Google issued a short statement yesterday confirming our report about David Barksdale, the ex-Google engineer fired for violating users' privacy and spying on minors. But the statement did little to answer some big questions about Barksdale's conduct and Google's policies.
Here are four questions Google still needs to answer about the Barksdale case:
1) Has everyone whose privacy was violated by Barksdale been notified?
In their statement, Google confirmed that Barksdale, a 27-year-old former Google Site Reliability Engineer, was fired in July for "breaking Google's strict internal privacy policies." But Barksdale was fired only after he had been reported to Google for spying on at least four minors over a period of months. If I had come into contact with Barksdale while he was employed at Google, I'd be left wondering if he'd ever compromised my account. Hell, I've never met the guy, but I'm still wondering. Google should announce that it has informed Barksdale's victims that their private information has been exposed. And if it hasn't notified them, it should. (Knowing how widespread Barksdale's abuses were would be nice, too.)
2) Why weren't Barksdale's actions reported to the police?
Barksdale's snooping may have broken laws under the Computer Fraud and Abuse Act and/or the Stored Communications Act, according to Forbes' Kashmir Hill. Reuters reports that Google didn't involve the police because "one of the families involved asked to remain anonymous." But clearly there was a way to report this crime without exposing that family, as there were at least three others who were apparently OK with going to the cops. As security researcher Christopher Soghoian tweeted:
When the Chinese broke into Google's servers, they called in the NSA. Yet when rogue employees peek at user data, they don't tell the govt?
3) What specific steps is Google taking to prevent similar incidents in the future?
In its statement, Google alludes to the fact that they've improved security since the Barksdale incident: "We regularly upgrade our security controls—for example, we are significantly increasing the amount of time we spend auditing our logs to ensure those controls are effective." The assumption here is that doing more of what didn't work in Barksdale's case—"auditing our logs"—will prevent future problems. But maybe a more radical solution is needed? (Gawker publisher Nick Denton suggests a "double key," which would require more than one employee to authorize access to private data, nuclear weapon launch-style. Sexy.)
After our report was published, Google admitted an employee before Barksdale had been fired for violating their privacy policies. Two incidents like this are two too many for a company that controls as much sensitive information as Google. Users deserve to know exactly what mechanisms are in place for monitoring and preventing abuse, and how those may have been improved since Barksdale was fired.
4) How many employees have the kind of unfettered access to accounts Barksdale had?
Google's statement said, "a limited number of people will always need access to these systems if we are to operate them properly." This makes sense, but the number should be kept as close to zero as technically feasible. How many employees are allowed access to Google accounts? Dozens? Hundreds? What kinds of screening and training do these employees undergo?
Google's statement essentially said, "Shit happens. We'll deal with it." That's not nearly enough. We'll send these questions to Google and update if we get a response.
And here's Google's statement, to date their only public comment on the Barksdale case:
"We dismissed David Barksdale for breaking Google's strict internal privacy policies. We carefully control the number of employees who have access to our systems, and we regularly upgrade our security controls–for example, we are significantly increasing the amount of time we spend auditing our logs to ensure those controls are effective. That said, a limited number of people will always need to access these systems if we are to operate them properly–which is why we take any breach so seriously."
- Bill Coughran, Senior Vice President, Engineering, Google