A US bank is suing Google for the identity of a Gmail user after a bank employee accidentally sent the user a file that included the names, addresses, tax IDs, and loan info for more than 1,300 of the bank's customers. In mid-August, according to court documents filed in a California federal court, the Wyoming-based Rocky …
The problem here
At first my reaction was "Why doesn't the Gmail user reveal their identity and tell the bank they've destroyed the file?" But the can of worms that opens up is if any ID theft occurs with those accounts involved in the pursuing months, the possibility exists that the bank could then somehow come back at the Gmail user holding them responsible or attempting to claim damages. And given how careful the bank seems to protect its customers' information, I wouldn't be so optimistic that the likelihood of a breach is low.
Why should someone lose their privacy because a bank employee made an error?
Besides, why are they sending any private information unencrypted through email? If it was encrypted, this would be a non-issue. Even if the employee got the right address, anyone could intercept an unencrypted file anywhere along the way.
If they sent me such a file, they would have to buy it back off me. Lord knows, they would charge me a penalty if I made some banking error.
The important aspect here is the Bank, who did not encrypt the data using a secure password. This password could have been provided via telephone to the recipient.
Google are absolutely in the right here.
Banks, well being banks again!
FFS, there are so many things wrong here aren't there?!
Even Google can't just accept that someone who demands info over the phone or email, is who they say they are!
Someone claiming to be from my bank phoned me the other day to say there had been dodgy activity on my cards and could I supply information! I refused point blank and asked for their name and said I would get their deptartment number from the headoffice reception, then call back! As it turned out, it was pukka and I had to get all my details changed as it was geniune, but you never know!
I am always flabbergasted when people call work and start asking all sorts of technical questions about our setup, especially if it's about the networks. One guy even phoned to ask about our firewall kit and security measures, claiming to be from some security agency! I refused to discuss anything and politely told him to get stuffed! What annoys me is my colleagues actually start telling these cold-callers the info they want! How fuggin' stupid are you?!
Google is acting legally, but that is far from being "right"
"Google, of course, is right to wait for a court order. And it's right to give the Gmail user involved the opportunity to oppose the order. But the tale is a reminder that in certain situations, the information giant will indeed be compelled to turn over private data."
The longer the confidential information is left exposed, the greater the risk that thousands of people (we are talking about impacts to entire families, not just single people) are placed in, over a clerical error.
I can not even imagine that Google would just sit idle and wait for a court order when identity theft is already so rampant. Quarantining the identified email for a temporary period of time (i.e. 30 days), upon the request of the sender, until the court order is received, is a much better solution - to protect thousands of people for the rest of their lives from identify theft.
They better not give the name away. The bank made a mistake, and gave something to the wrong person. Their fault. Too bad.
That's why you use
false info when registering to online email sites. However, the problem is that all your emails will probably identify you. What is the legal issue regarding accidentally sending private information to a wrong email address? Is it not the same as when transferring money to the wrong account? I remember reading a few days ago on the BBC News website where someone accidentally transferred thousands of pounds to the wrong person and they were told by the bank that the money is lost.
So let me get this straight... The bank's policy allows them to do something as unprofessional as sending confidential documents to a Gmail address... and then they can't even do that right?!
I'm keeping my money under the mattress.
What were they thinking?
Remind me never to open an account with this bank. What were they thinking sending this kind of confidential information in an e-mail--regardless of the screw up of sending it to the wrong e-mail address? Do employees receive no training on how to handle confidential information? Do they think that an e-mail sent to the average e-mail address is some kind of magic secret between the sender and the recipient (setting aside special environments where e-mail is encrypted)? OK, yes, the average bank employee probably does think this.
There's a simple solution. Since the Bank no doubt encrypts something, they should simply declare their blunder a disclosure of Medical Information then they would have the option of saying nothing more. Everybody (who matters) is happy.
All Gmail knows about me is my IP address, and a few scambaiting names. And my non-USA ISP wouldn't give the bank my name and address without a court order.
Gmail must have loads of defunct account. The owner may not even know about the email.
Who gives identifying information to free email services?
Who gives identifying information to free email services? Seriously, when you last signed up for a free email service did you provide your full name, contact details etc? I sure didn't. They don't need to know it and I see no reason to tell them. Looking at the Edit personal information section of my Google Account right now and they don't even ask for enough information to identify me. They ask for a Name, zip code (optional) and Country (optional).
So I don't see how taking action against Google unless the court order also permits turning over the contents of emails in the account and those emails contain something useful like the person's full name and address. Other than that Google might be able to supply a list of IP addresses and then the Bank can try and tie them to a person by way of more legal action against ISPs.
All your mail are belong to us.
Why on earth would you send confidential information to a gmail address in the first place? Do you really believe Google doesnt data mine your email?
Not only does the person who accidentally got the mail now have the information, but I guess Google now has it as well.
Furthermore its very likely the person who got it, doesnt even know. I don't know how large a percentage of the gmail accounts are ghost accounts but I guess it will be a lot.
I guess the next headline on el-Reg will be : Google starts a bank.
re: What were they thinking?
"Do they think that an e-mail sent to the average e-mail address is some kind of magic secret between the sender and the recipient?"
Lots of people do, I'm afraid! That and assuming that everybody only has one email address.
@ AC 20:39
"Quarantining the identified email for a temporary period of time (i.e. 30 days), upon the request of the sender, until the court order is received, is a much better solution - to protect thousands of people for the rest of their lives from identify theft."
How does that work then?
For a mail to be quarantined so the sender has time to have second thoughts before the recipient gets it, the message must be held somewhere before its delivered. This must apply to *all* mail since the MTA can't know who is likely to screw up. You do realize that you can't quarantine mail after its been delivered, don't you?
So, who do you expect to hold the delayed mail and for how long?
Are you seriously suggesting that all e-mail should be delayed for 30 days?
Kindly get a clue.
So if I wanted to find out the identity behind a Google account, all I have to do is accidentally send it some confidential data, then demand that Google puts me in touch with the recipient?
Recall the email - WTF ?
How the fuck do you recall an email once it's been sent ?
If I send an email it's immediately sent to my SMTP server which then passes it onto the SMTP server at the destination ISP, end of story.
It's not like nipping down the post box and asking the guy in the van to give you your letter back when he collects them.
If some twat sends me unsolicited email
why the fuck does that suddenly give them the right to demand my identity?
Tell them to shove it up their incompetent arses.
Who gives identifying information to free email services?
I tried to open an anonymous account just the other day with Gmail and at the end of the sign up process was asked for a mobile number for "verification" purposes, they didn't get it of course, I just used yahoo instead.
I'm guessing if someone isn't not too bright they might fall for this con.
Where I used to live the low life used to kick a ball over a fence where they planned to carry out a burglary. By claiming ownership of the ball they were pretending to have rights to access the garden containing the ball with a view to using the opportunity to break into the house from the relative invisibility of the back garden. If caught in the back garden by the property owner they would use recovery of the ball as excuse for trespass.
It looks as if this bank is attempting this same kind of inherently crooked trick. They want to compromise the privacy of the email account holder so they email some information to this address and then use bullying tactics to assert ownership of all the details needed to identify the email account owner.
Google are acting entirely correctly to tell them to go away and prove they have the legal right to what they claim and to warn the email account holder about this attempted security compromise.
Unsolicited bank email
If you got unsolicited email that appear to be coming from some bank you'd never heard of, what would you do with it?
Chances are it's been flagged as spam and deleted long ago.
Martin Gregorie; AC 20:39 -- Google is acting legally, but that is far from being "right"
@ AC 20:39 #
By Martin Gregorie Posted Wednesday 23rd September 2009 21:26 GMT
Anonymous @20:39 posts, "Quarantining the identified email for a temporary period of time (i.e. 30 days), upon the request of the sender, until the court order is received, is a much better solution - to protect thousands of people for the rest of their lives from identify theft."
Martin Gregorie @21:26 posts, "How does that work then? For a mail to be quarantined... This must apply to *all* mail since the MTA can't know who is likely to screw up. You do realize that you can't quarantine mail after its been delivered, don't you? So, who do you expect to hold the delayed mail and for how long? Are you seriously suggesting that all e-mail should be delayed for 30 days? Kindly get a clue."
If Google's search engine is worth it's weight in spit, they could find that email (source and destination email addresses), find out if it has not been read/picked up, and isolate a single email (move it) until they receive the court order, or just move it back after a period of time of not receiving a court order. The article mentions a single email - not all emails traveling through the MTA.
Reading the article, it seems the gmail recipient did not respond to the bank's first or second email. These emails may have never have been picked up. The longer the Google delays investigation, as the article suggests, the shorter the opportunity to protect every day people becomes. This lends credence to the idea of being able to find/move the single email in question.
Many people who use Google use it as a web GUI, which means the email is sitting on the server. Many other people who use Google use an IMAP client, where the email is stored primarily on the server. Sure, if the recipient already received the email and was using Google through an ancient POP3 protocol - there might be nothing able to be done.
Waiting until a court order before starting any cursory investigation is criminal since the effects could be so long lasting and devastating to the lives of so many people.
Should the bank be held responsible? Sure... but no amount of punishment could compensate for over 1000 people having their identities stolen, filing court papers declaring their identities stolen, carrying a copy of the court order around with them EVERYWHERE, and always being afraid that some day they may be improperly arrested because someone else with their identity may have committed a crime.
Anyone who has gone through the process of identity theft clearly understands what is at risk - this risk lasts the REST OF THEIR LIVES... no amount of compensation or punishment would ever fix a problem which would last the rest of their lives.
If someone is to "kindly get a clue" - it should be Google. Immediately find the email, try to move it (until a court order comes in), move it back if no order comes in. GMail is not guaranteed to be timely, it is store-and-forward, the rest of the email would be available, just the one email (which the person was not supposed to receive) would be affected.
So someone who can't type an email address accurately is sending commercially sensitive data over an unencrypted communication medium...
Why on earth was there even a flat-file containing all this information laying about for this employee to accidentally send?!
I agree with A/C 02:45, Google should quarantine the email whilst waiting for confirmation, but I don't blame them for being careful, I'm sure there are 101 laws in the US about interfering with with the postal service which some lawyer or other would love to try to apply to email systems.
If the data wasn't encrypted, it was too late to do anything the instant the email left the company's servers. You do realise that this confidential information already passed through multiple relays on its way to google's servers? Any of which could have kept a copy.
The bank should be notifying its customers about a potential data breach every single time they send anything unencrypted through email, regardless of whether it was addressed to the right person or not.
Your suggestion also gives a great way to stop any email that you don't want getting through. Tell the ISP that it contains confidential information and was sent in error. ISP then holds it in "quarantine" pending your court filing. Which you never file.
& the user is where?
There's a pretty good chance that the gmail user is outside of US jurisdiction and just ignored threats from the bank (or couldn't understand English?).
A bank proves themselves completely incapable of handling personal data
then requests the personal details of one of Google's customers..
Even the big nosey isn't going to fall for that one..
and as for 'quarantining' the e-mail.. follow it through to it's natural conclusion; anyone could call claiming to be from anywhere.. asking google to 'quarantine' a particular e-mail.. chaos, panic and hilarity ensues in many zany and whacky scenarios..
For those that don't know, there IS a feature that allows emails to be recalled - but only if it hasn't been read. The fact that recalling was unsuccessful says to me that the recipient DID receive the email - which therefore allows us to assume he/she received the bank's request to delete it. Lack of a response implies non-cooperation. The bank are right to do all they can to protect their clients' personal details (apart from funding the invention of the time machine and not making the blunder in the first place) - but Google are also right to protect their own clients' details.
And to all the tinfoil hatted Google scaremongers - the same would happen if you use POP and a local mail client. Instead of Google your ISP would be telling the bank to apply for a subpoena. And your ISP has your billing address and credit card number as well as your mobile number. If you want to be safe from identity theft, steal your neighbour's wifi and do everything at about 2400 baud.
Paris because her daddy's hotels have unstealable wifi (encrypted with your room number!)
@AC 24th September 2009 02:45
I agree with the people requesting you acquire a clue of one sort or another.
However damaging it may be to the bank (tough shit, their fuck up) or the bank's customers (caveat emptor - time to get another bank) it is not Google's job to police the interweb any more than it is the postal services' job to burgle your house looking for unread letters if someone claims they posted the wrong thing to you by mistake.
More importantly it would be far more damaging to Google's business if they did start quarantining, deleting or otherwise mucking about with people's personal mail on the say so of any Tom, Dick or Harry.
IANAL but also this might go some way towards damaging Google's oft used safe harbour type defences (ie that they do not process the data they hold).
You might not like Google's stance here but you are in the minority.
I wonder if they are sure it's even a real account? What happens if you send an email to a Gmail account that doesn't exist, do you get a "Can't deliver" server response?
Google's response to the court order might well be "no-one."
who is the gmail user
I am not going to tell them,.,,,oops
Re: Recall the email
Presumably the dumb luser responsible was used to being able to hit the "recall" button in Outlook (or whatever - all the business-quality email clients I've used support it, even those back in the "green screen" days) when they fucked up sending mail to their colleagues.
No doubt someone's busily pointing out to this berk the difference between internal and external email with the aid of the large clue stick.
Wrong end of the glass again
It seems that once again people are not reading the article fully and in depth before commenting.
The details sent out by the bank were not encrypted because they were not supposed to have been included. Blaming the bank for not encrypting them misses this point.
Google are, quite rightly, not releasing any information until the bank put themselves on record with the court to define exactly what they have done and why they should have the details of the recipient. Until this is done it is all just 'media mis-representation - your honour'.
The 1300+ people whose identity is at risk are the customers of the bank, not Google or the unknown email recipient. The bank made the error and the bank carries the responsibility to fix it. The obvious first step is for them to directly contact all these people with a view to changing account numbers/names/passwords etc to make the information they sent out irrelevant.
Good on Google
If the bak had posted it using snailmail and not received confirmation that the householder had destroyed them (perhaps they might be away on a trip, or its a holiday home), you wouldnt expect them to send the boys round with a battering ram to search the house for the paperwork without going to court either.
If I'd received an email purporting to be from a bank I dont use, perhaps titles something like "confidential customer data" i'd assume it was a scam and delete without reading. I get so many of these I dont recall any in particular, and might treat the follow-ups in the same way. I can see why they are trying take this action but there shouldnt be any short-cuts.
Bit late, really
Repeat after me, "email is not in any way secure or private". Redundant, of course, if you send it to the wrong person.
They should not reveal the owner
If the court says they SHOULD reveal the owner, then you could de-anonymize anyone by simply sending them a claimed sensitive document 'by-accident'.
Secrets are only secrets until someone reveals them.
It serves no purpose for the bank to harass the person they sent the email to and he is under no requirement to respond to their requests.
But it shows again the importance of privacy doesn't it!
Not usually a fan of Google
But I completely support them in this. The Bank doesnt have a leg to stand on. Google has every right to tell them to kindly go fuck themselves.
WTF is someone sending details like this to a WEB email provider?! That alone would be cause for me to close my account. If any of these details are found on a russian server being sold on IRC, then the bank is 100% liable, legally and morally NOT Google.
The employee should be fired at the very least and their boss should also go. The bank should be fined by the SEC for failure to secure the data.
There should also be an investigation into who was supposed to receive the email. What kind of idiot asks for 1300 odd bank details to their GMAIL address.
Paris because she knows about things ending up being sold on the internet
It means the bank employee was an outlook user - it has a 'recall' facility for sent messages but it relies on the recipient using outlook too. I believe you just see an email referencing the original message saying "XYZ wants to recall message ABC" if you're using another mail client.
What if the GMail account is defunct and the user no longer uses it. He/she will still be identified because they used to have a GMail account and not because they actually knew anything about the bank's email.
@ Kevin Johnston - errr no?
While there was a file which shouldnt have been sent at all, the original data request was sent to the wrong email address, thereby causing an issue. I am sure one account isnt seen as a big deal, but legally there is no difference.
The very fact that they hold files with sensitive financial data in documents which have no encryption is wrong.... hell i bet there isnt even a password on that excel file!
This all seems very non-compliant. I am sure there are SOX and ISO 9001 issues with the way bankers send this type of data.
I am sure the Recall feature only works in Exchange type situations..
I have just tried it on my Gmail & Hotmail account and can not recall anything.
AC wrote: "Sure, if the recipient already received the email and was using Google through an ancient POP3 protocol - there might be nothing able to be done."
Err, depends the might not have their email client set to copy emails to their local machine and then delete from the server.
Even outlook dose that.
Some people are just stupid though. I get several people a month sending me credit card info by email. I keep telling them not too, but they still do. To lazy to get up and use the fax to send them.
A little learning ...
"For those that don't know, there IS a feature that allows emails to be recalled - but only if it hasn't been read. "
For those who don't know very much, that only works if your recipient is using Outlook. Try it on my mailer and you will get no joy. You won't be able to tell if I have read the mail either. If the Gmail account was set to forward mail to another account, again, no joy.
Give the bank a Darwin!
... so the bank contacted Google to determine what could be done to ensure that the confidential info remained confidential.
Google's response should be don't fking send confidential data in plain format, or even allow such massive amounts of confidential data to be witten to a file!!! How DUMB is this bank? For ONCE I'm shaking googles hand. NICE ONE!!!
I think the bank deserve a Darwin for that!
Spot the IT support servitors
Who gives a fuck if you can recall an email or not. There's a more important issue at the centre of all this.
Why o why is the employee still there?
Why is there an employee in a bank who is dumb enough to send an email to someone containing ANY data about a client, just because someone on the phone tells them to?
My bank wont send anything by email even if I ask them to after confirming my identity and details because they understand that email is not secure.
This guy (or girl) should be fired.
Don't know about you, but when I get a recall request
the first thing I do is read the email to see what they sent by mistake!
A couple of years ago, my company attempted to secretly stitch up a pay deal. Then one of the directors' PAs accidentally copied a mail to everybody in the office, instead of to the office manager. The desperate attempt to recall it was of course futile and we were able to stop their attempted shenanigans.
If it had been sent to me, I'd have read it, on the basis that it was addressed to me. After all, if you send me a letter, the contents become my property, not yours. I can't see how this is any different.
do I do the moral thing and just delete the e-mail or should I wait until the bank offers me money to return the data?
Anonymous because.... oh bugger!
Change them for your time
If they send an email by accident and want it deleting then explain that the only secure way to remove all trace is to completely flatten / secure wipe / reinstall all your PCs/Servers etc.
Let's just call it 20,000GBP and send them an invoice.
Surely this is all bullshit, because any bank that send unencrypted sensitive data via email should be heavily fined by the regulators.
I really hope the people who actually think the "recall" feature in Exchange (ONLY) is actually any use in this scenario, aren't working in IT, because that kind of stupidly we really could do without.