At the moment, all three top level comments are accusing Google of lying, despite the fact that these kinds of flat denials by high-profile companies are almost never proven false, probably because they almost never are false. (As described elsewhere, PRISM was not such a case.) In this case, the original story was already dubious, and it should be clear that the fallout from being caught lying would be drastically worse than either ignoring the story or being the second to admit to doing something (legal) that Microsoft already admitted to. The fact that the comments exist anyway tends to shake my faith in the rationality of other, more credible criticisms of big companies in this forum.
Of course they don't lie. Overly specific denials are much better than lying.
> “Mike makes a serious allegation here — that Google opened email messages in his Gmail account to investigate a leak,” Kent Walker, Google general counsel, said in a statement.
and
> “The source had corresponded with me from a non Google email account, so the only way Google saw it was by accessing my Gmail account,” wrote Arrington. “A little while after that my source was no longer employed by Google.”
Arrington declined to comment.
See, you don't need to actually open the email to see if a correspondence occurred.
At least that was the first thing I thought when I read the article.
But of course, we'll probably never know. And I agree with you that we shouldn't jump to conclusions, it's just a possibility.
Should they get caught I doubt there will be a fallout. They can go the NSA route: It was just metadata.
Huh? Kent's statement on behalf of Google was anything but narrow. It was general: "We have never done this."
If I'm comparing the veracity of Kent's blanket denial vs. Mike A's hypothetical well-maybe-they-did (which could be satisfied through multiple alternative methods), well, that's an easy call.
> Huh? Kent's statement on behalf of Google was anything but narrow. It was general: "We have never done this."
The definition of this in context:
> that Google opened email messages in his Gmail account to investigate a leak
So that's not a blanket denial. Mike accused them of "accessing my Gmail account".
Which Kent explicitly rephrased to "that Google opened email messages in his Gmail account to investigate a leak".
> At the moment, all three top level comments are accusing Google of lying [...]
Wait a minute, this is not the kindergarten. When a company's motto[1] is "Don't be Evil"[2], I expect them to live up to certain standards. Not specifically lying in the real world is exactly the same as not saying anything when something unacceptable happens (Talent poaching agreements, PRISM, Privacy infringements, Tax evasion, etc.). So either you are soliciting a situation (Poaching agreements) or take part in a privacy breach (PRISM), you're in both cases equally responsible in a social frame. We can argue about your share of responsibility (and Google's is big, because they are BIG kids, know and understand repercussions of their actions), but either way you're guilty.
Also keep in mind that to prove any allegation against Google or any other company of the caliber it takes a lot of resources. How many people or companies actually DO have these resources? Only organizations like the EFF try to figure out if/what/when happens and even these organizations can't really perform any real inspection.
After PRISM, whatever Google/Apple/MS says, it makes sense to take their words with a grain of salt.
[1] A motto (derived from the Latin muttum, 'mutter', by way of Italian motto, 'word', 'sentence'; plural: mottoes (always listed first) or also mottos) is a phrase meant to formally summarize the general motivation or intention of a social group or organization.
I've been meaning to look at the trend in reactions to comparable news about google and that about microsoft. My suspicion is counter to your first statement, but very much believes your last.
I don't disagree. They are most likely telling the truth. However, they do have the ToS written in such a way that they could do that. Why would they need it like that, if they would never intend to use it?
Ok, let's assume, it's only written like that as an accident - so surely they will change it right away, so it doesn't say that anymore, right?
But I doubt they will. I really hope Google intends to add end to end encryption to Gmail, at least as an obvious option (UI wise), if not by default. Otherwise, I'm moving away from Gmail as soon as such a simple solution comes up.
I can't take anything these companies say as true after the no poaching agreements came to light. Sergey tried to keep it off the record and didn't want a paper trail, and that's behavior coming all the way from the top. How can you trust anything these companies say?
There is a reason executives avoid getting into any details of anything. Just like that Enron CEO "I'm not an accountant". Time for SOX style act for privacy/security area?
Google didn't avoid details here. Their General Counsel issued a categorical denial not just of Arrington's story, but of the notion that anything like Arrington's story had ever happened in any other circumstance. It is very difficult to argue that they're weaseling.
For whatever it's worth, Google is also not Enron. It's not hard to imagine Enron executives saying anything, because Enron was a sham business, "faking it until they made it" or, as it happened, fell off a cliff. Google generates tens of billions of dollars of revenue per year. They have a lot to lose. When Google's General Counsel says something newsworthy, it's not done casually.
Finally: I think it's worth reminding people that the other side of this argument is a person who claims not to have reported on this story until a few days ago because --- despite the fact that the story was immensely relevant to the public interest, and despite the fact that not reporting it put his own sources at grave risk not merely of losing their jobs but of being sued by billion dollar companies --- to have reported it earlier would have risked the bottom line of his own publication. Who are you going to believe?
I don't think Arrington is particularly credible nor do I believe Google, as a matter of course and policy, runs around reading specific users' emails. But the comparison to Enron is not necessary for something like this to at least conceivably have happened. After all, this happened
I tend to believe Google's GC and think Arrington is having some paranoid attention-seeking fantasy. At the same time, can some schmoe at Google read a gmail email? It seems like they can.
An SRE does not immediately mean you have the access needed to spy on email. I'm not saying that SREs don't have the access, but it is conceivable, and likely, that within the SRE field they have higher level clearance for some employees. The response from Google in that article even points to this being the case.
That's correct. There are thousands and thousands of SREs, but gmail data is considered to be basically the most private thing in the data centers - its access is heavily gated and audited.
I understand that all SREs wouldn't have access - but if one SRE was able to gain access to look at some personal emails, surely it would be fully possible for other employees to manage it as well? I think the stance that a lot of Google employees are taking - that gmail data is secure - seems to have a lot of holes in it. The data can't possibly be that secure if this guy got fired over looking at it.
It's not possible to manage the data if no one has access. The SRE in question didn't "hack" into the data - he had access. The access was audited, so when it was abused, the SRE was fired with cause, and I think that Google helped the prosecution.
And I believe you too! I do think there is some schmoe at google who can read my email. I don't think they do because what business does a schmoe have reading another schmoe's mail? My point was that it can be done, and it has been done, in a documented way, not that google is malicious.
Just to add it wasn't some highly detailed audit that caught this teen mail voyeur. It was the teens' parents that reported the access to google. This breach could have happened about the time Arrington ran into his problem. Perhaps controls were a little lax back then. We'll never know.
They categorically denied this: "that Google opened email messages in [Michael Arrington's] Gmail account to investigate a leak,"
They went on to say this: "While our terms of service might legally permit such access, we have never done this [opened email messages in Michael Arrington's Gmail account to investigate a leak] and it’s hard for me to imagine circumstances where we would investigate a leak in that way."
> Who are you going to believe?
Technically, neither contradicts the other. Considering who they are and what they are, technicalities matter, I think.
The antecedent of "this" in that sentence is fuzzy, but the clear, obvious, intended meaning of the sentence is that Google has never deliberately read someone's mail in the process of any investigation, not just Arrington's.
Let's put Google's denial off to the side for one moment. The core of Arrington's accusation is broken:
"The source had corresponded with me from a non Google email account, so the only way Google saw it was by accessing my Gmail account."
No, that's not the only way Google could have seen this email. It could easily have leaked via the non-Google email account: The employee could have (intentionally or accidentally) forwarded the email to their work account. Or they could have sent it or accessed it unencrypted from a Google internal network. They could have also sent the email to someone else who passed it on to Google. And so on.
Yes, these are all stupid mistakes that your careful, tech-savvy leaker shouldn't make, but people make mistakes like them all the time. And I wouldn't expect an inebriated leaker to make a point of mentioning whatever stupid mistake they might have made (if said leaker even realized where they went wrong).
> Or they could have sent it or accessed it unencrypted from a Google internal network.
I have a relevant anecdote. When I was an intern at Facebook, during one of the university relations events that was of a "hackathon" genre, I was creating with my friends a multiplayer web game that was using websockets for communication. The guest wi-fi network wouldn't let packets between different machines connected to it go through, so we decided to just tunnel all traffic to my laptop (the game server) through AWS using ssh tunnel.
It took only a few minutes for network security people to contact me, asking what's this big encrypted transfer to AWS all about, and mind you, it was Saturday evening.
> Or they could have sent it or accessed it unencrypted from a Google internal network.
This is the most likely scenario. If you are using a shared network administered by someone other than you, you should assume nothing about privacy or secrecy.
I think the most likely scenario is that the employee leaked it to multiple people, and one of them forwarded it to Google, either intentionally or non-intentionally.
I would find it very dubious if my own employer asserted that it was appropriate to read and act on an employee's private, non-work email because that employee accessed it from their network or device.
If I were a Google employee I'd be pretty interested in getting answers as to how they acquired this information, and to advocate to change internal policies if this was the case.
It also makes me think twice about ever working for an organization where I don't have root on the devices I use.
Google employees have root on their devices, unless it's a chromebook pixel for some reason. If you root that you can't use the corp network. Not sure why, since you have root on any other kind of laptop you might get from corp.
Just like they denied they had no knowledge of PRISM or any other NSA programs? They got awful quiet about that when the NSA started saying that Google and other companies knew what the NSA was doing. So, Google has already demonstrated that they will do or say anything so that people continue sharing and storing personal information on Google servers.
And it turned out that Google was correct. Guardian backtracked on their original story and changed the story to NSA surreptitiously stealing user information rather than claiming tech companies were complicit. In response, Google enhanced encryption to further protect users.
"• This article was amended on 20 March 2014 to remove statements in the original that the testimony by Rajesh De contradicted denials by technology companies about their knowledge of NSA data collection. It was also updated to clarify that the companies challenged the secrecy surrounding Section 702 orders. Other minor clarifications were also made."
They may have updated their article to excise the denials about PRISM - however the water is still muddy regarding the truthfulness of their statements under numerous other programs that the NSA has conducted under other legal authorities like Section 702, Section 215, etc.
Amongst other things, it makes NSA tapping of fiber in front of their datacenters less useful. It also makes switches that replicate traffic to NSA less useful.
http is like the postcard of the internet. By switching to https only, they are requiring you to send them messages in security envelopes rather than postcards.
Stipulating to Arrington's claims for the moment, he doesn't come across as very security-minded. When you're collaborating with a "whistle-blower", the employer is your adversary. Why would anyone use the employer's communication service to collaborate in such a case?
This would be an excellent chance for Google et al. to just drop the permission of them reading Gmail users' e-mail from the terms of service. If they have no intention of doing it, why leave it open in the terms?
I agree, the lawyer denies it, then says we have the right to do so now and in the future. And adds, though I can't imagine when we ever would.
The right to snoop through your email is the problem (the algorithmic searching to place ads I can understand some people finding annoying but that is the bargain for using Gmail - it isn't that I am talking about - it is the snooping for whatever purpose Google has for reading your emails by a person at Google).
That you promise to not do what you give yourself the right to do is not worth much of anything. I don't imagine this lawyer would sign off on legal contracts that had bad clauses that the other side said "no, leave the contract the way it is, just trust us to not ever use that clause."
There may be cases where they need to read emails for debugging purposes (e.g. fixing a spam filtering problem). Perhaps this should require explicit permission.