

Misfired e-mail was never viewed by Gmail user - designtofly
http://news.cnet.com/8301-27080_3-10363663-245.html

======
jcromartie
Shouldn't it be possible, with what we know about cryptography available
today, for banks and other companies to do business _without_ having to
regularly pass around files containing thousands of their customers' _most
personal_ identification credentials like names, addresses, SSNs and account
numbers?

~~~
DannoHung
Not on the approved list of corporate software, requisition for the approved
software that can do the same thing was denied due to budgetary reasoning.

~~~
callahad
How do you combat this sort of thing? My employer is set to impose a software
registry upon its employees -- any open source tool, at all, has to be
registered. Proprietary but free packages, like Adobe Reader or Opera, do not
need to be reported.

I've yet to find a compelling argument against this. Or at least one that's
persuasive to our legal department.

~~~
pyre
How much 'proprietary but free' software is malware, spyware, etc? Using
examples of well-known software like Opera or Adobe Reader is a straw-man in
favor of the 'OpenSource is bad' argument.

What -- in particular -- does the legal department have against Open Source
software? Is Firefox somehow a legal-risk as opposed to Opera? Even though
it's been vetted by a larger installed user-base? Or is it just because there
is no 'single entity' that they can sue/point fingers at when/if something
goes wrong? There are plenty of anonymously authored non-opensource pieces of
software out there.

I think that it would make more sense to have either: 1) have to register
_all_ software on the list or 2) have to register all 'non-popular' software
(i.e. Firefox/Opera ok, random OSS/proprietary software needs to be registered
though).

~~~
callahad
From what I've been able to ascertain, our counsel's primary concern is that
the mere _availability_ of the source creates risk in terms of the
introduction of copyleft code into our proprietary products. They're also
afraid that, were an issue to arise, they wouldn't be able to settle it as a
business matter as they would with a large corporation like Adobe or Opera.

We also have a number of customers requiring that we provide indemnification
against any open source software infringement claims, which has sent our
counsel down the path of wanting a full registry and approval process for all
open source software on developer workstations.

The positions I've taken -- the workload, the fact that the registry doesn't
adequately protect us from the surreptitious introduction of copyleft code
snippets, etc. have all fallen on deaf ears. I'm trying to figure out what
other arguments I might be able to bring to the table.

~~~
pyre
> _They're also afraid that, were an issue to arise, they wouldn't be able to
> settle it as a business matter as they would with a large corporation like
> Adobe or Opera._

You might remind them that not all proprietary software comes from large
corporations and many of the smaller guys might be more willing to pursue the
legal 'issues' to the fullest extent of the law.

> _The positions I've taken -- the workload, the fact that the registry
> doesn't adequately protect us from the surreptitious introduction of
> copyleft code snippets, etc. have all fallen on deaf ears. I'm trying to
> figure out what other arguments I might be able to bring to the table._

I would point them in the direction of people that have purposely included
open source code in proprietary projects (e.g. the recent ScummVM on Wii
issue) to try and instill the fact that registering all open source tools that
are being used will not protect them from a developer that is trying to 'cut
corners.'

If I have Firefox installed on my computer that _DOES NOT_ mean that I have
the source code 'at my fingertips' as well. The same could be said of Vim or
Emacs. And unless your employer is building developer tools, I doubt that any
of your developers is going to try and include code from the Vim or Emacs
codebase. It just doesn't make sense.

------
Mankhool
Using unencrypted emails and web based email services for corporate
communication is really bad judgement. In Canada one of our banks used to fax
confidential documents to a scrapyard operator in West Virginia - for years.
<http://tinyurl.com/ycdeqm8>

~~~
nixme
Please don't use URL shorteners on HN. It masks the domain making it difficult
to gauge the context of a link (in this case theglobeandmail.com).

~~~
idm
Check out this URL unshortener extension for Firefox:

<https://addons.mozilla.org/en-US/firefox/addon/9549>

Also posted to HN here (upvote if you want others to know about it):

<http://news.ycombinator.com/item?id=853586>

------
dschobel
_"Rocky Mountain Bank, working with Google (through court order), confirmed on
Thursday of last week that the e-mail containing client information was never
opened and has now been permanently destroyed by Google's system," Tina
Martinez, general counsel for Rocky Mountain Capital, wrote in an e-mail
response to questions. "As a result, no customer data of any sort has been
viewed or used by any inappropriate user during this data lapse," Martinez
wrote_

So basically they got unbelievably lucky. It doesn't change the fact that
Google was prepared to bust down this guy's virtual door because someone said
they accidentally slipped some data in his mail-slot.

It's still all very troubling.

~~~
dtf
To be fair to Google, they did nothing until ordered by a US court. Is there
any more you can ask?

~~~
dschobel
I think what's troubling is really a combination of two independent
circumstances.

First, one company has access to tons of my personal data. I trust this
company, they seem well intentioned and they have a very reasonable privacy
policy. It's also extremely useful to me to have all of my data (email,
personal contacts, calendar) in one place and accessible via a web-interface.

_However_, when you throw in the second variable, namely, the mixed-bag
which is the US judicial system it can all be torpedoed with the flick of a
wrist.

I really would have preferred to have seen the judge tell the bank "tough
shit" and have _someone_ (either the email recipient or EFF) put up more of a
legal resistance to this court order.

~~~
dtf
True, the court system is rather unpredictable in this new territory. To me it
seems reasonably fair though - as the owner of the account was unreachable,
and many other people's private data was at stake. I would say that Google
followed the rules properly, even if the bank didn't.

I found the Liskula Cohen blogger case much more troublesome, and the ongoing
TCI Journal case is especially disturbing.

------
tlb
Instructive to read the original outrage here:
<http://news.ycombinator.com/item?id=844228>

But in the end, they did the reasonable thing: delete the email and move on.

------
naveensundar
The interesting thing is that Google can easily read data in Gmail. I would
have been happier if it was actually encrypted using the user's password or a
one way hash of the user's password.

~~~
jonah
I like that idea, but what do you do when someone changes their password?
Decrypt/Reencrypt all their messages?

~~~
dchest
Easy: encrypt a random encryption key with password (I mean, with a key
derived from password). Then encrypt content with this random key. When user
changes password, re-encrypt the same key using a new password. No need to
re-encrypt contents, because it's still encrypted with the same key.

This is how it's done in most disk encryption software, for example,
FileVault.
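
The scheme described in the comment above, as an added example that is not part of the original thread and not any product's actual code. The function names, the PBKDF2 parameters, and the HMAC-SHA256 stand-in cipher (used so the block runs on the Python standard library alone; a real system would use an AEAD such as AES-GCM) are assumptions.

```python
import hashlib, hmac, os

def kek_from_password(password, salt):
    # Key-encryption key derived from the password (PBKDF2 is an assumed choice).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _keystream(key, nonce, n):
    # Stand-in cipher: HMAC-SHA256 in counter mode, used only to stay stdlib-only.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC with a fresh nonce; output is nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def new_mailbox(password):
    # The random data key encrypts content; only its wrapped form is stored.
    salt, data_key = os.urandom(16), os.urandom(32)
    return {"salt": salt, "messages": [],
            "wrapped_key": seal(kek_from_password(password, salt), data_key)}

def unlock(box, password):
    return open_sealed(kek_from_password(password, box["salt"]), box["wrapped_key"])

def store(box, password, text):
    box["messages"].append(seal(unlock(box, password), text.encode()))

def read_all(box, password):
    key = unlock(box, password)
    return [open_sealed(key, m).decode() for m in box["messages"]]

def change_password(box, old, new):
    # Re-wrap the same data key under a new salt and KEK; messages are untouched.
    data_key = unlock(box, old)
    box["salt"] = os.urandom(16)
    box["wrapped_key"] = seal(kek_from_password(new, box["salt"]), data_key)
```

A password change rewrites only `salt` and `wrapped_key`, so its cost does not depend on how many messages are stored.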

------
sfphotoarts
"permanently destroyed by Google's system" - I find that hard to believe with
all their duplication of data across locations and hardware.

------
chanux
You send me an email by mistake. And you want my email provider to delete my
account.

I love this world.

