NNSquad - Network Neutrality Squad

NNSquad Home Page

NNSquad Mailing List Information


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ NNSquad ] In Perspective: Alleged Snooping at Teens' Data by Google Engineer

       In Perspective: Alleged Snooping at Teens' Data by Google Engineer


Greetings.  While I believe it's fair to say that Gawker sometimes
exhibits what appears to be a noticeable anti-Google bias, today they
published a very troubling article that's impossible to ignore,
alleging that a (now reportedly fired) Google employee used his
privileges as a Site Reliability Engineer (SRE) to inappropriately
access the private files of Google users, including minors 
( http://bit.ly/coSXSv [Gawker] ).  (An ongoing independent discussion
thread on this topic is also available: http://bit.ly/d9X9cF [Buzz] ).

Google has now confirmed the firing, has noted that this is the second
such firing for a similar offense, and says that it will increase
auditing of its logs.

Of course, Google is not the first Internet firm to be faced with such
a situation.  Nor should cases of individual rogue employees be used
to spew forth accusations of Google being evil, not caring about user
privacy, or some of the other unfounded claims I'm already seeing
popping up around the Net associated with this situation.

As I noted recently in "Trusting Your Friends -- and Trusting the
Cloud" ( http://bit.ly/bpW6pQ [Lauren's Blog] ), information
technology models used by individuals, business, and governments are
moving inexorably toward "cloud computing" methodologies.

Trust in these cloud-based systems and the individuals who design,
operate, and maintain them is paramount.

Given the possibilities of litigation related to the current case, it
is perhaps understandable that Google has apparently not been
volunteering many specific details regarding these allegations and the
accused employee.

However, transparency regarding policies and procedures related to
employee access to Google-based data is another matter -- and this is
an area where it would behoove Google to be as direct as possible with
its users and the public at large.  This includes providing
information with the maximum specificity that is consistent with good
security practices.

Among the key factors that are important to users' continued faith in
the privacy and security of their information on Google services (both
Google "standard" and the new "Google government services" platforms):

 - Who at Google has access to Google users' content data?

 - Under what conditions are Google employees officially authorized to
   access such data?

 - Can an individual at Google access such data on their own without
   specific "need-to-know" authorization for specific cases, and without
   the oversight of any other employees during such access itself?

 - What technical measures are in place to control Google employees'
   access to users' content data and to limit the possibilities of

 - What reporting and/or logging mechanisms, and any associated audit
   procedures, are in place to routinely track (in real-time or
   retrospectively) employee access to such user content data?

A breach of the sort alleged in this case is certainly disconcerting,
but no system is 100% secure.

Of more lasting concern and importance is assurance that Google's
procedures, policies, and technologies associated with protection of
user content data -- from both external and internal threats -- both
are and remain adequate to their critical tasks, and that Google is
sufficiently forthcoming about these issues.

While it is not necessarily desirable nor practical for the
nitty-gritty details of security procedures to be publicly known in
every instance, there is often a great deal of relevant information
short of that threshold that can and should be safely made publicly

By definition, cloud computing resources are not under our individual
direct control.  Faith alone is not enough to encourage confidence in
the security and privacy of these environments.  It is incumbent on
Google and all other Web services firms to be maximally transparent on
these matters at all times.

The alternative is to risk concern among loyal users, smoldering
embers of distrust among many potential users, and damaging conspiracy
theories courtesy of your adversaries.

As far as I'm concerned, transparency wins.

Lauren Weinstein (lauren@vortex.com)
Tel: +1 (818) 225-2800
Co-Founder, PFIR (People For Internet Responsibility): http://www.pfir.org
Co-Founder, NNSquad (Network Neutrality Squad): http://www.nnsquad.org
Founder, GCTIP (Global Coalition for Transparent Internet Performance): 
Founder, PRIVACY Forum: http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Twitter: https://twitter.com/laurenweinstein
Google Buzz: http://bit.ly/lauren-buzz