"Nintendo leak: Google employee accessing private YouTube videos" would be clearer. Showing those videos "only" to a friend isn't really that relevant.
The friend is quite relevant. There is no expectation of a video stored on a Google system being private to Google employees, but there is an expectation that they will not take that information outside of Google.
> There is no expectation of a video stored on a Google system being private to Google employees
"No expectation" of it not being available to "some" employees maybe, but there is certainly ways to restrict access to only a need-to-know employees. Ideally no employees at all unless some sort of automated monitoring system flags it or there is an outside report.
Just like some social networks, I would "expect" only security and moderation people would have access to profiles but there are always stories of entire companies having unrestricted access.
It's unclear from the article where the access boundaries are in this case.
There should be auditing of such access as well. Companies need to post videos early in order to be sure they are available as soon as they launch a product. I wonder what kind of insider trading opportunities this has created for Google employees.
The private information is shared with Youtube/Google, so the assumption is that anyone who is an agent of Google is in on the secret. If it must only be in the hands of one or a small group of people at Google, you'd best go to those individuals directly, not through the overarching entity of Google as a proxy.
> so the assumption is that anyone who is an agent of Google is in on the secret
I think there is a difference here between "expectation" and "assumption".
Without the ability to do a third-party audit I agree the only reasonable assumption to make is that everyone is in on the secret and when dealing with sensitive information it should always be the assumption you go with.
However, as an expectation, I expect SaaS and social network providers (and by extension most of the HN crowd) to be better.
There may be a difference, but it seems you have them flipped. It is a reasonable assumption to think that they have controls to limit who is able to see information[1], but one must go in with the expectation that every acting agent has access.
[1] Of course, since you don't know who the individuals are, you still have to place your trust in every single agent that works for the entity you chose to entrust. As such, nothing is gained by restricting access. It remains that if it is important that it be private with only one or a few, you must go to those individuals you trust directly. Granting them private information by proxy will always be subject to man-in-the-middle-ing.
I think you have it backwards: an expectation is a standard (the term is used loosely here) that someone should be meeting. We expect people to do the right thing, but sometimes must, as in this case, assume they are doing the wrong thing.
Applied here, the expected and right thing to do is follow the principles of least access. However, we must assume google is not doing this, because there is insufficient evidence that they are, and there is actual evidence that they don't have sufficient controls to limit who is able to see information.