by SV_BubbleTime 1454 days ago
>We have very strict and very well engineered data retention systems. When we say data is deleted, we mean it. Various levels of automation ensure the data is purged, and all data is tracked meticulously for violations across every datastore.

Ok, how would you know that is true?

How many ways can you think of would there be for your statement to be false?

If someone "higher clearance" than you decided to make you believe the above, but actually retained it somewhere in some way you weren't allowed to see, is the number of ways more than one? How valuable could deleted data be in the case of blackmail or espionage? Can you actually be confident that someone above or before you didn't write a false delete function?

I'm not implying, I'm suggesting that "things we know to be true" is a smaller list than people think.

You suspect WIPEOUT is real, but can't actually know, and you are inside. Why would I believe for even a second?


Some of us actually work or worked on wipeout systems. And said systems are run by the team running the service that deals with the data.

Also, all the source code (for all systems) is visible to all Googlers.

This kind of conspiracy theory is really boring.

Maybe the conspiracy theories are because some have a very long memory:

"NSA taps into Google, Yahoo clouds, can collect data 'at will,' says Post"

https://www.cnet.com/tech/tech-industry/nsa-taps-into-google...

"National Security Letters"

https://www.eff.org/issues/national-security-letters

There is a reason behind the usual in-court phrase of "...tell the truth, the whole truth, and nothing but the truth...". So, if a third party got copies of the data, it would be true that Google deleted it... It would just not be "the whole truth".

> How many ways can you think of would there be for your statement to be false?

Not as many as you might think.

The systems at Google may seem incredibly complicated--and they are--but when I worked there, the scenarios where somebody intercepts and exfiltrates data without your knowledge are extreme.

> If someone "higher clearance" than you decided to make you believe the above, but actually retained it somewhere in some way you weren't allowed to see.

The way this data is stored, it is designed so that access to the data is logged and the logs have various alerts / auditing procedures to catch exfiltration attempts. SREs will periodically create user data and try out clever ways of destroying or exfiltrating it to test that these controls work. The Snowden leaks also cast a long shadow over work at Google, and since then, basically, all the traffic and data in storage has been encrypted in ways that make it difficult for state level actors to surreptitiously intercept it. These systems are a bit nightmarish to design, because there are competing legal/compliance reasons why data must be retained or must be purged. For example, certain data must be retained for SOX compliance, data may be flagged as part of an ongoing investigation, data may be selected for deletion for GDPR compliance, etc.

Obviously, it is POSSIBLE that someone is still exfiltrating data, but you have hundreds or thousands of smart engineers who are trying to prevent "insider risk" and "state level actors". People within the company are a big part of the threat model, and agencies like the CIA, Mossad, KGB, etc. are also part of the threat model.

The stack may be complicated, but it's also designed with defense-in-depth to prevent people at lower levels in the stack from subverting controls at higher levels in the stack. For example, people who work on storage systems may be completely unable to decrypt the data that their storage systems contain.

If you're going to get pissy about it, it's obviously true that we are not 100% certain that data is destroyed when we say it is. But this invokes a standard for "knowing" that precludes knowing the truth of any statement which is not an analytic statement.

You don't have to believe, even for a second, if you didn't work with the wipeout systems. That's fine. I'm not trying to convince you that wipeout works as intended, because I know that I can't provide the evidence to you.

However, you seem to be arguing that other people don't know that the wipeout systems work--that it's somehow impossible to know.
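The two mechanics this reply describes (competing retain/purge obligations such as a SOX hold versus a GDPR deletion request, and checking every datastore for copies that should be gone) as an added toy example; it is not code from Google or from anyone in the thread, and the hold names, record IDs and datastore names are constructed:

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

@dataclass(frozen=True)
class Hold:
    reason: str           # e.g. "SOX", "investigation" (constructed names)
    expires: date | None  # None = open-ended hold
@dataclass
class Record:
    record_id: str
    holds: list[Hold] = field(default_factory=list)
    deletion_requested: bool = False  # e.g. a GDPR erasure request

def active_holds(record: Record, today: date) -> list[Hold]:
    return [h for h in record.holds if h.expires is None or h.expires >= today]

def purge_decision(record: Record, today: date) -> tuple[str, list[str]]:
    """Any active hold wins over a deletion request; no request means retain.
    The reasons are returned so the decision itself can be audit-logged."""
    holds = active_holds(record, today)
    if holds:
        return "retain", sorted(h.reason for h in holds)
    if record.deletion_requested:
        return "purge", ["deletion_requested"]
    return "retain", ["no_deletion_request"]

def purge_violations(audit_log, datastores: dict[str, set[str]]) -> list[tuple[str, str]]:
    """After the purge ran, sweep every datastore (primary, backups, indexes,
    caches) for copies of 'purge' records; any copy still present is a violation."""
    purged = {rid for rid, decision, _ in audit_log if decision == "purge"}
    return sorted((rid, store) for store, present in datastores.items()
                  for rid in purged if rid in present)

# Constructed sample data: four records, three datastores, one stale backup copy.
TODAY = date(2024, 6, 1)
RECORDS = [
    Record("r1", [Hold("SOX", date(2031, 1, 1))], deletion_requested=True),
    Record("r2", [Hold("SOX", date(2020, 1, 1))], deletion_requested=True),
    Record("r3"),
    Record("r4", [Hold("investigation", None)]),
]
DATASTORES = {
    "primary": {"r1", "r3", "r4"},       # r2 was purged here ...
    "backup": {"r1", "r2", "r3", "r4"},  # ... but a backup copy survived
    "search_index": {"r1", "r3"},
}
# One audit-log entry per record: (record_id, decision, reasons)
AUDIT_LOG = [(r.record_id, *purge_decision(r, TODAY)) for r in RECORDS]
VIOLATIONS = purge_violations(AUDIT_LOG, DATASTORES)  # → [("r2", "backup")]
```

The sweep is the part that turns "we say it is deleted" into something checkable: a purge decision is only complete once no datastore still reports the record.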

This is just Pascal's Wager.

I can't know, lots of people have opinions, so I should just side with the one (avoid Google) that gives me the highest likelihood of happiness.

You don't know, that's fine. You were saying that specific other people don't know either, which is weird.