by panarky 2383 days ago
> We want to have confidence that the administrators who run the systems that access user data cannot abuse their powers.

So "Binary Authorization for Borg" is a defense against getting Snowdened.

1 comment

It's more a defense against getting NSA'd (via the specific threat model of an attacker secretly replacing a security service with an implementation that looks very similar but is much easier to crack).
More generally you might say it supports rule of law. If something happens according to procedure then it's ok.

You might not think that's much of a guarantee, but it beats the alternative where things happen due to shadow processes.

I think that's right. I would strengthen that statement slightly - it's about ensuring that no actor - whether an insider, or someone who has stolen their credentials, or otherwise compromised them - can perform an action that single-handedly accesses user data, without it being known to another actor - via access logs, via approvals, etc.

In terms of the upstream introduction of a new vulnerability, Binary Authorization for Borg can only verify that the code was in fact merged. See the section on third party code, "When importing changes from third party or open source code, we verify that the change is appropriate (for example, the latest version)."

Disclosure: I work at Google and helped write this whitepaper on Binary Authorization for Borg.
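The two points made in this thread (a swapped-in look-alike service should not be admitted, and no single actor should be able to get code running unnoticed) can be shown with a small admission check. The following is an added example written for this page, not Google's code and not the whitepaper's design: a verifier refuses to run a binary unless a signed build attestation matches the binary's hash, records that the source was merged, and names at least one reviewer other than the author, and it logs every decision. The attestation fields, the HMAC-based signature (a stand-in for the asymmetric signatures a real deployment would use, since the verifier should not be able to forge attestations itself) and all sample values are constructed.

```python
"""Toy admission check in the spirit of Binary Authorization: a binary runs
only if a signed build attestation says it was built from merged, reviewed
source.  Constructed example; the attestation schema is an assumption and
HMAC stands in for the asymmetric signing a real system would use."""
import hashlib
import hmac
import json

# Constructed key shared by the trusted build system and the verifier.
# Not a real secret; a production verifier would hold only a public key.
BUILD_SYSTEM_KEY = b"constructed-demo-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(attestation: dict) -> bytes:
    """Deterministic encoding so the signature covers exactly these fields."""
    return json.dumps(attestation, sort_keys=True, separators=(",", ":")).encode()


def sign_attestation(attestation: dict, key: bytes = BUILD_SYSTEM_KEY) -> str:
    """What the trusted build system attaches to each build (constructed)."""
    return hmac.new(key, canonical(attestation), hashlib.sha256).hexdigest()


def make_attestation(binary: bytes, *, source_commit: str, author: str,
                     reviewers: list, merged: bool) -> dict:
    """Provenance record emitted alongside the binary (assumed schema)."""
    return {
        "binary_sha256": sha256_hex(binary),
        "source_commit": source_commit,
        "author": author,
        "reviewers": reviewers,
        "merged": merged,
    }


def admit(binary: bytes, attestation: dict, signature: str, audit_log: list) -> bool:
    """Return True only if every policy check passes; every decision is logged
    so a second party can see what ran and why."""
    digest = sha256_hex(binary)

    def deny(reason: str) -> bool:
        audit_log.append({"decision": "deny", "reason": reason, "binary_sha256": digest})
        return False

    # 1. The attestation must be genuine and untampered.
    if not hmac.compare_digest(sign_attestation(attestation), signature):
        return deny("attestation signature invalid")
    # 2. It must describe this exact binary, not a look-alike.
    if attestation.get("binary_sha256") != digest:
        return deny("attestation does not describe this binary")
    # 3. The source must have gone through the normal merge procedure.
    if not attestation.get("merged"):
        return deny("built from unmerged source")
    # 4. Two-party rule: at least one reviewer other than the author.
    if not set(attestation.get("reviewers", [])) - {attestation.get("author")}:
        return deny("no independent reviewer on record")
    audit_log.append({"decision": "allow", "binary_sha256": digest,
                      "source_commit": attestation["source_commit"]})
    return True


def demo():
    """Run four constructed cases; returns (decisions, audit_log)."""
    log = []
    reviewed_binary = b"constructed reviewed build"
    good = make_attestation(reviewed_binary, source_commit="commit-placeholder-1",
                            author="alice", reviewers=["bob"], merged=True)
    good_sig = sign_attestation(good)
    results = {"reviewed": admit(reviewed_binary, good, good_sig, log)}

    # A look-alike binary presented with the legitimate build's attestation.
    results["swapped"] = admit(b"constructed look-alike build", good, good_sig, log)

    # Author listed as their own only reviewer: no second party.
    solo = make_attestation(reviewed_binary, source_commit="commit-placeholder-2",
                            author="alice", reviewers=["alice"], merged=True)
    results["self_review"] = admit(reviewed_binary, solo, sign_attestation(solo), log)

    # Attestation edited after signing: the merged flag is flipped to True.
    unmerged = make_attestation(reviewed_binary, source_commit="commit-placeholder-3",
                                author="alice", reviewers=["bob"], merged=False)
    sig = sign_attestation(unmerged)
    unmerged["merged"] = True
    results["tampered"] = admit(reviewed_binary, unmerged, sig, log)
    return results, log


if __name__ == "__main__":
    decisions, audit = demo()
    print(decisions)
    for entry in audit:
        print(entry)
```

Only the reviewed build is admitted; the look-alike fails on the digest check, the self-reviewed build fails the two-party rule, and the edited attestation fails signature verification. The audit log carries all four decisions, which is the "known to another actor" property the comment above describes.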