Cidan's comments | Hacker News

Yeah, agreed. This isn't even close to true, not sure where he got that from.


Also, the PMs are going to do an AMA for this on reddit tomorrow:

https://www.reddit.com/r/googlecloud/comments/vy8hx3/ama_wit...

Come join us! Also, hi Moles :)


Googler here.

We have very strict and very well engineered data retention systems. When we say data is deleted, we mean it. Various levels of automation ensure the data is purged, and all data is tracked meticulously for violations across every datastore.

It's one of those systems I wish we talked about more -- it's a marvel to behold just how much work goes into retention policies and the automation that drives it.


> When we say data is deleted, we mean it.

So that includes all online and offline + offsite backup systems, presumably? And hopefully any such data is "de-trained" from all applicable ml models and systems, of course.


Without going into too many details, yes. The trick is that you can key sensitive data, encrypt it, and delete it by throwing away the key.

I don't know if Google can do de-training (depends on how the training data is generated), but generally if the trained data can't be tagged for removal it also can't be reversed from the output of the training.
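
The key-deletion approach from the comment above, sketched as an added example (not part of the thread and not Google's code): each subject's record is encrypted with AES-256-GCM under its own key, so dropping that key leaves every copy of the ciphertext, including ones still on backup media, unreadable. `Store`, its methods and the subject IDs are hypothetical, and the model assumes the key map itself is never copied into long-lived backups.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrNoKey = errors.New("no key for subject: ciphertext is unrecoverable")

// Store is a hypothetical model: keys (subject ID -> 256-bit key) are never
// backed up; backup (subject ID -> nonce || ciphertext) stands in for tape.
type Store struct{ keys, backup map[string][]byte }

func (s *Store) aead(subject string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.keys[subject])
	if err != nil {
		return nil, ErrNoKey // NewCipher only rejects a bad key size, i.e. a missing key
	}
	return cipher.NewGCM(block)
}

// Put encrypts record under a fresh key; the subject ID is associated data.
func (s *Store) Put(subject string, record []byte) error {
	buf := make([]byte, 32+12) // 256-bit key, then 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	s.keys[subject] = buf[:32:32]
	g, err := s.aead(subject)
	if err != nil {
		return err
	}
	s.backup[subject] = g.Seal(buf[32:], buf[32:], record, []byte(subject))
	return nil
}

// ReadBackup decrypts the backup copy; it fails once the key is gone.
func (s *Store) ReadBackup(subject string) ([]byte, error) {
	g, err := s.aead(subject)
	if err != nil {
		return nil, err
	}
	b := s.backup[subject] // Put always writes this alongside the key
	return g.Open(nil, b[:12], b[12:], []byte(subject))
}

// Shred drops the key only; the backup ciphertext is never touched.
func (s *Store) Shred(subject string) { delete(s.keys, subject) }

func main() {
	s := &Store{map[string][]byte{}, map[string][]byte{}}
	fmt.Println(s.Put("user-a", []byte("constructed record"))) // constructed sample data
	s.Shred("user-a")
	fmt.Println(s.ReadBackup("user-a"))
}
```

The guarantee is only as strong as the key handling: any surviving copy of the key, for example in a backup of the key store, undoes the deletion.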


Have you considered the possibility that someone on the inside works for an intelligence agency (domestic or foreign) and is secretly exfiltrating the data for the purpose of obtaining blackmail material?


In the PRISM disclosure of 2013, the slide deck stated that the NSA had direct access to Google's systems. The deck claimed "collection directly from the servers". That, by its very design, goes around all the safeguards people are discussing here.


It's definitely been considered because it has definitely happened before (explore the history of Google cutting ties with China for about a decade).

... in response, Google took measures to prevent that category of insider-knowledge attack. With audited builds, zero-trust internal model (xref BeyondCorp), and infrastructure cross-checked by multiple human beings to guard against hardware-level attacks, such an insider attack is infinitesimally probable now.


I'm guessing you're speaking non-authoritatively.

The cloud documentation suggests a deletion period of 180 days; so for cloud data, at least, when it says it is "deleted" it seems to mean it will be [fully] deleted within half-a-year. https://cloud.google.com/docs/security/deletion


Former google employee, no knowledge of current situation, not involved in any of this stuff even when I worked there: different types of data get handled differently. If material is important enough then it's going to be backed up onto tape for disaster recovery purposes. If a user then requests it be deleted, that's a huge pain - the easiest thing to do is just wait until that tape has rotated out of backup, which may take a while.

More sensitive user data is likely to be handled differently - both for privacy reasons and because it's honestly just not as important to keep hold of it (a user's cloud data gets lost? That's a big deal. A user's location history data gets lost? Meh), so it's unlikely to end up in long-term backup storage.


Why would the Google Cloud data deletion policy for 1/ paying 2/ enterprise customers deleting their own data that they 3/ opted in to store, and then 4/ opted in to delete have anything to do with the retention policy for Google Maps' 1/ free 2/ consumer customers having data deleted by Google that the customer 3/ did not choose to store, and then 4/ did not choose to delete?

At least 4 meaningfully different qualifiers about the situation for entirely separate parts of Google.


Oh for sure, can you point me to some documentation closer to the specific services in question (free maps data)?

I was only suggesting that it might be indicative of the period deleted data ordinarily takes to leave the backup cycle.


Even the CEO of Google would not have a credible claim to know exactly what is being stored and by whom and when.


I note that the announcement is VERY VERY SPECIFIC about the data being gone from the opt-in "Location History" feature (with the capitals and everything).

It does NOT say that every copy Google has is deleted. It just says that the user-visible copy is gone.

What about, say, Sensorvault? Or whatever other internal systems I don't know about?


This would run afoul of data retention laws, which Google strongly adheres to. So it can't be true. It might be true for some definition of it, but not materially when it comes to records access.


How is Google by law required to retain data about my searches? Or specific locations I visit?


What specific data retention laws are you talking about and how do they apply to what is essentially involuntary telemetry?


What data retention law are you referring to that requires search history retention?


So if I have myactivity.google.com set to delete and not track anything, is it deleted?


“When we say data is deleted, we mean it.”

i guess we’ll take your word for it. after all, you have no motivation to lie.


Let me ask you about an edge case: someone carries out an arson attack against a clinic providing abortion services and inadvertently leaks clues to their identity when gloating about it on social media, which information finds its way into the hands of law enforcement.

(to downvoters, that's something that happens and I have a specific and recent case in mind)


I think the downvotes are because your description doesn't make any sense. Can you rephrase the scenario to better describe what you mean?

Are you saying "Someone carries out an arson attack, they (the attacker) leaks clues to their (the attacker's) identity when gloating about it on social media, and those gloat-posts find their way to law enforcement?"

How does that scenario relate to Google data retention? Google data retention has nothing to do with Twitter policies.


You understood it correctly, yes.

It relates to Google data retention because law enforcement's next move might be to ask Google for geofenced location data from the 72 hours preceding the attack in hopes of confirming the arsonist's identity.


> We have very strict and very well engineered data retention systems. When we say data is deleted, we mean it. Various levels of automation ensure the data is purged, and all data is tracked meticulously for violations across every datastore.

Ok, how would you know that is true?

How many ways can you think of would there be for your statement to be false?

If someone "higher clearance" than you decided to make you believe the above, but actually retain it somewhere in someway you weren't allowed to see. Are the number of ways more than one? How valuable could deleted data be in the case of blackmail or espionage? Can you actually be confident that someone above or before you didn't write a false delete function?

I'm not implying, I'm suggesting that "things we know to be true" is a smaller list than people think.

You suspect WIPEOUT is real, but can't actually know, and you are inside. Why would I believe for even a second?


Some of us actually work or worked on wipeout systems. And said systems are run by the team running the service that deals with the data.

Also all the source code (for all systems) is visible to all googlers.

This kind of conspiracy theory is really boring.


Maybe the conspiracy theories are because some have a very long memory:

"NSA taps into Google, Yahoo clouds, can collect data 'at will,' says Post"

https://www.cnet.com/tech/tech-industry/nsa-taps-into-google...

"National Security Letters"

https://www.eff.org/issues/national-security-letters

There is a reason behind the usual in-court phrase of "...tell the truth, the whole truth, and nothing but the truth...". So, if a third party would get copies of the data, it would be true Google deleted it... It just would not be "the whole truth".


> How many ways can you think of would there be for your statement to be false?

Not as many as you might think.

The systems at Google may seem incredibly complicated--and they are--but when I worked there, the scenarios where somebody intercepts and exfiltrates data without your knowledge are extreme.

> If someone "higher clearance" than you decided to make you believe the above, but actually retain it somewhere in someway you weren't allowed to see.

The way this data is stored, it is designed so that access to the data is logged and the logs have various alerts / auditing procedures to catch exfiltration attempts. SREs will periodically create user data and try out clever ways of destroying or exfiltrating it to test that these controls work. The Snowden leaks also cast a long shadow over work at Google, and since then, basically, all the traffic and data in storage has been encrypted in ways that make it difficult for state level actors to surreptitiously intercept it. These systems are a bit nightmarish to design, because there are competing legal/compliance reasons why data must be retained or must be purged. For example, certain data must be retained for SOX compliance, data may be flagged as part of an ongoing investigation, data may be selected for deletion for GDPR compliance, etc.

Obviously, it is POSSIBLE that someone is still exfiltrating data, but you have hundreds or thousands of smart engineers who are trying to prevent "insider risk" and "state level actors". People within the company are a big part of the threat model, and agencies like the CIA, Mossad, KGB, etc. are also part of the threat model.

The stack may be complicated, but it's also designed with defense-in-depth to prevent people at lower levels in the stack from subverting controls at higher levels in the stack. For example, people who work on storage systems may be completely unable to decrypt the data that their storage systems contain.

If you're going to get pissy about it, it's obviously true that we are not 100% certain that data is destroyed when we say it is. But this invokes a standard for "knowing" that precludes knowing the truth of any statement which is not an analytic statement.

You don't have to believe, even for a second, if you didn't work with the wipeout systems. That's fine. I'm not trying to convince that wipeout works as intended, because I know that I can't provide the evidence to you.

However, you seem to be arguing that other people don't know that the wipeout systems work--that it's somehow impossible to know.


This is just Pascal's Wager.

I can't know, lots of people have opinions, so I should just side with the one (avoid Google) that gives me the highest likelihood of happiness.


You don't know, that's fine. You were saying that specific other people don't know either, which is weird.


Many years ago, I worked for a contractor where we required clearance. We hired this one sysadmin "stick it to the man" type of guy that was extremely well educated and talented.

When he got to the part of the form that asked if he has ever consumed drugs, he said "yes" as he should have by being honest. The follow up question asks something along the lines of, "If yes, will you ever consume drugs again?"

The jack-ass decided to answer "I won't not do them again..." We fired him a few days later.


With these sort of things, it's better to tell the truth and get fired than to lie, and wonder if you're going to get prosecuted somewhere down the line for lying to a federal agent. Jobs aren't so rare; you should think twice before lying.

Edit: Yes, it is better to work at a car wash than to get convicted for lying to federal agents. Don't believe me? Ask any federal prisoner if they'd be willing to work at a car wash in exchange for their freedom.


Are those questions about illegal drugs or all drugs? Can you answer you don't take drugs when you smoke or drink alcohol? What if you have Marijuana in a country where it is legal? What about alcohol in a country where it is not? Is the trouble for the government that you are willing to go against the law, or that you could be under influence?


"In the last seven (7) years, have you illegally used any drugs or controlled substances? Use of a drug or controlled substance includes injecting, snorting, inhaling, swallowing, experimenting with or otherwise consuming any drug or controlled substance.

[...]

In the last seven (7) years have you intentionally engaged in the misuse of prescription drugs, regardless of whether or not the drugs were prescribed for you or someone else?

[...]

In the last seven (7) years has your use of alcohol had a negative impact on your work performance, your professional or personal relationships, your finances, or resulted in intervention by law enforcement/public safety personnel?"

They also ask a bunch of other questions as follow-ons. https://www.opm.gov/forms/pdf_fill/sf86-non508.pdf form page 93 PDF page 96.


It's a questionnaire to get a security clearance in the US. Pretty sure it's only from a US perspective and you'd be disqualified if you lived abroad where these concerns would make any sense.


BigQuery on GCP does this as well, without any extra work.

(Disclaimer: I work for Google)


Google could shut down an entire account without any communication and kill a business in the process.

I would never pick Google for anything important.


(I too work for Google Cloud)

I agree. One of the most amazing things about watching this project unfold is just how quickly it went from 0 to 100 with minimal overhead. It's amazing to watch companies and individuals push the boundaries of what is possible with just the push of a button.


It already is! It's available in open beta for all customers, with a GA release coming in the near future.

Disclaimer: I work for Google Cloud


Take a look at Google Cloud IAP -- it's essentially a stripped down version of BeyondCorp for public use on Google Cloud. I've used this as a customer of Google's with great success, it really does just work.

Disclaimer: I work for Google Cloud.



> Let's make towns have downtowns, with beautiful brick roads, scenic ponds with some ducks, perhaps a waterfall, some nice cafes, a lawn with benches, some parks, some nature, trees, live music, a library and museums.

You would think! I live in Santa Monica, California, and we have exactly that in our downtown area. The retail shop turnover is insane -- a large amount of shops come and go from the area, despite the massive amount of foot traffic the area sees every weekend (and most weekdays during the summer).


No... SM is a bit wack. The prices are so high, only big businesses can afford to be there. So most stores are big franchises. And it's too touristy for any culture. Main St is better, and towards Venice.

I would also nominate DTLA. Downtown is lit. Parking is wack though.

Consumers are no longer interested in old retail chains. They follow influencers and their original brands, but they're mostly direct to consumer, and everything arrives in two days anyway.


SM is loud and very touristy. Buskers are allowed amps for their guitars and I can't count the number of languages spoken. It's more of an airport terminal than anything approaching 'local'. God have mercy on you at the pier. I'd go Culver City, as a better 'local' kinda thing, but even then you need to get up to SB to really stand a chance of a quiet coffee on the street.

> Parking is wack though.

Literally all of LA is like this. Pro-tip, in SM, park at the library. Cheaper and easier to get in/out.


Even Beverly Hills has great parking. The major bottleneck downtown is parking right now and has been for a while. SM moved fast to build multiple parking structures... and that's where all the foot traffic comes from. Not sure why DTLA is so nonchalant about this. Don't see any construction whatsoever.


You don’t see any construction in DTLA? Are we both living in 2017?

It seems like every other day a new 40+ story mixed-use tower, with requisite parking structure, is breaking ground around here.

The thing that baffled me about downtown’s parking situation was how so many otherwise undeveloped parking lots managed to stick around given the opportunity cost of land downtown. That was until I realized a production crew can’t set up base camp in a parking garage.


Sorry, of parking structures is what I meant. I work in DTLA.

I am always marveled when I go to SM. Huge modern parking structures on every block.


Parking lots are speculators.


> Not sure why DTLA is so nonchalant about this. Don't see any construction whatsoever.

Presumably because LA finally managed to make a section of the city livable and they don't want to hasten its demise. Parking has pretty massive costs for quality of life and the livability of a city.

LA is just in a weird transition point right now, where even a furious pace of transit building isn't going to remake the car-centric infrastructure overnight.


Downtown LA has a fantastic parking situation compared to almost any other major city. Tons and tons of cheap parking.

Parking is not DTLA's problem.


Sure, compared to Tokyo and Manhattan. But everyone commutes using the train there.

DTLA is different. It is still within the driving circuit, and all other LA shopping destinations have decent free or cheap parking.

Paying 11 dollars just to park might be okay for work, but not okay if you're just looking to walk around or shop.

That's why BH and SM and all major malls have free or cheap parking. DTLA can't compete with these destinations in retail, until they fix this.

Joe's parking is not going to cut it.


Third street promenade is a disaster area from the perspective you describe. It's a classical tourist funnel designed to extract the most from them.

As noted in another comment, Main St. is a bit better with some ok food, bars and coffee shops, but the retail side doesn't offer much. Most likely out of sheer need for survival due to super expensive lease rates, most retail is oriented towards tourists, with a little bit reserved for ultra wealthy of the area.


It's a tourist trap mall that looks like a downtown complete with a fair bit of mixed use residential+retail+commercial dense-ish developments.

The point that people overlook there is that the aesthetics—indoor mall vs outdoor pedestrian-friendly throughway through a central part of a town—don't actually matter nearly as much as thought, since if you went at 10AM on a Thursday you'd think it was just a nice little downtown with a surprisingly high amount of retail in a small town next to LA.

And there are definitely good cafes, parks, and a library, yet all you're seeing here is still just a lot of people complaining about it. So maybe those aren't the critical components the OP seems to think they are.

There's no reason you couldn't turn the space and structure of a stereotypical 80s mall into a different sort of organizing space, without a whole "we need traditional looking downtowns" push.


I concur. High foot traffic does not result in steady state retail on the local streets. I've lived in the far east and despite heavy mom and pop representation, the turnover is insane _and_ due to lack of aircon in the mom and pops, people flock to malls due to free aircon.

