Google acknowledged Wednesday that two employees have been terminated after being caught in separate incidents allegedly spying on user e-mails and chats.

David Barksdale, 27, was fired in July after he reportedly accessed the communications of at least four minors with Google accounts, spying on Google Voice call logs, chat transcripts and contact lists, according to Gawker, which broke the story Wednesday.

Google has acknowledged that it fired Barksdale for violating company privacy policy, and acknowledged that it was the second such incident of its kind at the company. Nonetheless, the company insists that it maintains careful control over employee access to user data, and said it's amping up its log-monitoring to guard against similar violations in the future.

The controversy comes as Google faces criticism over admissions that its street-view cars collected private content from Wi-Fi networks while roaming streets in the United States and several other countries. Google blamed the Wi-Fi collection on a "programming error" and a failure in oversight to catch the problem for three years.

The new reports of rogue employee demonstrate that Google is not immune to the ages-old problem of the corrupt insider, even as it gathers more sensitive data about Americans than most government agencies possess.

In the case of one 15-year-old boy Barksdale met through a technology group in Seattle, Washington, he allegedly tapped into the boy's Google Voice call logs after the boy refused to tell him the name of his new girlfriend. Barksdale then reportedly taunted the boy with threats to call the girl.

Barksdale also allegedly accessed contact lists and chat transcripts of account holders and, after one teen blocked him from his Gtalk buddy list, reversed the block. A source told Gawker that Barksdale's intent didn't appear to be to prey on minors for sexual purposes, but simply to goad them and impress them with his level of access and power.

The family of at least one victim complained to Google about Barksdale's activity. After the company investigated, Barksdale was fired.

Google apparently did not report the incidents to law enforcement, although the employees could potentially have infringed federal and state statutes related to unauthorized computer access and stored communications, according to legal and privacy experts. Reuters quotes an anonymous source who says that "law enforcement was not called in after the Barksdale breach was uncovered, because one of the families involved asked to remain anonymous."

Barksdale, based in Kirkland, Washington, was employed as an engineer with the company's Site Reliability team. The team members, as part of their responsibilities for troubleshooting technical issues related to the site and Google's products, have access to users' accounts. Apparently Barksdale exceeded this authorized access to spy on a group of specific people he'd met.

Another former site reliability engineer told Gawker that Google gives such engineers unfettered access and "does not closely monitor SREs to detect improper access to customers' accounts, because SREs are generally considered highly experienced engineers who can be trusted."

Google revealed to TechCrunch that a second Google employee had also been caught violating user privacy and was also dismissed. Google didn't reveal any details about what or when this occurred, other than to say the other case didn't involve minors.

Bill Coughran, a Google senior vice president of engineering, wrote in a statement that Barksdale was fired for "breaking Google’s strict internal privacy policies."

"We carefully control the number of employees who have access to our systems, and we regularly upgrade our security controls – for example, we are significantly increasing the amount of time we spend auditing our logs to ensure those controls are effective," said Coughran. "That said, a limited number of people will always need to access these systems if we are to operate them properly -– which is why we take any breach so seriously."

Marc Rotenberg, executive director of the Electronic Privacy Information Center, said that although Google wasn't obligated to report the issue to police, it probably should have done so anyway.

"To the extent that it impacts the interests of individuals outside the company, I don't think it's sufficient for Google to handle it as an internal matter, which is why there probably needs to be a criminal investigation to ensure that the safety and well-being of others has been protected," he told Threat Level. "Google's HR department can't sign off completely on whether this individual has been appropriately sanctioned for his conduct."

Mark Rasch, a former U.S. federal prosecutor, says that while deciding to report on such incidents is a judgment call for companies, keeping the matter quiet was probably the wrong approach for Google to take in this case.

"Violations of privacy are serious violations," said Rasch, currently director of cybersecurity and privacy consulting at Computer Sciences Corporation. Rasch says that internal privacy breaches will increase as more and more employees and contractors have access to vast databases of consumer data.

Photo: Rene Tillmann/AP

See Also: