I hope most people are vaguely aware that the Google’s great utility and ubiquity also pretty much means it knows everything about you. If not, this Gawker/Valleywag story by Adrian Chen should be a primer. It’s the first detailed alleged case that I’ve read in which a Google employee was reportedly caught and punished accessing and disseminating private information. And not just basic private information, like birthdate or middle name. But something as tangential as the phone number and name of his target’s girlfriend.
It’s unclear how widespread Barksdale’s abuses were, but in at least four cases, Barksdale spied on minors’ Google accounts without their consent, according to a source close to the incidents. In an incident this spring involving a 15-year-old boy who he’d befriended, Barksdale tapped into call logs from Google Voice, Google’s Internet phone service, after the boy refused to tell him the name of his new girlfriend, according to our source. After accessing the kid’s account to retrieve her name and phone number, Barksdale then taunted the boy and threatened to call her.
There’s any number of ways to get this info…it could be as simple as going through the contacts list. Or the chat and call logs. Or typing in “xoxo” into a Gmail search. The point is, according to Gawker’s exclusive, is that even if Google lives up to its public-relations image of being privacy-conscious, a rogue employee can apparently have free and all-seeing access into your accounts. This is the case with any database-service, government or corporation run. But for some of us who use Google for everything, unauthorized information access can be catastrophic. For example, because GMail’s search capability is so convenient, I email myself the dates and times of doctor appointments. Anyone who has access to my account could easily find every doctor or dentist I’ve gone to, and when.
The biggest question in Gawker’s piece (Google did not return their calls for comment) is what kind of access logging they do for engineers such as Barksdale. Gawker says an ex-employee tells them that Barksdale’s position required constant access to the servers, and that engineers such as him were highly competent and trusted:
Barksdale’s intrustion into Gmail and Gtalk accounts may have escaped notice, since SREs are responsible for troubleshooting issues on a constant basis, which means they access Google’s servers remotely many times a day, often at odd hours. “I was looking at that stuff [information stored on Google’s servers] every hour I was awake,” says the former Google employee. And the company does not closely monitor SREs to detect improper access to customers’ accounts because SREs are generally considered highly-experienced engineers who can be trusted, the former Google staffer said.