Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Ok, I'll bite. How does Google, in your opinion, treat user data?


Data is divided into many different logs, with engineers having access only if it's needed for their role. Access can be at the per-log level or the per-column level: working on Ads JS I had access to raw frontend logs, but I didn't have access to the identities of the users sending those queries (if I'd needed that for a project I could have applied and had my need reviewed). Every few months you need your access renewed, so if you've switched roles you stop having access. What queries you run are logged, and I believe there was some sort of random auditing of those logs to make sure people were running queries that made sense, though I never interacted with that part.

(I left Google in June.)


So basically very primitive security compared to say how banks are handling client data in jurisdictions like Switzerland (one of my daily tasks). The fact that dev can have access to PROD logs just by himself unsupervised (even if for obviously good reasons from his/company point of view) is a big fat red flag.

That all mentioned here clearly means google doesn't have data privacy at the core of their priorities and this won't change unless forced by fines/regulation, just like banks. Slightly disappointed when reading this, but I guess I shouldn't have expected more.


> The fact that dev can have access to PROD logs just by himself unsupervised (even if for obviously good reasons from his/company point of view) is a big fat red flag

What's wrong with granting engineers access to PII-less logs[1] by default? How does that compromise privacy?

I'm willing to bet your bank differed on the following ways from Google in absolute numbers and per-engineer:

* handled significantly less requests per second - at least 2 orders of magnitude - therefore lower log volumes

* shipped less changes to prod per unit time, so fewer problems to investigate

1. No IP client address, raw session id or username


Likely better than 99.999999999% of the companies you interact with.


It doesn’t matter. When we talk about “having access to user data,” we’re talking about a humans being able to look at, I.e, the user logs of a former lover and doing something bad with it.

But that’s not the real danger of Google having this data. The danger is in ML. Google’s entire business model is predicated upon using information about you to change your behavior, and to sell on the market predictions of your future behavior.


> It doesn’t matter. When we talk about “having access to user data,” we’re talking about a humans being able to look at, i.e, the user logs of a former lover and doing something bad with it.

Google is one of the few companies known to have caught, fired, and officially publicly named an employee who did something like this:

https://techcrunch.com/2010/09/14/google-engineer-spying-fir...

Most tech companies about which people don't routinely raise this type of concern have far weaker security controls against (and detection systems for) this threat model than Google does.

That said:

> But that’s not the real danger of Google having this data. The danger is in ML. Google’s entire business model is predicated upon using information about you to change your behavior, and to sell on the market predictions of your future behavior.

I'm of two minds of this. I'm not thrilled about how much data Google combines and unnecessarily insists on collecting in order to allow things like the Google Assistant and Google Maps to provide full functionality. At the same time, many of Google's assistance and search services are better than their competitors exactly for this reason. I primarily wish they were more transparent in this area with fewer dark patterns and more user control, with forcing users to pick between excessive data sharing and inadequate access to Google services.

Disclosure: I have worked for Google in the past, but not since early 2015. I certainly am not speaking for them here.


> Google is one of the few companies known to have caught, fired, and officially publicly named an employee who did something like this

Not disagreeing with your broader point, but that specific employee was not caught by Google but was reported externally by parents of the minors after abusing access for months. I suspect the incident you linked predates - and was the impetus for - many controls that were subsequently added

Speaking speculatively: I've never worked for Google


Obvious typo corrections following the end of the edit window:

> I'm of two minds of this.

I'm of two minds on this.

> with forcing users to pick between

without forcing users to pick between


Google Maps and Google Assistant could work with that data and Google could also choose not to be surveillance capitalist robber barons.


Vacuum everything constantly and then horde it like Smaug, if Smaug was an unscrupulous salesman in a polyester suit?

But somehow this is ok because within Google the common employee doesn’t have access, but is rather incentivized to make the vacuum or selling more efficient?


Are you under the impression that the rest of FAANG doesn't do this? If so, I've got some big news for you...

When people talk about 'security' at Amazon/Microsoft/Google/Apple, they're describing audit performance and ISO compliance. From a business perspective, that's really the only thing that matters. Everything else is played pretty fast-and-loose. Both Apple and Microsoft have been caught backdooring their infrastructure for foreign governments, if anyone out there still has faith in these companies then I hope they stop taking life advice from VC heads.


> Are you under the impression that the rest of FAANG doesn't do this?

All data collection practices are not equal.

>Google Tracks 39 Types of Private Data, the Highest Among Big Tech Companies

Google takes the cake when it comes to tracking most of your data. This should not surprise, given that their entire business model relies on data.

Twitter and Facebook both save more information than they need to. However, with Facebook, most of the data they store is information users enter.

Apple is in a league above Amazon in protecting user privacy. It is the most privacy-conscious firm out there. Apple only stores the information that is necessary to maintain users’ accounts.

https://stockapps.com/blog/google-tracks-39-types-of-private...


You are giving Apple too much credit here. Apple can plaintext any iMessage if they wish with their signing keys for the servers that exchange user encryption keys. Why do you think the CCP demanded control of those servers for chinese residents? Just because Apple has a profit model other than adtech does not mean they are making choices that prioritize immutable privacy.

Apple could have folded, like even (old) Google did, and refused to comply with the CCP but shareholders would have been too upset seeing the price go down.

Successful publicly traded companies will almost always do the most profitable thing legally possible, no matter how evil.


Businesses must follow the laws of the jurisdictions they operate in. Technology cannot outrun the legal system for long.


I agree with your second paragraph, but I don't understand the point of the first? Are you saying that Google can be forgiven, since its competitors do the same?


They're saying everyone does it and it's NOT OK for all of them.


Disagreeing with the practices of one company doesn’t indicate support of companies with potentially similar practices.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: