Title is difficult to decipher, here’s what it’s about:
> A new report on old privacy incidents [2017] suggests that at least one Nintendo leak came from a Google employee showing off private YouTube videos to a friend.
"Nintendo leak: Google employee accessing private YouTube videos" would be clearer. Showing those videos "only" to a friend isn't really that relevant.
The friend is quite relevant. There is no expectation of a video stored on a Google system being private to Google employees, but there is an expectation that they will not take that information outside of Google.
> There is no expectation of a video stored on a Google system being private to Google employees
"No expectation" of it not being available to "some" employees maybe, but there are certainly ways to restrict access to only need-to-know employees. Ideally no employees at all unless some sort of automated monitoring system flags it or there is an outside report.
Just like some social networks, I would "expect" only security and moderation people would have access to profiles but there are always stories of entire companies having unrestricted access.
It's unclear from the article where the access boundaries are in this case.
There should be auditing of such access as well. Companies need to post videos early in order to be sure they are available as soon as they launch a product. I wonder what kind of insider trading opportunities this has created for Google employees.
The private information is shared with YouTube/Google, so the assumption is that anyone who is an agent of Google is in on the secret. If it must only be in the hands of one or a small group of people at Google, you'd best go to those individuals directly, not through the overarching entity of Google as a proxy.
> so the assumption is that anyone who is an agent of Google is in on the secret
I think there is a difference here between "expectation" and "assumption".
Without the ability to do a third-party audit I agree the only reasonable assumption to make is that everyone is in on the secret and when dealing with sensitive information it should always be the assumption you go with.
However, as an expectation, I expect SaaS and social network providers (and by extension most of the HN crowd) to be better.
It's from one of the content moderators. They are all hired and managed through a recruiting agency. There were over 10k of us while I was there. And most people are just kids with one week of onboarding doing a short-term contract. Whoever did it is blackballed by the biggest recruiting agency in the world. Way to get your life crazy difficult over Reddit points.
A lot of these tank "leaks" are just PDFs of manuals you can buy on eBay. They're restricted but legal to own. It only becomes illegal when you export them to other countries.
I believe what GP is referring to is the Air Force National Guardsman who's going to jail for leaking classified intelligence on a Discord server to prove he was right. I don't think it was actually about tanks, just that it happened in a WarFrame Discord (or something like that).
Great, "it was only a friend" is the same thing anyone says when caught revealing a secret that was meant to "remain between us". That's a load of horseshit for an excuse.
No, it's not. Typically moderators can view content that needs moderation, i.e. is visible to other users. There is no reason to give them access to all private videos, which are different from unlisted.
Yes it is. You can keep saying "no it's not" until the cows come home, but every single bit of unencrypted content (and possibly well known hashes of encrypted content) is subject to moderation on any large corporate property.
In many states it's legal for people 16-18 to work, usually with limitations on hours worked per shift/week and what kind of jobs they can do.
Even then, many older people in the US will call someone 18-20 "kids", even though they're technically adults.
As a US English speaker I took it to mean "a bunch of young and immature people, probably on their first job" when I heard "most people are just kids", not that they're literally hiring 12 year olds or something.
I can't say I know the law in every state so I typically don't say absolutes like that. If that's true, thanks for clarifying/correcting.
Also, it looks like you're right for at least the states I normally deal with. Looking back the first job I had started when I was still 15, I must have just blended those shift schedule restrictions during the rest of my time working as 16-17 as well. So yeah, I guess that's probably true.
Violating labor laws with children is actually really common, and plenty of places DO abuse young labor. It is NOT avoided.
Do you think all the workers in your company's call center in some random country are all truthfully 18? Hell, do you think none of them are working against their will?
When companies can get away with it (read: they abide by all laws) why would they not? It is cheaper and money is prime directive number one. Do you actually think companies make money and have a finely tuned moral compass at the same time?
I made the parent comment exactly for this discussion. Do not assume corporations have a moral compass. They do not care and will outsource each and everything if that is cheaper than handling stuff themselves. Why is it cheaper to pay some people to get the law on your side than actually start doing normal human moral behaviour? Why can they actually outsource responsibility at all? Strange planet we live on.
Related side note: I've always had a suspicion that one of the ideas I was working on using Google Colab was viewed by an employee and leaked, because someone wrote a blog post with the exact same idea (very niche) before I got round to releasing mine (I ended up not bothering due to being gazumped), and a Google Colab employee tweeted that blog post. (Puts on tin foil hat.. I stopped using Colab after that.)
While it says that your personal data may be seen by human reviewers to troubleshoot, address abuse or make improvements based on your feedback, it does not mention that your data will be used to generate ideas for blog posts.
They seem to be making a big deal out of nothing. These are all cases where someone did something, it was reported/discovered, and it was investigated and handled by security/global investigations.
This sort of thing is extremely bad news for Google.
One of the open secrets about how advertising works in the modern era is that brand synergy demands planning years in advance. Google employees, back in the day, could see the Marvel Cinematic Universe release plan out to several years if they knew where to look, as well as console launch dates, major product releases, and other things of that nature. This is because the advertising sector has high-touch, high-value customers, and those customers expect their marketing plan to go off without a hitch. So Googlers have to make time and schedule things like DiRT testing and new feature validation sensitive to those schedules; Warner Bros isn't going to want to hear it if their Superman ad dropped 2 days early because a feature flag was misconfigured.
When Google was smaller, this was fine. But as a 100,000 person company, I believe it is completely infeasible to expect every Googler to keep those secrets. At those scales, you can't really even use the threat of firing to maintain secrecy because you can't really guarantee that the person who's going to replace the fired one is going to be more loyal. So inevitably, either Google locks down its internal infrastructure (turning it into a company other than the kind of company it was in the past), they cap their employee growth (which implies capping their growth in general), or they start losing high value customers who can't trust them to keep a secret.
In practice, they are definitely doing the first two to some extent and that is changing the flavor of the company internally. Part of the secret sauce of old Google is it didn't keep secrets from itself.
Well that's what happens when you put a McKinsey shrill at the helm and let them go on a mass hiring then mass layoff spree while bending a knee to activist investors to lower wages. You end up with employees who dgaf.
From my experience with any kind of work that concerns interesting, private (multimedia) data, all of it will be used and abused by employees. I once worked on the backend for the tax return calculations and people there were just looking up anyone's private (financial) data left and right, e.g. to see how much their dates were making, where they were living, when exactly they were born, etc...
Pretty much all these sites can view every bit of content you submit to them for moderation purposes. Many of them state your data can teach learning models.
If you really want it private, you don't want it on the cloud/social media sites.
People know what "private" means. If a company calls something private, but it isn't, then they're the ones who need to reconsider what it means, and call their service something else.
A general rule is people don't know shit when it comes to legal definitions. When you have a video it's private to you. When you give that video to a friend it's 'private' between both of you. And when you put a private video on YouTube it's 'private' between you and the conglomerate entity of hundreds of thousands of people and all their contractors called Google.
Now the contractor did break the rule and shared it, but your idea of private as no one will see it is the broken expectation.
Yes, indeed, people do know that when I say "I have some private information to share with you", it means I am going to let another party in on the secret.
Articles like this and the endless stream of hacks & leaks are important reminders that there is no such thing as computer security. If your data is on a networked computer, you should consider it semi-public.
There absolutely is for anyone who cares to use it. That sort of defeatist mindset is super counterproductive, and ends up putting more people in harm's way.
We're talking about people choosing to upload unencrypted content to a cloud service that is obviously publicly available. The security/privacy properties of this action I think should be obvious even to less technical users.
Sysadmins are also people. Also I've been pushing for informative security scoring for publicly used services for over a decade. If you're in the field, it's pretty obvious which services are at high risk of being breached, but that really should be something more accessible to the general public, like FDA letter grading for restaurants.
> There absolutely is for anyone who cares to use it
> Sysadmins are also people.
Is it your contention that the sysadmins at those organizations don't care about computer security? Or that users are responsible for knowing whether their organizations' sysadmins care about computer security?
I mean how many times have we seen people leak military information on world of tanks (or whatever)? These people know they'll get court martialed and still do it anyway. These people doing moderating are getting paid near minimum wage to look at the worst things on the internet, you can blame the individual, but the entire moderation system is set up with cheap contractors they burn out and replace at high rates. Systemic failure is guaranteed.