Anybody have tabs on the original non-dupe thread? It doesn't appear to be anywhere near the front page, despite the fact that this is arguably the day's biggest tech story, and the news is around 2 hours old.
Earliest trending thread about this topic was 'Google Exposed User Data, Feared Repercussions of Disclosing to Public ' [1] linking to WSJ [2].
There's a relevant moderator post [3] on the Google PR piece thread [4], which suggests that concerns about the WSJ article's paywall have resulted in a manual moderator intervention to let the Google PR piece inherit the WSJ article's rank on the page. This is unfortunate, because a company PR piece that buries the lede is hardly equivalent to a critical news report.
How is this confusing? An internal review found a potential exploit. They investigated and found it hadn't been exploited. They fixed it. They just publicly announced it.
I have zero affiliation with Google, but none of this is remotely sinister.
> Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.
> Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.
They didn't announce it, they followed their internal policies which told them NOT to announce it. This is what people are upset about.
> The WSJ reports that the company chose not to report it because of fear of “immediate regulatory interest” that would lump Google in with Facebook, according to one source’s description of the incident.
If this source is to be believed, the decision not to announce was less policy-driven than they are claiming. It sounds more like they were intentionally keeping the issue (and potential breach) secret, which naturally bit them in the ass when word eventually got out.
"Whenever user data may have been affected, we go beyond our legal requirements"
Cool. So they usually do more than they're legally obligated to. This time they didn't, and various people/commentators are fetching their fainting salts.
Regardless of whatever anonymous sources at the WSJ say, I really don't care about why they did it. They followed their legal obligations and - even more important to me - I have no ethical or professional issues with the way they managed the incident.
> The announced it. Perhaps you think it should have been sooner?
Yes, they did. After it was investigated by the WSJ, 6+ months after the fact. I'm not a real stickler about disclosure timelines beyond "wait for the patch please", but "only after it leaks several months later" still rubs me the wrong way.
> They followed their legal obligations and - even more important to me - I have no ethical or professional issues with the way they managed the incident.
Ethical standards vary widely. Personally, in the category of "Things Google has done that raise ethical concerns", I don't think this incident is significant enough to bother mentioning. But I do think it sits in a bit of a moral gray area.
Google et al constantly try to force you into their systems, for a while you had to have a google+ account to be able to use hangouts. So when I had to use hangouts I felt it necessary to create a dummy-account that I only used for hangouts (and tried my best to ensure my google+-profile was as locked down as possible). Thanks for that one!
I'm terrified every time there is a new android update (or new device) that I will accidentally missclick something and bam, all your photos are now synced to google photos. If not instantly some genius will simplify the experience and make all your photos public since that's what everyone should want anyway.
Do I have a youtube account? I don't know(!). I've tried my best to avoid it.
I you use Android, you should always use a separate (dummy) Google account for it. It is equally important to use non-Google apps for Google services such as Gmail and YouTube, otherwise they'll link your accounts anyway.
I've got a separate google account for pretty much each google service I use. Which isn't much, the only one of value is my android-account that manage my app-store purchases.
Unfortunately, yes, it is trivial for google to link the accounts together. But I truly doubt they would do that, and they can not be certain that just because they are used on the same device that they have the same owner.
But the trick is to not store anything sensitive on any of them. If google started require a phone number linked to the accounts I'd quickly investigate the option of generating dummy (but not one-time use) numbers. And if that fails I'd just stop using those services.
23 comments
[ 1.8 ms ] story [ 45.2 ms ] threadI feel a PR piece shouldn't be the only post if there's subtext like "a security/privacy flaw" that affected millions.
Also the comment thread for the Google PR post seem to be mainly about how little Google+ was used and various issues around its launch.
Here's the link if anyone's interested: https://news.ycombinator.com/item?id=18169243
Thanks for posting this, you saved me a bunch of time digging for it.
There's a relevant moderator post [3] on the Google PR piece thread [4], which suggests that concerns about the WSJ article's paywall have resulted in a manual moderator intervention to let the Google PR piece inherit the WSJ article's rank on the page. This is unfortunate, because a company PR piece that buries the lede is hardly equivalent to a critical news report.
[1] https://news.ycombinator.com/item?id=18169027 [2] https://www.wsj.com/articles/google-exposed-user-data-feared... [3] https://news.ycombinator.com/item?id=18169719 [4] https://news.ycombinator.com/item?id=18169243
Which was a WSJ article: https://www.wsj.com/articles/google-exposed-user-data-feared...
I have zero affiliation with Google, but none of this is remotely sinister.
> Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.
They didn't announce it, they followed their internal policies which told them NOT to announce it. This is what people are upset about.
> The WSJ reports that the company chose not to report it because of fear of “immediate regulatory interest” that would lump Google in with Facebook, according to one source’s description of the incident.
If this source is to be believed, the decision not to announce was less policy-driven than they are claiming. It sounds more like they were intentionally keeping the issue (and potential breach) secret, which naturally bit them in the ass when word eventually got out.
You are reading - at this very second - a duplicate of a post linking to https://blog.google/technology/safety-security/project-strob... talking about this very security flaw. The announced it. Perhaps you think it should have been sooner?
"Whenever user data may have been affected, we go beyond our legal requirements"
Cool. So they usually do more than they're legally obligated to. This time they didn't, and various people/commentators are fetching their fainting salts.
Regardless of whatever anonymous sources at the WSJ say, I really don't care about why they did it. They followed their legal obligations and - even more important to me - I have no ethical or professional issues with the way they managed the incident.
Yes, they did. After it was investigated by the WSJ, 6+ months after the fact. I'm not a real stickler about disclosure timelines beyond "wait for the patch please", but "only after it leaks several months later" still rubs me the wrong way.
> They followed their legal obligations and - even more important to me - I have no ethical or professional issues with the way they managed the incident.
Ethical standards vary widely. Personally, in the category of "Things Google has done that raise ethical concerns", I don't think this incident is significant enough to bother mentioning. But I do think it sits in a bit of a moral gray area.
Google et al constantly try to force you into their systems, for a while you had to have a google+ account to be able to use hangouts. So when I had to use hangouts I felt it necessary to create a dummy-account that I only used for hangouts (and tried my best to ensure my google+-profile was as locked down as possible). Thanks for that one!
I'm terrified every time there is a new android update (or new device) that I will accidentally missclick something and bam, all your photos are now synced to google photos. If not instantly some genius will simplify the experience and make all your photos public since that's what everyone should want anyway.
Do I have a youtube account? I don't know(!). I've tried my best to avoid it.
Unfortunately, yes, it is trivial for google to link the accounts together. But I truly doubt they would do that, and they can not be certain that just because they are used on the same device that they have the same owner.
But the trick is to not store anything sensitive on any of them. If google started require a phone number linked to the accounts I'd quickly investigate the option of generating dummy (but not one-time use) numbers. And if that fails I'd just stop using those services.
Google now requires a phone number when creating a new google account - I wanted to make a new one yesterday... and decided not to make one after all.