Yeah let's be real, if she programmed a popup to appear over twitter with a message like "Don't slack off dummy UwU" or something equally ill-informed she would have been rebuked at worst.
To say that it wasn't the union overtones that got her fired is naive.
She’s young and probably a bit naive. I think it’s absolutely a reprimand-worthy offence, and I certainly understand that a security engineer maybe shouldn’t inject code like she did, but that’s why there are reviewers, but they ok’d it. I don’t think it’s something she should have been fired over. I made dumb mistakes early in my career too, after all.
Should she have done it? No, absolutely not. Not like that anyway. Should she have been reprimanded? Yes definitely. Should she have been fired? I don’t think so personally, not for a first-time mistake at least (we don’t know if she did other things previously or not, of course).
Different viewing angle needed but Google does similar stuff themselves, e.g.:
On Google.com if you present a Vivaldi user agent and arrive via a redirect, the search text box will be misaligned.
On Google Docs if you present a Vivaldi user agent you will receive a warning.
The problem is, she insisted to the world (and presumably to Google as well) that she did nothing wrong here. This is a pretty minor thing to fire someone over - but what other option does a company have, when someone makes it clear that they refuse to behave properly?
Security tools, and especially extensions that run with full browser access, are in an exceptionally trusted position. Employees who can inject code into arbitrary websites can in effect get administrator access to anything in the company, as Google is run almost entirely off of web apps of various kinds. It's actually hard to get more trusted than that: without a doubt this woman effectively had a greater level of access than Sundar Pichai or other senior executives.
If there's one thing you don't screw around with in any firm, it's misusing administrator access. Misuse here means doing things that aren't related to your job description. You just don't do it! What she did would be like a logs engineer deleting internal access logs to cover up activity by political allies, or a Gmail engineer spying on conversations between executives. It's complete madness to think you can abuse such a high level of trust in such a direct way and get away with it!
I used to have a certain type of Google account system administrator access. The way I used it was watched very closely, and deservedly so. Eventually it was removed because Google built better security systems that could restrict employee access more, and in my team we were happy about this (for one, it meant we were less likely to be hacking targets). The idea of anyone abusing this sort of access for political reasons was unthinkable.
I honestly can't believe people here are defending this kind of behaviour. If Googlers feel it's OK to abuse root@chrome for unionisation-related purposes, what else might they start doing? What about people perceived as 'bad'? Google needs to explain what happened here pronto, because apparently she was able to get this change through code review? So she had internal allies who approved her abuse of access? That is tremendously worrying.
Google is very rapidly burning the trust it requires for its business models to function. How can anyone trust the firm when 21-year-old activists are able to manipulate Chrome for political causes and Google's own security procedures are unable to stop them?
This is reprimanding for the content of the message, not the scope of the code which would have actual security implications. Furthermore, it is a warning about not violating an actual company policy. This is not far off from the scope this pop-up tool is designed for. While it is clear that this was done as a response to Google hiring this firm to dissuade folks from organizing, I could argue that it could be done to warn managers not to use the firm's presence as permission to violate a specific policy + law. IANAL but this seems like an extremely grey legal area. For example, this could be aimed at managers to remind them that even though this firm is hired, they cannot enforce a ban on organization according to that specific policy in the handbook. I think that's an appropriate use IMO, it would save the company some serious money and headache if it stopped a manager from illegally retaliating against organization.
I would not characterize this as evidence that this person is a security risk. It takes existing culture of Google, including past incidents like changing the default desktop wallpaper for a protest that was happening, etc.
Also if this is true it is totally insane. Sounds like intimidation tactics to stop exactly what the pop-up warned against.
> They also dragged me into three separate interrogations with very little warning each time. I was interrogated about separate other organizing activities, and asked (eight times) if I had an intention to disrupt the workplace. The interrogations were extremely aggressive and illegal. They wouldn’t let me consult with anyone, including a lawyer, and relentlessly pressured me to incriminate myself and any coworkers I had talked to about exercising my rights at work.
I think you're assuming it's related to the message content, but that's not what Google are saying and it's not how corporations work in my experience. How you do something matters a great deal in any large bureaucracy. If Spiers wanted to remind people they could unionise there are communication systems that exist for people to talk to each other on their own initiative without approval, systems like email or even memegen.
Modifying the behaviour of people's web browsers isn't a channel intended for employees to push personal messages to each other and this should have been really obvious to her. She and her colleagues were trusted with a tremendous amount of power which could be readily abused (see my other comment on this thread), and the expectation was clear that it'd be used only within the bounds of what her management asked her to do, namely corporate security.
When she went outside those bounds and started using her immense technical privileges in ad-hoc ways, and (worse) making arguments like "I got a colleague to approve a code review so it was OK" she gave an extremely clear demonstration that management simply couldn't trust her. It's not about unionisation. It's about someone with the power to steal cookies from her own colleagues going rogue and deciding her own personal political priorities matter more than company policies she had agreed to follow.
Only sort of related, but one time some of the YouTube engineering team made a code change to kill off usage of Internet Explorer 6 by bypassing the usual code screening process to circumvent management. Their boss reprimanded them but eventually got in on it, without going through the appropriate channels. Then the Docs team saw the banner they showed YouTube users, thought they had actually received approval from management and used it as evidence to convince their managers to implement their own banner (who would have normally refused).
All they received was a small rebuke. In fact, management praised the team for the end result of decimating IE6 usage, as intended.
Then one of the architects of the scheme blogged about it in retrospect years later.
It was a configuration change so there were no dangers adding it, so her being a security engineer isn't relevant. The right punishment would be to tell her what channels she can use to send union messages and tell her to just do security related popups in the future. If she continued sending messages like this then fire her, but it is dumb that she got fired over something that would take literally 5 minutes to fix.
Google did tolerate exactly the same kind of behavior from the internal OS distribution team before, you could argue that security is even more important there than in a browser plugin.
I am not a Googler but I reiterate I know exactly 0 CSOs that would tolerate this. You providing an example outside of the security team kinda reinforces my point.
Google has a lot of security teams since they do all of their infra themselves. The people who push security patches to people's OSes are a security team, and they used that channel to push a message similar to this.
From an outsider's perspective I can say that, to me, this is a security tool and it should show a popup for restricted sites and/or flagged sites. If its intent was a general notification extension like office emails etc., nobody would have cared. But since it is a security tool, even if your action is not malicious, the expectation of security-only updates is breached, which is what I believe is the core issue. More so, the employee is a security engineer; the fact that this is most likely something they would be aware of and proceeded to do this change anyway is something which is extremely worrying. It raises all sorts of questions, like how safe is Google infrastructure from rogue employees and how does this affect data collected by Google and handled by Googlers.
> "Yeah let's be real, if she programmed a popup to appear over twitter with a message like "Don't slack off dummy UwU" or something equally ill-informed she would have been rebuked at worst."
What? Granted, I've only worked for large businesses but that would be grounds for immediate termination at any company I've ever worked at.
From her description of her job position it seems like programming a popup to appear over twitter with a message like "Don't slack off dummy UwU" was exactly what Google wanted her to do in her job.
> As a security engineer who worked on the Chrome browser’s use within Google, Spiers wrote browser notifications so that employees could be automatically notified of the company’s policies and guidelines as they browse the internet. Spiers said that engineers regularly implement such code changes to make their jobs easier and share personal interests.
But programming a popup to appear over a union busting law firm website with a message that such and such law exists was not.
> Spiers wrote a few lines of code that created a pop-up message asserting Google employees’ labor rights whenever her co-workers visited the consulting firm’s website or Google’s community guidelines. The message reads: "Googlers have the right to participate in protected concerted activities." The pop-up would have been visible to anyone at Google.
> https://www.vice.com/en_us/article/jgexe8/google-fired-an-en...
I agree that "Don't slack off dummy" would have earned a rebuke, but I wouldn't be surprised if any controversial political activist message would have been grounds for termination, especially with Google's new policy regarding political activism in the workplace. She would likely have been rebuked if she had just posted a flyer in the cafeteria, but she modified an internal tool.
To say that it wasn't the union overtones that got her fired is naive.