New from 404 Media: we’ve obtained an internal Google... | Joseph Cox

Joseph's posts Post Back to profile

New from 404 Media: we’ve obtained an internal Google database detailing thousands of privacy/security incidents. Everything from Street View collecting license plate data, to childrens’ voices being recorded. Most not previously reported

https://www.404media.co/google-leak-reveals-thousands-of-privacy-incidents/

Google has accidentally collected childrens’ voice data, leaked the trips and home addresses of car pool users, and made YouTube recommendations based on users’ deleted watch history, among thousands of other employee-reported privacy incidents, according to a copy of an internal Google database which tracks six years worth of potential privacy and security issues obtained by 404 Media.

Individually the incidents, most of which have not been previously publicly reported, may only each impact a relatively small number of people, or were fixed quickly. Taken as a whole, though, the internal database shows how one of the most powerful and important companies in the world manages, and often mismanages, a staggering amount of personal, sensitive data on people's lives.

Like 3 June at 13:10 | Open on infosec.exchange

14 comments

Here is just a very small sample of what is included in this database that we obtained and verified.

https://www.404media.co/google-leak-reveals-thousands-of-privacy-incidents/

Some other incidents marked with high priority or are otherwise notable in the database include:

¢ A filter that was supposed to stop childrens’ voices from being collected was not correctly applied.

¢ A person modified customer accounts on AdWords, what Google’s ad platform was named at the time, to manipulate affiliate tracking codes on EIEN

¢ The global security team warned that it was expecting a dawn raid of a Google office in Jakarta in April 2017 (a similar incident did happen in September 2016).

e Waze carpool’s feature leaked the trips and home addresses of other users.

* A Google employee accessed private videos in Nintendo’s YouTube account, and leaked information ahead of Ninendo’s planned announcements. An internal interview concluded the activity was “non- intentional,” the report says.

e Sabre, a travel agent that Google uses, was compromised and Google employee payment information was exposed.

e A quirk in Android’s keyboard meant that children were pressing the microphone button, resulting in Google logging audio from children as part of the launch of the YouTube Kids app.

¢ YouTube made recommendations based on videos users had deleted from their watch history, which was against YouTube’s own policy.

3 June at 13:14 | Open on infosec.exchange

Adam Shostack :donor: :rebelverified:

@josephcox I wonder if that Sabre incident is covered in mandatory breach notices?

3 June at 13:26 | Open on infosec.exchange

Allen Very Serious Versfeld

@josephcox Damn though, that "Recommendations based on what you delete" sounds awesome, I would LOVE to be able to send a "Never show me anything like this again" signal. No wonder it was against policy.

3 June at 13:30 | Open on mastodon.monoceros.co.za

@uastronomer @josephcox huh? That IS possible. That's the signal you send by saying not interested or don't recommend channel!

3 June at 20:30 | Open on mastodon.social

Laukidh :ablobcool:

@josephcox @neurovagrant oh, I have that issue with YouTube recs based on deleted history.

3 June at 13:21 | Open on infosec.exchange

@josephcox @Laukidh @neurovagrant I have a strong suspicion that they lack enough people to properly implement these features

3 June at 14:11 | Open on functional.cafe

@Laukidh @josephcox @neurovagrant Sometimes we do need a team bigger than what a pizza and feed to build big systems

3 June at 14:13 | Open on functional.cafe

@josephcox @davidgerard “There is no #cloud, just someone else’s (buggy) computer.”

3 June at 14:20 | Open on social.sdf.org

rickf

@josephcox AKA just another day on the internet in 2024. 😡

3 June at 14:28 | Open on indieweb.social

Looks like a list of bugs rather than deliberate wrongdoing.

3 June at 16:30 | Open on techhub.social

@cek
Agreed. A culture where employees can speak up without fear of reprisal when they find a problem is good.

This result is making these lists public is to make Google employees less likely to admit to mistakes. It doesn't decrease the number of mistakes.

3 June at 17:26 | Open on indieweb.social

@josephcox Colour me shocked …

3 June at 21:00 | Open on mstdn.ca

Kevin Karhan :verified:

@josephcox @404mediaco @404media amy plans to share said data with #journalists, #privacyAdvocates, #lawyers and / or #regulators?

If not, why??

3 June at 22:44 | Open on infosec.space

Binary Large Octopus

@josephcox I'd say even one more reason for #decentralization and #selfhosting, but such an incident shouldn't even surprise anyone anymore by now.

4 June at 12:51 | Open on hachyderm.io