Google Engineer Spied On Teen Users

bonch writes "Former Google employee David Barksdale accessed user accounts to spy on call logs, chat transcripts, contact lists. As a Site Reliability Engineer, Barksdale had access to the company's most sensitive information and even unblocked himself from a teen's buddy list. He met the minors through a Seattle technology group. Angry parents cut off contact with him and complained to Google, who quietly fired him."

All the data on Google

[odies]

And not only call logs, chat transcripts and contact lists. The article notes:

he pulled up the person's email account, contact list, chat transcripts, Google Voice call logs—even a list of other Gmail addresses that the friend had registered but didn't think were linked to their main account—within seconds.

So even if you think logging out and making a new separate account is enough, it's all linked

And what about Google Analytics and everything else? They can see everywhere you've been on the internet, and obviously abuse it.

Re:All the data on Google

[mandark1967]

"...So even if you think logging out and making a new separate account is enough, it's all linked"

That's relatively easy to get around. Create your initial gmail account on 1 machine using a particular ISP, and create your second acct by using a different computing device(like a droid) on another ISP. Of course, you must remember to never use one machine to check both accounts. It takes dicipline, but it an be done.

I have a gmail account that I created on Comcast with my home desktop, and a completely different one that was created when I purchased my droid through verizon.

I never check the droid gmail account from home on the phone because I do not want GPS to put me close to the other gmail account. I never check my original gmail from work (I'm blocked)

I highly doubt that google can link these two accounts together.

Re:All the data on Google

[Aeros]

oh...we can NOW!

Do No Evil

[whisper_jeff]

Google's policy may be "Do No Evil" but each individual's policy may differ...

Re:Do No Evil

[Richard_at_work]

And the quietly letting him go rather than warning others about this persons actions is ... whose policy?

Re:Do No Evil

Unless he is charged and convicted, let's not hang a man in the realm of public opinion. He was fired, and hopefully he learned something.

Re:Do No Evil

[xouumalperxe]

And the quietly letting him go rather than warning others about this persons actions is ... whose policy?

I expect that quietly means "no media coverage". I guess that, internally, word spread pretty quickly why he was being let go.

Re:Do No Evil

[antifoidulus]

Holy shit, Pope Benedict must be a majority shareholder at Google!

Re:Do No Evil

[Richard_at_work]

If this case involved credit card numbers, what would your suggestion be then? What about this case does not scream invasion of privacy, misuse of privileges, abuse of trust and numerous other things? This person should not have been simply let go, it should have been referred to the authorities - he didn't make a simple mistake, he took deliberate action. Simply letting him go allows Google to silently preserve their pristine image.

People seem to be taking my point about quietly letting him go to mean that Google should have issued a press release or made a public announcement - no, that's not what I am suggesting, but its quite apt since reporting this matter to the authorities would have been akin to making a public announcement.

Re:Do No Evil

[UnknowingFool]

He no longer has access to Google. He's no longer in the program where he first met the teens. What else would you want them to do? Reading the article it does not seem that he did anything illegal that the police can charge. His position allowed him to access the information but he violated the company policies.

Re:Do No Evil

[nomadic]

If this case involved credit card numbers, what would your suggestion be then? What about this case does not scream invasion of privacy, misuse of privileges, abuse of trust and numerous other things?
Are those crimes, though? "Lock him up!" "But he didn't commit a crime." "Would you make the same excuse if he HAD committed a crime?" "Huh?"

Re:Do No Evil

[Shabazz+Rabbinowitz]

...let's not hang a man in the realm of public opinion...

You're new here, aren't you?

Re:Do No Evil

[nschubach]

So new that Slashdot hasn't had time to assign them a user ID.

Re:Do No Evil

[UnknowingFool]

Informing their users would likely get Google involved with a lawsuit either from the teens' parents (since the teens were under-aged) or from him for invasion of privacy. Generally admins don't have this kind of access but his particular position allowed him to do so. Google is looking at further restricting policies about access. I don't know about your workplace but different admins have access to all sorts of information. If you have a bad seed, you had a bad seed.

Re:Do No Evil

[ArsenneLupin]

Holy shit, Pope Benedict must be a majority shareholder at Google!

It said quietly fired, not quietly transferred to a different regional office.

Re:Do No Evil

[ultranova]

Not to mention, the people he spied on weren't threatened with Hell if they ever spoke of it.

Re:Do No Evil

[epine]

Stupid or bad people sometimes get into positions of responsibility.

Speaking of which, Newt recently cleared the bar at 18 feet, elevating "Luo tribesman" into the neo-conservative N-word lexicon in a single bound.

These people hate Michael Moore with a passion, so why do they expend so much energy making him sound like an intelligent man? As Mr Moore pointed out, it is obvious to anyone who has ever cracked open an American history book, American was founded on the sentiment of anti-colonialism (only when done by the British--it's increasingly OK when we do it).

The other thread of American history which comes to mind is the Salem witch hunts. One forgets how deep certain threads in American history run.

There's plenty of abuse of children far more severe than reported in this story. He's a man among millions if you include drunken frat boys, men of the cloth, and morally destitute fathers. There seems to be this weird pseudo-Christian ideology in America that one witch in a fire purifies society of a million nervous glances of suspicious-looking old hags.

It's the adult version of "who farted?" Reminds me of the book Everything I need to know I learned in kindergarten. (Obviously written by a guy without much ambition in the knowing dept.)

Here's how I first learned that I'm a geek at heart. In my introduction to how the fart game was played it turned that *I* farted without having realized it prior to lightening-fire social deliberations. I sensed immediately that there was another kind of logic to the lifeforms around me. Stupid me, I decided that adulthood was the process of growing out of this behaviour, not growing into it.

Always a concern

[Pojut]

You never know who is watching or listening in. People don't realize that every single thing they do online can, at some point along the pipe, be potentially seen by someone.

Re:Always a concern

[bill_mcgonigle]

People don't realize that every single thing they do online can, at some point along the pipe, be potentially seen by someone.

Not if you're using end-to-end encryption without a public CA. Computer scientists have known this since 1977 and end-users have had tools since at least 1991. Key distribution is still hard, so it's not quite popular. We could really use some apps that securely exchange keys via phone "bumps".

Re:Always a concern

[sjs132]

An old friend of mine used to work for a high clearance group out in Colorado someplace. This is going back to 1995'sh... He has since gone silent (No contacts) , but I remember one conversation that we had had where he warned:

"If you want it to be a secret you better keep it in your head. Don't write it down, don't email it, don't call on the phone... Because if they want, they can know." (Paraphrased from so long ago...) But you get the point.

It was true then and even more so now. Who are "They"? Well, that's the problem... in 1995 I presumed it was the Federal Government that could disseminate the information to state/local. And under Homeland Security we do have "FUSION CENTERS" so you know that happens. But also it seems corporations of large magnitude can fall into it. If it is for "research, Statistics & Administration" then big whoop, but obviously it is a big temptation for people to abuse it once they are on the "inside."

Case in point would be Crystal Bowersox. She had her privacy violated multiple times in Ohio. Probably by people paid to dig up dirt for tabloids or something, but just like Google, Creepy.

http://www.dispatchpolitics.com/live/content/local_news/stories/2010/09/09/copy/ohio-apologized-to-idol-star-for-illegal-snooping.html?adsec=politics&sid=101

http://content.usatoday.com/communities/idolchatter/post/2010/09/crystal-bowersoxs-privacy-breached-by-ohio-officials/1

http://marquee.blogs.cnn.com/2010/09/09/ohio-apologizes-to-crystal-bowersox-for-security-breach/

http://www.google.com/hostednews/ap/article/ALeqM5i_29YKZdSnooBzedGCwrNGaqfyDgD9I4IR7G1

http://au.eonline.com/uberblog/b199540_why_were_cops_snooping_on_idols_crystal.html

 

Re:Always a concern

[Net_fiend]

While that may be true citizens should have some sort of integrity about themselves. There was a time when, regardless of the abilities people had, that privacy was respected. This "Its the internet age you have no privacy" is bunk. We only have privacy regardless of whether its digital or not if people kept some sort of respect and integrity about themselves. However we live in an age where people are selfish as hell and could care less about smearing or stabbing someone in the back to get ahead or just watch the fires burn around them. Sad days.

Happens on every website.

[onion2k]

Someone always has access to the data, and they're going to look at it at some point. The expectation that no one will be nosey when they're bored one day is just naivety (or stupidity). In this case the motivation is a bit creepier but on other websites people will be looking through "private" data when they're bored - be it Facebook messages, Twitter DMs, GMail emails, or Slashdot private journals.

If you want it to remain secure and unread by other people, don't put it where other people might access it.

Re:Happens on every website.

[Aqualung812]

This is Google. They drive up and take pictures of your house.

OMG! Pictures of my house, on a public street, where thousands of people can drive by and see it? MY PRIVACY IS RUINED! I might as well post my SSN on the Internet now!

Re:Happens on every website.

[mikael_j]

In this case the motivation is a bit creepier...

Well, if the linked article has its guesses and quotes correct then it seems this guy was just trying to show off with his neat GEP (Google Employee Powers) and overstepped privacy boundaries doing so. Now, IMHO this is generally worse than just being curious or "nosey[sic]" but probably not creepier (I worked tech support just after college and I saw more than one "curious" co-worker search the customer database for members of the opposite sex who happened to live in the same city as we were in and who had a date of birth within a few years of their own. Sure, I'm guessing none of them actually used this info to their advantage (by say, looking up phone numbers and email addresses to people they had met at a club or something) but that's still a lot more creepy than trying to show off in front of others).

Oh, and in case someone missed it, I didn't say this guy shouldn't have been fired or that what he did was ok, simply that I'm not sure "creepy" is the best word to describe it (since that word tends to lead the minds of readers into "OMGZ SEX OFFENDARS PERVART!!" territory which apparently doesn't apply in this case).

Re:Happens on every website.

[PhxBlue]

Could you post your date of birth and mother's maiden name, too? Thanks!

Re:Happens on every website.

[buck-yar]

Many people have gotten fines from evidence collected on google earth. Specifically swimming pools that don't meet zoning, that would not be visible from public view (only satellite or airplane).

http://www.switched.com/2010/08/02/long-island-town-uses-google-earth-to-find-rogue-swimming-pools/

TFA firewalled off here

[mcgrew]

But I found anotherFA.

Re:TFA firewalled off here

[Jeslijar]

according to this FA, it wasn't some creepy stalker type deal.

He found a techie group and wanted to impress them with his 'haxor' skills. It probably didn't come out until later that he worked for Google. It was a stupid move and an abuse of power, but it wasn't something as creepy as the original post here makes it sound.

"Barksdale's harassment did not appear to be sexual in nature, although ... [he] demonstrated extraordinarily questionable judgment. ... It seems part of the reason ... was to show off the power he had. ... A self-described "hacker," Barksdale seemed to get a kick out of flaunting his position. ... The parents of the teens whose Google accounts were violated by Barksdale were hardly amused, however."

Doesn't sound newsworthy. Google did what they should have did; They got rid of him. Sounds like "do no evil" to me. He doesn't deserve to be burned at the stake for something like this, as immature and stupid as it may have been.

Re:More than enough reason for no business

[Xiph]

Then they couldn't index it for advertisement, which is Google's business

Big Google is watching

[Drakkenmensch]

"Is it 1984 already?" Daria

Duh

[ebonum]

Young single male admins at companies like Google and Yahoo are golden contacts. If you are looking to research something, they can help. For a price.

Re:Duh

[M4n]

"Research something" or "Research something"?

Re:Not just online

[piffey]

Not just line men. We used to do that all the time as kids, just cause we figured out we could.

Come on...

[grub]

...the question is: what's his /. ID? It must be in the 4 or 5 figure range.

This just in!

[mdm-adph]

Individual person does nefarious actions -- name of company he works for used in title of news article for salacious reasons. More at 11.

Re:This just in!

[crunzh]

mayor company that keeps houge amounts of personal data dont protect user data from employees, I think thats the story.

Re:This just in!

[Combatso]

so you think they should have left out Googles name? I for one will think twice about how private any emails / chats sent through google really are. Without getting in to a 'think of the children' rant here... the real story is this guy was spying on teenagers conversations, chatting with them... and actually unblocked himself... if one rogue employee at google can do this, than many more can... and I stand by theory that anything than can happen, will happen... So yeah... the company name belongs here..

Re:This just in!

[crunzh]

either encrypting userdata, or atleast limiting access or not giving access to multiple services. If he only had access to one of the services damages would be less, but he had access to both voice, email and google talk.

Re:This just in!

[Dhalka226]

And what company do you think exists where nobody has access to this sort of information?

If your logic is "anything than[sic] can happen, will happen" then it is happening everywhere. You're out of luck.

Re:More than enough reason for no business

[Rob+Kaper]

More than enough reason for no business to store any business e-mail on their servers and no one with any e-mail which has real world value.

You are basically suggesting that no one uses the Internet anymore. End-to-end encryption aside, there will always be a system administrator with the technical ability to snoop data stored or in transfer. The only reason you can slam Google here is because they actually caught the guy.

Re:Did Google do enough?

[bberens]

Google has no grounds to prosecute the guy. The kids/parents may have some grounds based on harassment or something but the guy legitimately had access to that data, he just abused it. It happens, he was fired. I love these posts which act as if "my company" could never hire anyone who would abuse their access to data. It happens regularly at every company I've ever worked at to some degree or another. When it happens, you deal with it. *shrug*

Cannot really be prevented

[gweihir]

As anybody with real system administration experience knows, what protects user privacy is that you do not look at their data without explicit permission. That means people with this level of access have to have certain personality traits, and a high level of personal integrity is the most important one. I guess this is just another failed Google hiring process result.

What now needs to follow is criminal proceedings resulting in a a rather unpleasant punishment. Oh, wait, the US does not have working privacy laws...

Re:More than enough reason for no business

[jgagnon]

Exactly... any admin worth their position could extract similar information from their corporate network. This was an inside job like any other inside job. It's only news because it is Google.

If this has been an admin of Facebook or MySpace it would have had similar impact. It should be no surprise that any information you give to a company is available to their admins to use or abuse.

Luckily for David Barksdale, creepy kiddy stalker

[Rogerborg]

He - David Barksdale, notorious harasser of vulnerable teens, I mean - shares a name with a more famous chap, who will remain at the top of Google searches. Unless enough people start referring to David Barksdale primarily in the context of the famous freaky violator of childrens' privacy. You know, David Barksdale. The freaky creepy weird fucked up emotionally stunted probably-not-a-pederast basket case fired by Google for stalking children. That guy.

Surprise!

[nomad-9]

Hardly surprising, since Google CEO Eric Schmidt's notorious "if you want privacy, you have something to hide" remark.

The problem with this guy power-tripping on some kids, was not that he didn't give importance to people's privacy - which is apparently along the lines of the company's general mindset - but that he got caught for being stupid.

Re:Surprise!

[nomad-9]

Here's the citation you asked:

“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”

"And it’s important, for example, that we’re all subject in the United States to the Patriot Act... "

The "Patriot Act" was given as just one example, not as the main reason. The old "security versus privacy."

Re:Surprise!

nomad-9 said:

Power-tripping on some kids ... is apparently along the lines of the company's [Google Inc.'s] general mindset.

See what happens when you don't quote somebody, but quote a segment of what they said, and rearrange the order to imply something totally different? It's a favorite tactic of politicians and journalists.

Now that you're finished butchering Schmidt's quote, here's a real, accurate, summary of the conversation, courtesy of Wikipedia:

During an interview, aired on December 3, 2009 on the CNBC documentary "Inside the Mind of Google", Schmidt was asked "People are treating Google like their most trusted friend. Should they be?" His reply was: "I think judgment matters. If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place, but if you really need that kind of privacy, the reality is that search engines including Google do retain this information for some time, and it’s important, for example, that we are all subject in the United States to the Patriot Act. It is possible that that information could be made available to the authorities."

What is wrong with what he said now? Because all I see is sound advice. Most people, when given the opportunity, do something so stupid that they would later regret it, if they had known their actions were under surveillance. Most people need to know that Google is being monitored, and that their queries don't just disappear into a black void.

define 'quiet'

[WhitePanther5000]

Google, who quietly fired him

Not as quietly as they might have hoped...

ah

[Chrisq]

What part of heaven is most popular?

...the fucking Cloud.

Re:More than enough reason for no business

[arivanov]

It was not Google who caught the guy which is what is worrying in this case, it was the parents of the kids involved.

I would have expected a shop of their size to have proper security and use at least some of their precious IPR on log analysis.

Re:More than enough reason for no business

[Runaway1956]

Hell, I'm not even an admin worthy of the position - and I can do as you say. Crap - some ditzy female was playing one of the kids for a fool - I knew she was a worthless tramp, but you don't just tell your kids that, because they will HATE YOU FOREVER for interfering in their personal love lives. Well - she used a computer at my house to read some personal emails and such stuff. Dad just forwarded all the dirt, complete with account passwords, to the son via a "proxy". The female disappeared from the son's life faster than pizza on football night. No, I don't condone spying on people - but bitches don't count, LOL

Federal laws were violated

[glittermage]

After RTA it appears that David Barksdale violated Google internal policies so that means some Federal ECPA laws were violated, specifically 18 USC 2701(a).

The exceptions outlined in voluntary 18 USC 2702 and mandatory 18 USC 2703 don't apply either.

If Google doesn't have a policy of handing privacy violations over to AUSA/Federal or local law enforcement then I would urge a review of Google's policies.

Re:Did Google do enough?

[cervo]

They might. A lot of companies have huge disclaimers on all their systems. Something about people unauthorized to use a system or using it in excess of their authority will be prosecuted. They also typically include a blurp about information being intended for you as well....Also typically some type of consent to being monitored.

I would think that it is similar to an EULA and maybe could be enforced. Also most companies have an acceptable use policy and people who violate it can be subject to civil penalties as well as disciplinary action.

Also a lot of companies sue you if you say something the slightest bit bad about them. This guy just shit on Google's reputation, that probably will cause some economic damage (no matter how small....since most people won't care, but I would bet at least one person might be put off from trying Google for that violation). I would think a civil suit could proceed on that merit....

But now the guy is popular in the news and has probably just lost any chance of being hired by any big company in this day of web searching potential employees... Unless Google changes their ranking algorithm to bury this case....

iso certification

[StripedCow]

Isn't there some ISO 9000 rule (or other standard) that says that admins cannot look at user data? And why isn't google adhering to this standard?

Re:More than enough reason for no business

[darth+dickinson]

The only reason you can slam Google here is because they actually caught the guy.

No, Google didn't catch the guy. The kids' parents caught the guy and told Google about it, and only *then* did Google take action.

Google screwed up

[Coward+Anonymous]

Evidently, Google does not have a process controlling the access of user accounts by employees of the company. Google needs to stop ignoring the fact that it is dealing with increasingly more private information on individuals and that like other organizations with such information (think banks) it needs to develop a full fledged process (with well defined protocols, auditing, etc.) to ensure that any access to a user's private information is authorized and accounted for.
Google wants to think of itself as a technology company where process is a hindrance. Google is too big to continue thinking and acting like that.
I'm guessing Google will not deal with this particular problem until it gets sued.

Re:Luckily for David Barksdale, creepy kiddy stalk

[Stiletto]

So you'd be willing to try to ruin some guy you don't even know over 'evidence' in a three-line Slashdot blurb? You want to at least wait and see if actual charges are filed, let alone a guilty verdict? Talk about jumping to conclusions...

Re:More than enough reason for no business

[Trepidity]

I dunno, at places I've been the low-level sysadmin access is not very closely monitored. "Official" access through the normal APIs is logged and monitored, but when the Unix sysadmin has root on the database machine, he could be grepping through the database for all anybody knows.

Re:Youth culture run amok.

[Sancho]

In other words he is acting like a teenager.

Once you grow up, the term becomes "sociopath."

Re:And let the defense of Google begin

[jgagnon]

I was not defending Google, I was only stating that SOMEONE on the inside of every company has access to things that could be dangerous in the wrong hands, even your bank of choice. That being said, the problem isn't that someone has access, the problem is that they need to better screen their employees and their behavior to discourage this sort of thing.

This kind of idiotic move happens all the time and people get fired over it. I read recently about a school principal viewing porn on his computer at work (in the school) and getting canned for it. Idiots are everywhere and people with access or power are not except from being idiots. Again, this is not news.

Re:And let the defense of Google begin

[jgagnon]

What happened around here? Slashdot used to be so pro-privacy as a matter of principle. We're supposed to ignore a huge breach of trust at Google because it happens elsewhere? Nobody else has the enormous amount of data that Google has on you. Think about it.

We're on different pages. This isn't a breach of privacy by Google the company, it is by this individual. Google has policies already in place against this behavior and does not condone or promote it. What else could you possibly expect them to do as a company?

Additionally, you (or whomever) gave your information to Google by using their services. People inside Google have access to that information you willingly gave them (duh). Someone within that inner circle violated Google's policies for people within that inner circle. That person was fired. There is no way for Google to completely prevent this sort of thing from happening, they can only monitor and react.

If you do not want this to happen to you then do not use Google's services. But don't go on the Internet and use publicly available (and free) services and then expect anything other than your "privacy" being violated.

Re:More than enough reason for no business

[KingAlanI]

good, gave him the tools/;info to handle it himself and it worked out better.

Re:More than enough reason for no business

[Altrag]

And yet here I see you on Slashdot. As an unsubscribed plain old user, I can find:
- Your last few comments
- The last few stories you've submitted
- Your Slashdot friends / fans / foes
- Their comments / stories / etc

I'm not trying very hard, and I'm certainly not a data miner, but I'd guess even that amount of data would be enough to put something together about you -- at least a vague sense of your interests and disinterests. And how much more information would the Slashdot admins have about you? All they have to do is miss a single creep in their hiring process and all of that information is free reign. It might not be as sensitive as your emails, but its still an invasion of your privacy. And the chances for creeps to slip through the cracks grows with the size of your company (I'd imagine sub-linearly as screening procedures typically would get better as the company grows, but its still not a DECREASING chance).