after being thrown out of 'Paradise' for breaking the rules of his employment?
[ link to this | view in chronology ]
Re: Re: Firing not a good idea.
Answer me this; which is worse, what this guy did, or an engineer who sits around cruising adult websites all day? In all my years of technology employment I've never heard of anyone who was kept on after it was discovered that they spent their on-clock time surfing adult sites. Arguably what this guy did is worse.
[ link to this | view in chronology ]
Place your bets now
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Indeed. I agree that there's no perfect solution, but given the extra scrutiny on Google, I would think that the company should be a lot more forthcoming.
[ link to this | view in chronology ]
Are logs not monitoring?
Computer logs are a direct way of monitoring system users. It will tell them what information each employee accessed and when. If Google is going to "significantly" increase the time reviewing their logs employees would rarely be able to access any information without Google knowing about it.
This seems to me to make access not just limited but also monitored.
[ link to this | view in chronology ]
Re: Are logs not monitoring?
There are different ways to monitor things. The sense given from the quote is that they monitor stuff after the fact, rather than having systems in place to alert them to potential breaches. That's my concern here. This was only discovered after people complained.
[ link to this | view in chronology ]
Re: Re: Are logs not monitoring?
[ link to this | view in chronology ]
Alright Mike, I normally dont side with the "Another typical mike article" people... but it said right in the paragraph that you quoted what they are doing to "monitor" or in this case they used the word "audit." While monitor implies as it is happening, and audit implies after the fact. Either way they did address what they are doing to fix future issues. Now you can say "Checking after the fact isn't good enough in a 'instant' world of the internet." but Google probably doesn't want to say we closely monitor X, Y, and Z so that people can't figure out how to beat the system as easily.
"for example, we are significantly increasing the amount of time we spend auditing our logs to ensure those controls are effective."
[ link to this | view in chronology ]
[ link to this | view in chronology ]
A little insight.
Do you understand the complexity "monitoring" takes in a system which is comprised of many databases tied together, some probably not even in the same building?
Most companies use the trust system, meaning there are access modes given to employees and while they are monitored, the tools doing the monitoring only get used to prove a breach, not try to prevent them.
Imagine for a second if you were the one hired to monitor each and every single account access. You'd quit within hours.
You often use the "how does a site know what copyright material is owned or illicit" question in copyright discussions but the same type of question can be asked here: How does the monitoring system know the access is legitimate or illicit?
It won't know. It can't know. Google gets a well deserved break on this one, at least by me. At least it had monitoring tools to prove the offender did do what he shouldn't have done.
Also, this should be a very constant reminder of what you, the user, should believe is "private" or "secured". I've stated so many times that once you place data into the hands of someone else, it is no longer private.
Even is these hands are "monitored". If it's controlled by 0s and 1s, there is a breach waiting to happen.
[ link to this | view in chronology ]
Re: A little insight.
I have built a number of secure data stores and one of the most critical part is making sure you can prevent even admin level users from getting to sensitive data. Why isn't Google encrypting emails and requiring the email box owner's username and password to decrypt them? If they are, why are they giving this particular guy access to username/password combinations - particularly in a way that lets him associate it with a real-world person he knows?
There could be reasons that this guy needed access of this kind, but without Google showing us the related dirty laundry, we can assume it is because there security measures in their systems suck.
[ link to this | view in chronology ]
Re: Re: A little insight.
That's why. Google may be called upon at any time to hand over emails. Thus they must have a way to decrypt them without the user logging in. That means someone has access to do this task.
Why should Google show the world it's dirty laundry? It's a private company with an internal procedure that it has followed.
[ link to this | view in chronology ]
Re: Re: Re: A little insight.
That doesn't really play, because if I decide to encrypt an email, if I use strong encryption Google doesn't have a way to decrypt it*. They can certainly be compelled to hand it over (where "it" is the ciphertext), but they cannot be compelled to decrypt it, because they won't have the means to do so.
Similarly, they could decide to encrypt user emails before storing them in their database**, in a way that they would not be able to decrypt.
* without spending either many many years or huge amounts of money on it
** they wouldn't be able to encrypt everything immediately, since they only have access to your password when you type it in. This may be why they don't bother.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
LOL, whatever.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
I love this Blog but, Mike...
I'll let Tommy say it.
"What I'm trying to say is when you buy a box marked guaranteed, all your getting is a guaranteed piece of shit. Hey if you want me to take a dump in a box and mark it guaranteed, I will, I have spare time."
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
try "too" occasionally, as you statement might 'loose' some meaning, if you know what I mean.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
; P
Nobody's immune to errors, I suppose.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
*You
Sentences begin with capital letters....
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Does anyone recall that such spying is Google's purpose?
So they kicked out an unreliable low-level guy. Big deal. Just look at the revealed capabilities, and imagine what if anyone higher up is less than an angel.
Overarching fact is that Google is a SPY AGENCY, tracking us all every way it can. If you regard its spying as okay because "merely" a corporation, you're still a fool.
[ link to this | view in chronology ]
Re: Does anyone recall that such spying is Google's purpose?
One tries to prevent this by having auditing policies, and having strict hiring polices, but not everything can be accounted for.
This is not a sign of Google being evil, this isn't even a sign of Google spying on you. This is a sign of Google being run by people, and people are fallible. At least they found the problem, fired the guy, and announced that it happened. That's better then most companies and governments (if not all).
[ link to this | view in chronology ]
Re: Does anyone recall that such spying is Google's purpose?
[ link to this | view in chronology ]
Re: Re: Does anyone recall that such spying is Google's purpose?
[ link to this | view in chronology ]
Re: Re: Re: Does anyone recall that such spying is Google's purpose?
To make money.
[ link to this | view in chronology ]
Re: Re: Re: Re: Does anyone recall that such spying is Google's purpose?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Does anyone recall that such spying is Google's purpose?
[ link to this | view in chronology ]
Google security breach
[ link to this | view in chronology ]
Re: Google security breach
[ link to this | view in chronology ]
[ link to this | view in chronology ]
you were warned you ignorant sheeple
Now move along...nothing to see here.
[ link to this | view in chronology ]
Re: you were warned you ignorant sheeple
[ link to this | view in chronology ]
Google was notified of a problem and acted. What is the problem? Any time there is a system, someone will abuse it. End of story. Google fired those responsible. Why are we talking about it?
[ link to this | view in chronology ]
Monitoring something in real time is very difficult and is not a productive way to work things. The best way to go is to do a check later on and also at the same time have quick and effective punishment for any transgressions.
This has happened in this case.
I am sure that everybody in Google now knows that their job is on the line for privacy issue violations. It is at least as effective as active monitoring if not more.
[ link to this | view in chronology ]
Re:
Actually, it seems like everybody in Google now knows that their job is on the line if they violate privacy *and* let people know about it. As long as they don't tell anyone, there's no indication that Google will figure it out. That's what I'm concerned about.
[ link to this | view in chronology ]
I think your concern is a bit extreme. Clearly if there's external bragging going on, then yes people will eventually find out, and the dude will get fired. But that's not the only way an internal security group would find out. I'm sure they have various other more automated tools to search access logs looking for suspicious patterns, or have more accurate logging of actions which are more suspicious (i.e. looking at a particular user's account, fetching data which includes PII, or accessing the data of the employee's acquaintances).
If the employee is just browsing individual profiles randomly in a plausible way and never tells anyone, and nobody ever finds out about it, then it can also fall into the bundle of things that aren't worth worrying about, because their impact is miniscule and the occurrence from your view unknowable.
[ link to this | view in chronology ]
Spy
[ link to this | view in chronology ]