Over the years I’ve asked a number of [security] engineers who worked at social networks roughly how many employees have access to my private messages. They never seemed to know or wanted to tell me.
Replying to @jeremiahg
I know this answer. The reason that nobody will tell you is that you lack context. When you repeat the number, you're not going to be able to explain why it is what it is. All people will remember is the number.
1 reply 1 retweet 15 likes
Replying to @sweis @jeremiahg
For example, a product like Messenger alone has hundreds of engineers on it. Some subset may need temporary access to someone else's messages to debug something. That "someone else" may be an employee or bug report with consent. That's just engineers. There are other use cases.
1 reply 0 retweets 5 likes
Replying to @sweis @jeremiahg
Think abuse, anti-spam, bot API development, payments, business pages, law enforcement, etc. They really need a transparency report that breaks down all the actual access, use cases, and potential access.
1 reply 0 retweets 6 likes
Replying to @sweis
So the ‘real’ answer is, basically all of engineering could have access to ‘my’ data [to a varying degree] at some point or another?
1 reply 0 retweets 8 likes
Replying to @jeremiahg
Like always, the answer is "it depends". It depends on what data you are talking about. It depends if you are talking legitimate, logged access or an inside attacker. If the latter, it depends if you're including people who will be immediately detected or evade detection.
1 reply 0 retweets 5 likes
Replying to @sweis @jeremiahg
For "messaging data" and "people who can request legitimate, monitored access", that is a tiny fraction of engineers.
1 reply 0 retweets 2 likes
Replying to @sweis
We could keep this very easy. "How many Google employees have access to my email on Gmail — any part of it?" Is that specific enough? And to whom would I direct the question?
2 replies 0 retweets 1 like
Replying to @jeremiahg
I would phrase it as "How many employees have accessed [data] in the last [timeframe] through legitimate access tools? How many users were accessed?" Asking who has access right now is not meaningful. ACLs can be dynamically generated, grants can be ephemeral, and access scoped.
1 reply 0 retweets 2 likes
Replying to @sweis
Slight nuance. I want to know how many people have or have had access to [data] in said [timeframe], not necessarily just who DID access my [data]. How best then to phrase it?
1 reply 0 retweets 4 likes
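The distinction the two of them are circling (employees who *could* have reached a user's data during a window, via ephemeral scoped grants, versus employees who *did*, as recorded in an access log) is easy to make concrete. The following is an added illustration, not code from anyone in this thread or from any company's tooling; the grant log, access log, employee names, user ids and ticket numbers are all constructed sample data, and the grant model (a per-employee, per-scope, per-subject time window, with `"*"` standing for an unscoped standing grant) is an assumption chosen to show the point.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Grant:
    """An access grant: who, which data class, which user, and for how long.
    Ephemeral scoped grants have a short window and a concrete subject;
    standing grants (e.g. an abuse-review role) use subject "*" (assumed convention)."""
    employee: str
    scope: str      # data class, e.g. "messages" or "email"
    subject: str    # user id the grant covers, or "*" for any user
    start: datetime
    end: datetime   # half-open: valid while start <= t < end


@dataclass(frozen=True)
class AccessEvent:
    """One logged read of a user's data through the legitimate access tool."""
    employee: str
    scope: str
    subject: str
    at: datetime
    ticket: str     # justification reference recorded at access time


# Reporting window used throughout: January 2024 (constructed).
WINDOW_START = datetime(2024, 1, 1)
WINDOW_END = datetime(2024, 2, 1)

# Constructed grant log.
GRANTS = [
    # two-hour ephemeral grant, scoped to one user, for a debugging ticket
    Grant("alice", "messages", "user42", datetime(2024, 1, 5, 9), datetime(2024, 1, 5, 11)),
    # standing, unscoped grant for an abuse-review role
    Grant("bob", "messages", "*", datetime(2023, 12, 1), datetime(2024, 3, 1)),
    # scoped grant that falls entirely outside the window
    Grant("carol", "messages", "user42", datetime(2024, 2, 10), datetime(2024, 2, 11)),
    # grant for a different data class
    Grant("dave", "email", "user42", datetime(2024, 1, 10), datetime(2024, 1, 12)),
]

# Constructed access log.
EVENTS = [
    AccessEvent("alice", "messages", "user42", datetime(2024, 1, 5, 10), "T-1"),
    AccessEvent("bob", "messages", "user99", datetime(2024, 1, 20, 14), "T-2"),
    # read with no covering grant: the case monitoring exists to catch
    AccessEvent("erin", "messages", "user42", datetime(2024, 1, 22, 8), "T-3"),
]


def _overlaps(a_start, a_end, b_start, b_end):
    """True if the half-open intervals [a_start, a_end) and [b_start, b_end) intersect."""
    return a_start < b_end and b_start < a_end


def employees_who_could_access(grants, subject, scope, w_start, w_end):
    """'Have or have had access in the timeframe': any grant covering this
    subject and scope whose validity overlaps the window."""
    return {g.employee for g in grants
            if g.scope == scope and g.subject in (subject, "*")
            and _overlaps(g.start, g.end, w_start, w_end)}


def employees_who_did_access(events, subject, scope, w_start, w_end):
    """'Did access in the timeframe': employees with a logged read in the window."""
    return {e.employee for e in events
            if e.scope == scope and e.subject == subject
            and w_start <= e.at < w_end}


def unauthorized_accesses(events, grants):
    """Logged reads with no grant valid at the time of the read.
    This is the detection rule a monitored-access system would alert on."""
    flagged = []
    for e in events:
        covered = any(g.employee == e.employee and g.scope == e.scope
                      and g.subject in (e.subject, "*")
                      and g.start <= e.at < g.end
                      for g in grants)
        if not covered:
            flagged.append(e)
    return flagged


def transparency_summary(grants, events, subject, scope, w_start, w_end):
    """The per-user breakdown the thread asks for: potential access, actual
    access, distinct users touched in the window, and accesses without a grant."""
    in_window = [e for e in events if e.scope == scope and w_start <= e.at < w_end]
    return {
        "employees_with_potential_access": len(
            employees_who_could_access(grants, subject, scope, w_start, w_end)),
        "employees_who_accessed": len(
            employees_who_did_access(events, subject, scope, w_start, w_end)),
        "distinct_users_accessed": len({e.subject for e in in_window}),
        "accesses_without_grant": len(unauthorized_accesses(in_window, grants)),
    }


if __name__ == "__main__":
    print(transparency_summary(GRANTS, EVENTS, "user42", "messages", WINDOW_START, WINDOW_END))
```

Run against the constructed data, the "could have accessed" set for user42's messages is `{alice, bob}`, while the "did access" set is `{alice, erin}`; erin's read has no covering grant and is the one the audit query flags. The two sets overlap but are not nested, which is why the thread's two phrasings of the question get different numbers, and why a transparency report needs both plus the count of reads that fell outside any grant.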
I really think that is like asking how long the coastline of Britain is (i.e. the coastline paradox); you can get any answer you want depending on how many levels of indirection you're willing to think about or ignore. There is no simple answer.
That’s mind-boggling and frustrating. Feeling like a member of Congress or something. I think I have a simple question and there should be some kind of simple answer. Time to google 'the coastline paradox,’ ironically enough.
2 replies 0 retweets 4 likes
Replying to @jeremiahg @sweis
That is a confusing statement, maybe you really are only concerned about one level of indirection at one moment in time? It seems like a useless question that reveals absolutely nothing, but I suppose it is simpler.
1 reply 0 retweets 3 likes