For example, a product like Messenger alone has hundreds of engineers on it. Some subset may need temporary access to someone else's messages to debug something. That "someone else" may be an employee or bug report with consent. That's just engineers. There are other use cases.
Replying to @sweis @jeremiahg
Think abuse, anti-spam, bot API development, payments, business pages, law enforcement, etc. They really need a transparency report that breaks down all the actual access, use cases, and potential access.
Replying to @sweis
So the ‘real’ answer is, basically all of engineering could have access to ‘my’ data [to a varying degree] at some point or another?
Replying to @jeremiahg
Like always, the answer is "it depends". It depends on what data you are talking about. It depends if you are talking legitimate, logged access or an inside attacker. If the latter, it depends if you're including people who will be immediately detected or evade detection.
Replying to @sweis @jeremiahg
For "messaging data" and "people who can request legitimate, monitored access", that is a tiny fraction of engineers.
Replying to @sweis
We could keep this very easy. "How many Google employees have access to my email on Gmail — any part of it?" Is that specific enough? And, to whom would I direct the question?
Replying to @jeremiahg
I would phrase it as "How many employees have accessed [data] in the last [timeframe] through legitimate access tools? How many users were accessed?" Asking who has access right now is not meaningful. ACLs can be dynamically generated, grants can be ephemeral, and access scoped.
Replying to @sweis
Slight nuance. I want to know how many people have or have had access to [data] in said [timeframe], not necessarily just who DID access my [data]. How best then to phrase?
Replying to @jeremiahg @sweis
I really think that is like asking how long the coastline of Britain is (i.e. the coastline paradox), you can get any answer you want depending on how many levels of indirection you're willing to think about or ignore. There is no simple answer.
That’s mind boggling and frustrating. Feeling like a member of Congress or something. Think I have a simple question and there should be some kind of simple answer. Time to google ‘the coastline paradox,’ ironically enough.
That is a confusing statement, maybe you really are only concerned about one level of indirection at one moment in time? It seems like a useless question that reveals absolutely nothing, but I suppose it is simpler. 
I'm trying to get the question down in as simple terms as possible in order to receive any type of specific answer. i.e. "An email lands in my gmail inbox, how many employees have access enough to read it?"
I’m curious as to the answer too, but with what assumptions? Are we talking about w/ or w/o tripping safeguards? Or just any technical ability to access whatsoever, even w/ lock out & termination? What timescale of persistence? Also including falsifying their own projects?