Judge Orders Google To Deactivate User's Gmail Account and Disclose Identity (mediapost.com)
141 points by Flemlord on Sept 25, 2009 | 100 comments


There are many things wrong with this order, but the most obvious ones are: 1. Both the emails could be in the spam folder of an account which the user is heavily dependent on. 2. In the future, to deactivate somebody's account just send a sensitive mail to that account.


My question is what does deactivating the e-mail account accomplish? If I received that e-mail and I intended to sell it or use it for my own malicious purposes, I would have saved the data off somewhere by now. Deactivating the e-mail account doesn't seem to accomplish anything.


It prevents the user from selling off the data if this is an infrequently checked account (i.e. the user has not had a chance to even make the decision to sell the info).

Not that I agree with the ruling.


Then why didn't the court just authorize google to delete that particular attachment? It's on their servers after all. Google can also see whether the attachment has been downloaded. There's absolutely no reason why the account should be suspended.


Because the judge is an idiot, and that's not what the bank's lawyers requested?


Being technologically ignorant makes one an idiot?


Maybe a 'real world' example is in order. If the bank accidentally mailed confidential information to a random person's PO Box, then sent a mail to that person's PO Box requesting that they return the package... it would be a similar scenario. The package was sent to the wrong place and the bank is obscured from knowing the identity of the real person behind that address.

This judge's ruling is akin to allowing the bank to force the Postal Service to remove that person's PO Box account and burn all the mail inside of it in an attempt to destroy the confidential information. This is wrong on so many levels it's not funny.

1) The bank has no confirmation that the confidential information has not been already removed from the PO Box.

2) The bank is destroying all of that person's other mail and preventing future mail from reaching that person in an attempt to correct their mistake (which is only related to a single piece of mail).

If the judge wanted to allow them access to the PO Box to remove the mail, then so be it. The current ruling makes no sense. As alex_c said, someone making important decisions about a matter (technology or otherwise) CANNOT use ignorance as an excuse. Some person that's never used a computer can be as technologically ignorant as they like, but someone that holds a position of responsibility is a different issue.


Hopefully "deactivate" simply means preventing the owner of the account from logging in. It is possible to deactivate an email account while storing incoming email and preserving the contents of that person's account - just in a way inaccessible to them. That way, it could simply be temporary - especially if appealed.

It's an absolutely terrible decision, but I think (hope?) it will be more akin to them changing the lock on your PO Box and not allowing you to access its contents until the situation is cleared up. Clearly not an acceptable decision, but it's better than permanently losing everything and can be appealed by the account's holder.

Plus, if the deactivation was a destruction of the person's data, that would put the bank at huge liability I would have to think. People have important emails and I don't think any jury would side with the bank. Imagine presenting that case to a jury. "The bank screwed up and to cover their ass, they destroyed all my email - all my personal and professional communications; important documents. . ."


Just as a datapoint, my wife once received a comprehensive account history including balance, full social security and PIN. Very scary to have all that information in one document, imagine if it had been my wife's information instead of some random Korean national whose address bore no similarity to hers!

We took the document to the bank of course, they promised to "fix" her address, entirely unconcerned at the fact that they had just mailed out random personal information to a different customer. We're no longer with that bank.


Google isn't the postal service and has no contractual obligations to its email users. The judge might well think anyone who allows his livelihood to depend on a freebie that Google can withdraw any time it wants is an 'idiot'. Who could blame him?


The only other way that a person can get email on the internet is through a hosting/colo/vps service. Hosting services are notoriously quick to just turn over information at the sign of any trouble. If this user's email was hosted on a hosting service that he/she had paid for, chances are that his/her information would have been handed over to the bank as soon as the words 'lawyer' and/or 'court' were mentioned.

It's funny then that Google -- with their free service -- has shown more compassion for this user's privacy rights than a paid service would have. (Note that I realize this 'compassion' is out of need to protect a brand, yadda yadda yadda)

And in any case, since Google has no 'contractual obligations' to its email users, do you think that it would be right and proper for the judge to order Google to shut down all free gmail addresses in the hopes that it would prevent problems for this bank? After all, it's a free service right? All of those users are idiots, right?


If one is making important technology decisions while being technologically ignorant - yes.


I think people on this board especially understand that something as simple as an email account can directly affect our means of making a living and can have very serious consequences, therefore we understand that a blanket deactivation could be the equivalent of "to help me fix my mistake, you must lose your job."

To non-geeks losing an email account isn't as big of a deal, so it's easy to see why a judge would not realize the significance.


I know many non-geeks who would consider losing their email account a big deal and would be upset. More than just geeks rely on their online identities to talk and work.


I think the point he was trying to make was how much does the Judge value electronic mail. Not much apparently.


The problem is more general, that the current set of lawyers, policy makers and the like just aren't familiar with anything digital. Given 20 years, when the current law students/other 20-somethings, who have grown up with the Internet, iPhones and a constant connectivity to anyone you want, start getting into policy creating offices and sitting as judges, I expect to see many changes to the way issues like this are handled.


I wonder if anyone has heard anything at all from the holder of the Gmail account? I mean it could very well be that the emails just ended up in spam, but I think it more likely that the email account simply isn't used anyway.

That said it is obvious that no one wants their email account to be terminated, especially not those who use it for business, and if the court has that power to simply deactivate someone's account then something is very wrong with our judicial system.


Apparently, the judge who ordered this doesn't have very good judgement:

"In 1998, Judge Ware was reprimanded by the Judicial Council of the Northern District Court of California for fabricating the story of being the brother of Virgil Ware[5], a 13 year old black boy shot by teenage racists in Alabama in 1963 on the same day as the 16th Street Baptist Church bombing. According to a story Judge Ware had told many audiences, he was riding his bike with his brother Virgil on the handlebars when Virgil was shot and killed by white racists.[6] The incident was a real one, however it happened to a different James Ware,"

http://en.wikipedia.org/wiki/James_Ware_%28judge%29


Does the judge have a Gmail account? I may want to send some sensitive information there and then ask him how should I deal with that.



How come the guy didn't get thrown off the bench for that?

Judges are supposed to be beyond doubt, if a judge has done something like that their career should be over.


Especially if they have a lifetime appointment.

If you fuck up and are re-elected, that's one thing. If you fuck up but have a lifetime appointment, well, I can't see the benefit to the people he represents to keep him on the bench.


Which points to a really huge invisible elephant: what do you do when a judge is plain wrong?


Appeal. (In theory).


Has Google complied with the order yet?

I would hope that Google would see it in their interests to appeal. Considering the judge's history, odds are an appeal would go through pretty well and Google gets to keep its reputation intact for a relatively low cost.

There are other methods to help out the bank without setting this precedent.


And sometimes move for an appellate court order staying the order of the trial court, if the trial court's order would have an irreversible bad effect.


It seems to me that the person to appeal would be the holder of the Gmail account. If no one hears from him, which is likely (The Gmail account is probably abandoned), then nothing will happen.

I just hope that this doesn't set a precedent in future cases.


Good finding. I hope there is some way to appeal in a higher court.


don't be offended, hey, it's Friday ;)... but you can't appeal to a lower court.


The thing that really blows my mind about this whole story is this:

What the fuck was a bank doing sending the confidential information of thousands to a GMail account in the first place?


Don't count on a bank handling data security well.

Here's a story for ya', I won't use the bank's real name, but it rhymes with HSBC.

Anyway, a while back, I was logging into my online banking and the password no longer worked. So I called tech support to see what's up. They said, oh yeah, your password can't be more than 8 characters now. If it was more than that previously, it got truncated [not sure they actually used that word], so try the first 8 characters. So what does this tell you about the way they were/are storing my password?


(Hint: you can't truncate a hash and get a subset string of the original password to still work.)


+1 for frisco (hopefully most of us) that understands the basics of a one-way hash!! The more precise answer is they at least were storing password in plaintext.


It could be that the bank was hashing the passwords all along, but just truncating the user's input before hashing it and comparing it to the saved value. Not that I think this is what happened, but I'm just saying it could be.


If they did that, his old password would still work. His use of "no longer" implies that the password used to work before the policy change.

Unless at some point they started rejecting long passwords just for being long, without checking them against the database. And this is just not plausible.


Then what would the newly entered shorter value match to?

123456 -> hash code 1

123 -> hash code 2 (which doesn't exist in their db)
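
The storage schemes argued over in the comments above, modelled as an added example (not code from any commenter or from the bank). The class names, salt and sample password are constructed, and it assumes the policy change either truncates stored values or changes how the login form treats long input.

```python
import hashlib
import hmac

MAX_LEN = 8                      # length limit from the anecdote
SALT = b"constructed-demo-salt"  # constructed; real systems use a random per-user salt


def kdf(password: str) -> bytes:
    # One-way derivation. Iteration count is low only to keep the demo fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


class PlaintextStore:
    """Hypothetical scheme A: the password itself is stored."""
    def __init__(self, password: str):
        self.stored = password

    def apply_limit(self) -> None:
        # The stored column can simply be cut down to the new width.
        self.stored = self.stored[:MAX_LEN]

    def login(self, attempt: str) -> bool:
        return hmac.compare_digest(attempt.encode(), self.stored.encode())


class HashFullStore:
    """Hypothetical scheme B: a hash of the full password is stored."""
    def __init__(self, password: str):
        self.stored = kdf(password)
        self.limit = False

    def apply_limit(self) -> None:
        # The stored hash cannot be shortened into a hash of the prefix,
        # so only the login form can change: it now truncates input.
        self.limit = True

    def login(self, attempt: str) -> bool:
        if self.limit:
            attempt = attempt[:MAX_LEN]
        return hmac.compare_digest(kdf(attempt), self.stored)


class HashTruncatedStore:
    """Hypothetical scheme C: input was always truncated before hashing."""
    def __init__(self, password: str):
        self.stored = kdf(password[:MAX_LEN])
        self.reject_long = False

    def apply_limit(self) -> None:
        # The only visible change possible: refuse over-length input outright.
        self.reject_long = True

    def login(self, attempt: str) -> bool:
        if self.reject_long and len(attempt) > MAX_LEN:
            return False
        return hmac.compare_digest(kdf(attempt[:MAX_LEN]), self.stored)


def observe(scheme, password: str) -> dict:
    # Log in with the full password, apply the policy change, then retry
    # with both the full password and its first MAX_LEN characters.
    store = scheme(password)
    before_full = store.login(password)
    store.apply_limit()
    return {
        "before_full": before_full,
        "after_full": store.login(password),
        "after_prefix": store.login(password[:MAX_LEN]),
    }


def matches_anecdote(result: dict) -> bool:
    # Full password worked, then stopped; its first 8 characters now work.
    return result["before_full"] and not result["after_full"] and result["after_prefix"]


PASSWORD = "correct-horse-battery"  # constructed sample, longer than MAX_LEN

if __name__ == "__main__":
    for scheme in (PlaintextStore, HashFullStore, HashTruncatedStore):
        r = observe(scheme, PASSWORD)
        print(f"{scheme.__name__:20} {r} matches={matches_anecdote(r)}")
```

Schemes A and C both reproduce what the caller was told, C only if the site began refusing over-length input outright; scheme B locks the user out with either password.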


From their point of view, if someone can read the database on their mainframe, that's already doomsday. They put all their security outside that perimeter, but no further layers like encrypting table columns inside.

They store passwords the same way they've always stored PIN codes (where encrypting would be pointless): there's an ALPHA(8) field right next to the NUMERIC(4) field for your PIN. Those design decisions are from an era where adding an extra VARCHAR(64) to store an MD5 password times 100 million accounts cost real money. It was probably the right decision.

Rather than sneer at the older generation, try to see the constraints they worked within. It opens your mind to imagine what "right decisions" now will seem silly to later generations. Non-GC languages with threads kludged in? Program syntax limited to ASCII? Silicon? IPv4 & NATs?


Online banking systems have not been around that long. I do understand banking systems (the legacy stuff) and online banking (the newer front end stuff) particularly well as I built some of them. When I say built, I mean the company I founded wrote the code and I was the lead architect for what was used in many online banking systems.

Access to your accounts online should entail a system just for online access which is separate from and has a tightly controlled internal interface to the legacy bank system. I realize some banks may not have done it this way.

I spent my early career integrating with and sometimes replacing legacy mainframe systems. I have much respect for the old constraints programmers had. If a bank gets their online access wrong for anything written in the last 10 to 15 years it's probably due to a decision to not architect the solution properly rather than a programmer being ignorant.


Encrypting passwords protects against insider attacks also, so it would still be a benefit.


And why were all emails not strongly encrypted?


Fuck encrypting the email itself -- it should only contain a link to an https site that the intended recipient has credentials to log into (preferably with multi-factor auth). This is what real, grownup banks do!


My understanding is they were breaking regulation by not. The company I work for does customer opinion surveys. We occasionally do some for a large national bank. When we send data, of any form to the bank we are required to encrypt the email before we send it. This is just for something like random customer surveys not even at the level of actual account data.


Have you ever seen an encrypted email sent to a wide audience?


Hopefully they weren't sending social security numbers and account info to a wide audience.


Did I say it's easy?

The point is that there is an organisation. And some people are responsible for security.

And yes, it will cost.


Why do it right when the legal system is perfectly happy to violate the rights of innocent people at no cost to you? "It's the economy, stupid."


> What the fuck was a bank doing sending the confidential information of thousands to a GMail account in the first place?

Maybe the employees were so irritated with Microsoft Outlook they have been using Gmail instead. But seriously if I were a member of that bank I would be withdrawing my money right away. If their security procedures are so lax that they send a confidential email such as that through Gmail then they aren't responsible enough to hold anyone's money.


"Hi, you received an email from us yesterday with confidential information. Please contact us immediately and destroy the file. It's the email with the subject 'Re: Do we have a way to back up our data?'"


There's absolutely no reason for it to have been done. That type of information should only be available to pre-approved, secured email addresses. And that certainly should be a company.com address, not gmail.com.

The only plausible "excuse" would be that an employee decided to take a shortcut thinking that no harm would be done (and no one would know) and had a "oh f*ck!" realization when it went to the wrong address (and don't they wish they were using GMail with Undo!). This is still unacceptable. If it was a common and accepted practice, it's inexcusable.


By the same reasoning:

1. If I "accidentally" send an email to the bank I could get the court to kick the bank off the interwebs.

2. If I send a sensitive snail mail "accidentally" to the bank, can I get the court to lock down the bank's premises and order a search for my mail (and any copies of it)?


No, because you're not a bank ;). Our government thinks very highly of banks, don't expect similar treatment.


By the same reasoning:

If I go buy 12 trillion dollars worth of ice cream and it melts, the government will pay me to do it again.

This time I will try and find a freezer, I promise!


> 2. If I send a sensitive snail mail "accidentally" to the bank, can I get the court to lock down the bank's premises and order a search for my mail (and any copies of it)?

That is a good point if we assume that physical mail is the same as internet mail and if we assume that an email account is a location just like a physical location.


Does Google have any incentive to fight this? I find myself wishing that they would just reply with "No, that is ridiculous."

Why, WHY?, would someone be held legally responsible for not replying to an email!? That is the most ridiculous and stupid thing I've ever heard in my life. The bank messed up, we all mess up, but isn't it within his legal right to publicly distribute that list if he wanted?

Obviously he didn't, but it's not his problem that they sent it to him!

Frustrating. Maybe I should move my email to my own servers.


I doubt he would be able to legally distribute the list.


Perhaps, but unless he signed an NDA or something it's actually pretty hard for the bank. US copyright law gives an implicit license to the recipient - and data cannot be copyrighted so reformatting would actually make that difficult. All, of course, modulo the bank's success in making it expensive enough to get their way without a decisive legal position.


Plus it wouldn't be fair to the 1300 bank customers who don't know how crappy their bank really is - and how insecure their personal information is.


Err.. Offtopic: I can't see how many points the parent comment has. That's weird. I see the uparrow, followed by "by mikeyur 8 hours ago", but the "N points" part is missing.



Once he received the email from the bank about the mistake he would be in definite hot water if he distributed the list. I believe even if he hadn't received the email from the bank he would still be in trouble if he distributed it but I'm less certain of that. IANAL of course so take this with a grain of salt.


Someone should accidentally send some confidential info to the judge's email account.


Imagine if someone emailed confidential data to various of the folks involved in the court case, and then demanded its return under the same terms as this decision. This decision would then become a whole new form of denial of service.


There should be some way to fight this. It is not acceptable for someone to send you a wrongly addressed email and then make a court deactivate your email account. I wonder how could a Judge rule this way?


Imagine the consequence if it was sent via an old-fashioned method: snail mail or fax. Clearly the remedy would not be to destroy the home, office or deactivate the phone line of the receiver. It's an extremely poor understanding of technology but sadly, not at all surprising.


Well, it's not rare for a judge to make a bad ruling, and "the way to fight this" is to appeal to a higher court. Rulings are reversed all the time.


New business idea: start an email service similar to Gmail and operate it in a country with a more reasonable judiciary and/or better privacy rights.


There isn't such a country. A conflict with money will get your ass served anywhere.


And what of the 1,300 people? They should all be notified that their security was breached, AND they should be suing the bank.


Does anyone know what sort of precedent is set for the rights someone has who unintentionally receives confidential information? I think that it would apply directly here.


The bank was completely out of line to request this. What they should have done was to insure every single person on that list against identity theft for the rest of their lives. Then, if a significant number of them did have their identities stolen, request the identity of the gmail user; only then would there be evidence of wrongdoing on the part of the gmail address owner.


How do they know he didn't already download a copy and keep it? (not that I think they ought to pursue that, I just think that if the bank is worried about their security - they screwed themselves over long ago!)


It's just as well the bank didn't send it by snail mail, then the judge would have ordered the recipient's house to be bulldozed.


Wouldn't it be funny if this person had a desktop client auto-fetching their e-mail via POP3, and released the data just to spite the judge & bank afterwards?


I have a serious question about this entire thing.

Does this set a precedent for future "mistakes" by large companies to deactivate and identify accounts simply because they send compromising information?

Put another way, what if you wanted to "nuke" someone's gmail account - do you simply need to send "confidential information" then ask for the court order?

It is certainly a far-fetched and expensive plan, but the question is really about the precedent this case has set.

I spoke to a lawyer friend about this entire thing:

"The judge should have conducted a "balancing test" in which he asked whose rights it was more important to protect: those of hundreds of people whose account information was in the hands of some schmuck, or those of the schmuck who won't be able to email that dirty joke to his Mom if his email is suspended. It seems that the rights of the hundreds of account holders are more important, but you can protect their rights without suspending the schmuck's email address (and that is where I agree with Mr. Morris). The court could have ordered him to turn over all of the data he inadvertently received and swear under oath that he did not retain any further copies and that he did not distribute the copies to anyone else. Once that is done, if it turns out that the sensitive information was compromised in any way, the account holders can hold the bank accountable AND the schmuck. If the schmuck is a decent guy -- and if an IT professional certifies that he purged all the data and that it was not otherwise disseminated to outsiders -- then the story should end there and there is no First Amendment violation."

I think this balance test makes way more sense than what happened in this case.


The schmuck can't "turn over" the data and there's no conceivable way to verify that he deleted it, so this scenario just puts the blame on him if any of that data ever leaks and there's nothing he can do about it.

Also, I'm no legalologist, but I don't see how the rights of the bank's customers are being violated. Their agreement with the bank has been severely breached, but that's between them and the bank. Violating the schmuck's fundamental rights to correct someone else's mistake doesn't seem very balanced to me.


What would they have done if this guy e-mailed back and said "Yea, I found your e-mail in my spam folder. It's been deleted. K bye."

Would we have even heard about this?


I wonder.. the easy reaction to this is "Don't use a third party for your e-mail" which is easy enough if you're a geek, but then if you have your own server/domain, could you end up with a court order taking your server or domain off the air under similar circumstances?


I imagine that if you didn't reply to requests in that instance they would just go to your hosting provider. If you were your own hosting provider, then they would just take you to court, and if you didn't show up then the ruling would be in the bank's favor.

At some point, you would have to respond to them.


Google must not have very good lawyers. This is clearly a miscarriage of justice.


Google most likely doesn't care that much; it's not their email account being terminated. They go through the pro forma requirement that a judge sign off on or require whatever, then stick it to their customer since it's no longer their fault.


You've got to wonder who's paying the judge's salary


The federal government? He has a job for life and can go home and get baked on some righteous NoCal weed every night. Really, what else do you expect?


Rather single minded response, I'm not sure what you are asking. To spell it out, asking who is paying his salary is to ask a number of questions (I think you've immediately assumed conspiracy):

- If it is the people/government are they getting their money's worth?

- If he's taking backhanders is it corruption?

- If it's neither of these what is the motivation for this sort of justice?

Perhaps I don't understand the make-up of the federal government in the US but it presumably has to answer to the citizens.


I would be happy to hear which bank this was so that I can take my money out of there if I have an account. I wouldn't like my money to support an institution with such poor practices and with such disrespect for people's privacy.


I don't understand why the order is to deactivate the account, and not just recover/delete the email and maybe release the identity of the account owner?


time to move my email offshore


There is a mad logic to it:

Reasoning for deactivating the account: gmail account holder has not replied to follow up emails from the bank to destroy email and sensitive content. Therefore it is possible that the account is dormant and/or infrequently used. If that is the case, deactivation ensures that the sensitive data is protected if the user happens to at this late date access their gmail account and lo and behold, surprise email from idiot bank. (This also applies if sensitive data is in the spam folder.)

Reasoning for disclosing identity: gmail account is active and frequently accessed, but the user (for whatever reason) has decided not to respond to the idiot bank. This raises the possibility that s/he has malicious intent of misusing the idiot bank's customers' information. Therefore let's find out who this person is in case the idiot bank's customers' information happens to show up elsewhere on the internet.


If I were the owner of the gmail account in question, and I were planning to sell or otherwise misuse the bank's customers' information, I would certainly reply to the bank and claim to have deleted the file. In fact, I would actually delete the email, but I'd have already transferred the data to some very heavily encrypted storage elsewhere (deniable encryption, of course).


Dude the guy/gal does not have to respond to any email unless he wants to. This is not a conversation. It was a request to communicate, and s/he can decide to remain silent.


> Dude the guy/gal does not have to respond to any email unless he wants to.

Obviously. (There is nothing in the earlier comment that in any way addresses the recipient's rights.)

Equally obvious is the fact that the bank in question certainly has to take every possible measure to limit the impact of their stupid mistake. It's possible (ianal) that they even have a legal obligation to do so.


This kind of stuff only happens in America


Not really. A lot of European countries, particularly the UK, are a lot worse.


Although at least in the UK the company would get prosecuted for sending client details unencrypted over the internet.


nah, incompetence knows no country.


While the bank obviously made a monumental screw up, Google's initial response to the bank is at least in part to blame. Regardless of the privacy rights of the person whose Gmail account it is, there obviously should be an interest in protecting the confidential information of the 1,300 customers.

Google could have responded by helping the bank recover and delete the file, as well as sending an unmissable notification to the Gmail user.


This would set a pretty nasty precedent in which Google would be helping companies delete files from individuals' email accounts without their knowledge.

Wouldn't that be the definition of what we'd call Evil?

I think they did the correct and ethical thing by following their privacy policy.


Sure, with a court order. Why should Google randomly delete emails from an account just cause some company/bank asked them to?


The bank already screwed up by not following a privacy policy. That's why they ended up sending private information to a Gmail account.

Google did the right thing by showing the bank what it means to stick to a privacy policy.


An 'unmissable' notification from Google wouldn't be any more unmissable than the request email sent by the bank. Which is why the bank wanted Google to disclose the identity of the user. If Google deleted a user's emails and disclosed their identity to a third party then Google would be in breach of their own privacy policy. They would be exposing themselves to litigation, hence the requirement for a court order.


Except that it could have ended up, possibly along with the original email, in a never read spam folder. Google has more direct means of reaching an account holder.



