Google Engineer Spied On Teen Users
bonch writes "Former Google employee David Barksdale accessed user accounts to spy on call logs, chat transcripts, contact lists. As a Site Reliability Engineer, Barksdale had access to the company's most sensitive information and even unblocked himself from a teen's buddy list. He met the minors through a Seattle technology group. Angry parents cut off contact with him and complained to Google, who quietly fired him."
And not only call logs, chat transcripts and contact lists. The article notes:
he pulled up the person's email account, contact list, chat transcripts, Google Voice call logs—even a list of other Gmail addresses that the friend had registered but didn't think were linked to their main account—within seconds.
So even if you think logging out and making a new separate account is enough, it's all linked
And what about Google Analytics and everything else? They can see everywhere you've been on the internet, and obviously abuse it.
Google's policy may be "Do No Evil" but each individual's policy may differ...
You never know who is watching or listening in. People don't realize that every single thing they do online can, at some point along the pipe, be potentially seen by someone.
Living With a Nerd
With the amount of personal/business information stored in Google servers I wonder if Google did enough by just firing the guy? Google's internal system is built on trusting those with access to the information and most Google employees don't want to dig into their databases... but some do. Google replied that this isn't the first time it happened. So what is Google going to do differently in the future? Probably nothing since it has already happened before. It's amazing the amount of damage that can be done through reading personal emails. Google should have stepped it up a bit and sent this guy off to jail to set an example.
www.newviewmedia.com
And people think Google is watching everything we do. They are all nuts...Oh wait.
who watches the watchers?
'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
Someone always has access to the data, and they're going to look at it at some point. The expectation that no one will be nosey when they're bored one day is just naivety (or stupidity). In this case the motivation is a bit creepier but on other websites people will be looking through "private" data when they're bored - be it Facebook messages, Twitter DMs, GMail emails, or Slashdot private journals.
If you want it to remain secure and unread by other people, don't put it where other people might access it.
http://twitter.com/onion2k
to store any business e-mail on their servers and no one with any e-mail which has real world value.
Sorry, but if they can read my e-mail account on GMail without my permission, as in my password, then there is zero security regardless of what all their policies and procedures declare. They should just step up and encrypt all of it using the user's password as part of the key, if not that then automated systems which send e-mail to an audit team, the user, and anyone the user designates, when access by SQL or direct means is performed on the mail accounts from within Google.
I wonder if they store our passwords plain text as well.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
I know one or two telephone linemen who enjoyed listening in to phone conversations when they were supposed to be working.
Why, without your clothes, you're naked, Miss Dudley!
Well to be honest Google employs some of the smartest and cleverest people in the tech field. When you employ that many intelligent people you tend to run into their odd habits, and thought processes. Employing that many strange ducks I imagine it was only a matter of time before one of them managed to make the company look bad, or do something stupid with their position. I really doubt there was anything sinister in it, but you can't keep someone employed after something like this.
But I found anotherFA.
Free Martian Whores!
"Is it 1984 already?" Daria
Young single male admins at companies like Google and Yahoo are golden contacts. If you are looking to research something, they can help. For a price.
Slashdot is filled with IT People who have access to various levels of personal data. These things happen. This guy has just ruined his career though. Half of the job of a good database manager is being trustworthy with sensitive information.
...the question is: what's his
Trolling is a art,
When I was a DBA, I had access to all of the company's data and I couldn't care less. The company audited the payroll department's paycheck but, us, who had access to the raw data, didn't. All I cared about was the integrity of the data. That and performance. I was too busy chasing women and drinking beer. Oh, wait, this is Slashdot. Let me correct that... I was too busy drinking beer.
Alan
Individual person does nefarious actions -- name of company he works for used in title of news article for salacious reasons. More at 11.
It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
Barksdale was working on GChat Roulette.
He sounds a little like an egomaniac windbag that hasn't grown out of adolescence yet (like a lot of geeks). I find it hard to believe that anyone who wears a "Free the Mallocs" and "I Love toxic waste" t-shirts isn't going to keep tight-lipped about freaking someone out with his "m4d l33t 5k11z".
boycott slashdot February 10th - 17th check out: altSlashdot.org
...any sane person should be skeptical about moving everything to the fucking Cloud.
As anybody with real system administration experience knows, what protects user privacy is that you do not look at their data without explicit permission. That means people with this level of access have to have certain personality traits, and a high level of personal integrity is the most important one. I guess this is just another failed Google hiring process result.
What now needs to follow is criminal proceedings resulting in a rather unpleasant punishment. Oh, wait, the US does not have working privacy laws...
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
He - David Barksdale, notorious harasser of vulnerable teens, I mean - shares a name with a more famous chap, who will remain at the top of Google searches. Unless enough people start referring to David Barksdale primarily in the context of the famous freaky violator of children's privacy. You know, David Barksdale. The freaky creepy weird fucked up emotionally stunted probably-not-a-pederast basket case fired by Google for stalking children. That guy.
If you were blocking sigs, you wouldn't have to read this.
The problem with this guy power-tripping on some kids, was not that he didn't give importance to people's privacy - which is apparently along the lines of the company's general mindset - but that he got caught for being stupid.
Google, who quietly fired him
Not as quietly as they might have hoped...
When they asked him, WHY, TELL US WHY??? He answered: BECAUSE, i can do it...... I hope, you have got the joke....which turns out to not be a joke, but..........
...the fucking Cloud.
This is a taste of things to come. Companies will do it. Subcontractors will do it. Employees will do it. Trainees will do it.
When you put your data out there... well, it's out there. Your choice. This was Google's responsibility... what was their punishment? Nothing.
The Cloud - because you don't care if your apps and data are up in the air.
Oops: Parents at Google in the US talking about child safety online, from the just-announced Google Family Safety Center, apparently still in Beta.
I've tried it. Came back to the web based client. Within 2 minutes.
Referred for what? As far as I can tell, the guy didn't do anything illegal. Creepy? Oh, hell, yeah, but illegal?
Fact is, I know that when I send and receive e-mail via Google, there are people in the company that have access to that stuff. I run a few web sites myself, and I hope that people understand that with root access to the server, I have access to everything they do, also. I even go so far as to point that out now and then. But I'm a pretty nice guy, and apparently I'm trustworthy enough for them to believe that I won't use their data for evil. (And I diligently try to live up to that reputation.) I haven't read it in detail, but I'd be very surprised if it doesn't explicitly tell you that in the Terms of Service when you sign up for these services.
What we have here is basically a case of a guy who essentially read some people's diary and used the content within to bug them. If he used the information to lure them into having sex, I'd be right there with you in wanting him thrown in jail. That's not the case. The article even specifically mentioned that he did it to one person with their consent while they were actually watching him to show off his level of access to the systems.
I could be wrong, but I don't think that reading someone's diary is illegal, especially when they hand it to you to keep for them. Or at least, if it is, I seriously doubt much would come of it. I strongly suspect that any competent prosecutor would tell you, "I have murderers, rapists, and even worse--music, movie, and software pirates!--to go after; I don't have time for this."
What Google did was altogether appropriate, and frankly, probably far worse than reporting him to the authorities. They took away his paycheck (which in this economy is no small punishment) and arguably worse, they took away his sweet, sweet access. The guy can't brag to his family and friends any more that he works at Google. He sure as hell can't show off how much trust they have in him to allow him unlimited access to their most trusted data.
I see here that there are people who are so desperate to take Google down a few pegs that they want to take everything crummy individuals do as being representative of the company itself. I think that's a shame. Google's history with the good of consumers has an excellent record, MUCH better than most companies, and they have changed literally entire industries for the better. Their informal "do no evil" slogan should be encouraged and lauded, not picked apart at every opportunity, especially over stuff they have little or no control over. They set a very high standard for themselves, and just because they pick a bad apple now and then, far fewer than most companies, doesn't mean that they're not still a reputable, highly regarded company.
I'm pretty sure Google has lawyers. Furthermore, I'm pretty sure they were involved in the firing of this guy.
I think it's pretty silly and disingenuous to suggest that anyone, especially a company, should report unethical behavior to the authorities and let them sort it out whether or not it's illegal, especially when it's pretty likely that it's not. Again, we're not talking about someone stealing credit card numbers, which is clearly a crime. (And which, if I'm not mistaken, would require them to report the activity.)
Or put another way, if you gave your diary to a buddy to hold onto and expected him not to read it, and later you found out he did and used some of the information to embarrass you, would you call the cops? Just how far do you think you'd get in prosecuting that case with no damages incurred?
Well, it had to be said :)
at no point do they mention if the teen was hot, or posted nudes.
ridiculous.
After RTA it appears that David Barksdale violated Google internal policies so that means some Federal ECPA laws were violated, specifically 18 USC 2701(a).
The exceptions outlined in voluntary 18 USC 2702 and mandatory 18 USC 2703 don't apply either.
If Google doesn't have a policy of handing privacy violations over to AUSA/Federal or local law enforcement then I would urge a review of Google's policies.
Isn't there some ISO 9000 rule (or other standard) that says that admins cannot look at user data? And why isn't Google adhering to this standard?
If Pandora's box is destined to be opened, *I* want to be the one to open it.
He had legal access to it as long as he used it in the capacity of doing his job. He didn't have any legal right to use his administrative access to harass anyone. If nothing else a misdemeanor charge for harassment would be in order. I don't know about jailtime, but a stiff fine and a restraining order barring him from working in IT would fit.
Maybe they should look for a guy named Avon too.
Having worked for a community bank, I was forced by regulators to put controls in place to prevent people from accessing other users' data, or data they were not authorized to use.
These regulations are in place specifically because this problem has happened frequently in the past - well before the cloud computing phenomenon. Back then "cloud" stuff was called "hosted" or "serviced" applications.
Trusting someone else with your data is not a new problem, and one that is not going away. If the private sector does not deal with the issue, it will only be a matter of time until government expands current non-public data laws (GLBA, SarbOx, etc.) to all hosted data.
-ted
Why can't I friend Anonymous Coward under the zoo system?!!!
I think Anonymous Coward is a pretty cool guy. He tells it like it is and isn't afraid of anything.
We are looking for an active new member, David.
Bring your access codes with you.
Write to:
St. John's Catholic School for Boys
Father Richard Stroker
Secludedroad 12
DI252Q - Cork
Is it not possible to make every access to data logged (whether through the application or outside of it) and then provide permissions to change those permissions only to a select group of people? This limited set of people (with ability to change the logging behaviour of the systems) can then be selected/monitored through highly stringent processes. While this will not eliminate the possibility of still having an insider threat, I'd think it'd go a long way towards deterring "insider" threat, especially if all admins know that all their actions are logged and only the "superadmins" can change that. It seems to me that it is a design + awareness issue combined. Then comes the issue of, even if it can be built (the process) and implemented, is there sufficient motivation for Cloud providers to do this. This is where regulation may be needed because if this investment is measured using regular business investment metrics around ROI then it is unlikely to meet the criteria.
Brought to you by Microsoft. Or Apple. Or Comcast. Anyway, the Google is BAD!
For job security, he might consider teaching.
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
Scary story goes here...OMG how can they do this...there should be a law...your own fault if you don't encrypt...encryption is only for paranoid people who have something to hide...minor flames here...encryption is too hard to use...no it's not...yes it is...rinse/repeat...next Slashdot story...back to normal...unencrypted...back to square 1 :-)
What's the issue here? A guy in a position of power did bad things, then he got fired (and rightly so). This happens in all companies, and even in many positions of trust (teachers, childminders etc) - but as it's Google it's OMGSCANDAL
Mark Zuckerberg has hired him and made him COO of Facebook
This guy doesn't even seem to be a sexual predator. He was just a terminal teenager.
He lacked manners, respect, an understanding of boundaries, and a total understanding of the consequences of his actions.
In other words he is acting like a teenager. Google management failed because they let this bumbling fool have access to the data. His future in tech and frankly most businesses is shot to heck.
On the plus side he was really harmless but immature.
This is a case of not having a grownup in charge.
There is a value to maturity and experience and frankly it seems as if Google is lacking those kinds of people.
This guy should have been working on intrusion detection stuff and kept away from people's personal data.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
What's even more concerning in light of this issue is the fact that some governments are switching to Gmail. I can't recall which ones but I recall some local and possibly state governments making the switch to use Google's email infrastructure. With the obvious lax security in auditing access to data and the lack of data access controls, this causes significant concern.
Evidently, Google does not have a process controlling the access of user accounts by employees of the company. Google needs to stop ignoring the fact that it is dealing with increasingly more private information on individuals and that like other organizations with such information (think banks) it needs to develop a full fledged process (with well defined protocols, auditing, etc.) to ensure that any access to a user's private information is authorized and accounted for.
Google wants to think of itself as a technology company where process is a hindrance. Google is too big to continue thinking and acting like that.
I'm guessing Google will not deal with this particular problem until it gets sued.
So you'd be willing to try to ruin some guy you don't even know over 'evidence' in a three-line Slashdot blurb? You want to at least wait and see if actual charges are filed, let alone a guilty verdict? Talk about jumping to conclusions...
I am uncle ernie, fiddlin' about, fiddlin' about.
The mind conceives, the body achieves, the spirit manifests.
BETA.
That is all.
Or has the work environment at Google become so bad, that he was no longer interested in keeping his job? Surely he must have been aware that he would get caught eventually.
Sorry, but if they can read my e-mail account on GMail without my permission, as in my password, then there is zero security regardless of what all their policies and procedures declare
Your ISP can read your E-mail. If you have in-house systems, your staff can read your E-mail. That's the way E-mail systems work.
If you want private E-mail, use encryption; that's the only way. FireGPG works in your browser with webmail clients if you care.
Only on Slashdot is crap like this defended. "This isn't really newsworthy; it's only being posted because it's Google."
Remember when Slashdot gave a shit about privacy and rights? Then Google came along and gave you free email so you'd get hooked onto their closed source search/advertising platform, and suddenly Google can do absolutely no wrong.
Facebook and Myspace aren't the biggest internet companies in the world archiving your email, voice calls, IMs, WiFi networks, etc. etc. etc. in one location.
Google fanboys to the rescue! Using their firehoses of fandom, they put out the fires and tell you that this is a non-story. Why, the biggest internet-based company in the world with the biggest customer data archive in the world is merely a "salacious reason" for posting a headline about privacy abuse! Are you questioning Google's cloud computing? This was merely an "individual!" It doesn't matter that he wasn't caught by the company for months, and that it's an illustration of how you don't know when your privacy is broken by a corporation with financial interests in information about your life.
Assimilate, Slashdotters! Pay no attention to that man behind the curtain! He's an individual person doing nefarious actions!
Cannot is pretty much impossible without royally impeding one's ability to do one's job. I can read anyone's email where I work, even the big bosses. In fact, this has been the situation anywhere I've worked. I don't because I:
a) Have morals/integrity
b) Don't feel like being shitcanned and being locked out of my job market
c) Have better things to do with my time
But, even in systems where the password is encrypted (ours are), the emails/chats are encrypted (ours are), etc, it's not hard. Almost any password system will have a reset-by-admin function. So the original password hash gets dumped somewhere safe, the password is changed (and the rogue admin can take the role of the user, doing whatever). When done, the password is reset. Of course, in a more secure system there may not be direct access to the password hash (and thus it can't be reset), but the excuse of "oops, the system messed up and the account logins were messed, don't worry I'll reset your account/password" would probably get one past that.
Maybe a two-factor system where two admin IDs are needed for significant account changes might work, but then again a little shoulder-surfing would work. Logging works up to the point where the admin may be able to alter the logs (or use another's ID, create a dummy account, whatever).
I guess the big point is that a company should be able to trust its admins. An admin violating that trust without a very, very good reason *deserves* to be fired.
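The controls raised in the comments above (logging every access, needing two admin IDs for sensitive actions, and the worry that an admin can alter the logs) can be sketched together as follows. This is an added example, not part of any comment in the thread and not a description of Google's systems; the class and function names, the sample users and the idea of a separate log-custodian key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # fixed starting value for the MAC chain


class AuditLog:
    """Append-only access log; each record's MAC covers the previous MAC."""

    def __init__(self, custodian_key: bytes):
        # Assumption: the key is held by a small log-custodian group,
        # not by the admins whose accesses are being recorded.
        self._key = custodian_key
        self.records = []

    def _mac(self, prev: str, body: dict) -> str:
        msg = prev.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, actor, action, target, approvers=()):
        prev = self.records[-1]["mac"] if self.records else GENESIS
        body = {"seq": len(self.records), "actor": actor, "action": action,
                "target": target, "approvers": sorted(approvers)}
        self.records.append({"body": body, "mac": self._mac(prev, body)})

    def first_bad_record(self):
        """Index of the first altered or reordered record, or None if intact."""
        # Dropping records from the tail is not caught by the chain alone;
        # the latest MAC must also be kept where the admins cannot write.
        prev = GENESIS
        for i, rec in enumerate(self.records):
            expected = self._mac(prev, rec["body"])
            if rec["body"].get("seq") != i or \
                    not hmac.compare_digest(expected, rec["mac"]):
                return i
            prev = rec["mac"]
        return None


def read_user_data(log, store, actor, target, approvers):
    """Release user data only with two distinct approvers other than the actor."""
    distinct = set(approvers) - {actor}
    if len(distinct) < 2:
        log.append(actor, "read_denied", target, approvers)
        raise PermissionError("need two approvers other than the requester")
    log.append(actor, "read", target, distinct)
    return store[target]


def demo():
    log = AuditLog(b"constructed-demo-key")
    store = {"user42": "mailbox contents"}  # constructed sample data
    denied = False
    try:  # self-approval does not count towards the two approvers
        read_user_data(log, store, "admin_a", "user42", ["admin_a", "admin_b"])
    except PermissionError:
        denied = True
    data = read_user_data(log, store, "admin_a", "user42", ["admin_b", "admin_c"])
    clean = log.first_bad_record()
    # An admin with write access to the log, but not the key, rewrites the actor.
    log.records[1]["body"]["actor"] = "admin_z"
    return denied, data, clean, log.first_bad_record()
```

The chain only shows that a record was changed; it does not stop an insider who holds both the log and the custodian key, which is why the key holders need to be a different group from the admins being logged.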
I think they are the same guy.
apparently not quite enough since /. is in on it.
"It's a Barksdale, Jim, but not as we know it!"
Speaking as an experienced sysadmin - that's the right call. Also possibly negotiating with anyone affected but due to privacy laws (and at least in Canada this is the case) NOT publicized.
Part of a sysadmin's responsibility is ensuring no one has access to data they shouldn't. This includes the administrator themselves - but has to be taken on trust, barring unusual ways of securing data. I'm actually trying to design some software to do that, but it's slow going as none of the APIs are very well documented.
So - good call firing him. That is not proper etiquette for a system administrator.
No, I'd be willing to ruin David Barksdale, notorious kiddy stalker, based partly on the evidence in the various articles (which I took the time to find and read) but mostly based on the freaky pictures on his Facebook profile. Best case, he's a hippy, so deserves everything he gets.
If you were blocking sigs, you wouldn't have to read this.
Like was said, didn't Google's CEO say somewhere that if you want privacy you have something to hide or something? Not surprising their own employees have little respect for their users' privacy.
He - David Barksdale, notorious harasser of vulnerable teens, I mean - shares a name with a more famous chap, who will remain at the top of Google searches. Unless enough people start referring to David Barksdale primarily in the context of the famous freaky violator of children's privacy. You know, David Barksdale. The freaky creepy weird fucked up emotionally stunted probably-not-a-pederast basket case fired by Google for stalking children. That guy.
It's on the first page, the fourth entry is about him.
But come on? They didn't have enough sense to have access control procedures?
If someone can read your emails, watch your search records, they have an awful lot of power.
Oh, I was thinking of yet another Barksdale, a Mr. Avon Barksdale from the HBO series The Wire.