
Senators Demand Google Hand Over Internal Memo Urging Google+ Cover-Up - nopacience
https://www.zdnet.com/article/senators-demand-google-hand-over-internal-memo-urging-google-cover-up/
======
sctb
Previously:
[https://news.ycombinator.com/item?id=18212759](https://news.ycombinator.com/item?id=18212759).

------
kodablah
> Three Republican senators have sent a letter to Google today demanding the
> company hand over an internal memo based on which Google decided to cover up
> a Google+ data leak instead of going public as most companies do.

That's a loaded first sentence. Here's another way of writing it: "Three
Republican senators have sent a letter to Google today asking the company to
please provide the internal memo based on which Google decided to not disclose
a Google+ bug that could have leaked data instead of going public as very few
companies would."

Or break it up if that's too wordy. ZDNet and the writer of this article
should be ashamed of themselves. How much more clearly can you out yourself as
biased garbage?

To the contents of the letter itself [0], just answer the 8 questions straight
up, and give the memo. Doesn't appear like a witch hunt quite yet. On
questions 3, 4, and 5 just make it clear that software bugs are rampant, many
have the ability to get bad things when exploited, and on 6 either inundate
them with a deluge of security bugs or explain that there are probably
thousands. On #7, the answer better be an emphatic "yes" or I will be very
disappointed.

If it becomes more political, there need to be legal requirements for
disclosing all security vulns (instead of just exploited ones) or they need to
recognize it's untenable to ask for them. Can't have it both ways and just
pick a company's vuln because of an article about them and not ask other
companies for theirs.

[0] (PDF) -
[https://www.commerce.senate.gov/public/_cache/files/4852b311...](https://www.commerce.senate.gov/public/_cache/files/4852b311-0953-4ac8-ac43-a91dde229cc1/E300DA0C7659678AE0AE37AEB9746200.thune-wicker-moran-letter-to-google-10.11.18.pdf)

~~~
ccnafr
> out yourself as biased garbage?

Biased based on your opinion.

I personally think this is a very big deal and I don't see anything wrong in
that sentence. If you think Google is innocent, just look at the facts.

1) They had an internal memo discouraging public disclosure. 2) They only came
clean with the leak after WSJ reached out for comment before the publication
of a story. 3) They buried the "leak" announcement in a gigantic blog post.
The blog post was meant to announce a new project, but about halfway through
the middle they disclosed a data-leaking bug. I'd say the tone of the article
is in response to Google's observed and recorded actions.

Yeah, I'd say the article and letter's tone is just about right.

~~~
kodablah
> I personally think this is a very big deal [...] Yeah, I'd say the
> article[...]'s tone is just about right.

That an article needs a "tone", and that it's right/wrong based on how big of
a deal the reader thinks it is, is the issue. I await robot news that is a
bulleted list of facts. We could argue about fact selection/placement, but
I'll take that over arguing a particular organization's collective side of the
bed they wake up on.

To your point, we disagree there wrt internal discussions of disclosure. What
will be real scary is when there is a chilling effect to even performing
rational discussion around these things. There is no such thing as disclose
all, and when there is no such thing as talking about it either, you'll wish
these rules were codified in law instead of applied selectively to issues you
are ok with.

~~~
tyrust
> I await robot news that is a bulleted list of facts.

Interesting that you mention this, I'm not convinced that this will be a
silver bullet. A couple of concerns that come to mind:

1. Something must bridge the robot to the physical world. The selection of
which facts to include and exclude in this data source can create bias.

2. From the data source, the robot then would make its own decision about how
to present facts, presumably performing some filtration of its own. Such a
robot can have bias [0].

To be clear, I definitely agree that robojournalism could be an improvement.
But we can't forget how it works and how it could be manipulated.

[0] - For example [http://blog.conceptnet.io/posts/2017/how-to-make-a-racist-ai...](http://blog.conceptnet.io/posts/2017/how-to-make-a-racist-ai-without-really-trying/)

------
cirenehc
I have never worked at any company that publishes every security bug
discovered internally. This is ridiculous.

~~~
sz4kerto
Depends on the industry. E.g. if you're working in defense or healthcare, then
just the possibility of a data leak might be something you're obligated to
report on. And a Google- or Facebook-size company might easily fall into the
category where even "near miss" events should be disclosed.

Basically you have to conduct an internal risk evaluation and depending on the
overall risk assessment, you need or don't need to publicly report on it. Of
course the bar is much lower than 'certain data leak'.

~~~
cirenehc
I have worked in healthcare related systems before that need to be HIPAA
compliant; even for those systems public disclosure of a _vulnerability_ is
not a requirement. No software is bug free, and many seemingly benign bugs are
security vulnerabilities.

Try and name one company that reports all their bugs (security/non security)
discovered internally.

------
IX-103
Since the "memo" is part of a discussion between lawyers and execs wouldn't
the memo be considered privileged? That doesn't mean that Senators can't ask,
but if you set the expectation of handing out privileged information whenever
you're asked it kinda makes "privileged" communication not mean anything.

------
ccnafr
Please, do hand over that memo. I'll be watching this closely. I'd love to
read the entire thing, not just the parts that WSJ selected.

~~~
sololipsist
I have found over and over and over that when I read "memos" or "screeds" or
whathaveyou coming from the tech industry I inevitably find that a huge
portion of the media is pushing a narrative that is so uniform and so disjoint
from the actual content I have a hard time imagining how it wasn't coordinated
journo-pros-style.

~~~
recursive
James Damore?

~~~
sololipsist
That's an example, yes.

------
Bhilai
Google admitted that they don't keep any logs around. So in the absence of
logs, I am not sure how they are making the claim that their API was not
abused. So there is definitely more transparency required about their internal
investigation and how they are so certain. Just because Google has a great
security team, I would not put my blind faith on them.

~~~
skybrian
I don't believe they made that claim? They said they didn't have evidence that
the API was abused.

~~~
lmkg
They said that they kept logs for only two weeks, because the logs themselves
contained private information. Those logs contained no evidence of abuse.

------
fredgrott
It's somewhat a misleading title...

Can you cover up legal activity? No, of course not. Non-story here.

