Nintendo leak: employee accessing private YouTube videos (gamesradar.com)
> A new report on old privacy incidents [2017] suggests that at least one Nintendo leak came from a Google employee showing off private YouTube videos to a friend.
I think you're overvaluing the power of recruiting agencies
"Google says it was "non-intentional" because they only showed it to a friend", I don't think they purposely leaked it for internet clout
https://www.404media.co/google-contractor-used-admin-access-...
https://news.ycombinator.com/item?id=40577812
YouTube employees or contractors might also have leaked unannounced PlayStation news:
One of the open secrets about how advertising works in the modern era is that brand synergy demands planning years in advance. Google employees, back in the day, could see the Marvel Cinematic Universe release plan out to several years if they knew where to look, as well as console launch dates, major product releases, and other things of that nature. This is because the advertising sector has high-touch, high-value customers, and those customers expect their marketing plan to go off without a hitch. So Googlers have to make time and schedule things like DiRT testing and new feature validation sensitive to those schedules; Warner Bros isn't going to want to hear it if their Superman ad dropped 2 days early because a feature flag was misconfigured.
When Google was smaller, this was fine. But as a 100,000 person company, I believe it is completely infeasible to expect every Googler to keep those secrets. At those scales, you can't really even use the threat of firing to maintain secrecy because you can't really guarantee that the person who's going to replace the fired one is going to be more loyal. So inevitably, either Google locks down its internal infrastructure (turning it into a company other than the kind of company it was in the past), they cap their employee growth (which implies capping their growth in general), or they start losing high value customers who can't trust them to keep a secret.
In practice, they are definitely doing the first two to some extent and that is changing the flavor of the company internally. Part of the secret sauce of old Google is it didn't keep secrets from itself.
Pretty much all these sites can view every bit of content you submit to them for moderation purposes. Many of them state your data can teach learning models.
If you really want it private, you don't want it on the cloud/social media sites.
There absolutely is for anyone who cares to use it. That sort of defeatist mindset is super counterproductive, and ends up putting more people in harm's way.
We're talking about people choosing to upload unencrypted content to a cloud service that is obviously publicly available. The security/privacy properties of this action I think should be obvious even to less technical users.
The actual article headline really does make reading the article pointless.
Part of Nintendo leak was Google employee sharing private YT video with friend
https://www.404media.co/google-contractor-used-admin-access-...
"Google Contractor Used Admin Access to Leak Info From Private Nintendo YouTube Video"
This is how companies harm users by using low-trust, low-attachment contractors to handle private data.
> regardless of privacy
Maybe you should read the TOS before you use services, you don't have any of that.
A general rule is people don't know shit when it comes to legal definitions. When you have a video it's private to you. When you give that video to a friend it's 'private' between both of you. And when you put a private video on YouTube it's 'private' between you and the conglomerate entity of hundreds of thousands of people and all their contractors called Google.
Now the contractor did break the rule and shared it, but your idea of private as no one will see it is the broken expectation.
If it isn't end-to-end encrypted, then the platform operator has access.
"No expectation" of it not being available to "some" employees maybe, but there are certainly ways to restrict access to only need-to-know employees. Ideally no employees at all unless some sort of automated monitoring system flags it or there is an outside report.
Just like some social networks, I would "expect" only security and moderation people would have access to profiles but there are always stories of entire companies having unrestricted access.
It's unclear from the article where the access boundaries are in this case.
I think there is a difference here between "expectation" and "assumption".
Without the ability to do a third-party audit I agree the only reasonable assumption to make is that everyone is in on the secret and when dealing with sensitive information it should always be the assumption you go with.
However, as an expectation, I expect SaaS and social network providers (and by extension most of the HN crowd) to be better.
> There absolutely is for anyone who cares to use it
> Sysadmins are also people.
Is it your contention that the sysadmins at those organizations don't care about computer security? Or that users are responsible for knowing whether their organizations' sysadmins care about computer security?
If it was an unlisted video, the moderator would just need to know the reference code (URL) for the video, and could share it with anyone.
Even then, many older people in the US will call someone 18-20 "kids", even though they're technically adults.
As a US English speaker I took it to mean "a bunch of young and immature people, probably on their first job" when I heard "most people are just kids", not that they're literally hiring 12 year olds or something.
Also, it looks like you're right for at least the states I normally deal with. Looking back the first job I had started when I was still 15, I must have just blended those shift schedule restrictions during the rest of my time working as 16-17 as well. So yeah, I guess that's probably true.
In my head I felt like my peers in college were "kids". I didn't feel like we were "adults" until we were in our mid-20s.
Why WOULDN'T YouTube use child labor if it's cheaper?
I take it you're also arguing Y Combinator also uses child labor? Mozilla? Spotify? Your employer? I mean, why WOULDN'T they?
I imagine you probably hire child labor as well. After all, why WOULDN'T you?
It's probably child labor that keeps this site running. After all, why WOULDN'T they hire kids to keep this site up?
Or maybe there are reasons why people avoid child labor in many places.
Violating labor laws with children is actually really common, and plenty of places DO abuse young labor. It is NOT avoided.
Do you think all the workers in your company's call center in some random country are all truthfully 18? Hell, do you think none of them are working against their will?
I made the parent comment exactly for this discussion. Do not assume corporations have a moral compass. They do not care and will outsource each and everything if that is cheaper than handling stuff themselves. Why is it cheaper to pay some people to get the law on your side than actually start doing normal human moral behaviour? Why can they actually outsource responsibility at all? Strange planet we live on.
[1] Of course, since you don't know who the individuals are, you still have to place your trust in every single agent that works for the entity you chose to entrust. As such, nothing is gained by restricting access. It remains that if it is important that it be private with only one or a few, you must go to those individuals you trust directly. Granting them private information by proxy will always be subject to man-in-the-middle-ing.
Applied here, the expected and right thing to do is follow the principles of least access. However, we must assume Google is not doing this, because there is insufficient evidence that they are, and there is actual evidence that they don't have sufficient controls to limit who is able to see information.
However, you make a fair point that it is reasonable to assume that entities you trust are willing to go above and beyond, for various reasons.
I do agree there's too much illegal child labor going on in the US and around the world, but it's a stretch to assume everyone hires child labor.
Otherwise, why won't you stop hiring child labor? You've probably hired someone to do some kind of work around your home at least once, I take it you most definitely hired children then. After all, apparently everyone does it.
Why WOULDN'T mrguyorama hire child labor to do the plumbing around his home or to do his lawn work?!
If I had a lawn and a neighborhood with young children who were bored during the summer, I WOULD hire a child to mow it, and in fact I am hiring a child (girlfriend's younger brother) to watch our cat during a vacation!
Before child labor was significantly stamped out through aggressive labor laws, average people hired child labor all the time. Little Timmy was out selling papers, little Stephanie selling flowers, Paul was cleaning the chimney, and every other kid was working in the coal mine or textile mill, for absurdly low wages (even for the time!), with absurdly high injury rates, for 12 hour days.
Child labor was HUGE, and if we don't aggressively stamp it out, it WILL creep back into what we largely consider normal. Southern US states are already trying to push laws onto the books that weaken the laws against child labor.
I don't know how to make this more clear: If YouTube could get away with hiring 10k literal children and pay them peanuts to do all the moderation work, they would, conscience and honor and ethics be damned, like they always are.
I mean christ, look at Roblox!
To clarify, I am the second person here telling you that that is not the expectation. The expectation, and/or the right thing to do, and/or "the standard we expect them to meet", is that Google follows the standard security principle of least privileged access, meaning each employee can only access data they need to see, with proper permission acquired beforehand, auditing during, and abuse-detection & alerting afterwards.
Unfortunately, they don't meet this expectation that we have of them. Your own expectations and/or standards might be lower, like you described.
Your question of "why" boils down to asking, What is to be gained by employing the principles of least privileged access, as well as proper authorization, auditing, and alerting? The answer to that question is beyond the scope of this post, but I trust that you understand or can understand the benefits of these principles.
Yes, the expectation is that Google, and therefore its agents, are trustworthy. You would not give them your information otherwise. Who happens to be working at Google at some moment in time is irrelevant. You have chosen to entrust an entity with a revolving door of individuals. Absolutely no expectation of who will access the information is defined, fundamentally. If that is important, you must go to the individuals directly.
You might assume that Google will "do the right thing" by working to keep the information away from those who don't need it, but that is entirely up to them. Hell, they might even do that, but then cycle all of their agents through positions where access is needed... In the end, if they choose not to, nothing about the trust expectation has changed.
That is your expectation, not the expectation. 2 people have told you what the expectation is. You, 1 person, have shared that you have a different expectation. This is okay, but you aren't speaking for us, or for the majority here, only yourself.*
The expectation is the one that we have cited, nothing less. It's great if they meet your expectations, but that's not good enough for us.*
Speaking only for myself here, I believe there's a reason that the principles I cited exist, rather than 'the company lets any employee access anything with no permission or record of it'.
* – paragraphs void and I am wrong when majority changes: I've gotta listen to the people, too! ;)
Furthermore, getting back to the topic at hand, expectations in an exchange cannot be defined by an individual. They must be defined and agreed upon by all acting entities. Google has made its end of the exchange clear with no evidence of wavering just for Nintendo, implying that Nintendo shared in the standard list of expectations.
It's unclear, but you appear to be accusing myself and at least 1 other poster of being "software", presumably some sort of insult about how our posts are somehow similar to ChatGPT output?
I think now is a good time for me to disengage.
There was nothing about the quality of that output or an attempt to insult the software. By what mechanism could software even be insulted?