Tech Companies Have a History of Giving Low-Level Employees High-Level Access (theoutline.com)
A reader shares a report (condensed for space): In the summer of 2010, Google fired a 27-year-old site reliability engineer named David Barksdale after it discovered that Barksdale had been accessing the Google accounts of four teens he met through a local Seattle tech group. The spying went on for months before it was reported, Gawker's Adrian Chen wrote at the time. In one incident Chen described, a 15-year-old refused to tell Barksdale the name of his new girlfriend; Barksdale broke into the teen's Google Voice account, listened to messages to get the name, then taunted him with it and threatened to call her. Google was contrite, saying publicly that it "carefully control[s] the number of employees who have access to our systems" and monitors for abuses by rogue employees. [...] The rogue Twitter customer service employee who momentarily deactivated President Trump's account on Thursday night brought this issue to mind. Twitter has 3,898 employees, according to Wikipedia, for 330 million monthly users, a ratio of one employee for every 84,658 users. This means that a single employee may have a ton of power over loads of users, but the value of a single user is low. Their privacy may seem insignificant in light of the greater mob. [...] At Uber, employees regularly abused its "God View" mode to spy on the movements of celebrities, politicians, and even ex-spouses.
All, really all, big organizations have this problem. Just ask Manning and Snowden; classic cases of too much access to too much information.
So governments, corporations, every organization needs to give power over information and access to the lowly peons or those peons can't do the lowly jobs they are supposed to do.
You can put in controls, access walls and shit, but if you do it, your administrative overhead will go through the roof. Someone like Google might sorta be able to pay for all of this, but it will hurt the bottom line to have an in-house police. Someone like Twitter which is already leaking money like a faulty bucket leaks water: yeah right...
Even when you do this, all the security clearances, background checks and mandatory lie detector tests, etc. didn't prevent the whistleblowers.
I've had lots of high level access over the years because I need it to do my job. I've also seen lots of overworked, overtired people in charge of massively important systems because in theory the work isn't that hard. The thing is, if you pay somebody minimum wage they live like somebody making minimum wage. Meaning their lives are a never ending parade of problems they can't solve. They're going to make mistakes, and you're going to pay for them. The only question is do you save more money by paying them like crap than you do cleaning up the mistakes. Depress wages far enough and the answer is 'yes'.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Maids clean rooms of VIPs.
I see many other posts making the same point, and I'll add my specific story from the 1980s.
In 1987, I was doing some work for a local chain of auto-body shops that had some software to do job pricing. In the process of understanding how the business worked, I got to know some of the guys who did sheet metal, welding, body repair, mechanical, etc. These were your typical blue-collar young males for the most part.
In the corner of the main shop area there was a dedicated terminal (VT100ish) and modem for connecting to the state DMV mainframe, where you could do basic queries. There were a couple legit uses for it, which is why the shop had it, but the only time I saw it used was by a couple of the guys who would enter the license plate number of cars they saw driven by pretty women, to pull up the registration info to find out the names and addresses of the car's owner. No checks or balances or access control; the logon info was taped on the side of the terminal. Any access logs would have been somewhere in Austin.
Totally creepy stuff then, still creepy 30 years later.
Level of employment does not equal trustworthiness of employees. In fact, often the higher you go the worse they get.
In engineering school, that major didn't exist - nor does it anywhere. Is it like a "Sanitation Engineer"?
Or "software engineer"? Or "domestic engineer"?
I get calls all the time from recruiters saying I'm an engineer. I say, "No. I'm a programmer."
"Oh, we're looking for engineers."
"My bad. I just read specs and develop software according to those specs."
"OHHHHHH! You are a software engineer!"
"I am?!"
"Yes!"
"OK. So, what's a programmer?"
"He's someone who takes specs and implements them in the programming language of choice."
"Ah. So, what's a software engineer?"
"He's someone who takes specs and implements in the programming language of choice using engineering principles."
"Ok. So, Thermo is involved?"
"What do you mean by 'Thermo'?"
"Never mind. So, whatever - programmer, engineer, god, ....whatever the title is, I'll take the job."
"You have a problem with your attitude."
"....."
This is not surprising in the least. On a physical level, the person who likely has the most access is the janitor or cleaning staff.
Almost any access can be abused, if someone feels vindictive enough. An electrical worker can toss a dead rat in an opened panel, and the arc flash likely would take out a good amount of power in the building.
Having access controls to minimize things is critical, but even with those in place, there is a point where the problem changes from a technological issue to an HR issue, of why someone is that pissed and vindictive in the first place... and why they were cleared for access.
Hence they need "high level" access. This is well-known and unlikely to change.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The ability to login to a customer's account and check basic information to verify identity, reset a password, or turn off an account is NOT high-level access.
Minimum wage customer service representatives REQUIRE this level of access to customers' accounts to answer basic support requests or investigate problems. When Xyzuser calls in or e-mails to request their account disabled or request a troubleshooting assist, some low-level user is going to answer this request.
There's no way around that, other than companies SHOULD be very tight with auditing, and make sure to challenge any action on a customer account that doesn't have an explanation and a support ticket opened by someone else.
This isn't high level access. High level access means telecom, email and backup files of senior execs, possibly access to the people in question to support them, proximity to their cubes, permission to listen in on board meetings, that sort of thing. These high level employees aren't usually very good with data (or any more discreet), you probably wouldn't necessarily want them managing it.
It's all necessarily low level access. But clearly they are not protecting customer data well, or putting a high value on privacy.
I work for a well-known financial company. I guarantee you that if I accessed the information of any even marginally well known celebrity, public figure, even a notable individual, I would be asked why and expected to offer clear evidence of the need. I occasionally see personally identifiable information for any of our clients, and I do not pursue any I happen to come across that I recognize, and of course I would not.
I would also be asked if I accessed MY information - that usually results in one warning. Then dismissal.
But it's evident these Internet companies haven't worked out the confidentiality protections they should have in place, and so we read these reports. Kinda sad.
deleting the extra space after periods so i can stay relevant, yeah.
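An added example, not part of any comment in this thread: the audit two commenters above describe (challenge any account action that lacks a support ticket opened by someone else, and flag access to one's own or a notable person's record), sketched as a review pass over a constructed log. Every name, ID and record here is hypothetical.

```python
# Added example: review of support-staff actions; all names and records are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Action:
    actor: str              # employee who performed the action
    account: str            # customer account touched
    verb: str               # e.g. "view", "disable", "reset_password"
    ticket: Optional[str]   # support ticket cited as justification, if any

# ticket id -> (account it concerns, who opened it)
TICKETS = {
    "T-100": ("acct-ann", "customer:acct-ann"),
    "T-101": ("acct-bob", "emp-7"),        # opened by the employee who then acted
    "T-102": ("acct-cat", "customer:acct-cat"),
}
WATCHLIST = {"acct-vip"}                   # notable individuals: always reviewed
OWN_ACCOUNTS = {"emp-9": "acct-emp9"}      # employee -> their own customer account

LOG = [
    Action("emp-3", "acct-ann", "reset_password", "T-100"),  # justified
    Action("emp-7", "acct-bob", "disable", "T-101"),         # self-opened ticket
    Action("emp-7", "acct-dan", "view", None),               # no ticket at all
    Action("emp-3", "acct-dan", "view", "T-102"),            # ticket for another account
    Action("emp-9", "acct-emp9", "view", None),              # own account
    Action("emp-3", "acct-vip", "view", "T-100"),            # watchlisted account
]

def review(action, tickets=TICKETS):
    """Return the reasons this action should be challenged by a human."""
    reasons = []
    if OWN_ACCOUNTS.get(action.actor) == action.account:
        reasons.append("self-access")
    if action.account in WATCHLIST:
        reasons.append("watchlisted-account")
    if action.ticket is None or action.ticket not in tickets:
        reasons.append("no-ticket")
    else:
        ticket_account, opened_by = tickets[action.ticket]
        if ticket_account != action.account:
            reasons.append("ticket-account-mismatch")
        if opened_by == action.actor:
            reasons.append("ticket-opened-by-actor")
    return reasons

def flagged(log=LOG):
    """Map the log index of each action needing review to its reasons."""
    return {i: r for i, a in enumerate(log) if (r := review(a))}
```

Calling `flagged()` leaves the justified password reset out and returns the other five entries with their reasons; the check does not block the support action, it only queues it for someone to ask why.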
Every website or service I've ever supported allowed the tier one support to disable an account. That's not the same as deleting an account and in many cases it's essential.
Take Twitter: If an account is taken over and used for malicious purposes, you want the first level support to be able to freeze it without having to go through a bunch of checks. That's not really that high a level of power, it's what's required to do the job.
The Daddy casts sleep on the Baby. The Baby resists!
Think Bradley/Chelsea Manning, an E-4 specialist who was entrusted with access to an astonishing breadth of sensitive information. Manning was, according to other soldiers, bullied to the point of a nervous breakdown during basic training, and yet even after that they moved him (as she was then) right into training as an intelligence analyst.
Assange cultivated Manning with methods familiar to anyone who'd read a le Carré novel: pick out someone emotionally vulnerable and work to gain their trust.
Somebody's got to handle the grunt work of managing sensitive information, either in the military or private sector; but it's not going to be someone who spent four years at West Point or getting an engineering degree. But just because a job doesn't require *those* particular credentials doesn't mean anyone can or should do it.
The problem isn't that low level people have access to sensitive information; the problem is that organizations are sloppy about hiring people for those positions because they aren't high status jobs.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
I don't think the problem is "tech companies have a history of giving low level employees high level access".
I think the issue is "tech companies give many employees privileges to do things because it works, and then those things have unexpectedly important consequences that weren't realized because it's a young company doing something no one else did before".
At Uber, employees regularly abused its "God View" mode to spy on the movements of celebrities, politicians, and even ex-spouses.
And, yea, on the Seventh day, God saw that the driver was at 5th and Elm and that it was Good. (... insert chanting in Latin ... )
It must have been something you assimilated. . . .
You've got to pay people enough so that they can have a stable life. One where their car doesn't break down all the time and they're not spending weekends and nights driving Uber to make rent. Even the most competent person is going to start making mistakes if they spend 50 hr/week at their job and another 40/wk putting out fires in their personal life caused by a lack of resources.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/