by thu2111 2373 days ago
Probably a bit naive?

Security tools, and especially extensions that run with full browser access, are in an exceptionally trusted position. Employees who can inject code into arbitrary websites can in effect get administrator access to anything in the company, as Google is run almost entirely off of web apps of various kinds. It's actually hard to get more trusted than that: without a doubt this woman effectively had a greater level of access than Sundar Pichai or other senior executives.

If there's one thing you don't screw around with in any firm, it's mis-using administrator access. Mis-use here means doing things that aren't related to your job description. You just don't do it! What she did would be like a logs engineer deleting internal access logs to cover up activity by political allies, or a GMail engineer spying on conversations between executives. It's complete madness to think you can abuse such a high level of trust in such a direct way and get away with it!

I used to have a certain type of Google account system administrator access. The way I used it was watched very closely, and deservedly so. Eventually it was removed because Google built better security systems that could restrict employee access more, and in my team we were happy about this (for one, it meant we were less likely to be hacking targets). The idea of anyone abusing this sort of access for political reasons was unthinkable.

I honestly can't believe people here are defending this kind of behaviour. If Googlers feel it's OK to abuse root@chrome for unionisation-related purposes, what else might they start doing? What about people perceived as 'bad'? Google needs to explain what happened here pronto, because apparently she was able to get this change through code review? So she had internal allies who approved her abuse of access? That is tremendously worrying.

Google is very rapidly burning the trust it requires for its business models to function. How can anyone trust the firm when 21-year-old activists are able to manipulate Chrome for political causes and Google's own security procedures are unable to stop them?

1 comments

This is reprimanding for the content of the message, not the scope of the code which would have actual security implications. Furthermore, it is a warning about not violating an actual company policy. This is not far off from the scope this pop-up tool is designed for. While it is clear that this was done as a response to Google hiring this firm to dissuade folks from organizing, I could argue that it could be done to warn managers not to use the firm's presence as permission to violate a specific policy + law. IANAL but this seems like an extremely grey legal area. For example, this could be aimed at managers to remind them that even though this firm is hired, they cannot enforce a ban on organization according to that specific policy in the handbook. I think that's an appropriate use IMO, it would save the company some serious money and headache if it stopped a manager from illegally retaliating against organization.

I would not characterize this as evidence that this person is a security risk. It takes the existing culture of Google, including past incidents like changing the default desktop wallpaper for a protest that was happening, etc.

Also if this is true it is totally insane. Sounds like intimidation tactics to stop exactly what the pop-up warned against.

> They also dragged me into three separate interrogations with very little warning each time. I was interrogated about separate other organizing activities, and asked (eight times) if I had an intention to disrupt the workplace. The interrogations were extremely aggressive and illegal. They wouldn’t let me consult with anyone, including a lawyer, and relentlessly pressured me to incriminate myself and any coworkers I had talked to about exercising my rights at work.

I think you're assuming it's related to the message content, but that's not what Google are saying and it's not how corporations work in my experience. How you do something matters a great deal in any large bureaucracy. If Spiers wanted to remind people they could unionise there are communication systems that exist for people to talk to each other on their own initiative without approval, systems like email or even memegen.

Modifying the behaviour of people's web browsers isn't a channel intended for employees to push personal messages to each other and this should have been really obvious to her. She and her colleagues were trusted with a tremendous amount of power which could be readily abused (see my other comment on this thread), and the expectation was clear that it'd be used only within the bounds of what her management asked her to do, namely corporate security.

When she went outside those bounds and started using her immense technical privileges in ad-hoc ways, and (worse) making arguments like "I got a colleague to approve a code review so it was OK", she gave an extremely clear demonstration that management simply couldn't trust her. It's not about unionisation. It's about someone with the power to steal cookies from her own colleagues going rogue and deciding her own personal political priorities matter more than company policies she had agreed to follow.