this is the second one of these that hit HN this week? other was a post deleted from reddit. seems like possible explanations here are:
- standard 'loveint' at support depts (many companies with personal data have stories about abusing system access to look at personal info of SO / randos)
- illicit group operating within or adjacent to goog doing some kind of espionage or ransom model
- google-haters inventing or amplifying a pattern of behavior? (but with what motivation)
- not obvious if the phones are passwordless, or if insiders are using a 'universal unlock' feature to decrypt pixel devices -- if the latter, is that a bigger story than the stalking?
if this is only happening to passwordless phones, still an abuse of trust, but I'm okay with 'don't send passwordless phone to support' as a consumer best practice.
Google has the private keys for all firmware, boot ROM, and OS binaries. So they can create a far wider array of “gain access” tools than I’ve seen any thread consider yet.
> someone else reported the same thing happened to them on Reddit recently, using the same RMA for a similar phone at the same Texas facility.
Taking the story as true, it'd seem to be case 1.
Taking the story as not true (case 3.), she's in a professional position where publicity wouldn't hurt.
Her report looks questionable (not necessarily false):
> They deleted Google security notifications in my backup email accounts.
If the accounts were backup, and she's a security-conscious person as she claims in the same post, how did they do that? They were backup, so they couldn't use the main account to reset them. I can think of the accounts being opened in different browsers, but it doesn't seem a very plausible scenario.
It’s pretty common in the United States for people to default to “is she lying / seeking attention / getting revenge” when women report mistreatment by others, especially when sexuality is involved (as it is here). It’s a rampant and unfortunate gender bias, that is not well understood by many US men or by anyone beyond our borders.
> not well understood by many US men or by anyone beyond our borders.
Is this satire, or did you actually mean to generalize _the entire world_ outside of the US with a statement that is still ostensibly politically controversial today (both in and out of the US)?
Or, you know, her story just makes absolutely no sense and is clearly non-factual. And if it were real she should be telling her story to a judge, not to Twitter.
The assumption that anything a(n attractive) woman says is true is the real "rampant and unfortunate gender bias", to be honest. And yet somehow they never seem to be penalized even when they admit filing false reports, defamation, etc.
lol. Because people aren't always rational. And what does the NYT or her fame have to do with it? Anyone can lie at any time. And accusing someone of lying isn't ad hominem.
> victims making up stories in which they are the victim are exceedingly rare, in reality.
Not in my experience working retail/hospitality jobs. And lots of people crave attention. I see no reason to give either party more credence than the other absent evidence.
But consider how many people shop. It's pretty likely that the number of people running retail scams is a small percentage. Doesn't make them any less soul-sucking to deal with, but that's not really the same thing.
Eh, ok fair. I was thinking like, percentage of consumers with legitimate complaints vs those with scams. I think that's relevant to the overarching discussion of "believe victims", but I agree at the complaint department the common denominator doesn't matter.
It's clear you have never heard of "innocent until proven guilty", so I'll explain it to you. You're actually supposed to believe the person accused until they've been proven guilty.
Victims making up stories in which they are the victim is INCREDIBLY COMMON.
> Really weird to immediately shoot/ad hominem the messenger
They said "If true, it's probably reason 1. If not true, here's a reasonable motivation." Hardly immediately shooting the messenger, more answering questions asked
Off topic: is it just me or is Twitter becoming much more hostile to users who aren’t logged in? I can’t click anything (mobile safari) without being nagged by a modal to sign up/log in.
I lost my Google account because of this and no one at Google wants to take accountability for it.
Even as a Google One client.
I'm afraid of what's going to happen to it because it has my social security attached to its payment profile (business Profile too).
As a Pixel user who has sent their device in for repair, how does the repair tech get past the device authentication and into the device? (I'm assuming the user had a device password/passcode set). If possible, this seems like a glaring security issue for Pixel users.
Has Google at any time ever asked a user for their password to do a repair? I remember a physical Apple Store (real, Apple Inc., in California) asking me for my password for a laptop hardware repair. They were OK with my declining to do so.
"somehow" they turned off the lock screen requirement. I'm thinking they guessed the lockscreen gesture, perhaps it was weak or there were finger marks on the screen.
According to the Google support site, all Pixels are encrypted by default. So, this shouldn't even be possible...unless perhaps there was no lock code on the device?
Do you have a source for that? I didn't think the phone's encryption key or password was backed up to Google. The help pages say that if you forgot your PIN, you should reset your phone.[1][2]
Of course Drive and Photos files are in Google servers and aren't E2E encrypted, but I don't think that's what you're talking about.
Full disclosure I work at Google but on nothing related to this.
I think out in the real world they are insecure because it's easy to shoulder-surf and get a peek at the pattern being input. Overall they are probably similar to pin codes... some people just have 0000 as their pins, or draw an L for a pattern.
Sending a phone in for repair negates the shoulder-surf issue but yeah.
I think it's easy to guess patterns because people all use one of a small number of simple patterns. Everyone uses the geometrical equivalent of hunter2 or 123456, but they irrationally think it's more secure because it's a pattern.
1. Easy to view & remember.
2. The oil smear is visible in reflected light, and that pattern is not quickly overwritten by using the device.
3. Typical gesture patterns mean gestures start from similar positions (high) and are frequently unoriginal.
4. Gestures are simpler than the equivalent code (e.g. the passcodes 1397 and 1235987 are gesturally identical)
5. In practice the reality of finger sizes mean that join-the-dots encourages users to draw a gesture using only adjacent dots (e.g. connecting dot 1 to 2, 4 or 5, rather than 1 to 6 or 8.)
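To put numbers on points 3 and 5 above, here is an added example (not part of the original thread) that enumerates every valid pattern on the standard 3x3 Android grid and measures how much the search space shrinks when the pattern starts on the top row or uses only neighbouring dots. It assumes the usual rules (4 to 9 dots, no dot reused, a stroke cannot skip an unvisited dot); the function names are illustrative.

```python
DOTS = range(1, 10)  # dots numbered 1..9 row by row, like a keypad


def pos(d):
    """(row, col) of dot d on the 3x3 grid."""
    return divmod(d - 1, 3)


def between(a, b):
    """Dot lying exactly midway between a and b, or None if there is none."""
    (r1, c1), (r2, c2) = pos(a), pos(b)
    if (r1 + r2) % 2 or (c1 + c2) % 2:
        return None
    return ((r1 + r2) // 2) * 3 + (c1 + c2) // 2 + 1


def adjacent(a, b):
    """True when b is one of the (up to 8) direct neighbours of a."""
    (r1, c1), (r2, c2) = pos(a), pos(b)
    return max(abs(r1 - r2), abs(c1 - c2)) == 1


def count(min_len=4, max_len=9, starts=DOTS, adjacent_only=False):
    """Count valid patterns, optionally restricted by start dot or move type."""
    def extend(last, seen, length):
        total = 1 if length >= min_len else 0
        if length == max_len:
            return total
        for nxt in DOTS:
            if nxt in seen:
                continue
            if adjacent_only and not adjacent(last, nxt):
                continue
            mid = between(last, nxt)
            if mid is not None and mid not in seen:
                continue  # stroke would skip over an unvisited dot
            total += extend(nxt, seen | {nxt}, length + 1)
        return total

    return sum(extend(s, {s}, 1) for s in starts)


def keyspace_summary():
    """Search-space sizes under the habits described in the list above."""
    top_row = (1, 2, 3)
    return {
        "all": count(),
        "top_row_start": count(starts=top_row),
        "adjacent_only": count(adjacent_only=True),
        "top_row_and_adjacent": count(starts=top_row, adjacent_only=True),
    }


if __name__ == "__main__":
    summary = keyspace_summary()
    for name, n in summary.items():
        print(f"{name:22s} {n:7d}  ({n / summary['all']:.1%} of all patterns)")
```

For comparison, a 6-digit PIN has 1,000,000 possibilities, which is already larger than the full pattern space before any of these habits are applied.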
Did she say she got a notification for what picture she viewed? She said "activity logs", which I'm not sure exactly what she means, but it might mean [1] which shows files that have been recently viewed.
Full disclosure, I work at Google but not on anything related to this.
IIRC you get a notification the first time someone views a photo (or maybe for any specific photo?) in a shared album. Maybe the Googler or Googler contractor was dumb enough to share the album with himself for later perusal?
Hmm. I wonder how this person got notifications even though their phone was offline to avoid being wiped. I also wonder why this person got notifications. Most services don't send you notifications just because you used a device which is already logged in.
Complete and total duplicate of https://news.ycombinator.com/item?id=29404954 and again with absolutely no evidence even though there are apparently tons of evidence left by this person doing this with absolutely no caution (security notifications left in trash etc).
I see no reason to doubt her story. When someone says "something bad happened to me" then "I don't think it did, prove it" is quite rude in my opinion.
On the other hand, I also see no direct connection to Google. The victim also said in the comment chain:
> also to be clear I have been on Google support and Pixel support dozens of time all week BEFORE the hack happened, asking them to investigate why my phone marked delivered by FedEx 'disappeared' at the warehouse. At any time someone could have offered me any security advice?!
This could just as easily be a delivery driver or warehouse worker stealing the phone and putting fake info on the website. I don't think Google's workers would be dumb enough to do this to their customers' phones, my suspicion is that it went wrong somewhere in the supply chain.
Either way, Google is responsible for their warranty and return policy. If the delivery driver stole her phone or if someone broke into the delivery warehouse, that's on Google picking bad logistics partners. If the repair company Google partners with is doing this, the problem is with Google. If someone over at Google itself is doing this then that's an even bigger problem.
Either way, I hope the victim can get the help she needs and that Google finds the problem and prevents it from happening to anyone else. Not that I have high hopes for Google's support team taking this seriously…
To be clear, I'm not accusing the poster of being a liar. But remember that companies are made of people, and it's not fair to accuse them of doing something nefarious, or perhaps even criminal, without at least a modicum of evidence. Social media is a powerful tool for generating both influence and motivation; we are not well-served by stirring up angry mobs over naked accusations, especially over something that might even be a misunderstanding.
I'm willing to disambiguate between a company and its employees provided that the company identifies the employee by name, gives an appropriate punishment, and puts into place practices to mitigate damage in the future.
Until they do, the company is represented by its employee. The 'corporate veil' works both ways after all.
Even after identification the company still bears responsibility, given individuals act within processes and controls established by the company. If these are not sufficient (and that’s a very small if in the presence of faults) then the company is as culpable as the employee and is definitely the one who is culpable as far as the customer is concerned. The employee responsibility is for the company itself to pursue in a different process to making its customer whole.
Companies try to do many things to hide crimes and it's not the first time. Apple, probably in 2016, tried to hide their malice when they paid millions to their own tech who posted a customer's nude on Facebook. And why do you need modicum when she has already mentioned fedex related thing and she is not the first one to find such issues?
> The tech giant agreed a settlement with the 21-year-old after two employees at a repair facility uploaded the images from a phone she had sent to Apple to be fixed, resulting in “severe emotional distress”.
> The incident emerged during a legal dispute between Pegatron, which had reimbursed Apple for the settlement, and its insurers, which in turn refused to foot the bill. Apple was not directly named in the lawsuit, and was referred to simply as a “customer” throughout, in an effort to keep the matter confidential.
> And why do you need modicum when she has already mentioned fedex related thing and she is not the first one to find such issues?
Because there is plenty of wrong information, whether misinformation or disinformation, flying around the internet.
Perhaps even in your comment, when you claimed
> Apple, probably in 2016, tried to hide their malice when they paid millions to their own tech who posted a customer's nude on Facebook.
> Apple paid an unknown multimillion-dollar sum to a woman after iPhone repair technicians uploaded nude photos from her phone to Facebook. The Telegraph reported the 2016 payment based on court documents recently tied to Apple’s name, and Apple confirmed the incident in a statement to The Verge.
I think this will suffice. I read it and the verge seems to be legit thing to trust.
Did you even read my comment? I linked directly to the telegraph article that the Verge sources from.
And you wrote that Apple paid the technicians who uploaded the woman’s media to Facebook, when that is not written anywhere.
To summarize
1: you ask otterley why they would need a modicum of evidence to believe something
2: in the same comment, you post misinformation or disinformation
3: you are presented with a request for the source of the erroneous information you posted. You are also presented with a source regarding the same incident that portrays a different sequence of events.
4: you then post another article which links back to the original source that was already presented to you, but which still does not claim what you originally claimed.
5: this is why otterley says you need a modicum of evidence
Ok, first of all you said it's a misinformation and disinformation and I provided the verge link where they say exactly "Apple confirmed the incident in a statement to The Verge." And now you are saying "you then post another article which links back to the original source that was already presented to you, but which still does not claim what you originally claimed." Yes it links back but it also mentions they have confirmed it with apple.
You are intentionally trying to summarize in a way that favors you tbh. Also I trust verge over some random people on internet trying to say it's misinformation or disinformation. And regarding the first one I already mentioned the fedex thing.
1. You claimed "Apple, probably in 2016, tried to hide their malice when they paid millions to their own tech who posted a customer's nude on Facebook."
2. You are asked to substantiate above claim.
3. You could not (your verge link says no such thing), so you simply chose not to address the misinformation or disinformation that you posted.
A simple "I was incorrect about my recollection of this event" would have sufficed.
1. "Apple paid millions after iPhone repair techs posted a customer’s nude photos to Facebook"
2. "The incident became public because Pegatron reimbursed Apple for the settlement, then sued its own insurance provider for refusing to cover the payment."
3. "The Telegraph reported the 2016 payment based on court documents recently tied to Apple’s name"
4. Apple confirmed the incident in a statement to The Verge.
Doesn't this imply
Apple, probably in 2016, tried to hide their malice when they paid millions to their own tech who posted a customer's nude on Facebook.
Ok, by 4 it is confirmed that the source (Telegraph) you have mentioned is correct right? Yes I am holding a premise that the verge is legit source. By 1 they paid millions and their tech posted a customer's nude photo on facebook. I said they hid the statement because of 2.
If your phone disappears after being delivered to the warehouse, what evidence would you like to see? There’s precious little you can show/do. Maybe a screenshot of an online delivery receipt?
Don’t forget the story of our previous cybersecurity lead of the nation, Rudy Giuliani, that posted a link by mistake by not having a space after a period and g-20.In became a link and someone bought the domain and Rudy blamed Twitter employees for sabotage.
If you follow the types of anecdotes posted on reddit of the trials and tribulations of Fi users seeking customer support for device replacement, empty phone shipments, etc., this report comes as absolutely no surprise. They are contracting out all these customer-facing services to the lowest bidder, in typical Google style.
The parent never said "criminal" charges against Google.
That's not just bad service. If the third party is an official agent of Google, then Google can be liable (monetary penalties). Now, proving that in practice is a question for the civil courts.
Now, if I was looking for a new Android device and I saw all these reports, I would definitely think twice before purchasing a Google Pixel.
People lie about this kind of stuff all the time. Every day. And no, there's usually no penalty for it because proving that something didn't happen is even more difficult than proving that something did happen. And even when the person freely admits that they lied there's still usually no penalty.
I cannot remember the last time someone got prosecuted or sued for libel for falsely accusing a business of something. It happens numerous times every day. I would be willing to bet nothing happens to this person if their claim turns out to be false.
I know that the US has a very high bar for defamation claims. It is common knowledge that you can make things up in yelp reviews or twitter or wherever with no big consequences.
It's important to question the validity of it at the same time taking it seriously.
I found it odd that the victim is talking about class action lawsuit and accusing a man of "mansplaining" her (it could just have been a woman saying it). This is just toxic twitter behavior that takes innocuous comments from people and putting it in the bin of sexism, racism, or something that is accusatory in nature to gain a false sense of moral superiority over others.
> "Or maybe reset your phone before giving it to others (for any purpose)?"
Yeah that's not a nice thing to say as well. But I don't sense any sexist aspect in there. Personal shots can be ignored instead of adding more fuel to the fire.
> Not sure why you are trying to detract of the alleged incident by trying to claim the victim is being "toxic".
I don't think I was, just pointing out a couple of odd aspects of people going off on Twitter without proof. I did say we should take this seriously but also expect hard proof to back up their claims.
I believe tweets like this get put on Twitter for several reasons:
1) Victim receives unsatisfactory response from Google (or no meaningful response from Google which I have personally experienced). They seek public attention to get Google to acknowledge the issue.
I did notice some victim-blaming, which isn't right. But I do think that if you're going to accuse someone of serious malfeasance that might be a criminal act, a little more than a naked accusatory Tweet thread is needed.
Yeah, I'm kind of tired of the “mansplaining” cop out. I've been "mansplained" before many times, and I'm a man. It's usually just someone who likes to bloviate to other humans regardless of their sex.
Mansplaining is still a useful term, and no longer just refers to the original man-explaining-to-woman scenario. A woman can also mansplain, but that’s often called “womensplaining”. The truth is that most of the time it’s still a man doing it, and their target is most often a woman, so it’s still worth calling out in those situations.
The word isn’t toxic, the behaviour is toxic. It’s easy to say “let’s not fixate on identities” when your particular identity doesn’t lead to other people treating you worse.
Unless someone wants to leak internal information, there is no such thing in either case, as far as we know. These services are almost certainly contracted to third parties.
Sure, and then they made sure it couldn't connect so that it didn't wipe itself, but somehow it still connected to send security alerts to her and manipulate her Gmail account.
Stop making excuses for her. Take a moment to think critically. It's a heaping steaming pile of obvious bullshit.
Really? Your first reaction is that she must be making it up? This is hardly a far fetched scenario. I’m guessing she didn’t bother posting screenshots because most people wouldn’t automatically assume she is lying.
Yes. Given the timing of things (why even make this public?), the low likelihood of the event, and crucially the lack of any evidence, I see the preponderance of the probabilities weighing against her claims.
Why not make it public? That’s often what leads to action being taken. I don’t see any reason to believe there’s a low likelihood of the event occurring. And she’s not making a legal case, it’s just a tweet. The lack of evidence in her tweets does not mean there’s an actual lack of evidence.
Please review the stated history of events—it IS extremely unlikely.
She is making a case in the court of public opinion.
Granted she has more clout than the “average joe” (and the very fact that this is even being discussed is evidence for it) but ANY case without corroborating evidence is just hearsay.
She should “put up or shut-up” and the levels of “put” required are so minimal that her PR credibility before the “court” on this matter has a very short half-life.
> Granted she has more clout than the “average joe” (and the very fact that this is even being discussed is evidence for it) but ANY case without corroborating evidence is just hearsay.
An anonymous poster on reddit had a similar issue a few days ago [0]. Their comment got 331 points on HN while this one got 257 points so far. The anonymous one got more points.
Indeed, she did copy this story directly from an anonymous poster on Reddit, other than making up some details that don't even make sense given the rest of her story. And yet people still believe her.
If there's one thing Google has down-pat, it's their mobile device security. I know that might sound silly, but it's true. I don't trust Google as a company overall, but the Pixel devices outshine any other when it comes to device security, hardware keystores, etc.
Interesting to see you get the causality potentially wrong. I take it that because of the book perhaps the author felt emboldened to share their story -- which they otherwise might be pressured to hide. Do you see how that might be a possibility?
What if your thesis was "I expect to only see reports of sexism from people with clout because they're the only ones that can actually tell the truth without getting their lives ruined?"
I don't have a phone because I have enough trouble keeping my life private from the govt, let alone anyone else in society. It's bad enough science stole my privacy!
I find phones amusing because of all the trouble and strife they bring.
There are pros and cons for phones, I get it, but should I be that accessible to anyone who can dial the right number combination or use a war dialler?
This comment fits in just as well with a phone from the 1870s as a phone from the 2020s. I can just imagine someone saying this about the neighbors' party line.
Next time something bad happens to you, please post about it here so we can say how amusing it is that you exist. Do you see how condescending this is? Billions of people use smartphones.
I've had NSO like activity on my phone, I've had hacking on my phone since the 90's. So what I have learnt with the law is, firstly it generally needs evidence although there are some rare situations where accusations are enough. Even when you have evidence, this can still generally be removed or the police prevented from seeing it.
External influences, control when your phone drops down to 2G and I have not seen any phone manufacturer put in an option to terminate calls and prevent calls being made on 2G. Things like the PinePhone and Librem are missing a trick.
The other problem with technology is the sheer number of options or inability to access and modify in order to make secure. Whether we like it or not, our lives are in the hands of others.
I gave up a long time ago when I realised how many legal ways there are to kill people. It's quite clever really but some institutions have had hundreds of years to perfect their dark arts.
This is actually a lot more sane than you might think, and quite doable. There's no reason any critical data needs to reside on your phone, you can have it all on a different computer or cloud or somewhere safe.
Seeing the fact that every government, company, and criminal seem(s) to be highly motivated to exfiltrate data from your phone, perhaps it's one of the less safe places to store PII/critical data in the first place. (And that's before considering that it's highly portable and can simply be lost.)
If the critical data isn't on your phone in the first place, then you can't lose it.
But since your phone has network access, and as long as you have a decent data plan, your data need only be one tap away anyway.