

Bank Sends Email to Wrong Gmail User, Sues Google For His Identity - dnewcome
http://mashable.com/2009/09/24/bank-sues-google-identity/

======
mdasen
This begs the question, what was the bank doing emailing bulk sensitive data
in an insecure fashion?

It seems like the bank needs better security policies and thinks that it is
acceptable to go after innocent people rather than admit that they don't take
data security seriously. I understand getting caught in a situation like this.
It happens and while it might be a sign of bad policies, it might also just be
unlucky. What matters is how one handles these situations - and the bank isn't
handling it well. You have a data breach. Do you notify account holders
affected, help them change their account numbers, take responsibility, and put
in place policies that will prevent it from happening again? Or do you yell at
Google and go after some innocent Gmail user trying to hide yourself from
responsibility?

Heck, they even wanted their lawsuit to be confidential:
[http://www.informationweek.com/news/internet/google/showArti...](http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=220100410)

At least the judge decided that their embarrassment wasn't cause to keep the
lawsuit private.

~~~
mhb
<http://en.wikipedia.org/wiki/Begging_the_question>

~~~
lsb
People use "this begs the question" to mean "this begs [you to ask] the
question", and while it's not historically accurate, it's modern
usage.

People 100 years ago would have thought that Americans using "mad" to mean
"angry" instead of "crazy" was equally reckless.

~~~
hristov
This is not only historically inaccurate but it is currently inaccurate. The
fact that a lot of not very smart people use it does not mean we should add it
to the language.

I am usually not a stickler for these things, but this is very important
because the actually correct phrase "begging the question" has a very specific
meaning which is very difficult to convey in other words. Thus, if we allow a
bunch of idiots to hijack this phrase in their hopeless quest to sound
intelligent, we will lose a very useful phrase for which there is no present
substitute.

~~~
shib71
Actually the meaning is not that specific. To someone who hasn't had the
"official" meaning explained to them, the new one is much more natural.

If you're relying on this phrase to convey that idea then you're communicating
badly, because many readers will misunderstand.

------
roc
I actually have a similar story. As it turns out, I share a first initial and
last name with an incumbent congressman's campaign manager.

During their last campaign, I received quite a bit of wholly unsolicited email
bound for the manager. Despite a couple "I'm not the guy you're looking for"
emails, (I even sent one directly to his 'official' address on the campaign
website) I continued to receive the emails.

Most were fairly benign. Some were harmless, but definitely from the sausage-
making side of politics. Quite a few were... very personal. I can easily
imagine they'd leverage this precedent if they realized what I was getting.

So this whole topic hits pretty close to home when I wonder about what extents
these rulings might go to.

Would they turn over my account itself? Would they scour my outgoing messages
to see if I forwarded it? Would they pop open every archive I emailed to see
if that might contain the information? Would I be compelled to turn over
passwords and keys for secured archives? (violating my client's privacy as
well) Would they supply a list of IP addresses where I viewed the messages
(and might have made copies)? Would they demand access to those machines?

Exactly how much of my (and thereby my associates') privacy would these
courts be willing to violate due to no fault of my own?

~~~
electromagnetic
In this case they're suing Google to acquire the user's identity, and Google
has said they're willing to give the user the chance to oppose the order.

As far as I know ownership of email hasn't been contested in court, but the
email was addressed to the accidental recipient, which even under mail
tampering laws wouldn't mean he had done anything wrong. The laws for mail are
to prevent me mail-box diving my neighbour or opening accidentally delivered
mail, however if the mail was mis-addressed to me then it's legally mine
through and through.

This email was mis-addressed, which wasn't the fault of the recipient. I
highly doubt the Judge will rule in the company's favour and risk setting a
precedent against federal mail laws for email, it would seem kind of absurd.

~~~
roc
If you're familiar with these laws: if I misaddress something to a PO Box,
will the government reveal the identity of the accidental recipient? Will they
if I ask nice, or must a court compel them? Are there any sort of requirements
that need to be met?

I realize that in this case they haven't asked for anything beyond identity
_yet_. But I'm forced to wonder what happens after they've ascertained
identity?

There's no need to _compel_ Google to reveal that person's identity unless
there's a follow-up action that they feel they can't execute unless they know
the identity of the unintended recipient.

So what is the follow-up action of stripping away this innocent person's
privacy? I'm forced to conclude it would be yet-another injustice.

~~~
pyre
I'm assuming that they want to 'have him by the balls' to use as a scapegoat
if any of that information is ever used for identity theft. The problem with
this is that I feel if they have such a convenient scapegoat, they will
probably rush to crucify him before investigating whether or not the
information could have been obtained through other avenues.

------
jgrahamc
Imagine that you are the owner of jgc.org and that there's a popular web site
called igc.org. Now imagine the amount of email you receive daily misdirected
to jgc.org.

A lot of this mail is mailing lists that didn't do double opt-in and hence
*@jgc.org got added to the list. But quite a lot is just personal mail.

For a while I used to receive the itineraries for the private jet of a famous
entrepreneur because they were meant to be CC:ed to someone at igc.org but
came to me instead.

~~~
mustpax
I imagine if you owned noreply.com you'd get a hefty amount of private
correspondence in as well. I bet there are plenty of services out there that
use noreply@noreply.com thinking it's the email equivalent of /dev/null for
some magical reason.

~~~
josefresco
I wrote an article a while back on this topic and whether the owners of
test.com check the email account test@test.com.

Didn't get a good answer but I would imagine they _could_ see a lot of very
personal information come their way as many geeks I've known use that to test
their software.

~~~
jerf
Best practice as I understand it is to use emails that have the TLD "invalid",
or one of a couple of others that have been explicitly set aside as "never
will be issued" by RFCs. They also have the advantage of looking very out-of-
place, where @test.com may slip by.

~~~
psadauskas
Full list, and what they should be used for, here:
[http://en.wikipedia.org/wiki/Top-level_domain#Reserved_domai...](http://en.wikipedia.org/wiki/Top-level_domain#Reserved_domains)

For testing, I usually use test{n}@testname.test. I've so far managed to avoid
no-reply. If someone tries to reply to one of our message emails, I want to
know what problem they're having, and the context to go with it from what
message we sent them. "noreply" emails are anti-user-friendly.
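
An added example, not part of the thread or any commenter's code: a Python check that scans test fixtures for e-mail addresses that could actually be delivered, treating only the names reserved by RFC 2606 (`.test`, `.example`, `.invalid`, `.localhost`, and `example.com`/`.net`/`.org`) as safe. The fixture text and the function names are constructed for illustration.

```python
import re

# Names reserved by RFC 2606; mail to these can never reach a real mailbox.
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}

# Deliberately loose: good enough to spot addresses in fixtures and configs.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)")


def is_reserved(domain):
    """True if the domain (or a parent of it) is reserved for testing."""
    d = domain.lower().rstrip(".")
    if d.split(".")[-1] in RESERVED_TLDS:
        return True
    return any(d == r or d.endswith("." + r) for r in RESERVED_DOMAINS)


def deliverable_addresses(text):
    """Return (line_number, address) for each address outside reserved space."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in EMAIL_RE.finditer(line):
            if not is_reserved(match.group(1)):
                hits.append((line_no, match.group(0)))
    return hits


# Constructed fixture: two addresses here belong to domains someone can own.
SAMPLE_FIXTURE = """\
users:
  - email: test1@signup.test
  - email: test@test.com
  - email: noreply@noreply.com
  - email: qa@mail.example.org
  - email: bounce@nowhere.invalid
"""

if __name__ == "__main__":
    for line_no, address in deliverable_addresses(SAMPLE_FIXTURE):
        print(f"line {line_no}: {address} is outside the reserved test domains")
```

Run over a repository's fixtures or seed data in CI, a non-empty result is a reason to fail the build before test mail leaves the building.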

------
tedunangst
Wouldn't it make more sense to link to the source?

[http://www.theregister.co.uk/2009/09/23/google_sued_for_gmai...](http://www.theregister.co.uk/2009/09/23/google_sued_for_gmail_user_identity/)

~~~
afed
Not if you're driving hits to your own blog posting.

~~~
unalone
Doesn't look like the poster works for Mashable. On the other hand, Mash is
where he saw the information, so why not post the link there? It's not a bad
thing to link to the site that you personally rely on for news.

------
MrMatt
Maybe they should be sending secure links to sensitive files rather than the
files themselves. At least they could regenerate the links rather than just
hope that the files get to the correct place.
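
An added sketch of the secure-link approach suggested above (not code from the thread): the e-mail carries only an opaque token, the server keeps its hash together with an expiry and the intended account, and a link sent to the wrong address can be revoked and reissued. The class, method and account names are hypothetical.

```python
import hashlib
import secrets
import time


class SecureLinkStore:
    """Server-side registry of download links; only token hashes are stored."""

    def __init__(self):
        self._links = {}  # sha256(token) -> link record

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, file_id, intended_user, ttl_seconds, now=None):
        """Create a link for one file and one account; return the token to mail."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, carries no data
        self._links[self._digest(token)] = {
            "file_id": file_id,
            "user": intended_user,
            "expires": now + ttl_seconds,
            "revoked": False,
        }
        return token

    def revoke(self, token):
        """Kill a link, e.g. after it was mailed to the wrong address."""
        record = self._links.get(self._digest(token))
        if record is None:
            return False
        record["revoked"] = True
        return True

    def redeem(self, token, authenticated_user, now=None):
        """Return (file_id, reason); file_id is None when access is denied."""
        now = time.time() if now is None else now
        record = self._links.get(self._digest(token))
        if record is None:
            return None, "unknown"
        if record["revoked"]:
            return None, "revoked"
        if now >= record["expires"]:
            return None, "expired"
        # The link alone is not enough: the caller must be logged in as
        # the account the file was meant for.
        if authenticated_user != record["user"]:
            return None, "wrong-user"
        return record["file_id"], "ok"
```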

~~~
kp212
Not 100% sure on this, but emailing sensitive customer info doesn't sound PCI
compliant. Maybe customers should look into suing this bank.

~~~
tedunangst
PCI compliance has nothing to do with how you handle your loan information.

------
dkokelley
This makes sense. The bank is doing what it should be doing, by bringing the
matter through proper legal channels. If Google just handed over the
information, they would be liable to the account holder. I personally hope
that the legal system finds the bank was negligent and denies access to the
guy's personal information.

Also, what are the 1,300 bank customers doing about this? I'm sure that a
class-action suit will be filed against the bank.

~~~
pyre
Apparently the bank didn't want them to know about it. Pursuing the gmail-
account owner is their way of dealing with the issue.

~~~
dkokelley
The bank has a duty to inform their customers that their identity may have
been compromised.

~~~
pyre
I agree, but apparently that bank doesn't.

------
tamas
I had this fun idea of registering an email address with a username being a
common noun. Although I found it strange that the address was still available,
but I didn't care too much about it, I was happy to have the account. (You
know, new inbox smell).

And then emails started to arrive to the address. Of course, lots of them were
spam-spam-spam-spam. But there were also some personal letters. For a while I
thought it was some mistake, and replied nicely to them pointing it out, and
tried to inquire about what could be the reason behind the confusion, but
never really figured it out.

The mails kept coming, and I realized that they weren't even addressed to the
same person. Up to now I have at least 30 alter egos, giving out my email
address to their friends, relatives, and using it in an attempt to register on
web sites. Most of them seem to be female, so I get many mails trying to hit
on "me" after that talk on IM or seeing my profile on some website, etc. Also
pictures of nieces, invitations to bbqs, and questions about my iron and if I
can bring it to "the club" next Tuesday.

I just hope I won't get sued one day.

------
ciupicri
So in order to find out who's behind a (Gmail) email address, all I have to do
is send an email and then claim that I didn't want to send it to that person.

------
mikeryan
This may actually be a good thing in the long run. Assuming Google wins the
case, this would set a good legal precedent around unsolicited email.

------
philwelch
My gmail account happens to be my first initial and last name. I get more mail
addressed to other P. Welch's than I get addressed to me, but probably because
I don't really use the account (I foolishly got it back when gmail accounts
were considered a status symbol and used it for online file storage).

------
DannoHung
There has to be some sort of precedent for this with physical mail.

On the other hand, I don't think that the bank is being unreasonable when you
consider that Google said, "Sorry, no, you'll have to file a suit about this
and proceed through legal channels."

~~~
jodrellblank
The bank is being unreasonable by pursuing this at all.

Whatever the outcome, they should contact the people with the accounts
involved and start changing details, and should update their data handling
practices.

Even in the best case that Google logs prove the user did not open the email,
it's still been through who knows what unsecured SMTP servers and is who knows
where in Google's replication and backup systems and available to an unknown
number of system and mail administrators.

What do they hope to gain?

------
covercash
If anything, I think the identities of the bank employees should be revealed
just so this nightmare gets put on their permanent records (the internet).

