David Barksdale, a 27-year-old former Google engineer, repeatedly took advantage of his position as a member of an elite technical group at the company to access users’ accounts, violating the privacy of at least four minors during his employment, we’ve learned. Barksdale met the kids through a technology group in the Seattle area while working as a Site Reliability Engineer at Google’s Kirkland, Wash. office. He was fired in July 2010 after his actions were reported to the company. [Update: Google has confirmed the security breach. An update appears below.]
It’s unclear how widespread Barksdale’s abuses were, but in at least four cases, Barksdale spied on minors’ Google accounts without their consent, according to a source close to the incidents. In an incident this spring involving a 15-year-old boy who he’d befriended, Barksdale tapped into call logs from Google Voice, Google’s Internet phone service, after the boy refused to tell him the name of his new girlfriend, according to our source. After accessing the kid’s account to retrieve her name and phone number, Barksdale then taunted the boy and threatened to call her.
In other cases involving teens of both sexes, Barksdale exhibited a similar pattern of aggressively violating others’ privacy, according to our source. He accessed contact lists and chat transcripts, and in one case quoted from an IM that he’d looked up behind the person’s back. (He later apologized to one for retrieving the information without her knowledge.) In another incident, Barksdale unblocked himself from a Gtalk buddy list even though the teen in question had taken steps to cut communications with the Google engineer.
The parents of the teens whose Google accounts were violated by Barksdale were hardly amused, however. Several attempted to cut off Barksdale’s access to their children and withdrew them from the technology group where they’d first encountered the Google engineer. (Barksdale was kicked out of the group after his abuses came to light.) In July, officials at Google were notified of Barksdale’s actions. We’ve obtained an email exchange between one person who complained about Barksdale to Google and Eric Grosse, an Engineer Director in Google’s security group at the company’s Mountain View, Calif. headquarters. Grosse quickly responded to the complaint with a curt email: “Thank you very much for reporting; we’ll investigate quietly and get back to you if we need anything more.”
If Google was already aware of Barksdale’s privacy violations, Grosse didn’t mention it. But while Google seemed initially helpful and friendly when dealing with those who’d notified Google of his conduct, they became increasingly tight-lipped as company officials realized the seriousness of the problem.
Later, when asked if Google had taken steps to deal with Barksdale, Grosse would only say, “I am personally satisfied that we’ve taken decisive steps to limit any additional risk.” When emailed again several weeks later about whether Barksdale was still employed by Google, or if the company had determined the extent of his privacy violations, Grosse refused to get into any specifics: “Google has taken the appropriate actions, I can’t say more.”
Right around the same time, Barksdale was quietly fired by the company.
Google has released a statement confirming it fired Barksdale for privacy violations:
“We dismissed David Barksdale for breaking Google’s strict internal privacy policies. We carefully control the number of employees who have access to our systems, and we regularly upgrade our security controls–for example, we are significantly increasing the amount of time we spend auditing our logs to ensure those controls are effective. That said, a limited number of people will always need to access these systems if we are to operate them properly–which is why we take any breach so seriously.”
— Bill Coughran, Senior Vice President, Engineering, Google