Google Engineer Fired For Spying On Teen Users; Serious Privacy Concerns Raised

from the privacy-concerns dept

The bigger Google has gotten, the more privacy concerns have been raised — and with good reason. At times, unfortunately, the company has appeared dismissive of security and privacy concerns, even though it continues to try to make the case that people should trust the company. Sometimes, it feels like Google’s critics take Google’s comments out of context to slam the company, but that doesn’t mean there aren’t serious security issues to be aware of — and the latest news is exceptionally troubling. A report came out that a Google engineer regularly accessed accounts and information from local teenagers he had met, mainly for the sake of showing off to them. Google has fired the guy, and also admitted that it knows of one other similar security breach, which involved another employee who was then fired.

What’s still rather alarming, however, is that this was possible, and that, despite all of Google’s claims of security and procedures to keep these things from happening, the news did not come out until Google was alerted to the actions by parents of some of the teens involved. Google is notoriously secretive on these issues, and its “statement” on this matter, frankly, is pretty weak:

“We dismissed David Barksdale for breaking Google’s strict internal privacy policies. We carefully control the number of employees who have access to our systems, and we regularly upgrade our security controls–for example, we are significantly increasing the amount of time we spend auditing our logs to ensure those controls are effective. That said, a limited number of people will always need to access these systems if we are to operate them properly–which is why we take any breach so seriously.”

That doesn’t explain anything about how Google makes sure these kinds of things won’t happen again. I certainly can understand that there’s always going to need to be some people who can access certain systems, but the question is what Google does to make sure that access is not just limited, but monitored to avoid serious abuses like this. At a time when Google is under such strict scrutiny for privacy issues, this news and Google’s response are simply unacceptable.

Filed Under:
Companies: google

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Google Engineer Fired For Spying On Teen Users; Serious Privacy Concerns Raised”

Subscribe: RSS Leave a comment
46 Comments
Andy (profile) says:

Firing not a good idea.

It probably would have been better if the engineer had been demoted to a position that would keep him out of the accounts and GMail/Chat databases, yet let him keep doing useful work for Google. Just firing him, from what to some is Paradise to a traditional hacker, would leave him with little choice but to engage in crackery to make a living.

interval (profile) says:

Re: Re: Firing not a good idea.

Agreed. This guy is a liability, at the least, and a bonafide nut job and possible postal employee of the month at the worst. There can’t be any room in a supposedly professional organization for such a guy.

Answer me this; which is worse, what this guy did, or an engineer who sits around cruising adult websites all day? In all my years of technology employment I’ve never heard of anyone who was kept on after it was discovered that they spent their on-clock time surfing adult sites. Arguably what this guy did is worse.

halley (profile) says:

I am a pretty strong privacy advocate, but I fail to see how this story is not exactly the kind of “grandstanding” that you often thrash the various politician-cum-prosecutors for. Every single organization has to deal with effective policies and what to do with internal people who fail to follow the policies. There is no technical uber-solution that can fully address the existence of impropriety, and there is no general right that every policy or technical half-solution must be publicly explained.

Kaega (profile) says:

Are logs not monitoring?

In the quote you provided from Google they say “… we are significantly increasing the amount of time we spend auditing our logs to ensure those controls are effective.”

Computer logs are a direct way of monitoring system users. It will tell them what information each employee accessed and when. If Google is going to “significantly” increase the time reviewing their logs employees would rarely be able to access any information without Google knowing about it.

This seems to me to make access not just limited but also monitored.

ComputerAddict (profile) says:

“That doesn’t explain anything about how Google makes sure these kinds of things won’t happen again…but the question is what Google does to make sure that access is not just limited, but monitored to avoid serious abuses like this.”

Alright Mike, I normally dont side with the “Another typical mike article” people… but it said right in the paragraph that you quoted what they are doing to “monitor” or in this case they used the word “audit.” While monitor implies as it is happening, and audit implies after the fact. Either way they did address what they are doing to fix future issues. Now you can say “Checking after the fact isn’t good enough in a ‘instant’ world of the internet.” but Google probably doesn’t want to say we closely monitor X, Y, and Z so that people can’t figure out how to beat the system as easily.

“for example, we are significantly increasing the amount of time we spend auditing our logs to ensure those controls are effective.”

R. Miles (profile) says:

A little insight.

“…but the question is what Google does to make sure that access is not just limited, but monitored to avoid serious abuses like this.”
Do you understand the complexity “monitoring” takes in a system which is comprised of many databases tied together, some probably not even in the same building?

Most companies use the trust system, meaning there are access modes given to employees and while they are monitored, the tools doing the monitoring only get used to prove a breach, not try to prevent them.

Imagine for a second if you were the one hired to monitor each and every single account access. You’d quit within hours.

You often use the “how does a site know what copyright material is owned or illicit” question in copyright discussions but the same type of question can be asked here: How does the monitoring system know the access is legitimate or illicit?

It won’t know. It can’t know. Google gets a well deserved break on this one, at least by me. At least it had monitoring tools to prove the offender did do what he shouldn’t have done.

Also, this should be a very constant reminder of what you, the user, should believe is “private” or “secured”. I’ve stated so many times that once you place data into the hands of someone else, it is no longer private.

Even is these hands are “monitored”. If it’s controlled by 0s and 1s, there is a breach waiting to happen.

Michael (profile) says:

Re: A little insight.

There may be a reason that this employee needed access at a level that allowed him to read email from someone’s inbox, but Google has not really told anyone what that reason is.

I have built a number of secure data stores and one of the most critical part is making sure you can prevent even admin level users from getting to sensitive data. Why isn’t Google encrypting emails and requiring the email box owner’s username and password to decrypt them? If they are, why are they giving this particular guy access to username/password combinations – particularly in a way that lets him associate it with a real-world person he knows?

There could be reasons that this guy needed access of this kind, but without Google showing us the related dirty laundry, we can assume it is because there security measures in their systems suck.

Cowardly Annon says:

Re: Re: A little insight.

In a lawsuit brought by the Federal Trade Commission, a subpoena was sent to Google for the complete contents of a Gmail account, including deleted e-mail messages.

That’s why. Google may be called upon at any time to hand over emails. Thus they must have a way to decrypt them without the user logging in. That means someone has access to do this task.

Why should Google show the world it’s dirty laundry? It’s a private company with an internal procedure that it has followed.

nasch (profile) says:

Re: Re: Re: A little insight.

Google may be called upon at any time to hand over emails. Thus they must have a way to decrypt them without the user logging in.

That doesn’t really play, because if I decide to encrypt an email, if I use strong encryption Google doesn’t have a way to decrypt it*. They can certainly be compelled to hand it over (where “it” is the ciphertext), but they cannot be compelled to decrypt it, because they won’t have the means to do so.

Similarly, they could decide to encrypt user emails before storing them in their database**, in a way that they would not be able to decrypt.

* without spending either many many years or huge amounts of money on it

** they wouldn’t be able to encrypt everything immediately, since they only have access to your password when you type it in. This may be why they don’t bother.

Anonymous Coward says:

“That doesn’t explain anything about how Google makes sure these kinds of things won’t happen again”

I love this Blog but, Mike…

I’ll let Tommy say it.

“What I’m trying to say is when you buy a box marked guaranteed, all your getting is a guaranteed piece of shit. Hey if you want me to take a dump in a box and mark it guaranteed, I will, I have spare time.”

out_of_the_blue says:

Does anyone recall that such spying is Google's purpose?

Such stories seem almost intentional propaganda to divert from the fact that Google is SPYING in unprecedented ways. First, it more or less takes attention off that fact, it’s made incidental to prurient interests in a “scandal”, and second, it presents a heartless profit-above-all corporation as deeply concerned about such problems.

So they kicked out an unreliable low-level guy. Big deal. Just look at the revealed capabilities, and imagine what if anyone higher up is less than an angel.

Overarching fact is that Google is a SPY AGENCY, tracking us all every way it can. If you regard its spying as okay because “merely” a corporation, you’re still a fool.

Chronno S. Trigger (profile) says:

Re: Does anyone recall that such spying is Google's purpose?

There is a minimum level of access required to make any system keep working. You can limit an E-Mail account to only be accessed by the end user, but if it breaks, the end user is screwed. This is not something limited to Google, this isn’t even limited to E-Mail. Any database has this risk, it’s a risk that is required to make the database function. From credit card transactions to voice mail to software activation keys, someone else has access to that data.

One tries to prevent this by having auditing policies, and having strict hiring polices, but not everything can be accounted for.

This is not a sign of Google being evil, this isn’t even a sign of Google spying on you. This is a sign of Google being run by people, and people are fallible. At least they found the problem, fired the guy, and announced that it happened. That’s better then most companies and governments (if not all).

Michael Knight (profile) says:

Google security breach

What you don’t seem to understand is eventually a human needs to be relied on to be ethical and hiring staff to watch other staff is absurd and unsustainable. So the only issue here is hiring practices as Google has a system which is just fine if the humans were just ethical. Now we are talking about the actually topic here, can humans be relied on? No, we have proven this through history, eventually we humans will abuse each other, always have and always will.

FormerAC (profile) says:

So you want Google to have a monitor in place to let them know anytime any of their employees accesses something inappropriate? Kinda like the RIAA wants the ISPs to have monitoring in place to let them know anytime someone uploads infringing content?

Google was notified of a problem and acted. What is the problem? Any time there is a system, someone will abuse it. End of story. Google fired those responsible. Why are we talking about it?

ranon (profile) says:

“…but the question is what Google does to make sure that access is not just limited, but monitored to avoid serious abuses like this.”

Monitoring something in real time is very difficult and is not a productive way to work things. The best way to go is to do a check later on and also at the same time have quick and effective punishment for any transgressions.

This has happened in this case.

I am sure that everybody in Google now knows that their job is on the line for privacy issue violations. It is at least as effective as active monitoring if not more.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop ยป

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...