Google has resolved a lawsuit from a US bank that accidentally sent 1,300 confidential tax IDs to an innocent Gmail account, but not before the web giant complied with a court order to shutdown the account and disclose certain account info. It's unclear what information was disclosed. In mid-August, according to court documents …
Was it necessary to kill the poor bloke?
Could Google just have simply removed the offending email from the account? Did we really have to nuke the whole damned thing?
Paris, remove when offensive.
How to shut down a Gmail account ,easy !
Send one email containing confidential information. Go to Court immediately and ask for an Order closing recipent email account. Done.
And the bank?
So where's the complaint charging the bank with criminal stupidity? and yes I mean the bank, for employing a cretin as much as the cretin that sent the email.
How do you know...
>a clear violation of the user's constitutional right to communicate.
..The account is held by a US Citizen?
"a clear violation of the user's constitutional right to communicate"
What are your reporters smoking?
Come on - it's a gmail account! While I can see the implications of this if the bank had sent the data to my mail server it's more than likely that the incoming email was flagged as spam and deleted ...
...although I assume that all of the myriad of bank user details are now including in Google's data mining user-base?
A bit pointless shutting down the account. It was more than likely read and deleted or even downloaded and stored locally over POP3/IMAP within a few hours of being sent. Not many people go a week or so before checking their email. As a message purporting to be from a bank and having an attachment, it may well have been labelled as spam and never seen by the recipient.
Shutting down an email account probably wasn't an unconstitutional move by the judge when there are dozens of alternative means of communication and the account owner is free to open up another email account (although something tells me it won't be with Google). If the judge had ordered his account shut down, his internet and phone disconnected and the USPS to stop collecting his mail, that would be unconstitutional but not just one method.
Not that I think it was right to order the account shut down though. The user probably isn't best pleased about their contacts and past messages disappearing into the wild blue yonder but I'm sure the Gmail T&Cs disclaim any responsibility for those...
This is, of course, assuming the account was even active. Perhaps the reason they didn't get a response to requests to delete the message is because the account was unused...
why the hell?
why the hell were they emailing a document like that to a gmail account anyways? shouldnt they use a secure ftp server or something to do that?
Sack the bank employee ... No .... Get a court order on the account holder?!
WTF is going on? Will the Police be breaking down doors to homes who are suspected of having received the child benefit database?!
..... gmail account holder should for potential loss of business because s/he can't get into their email.
Damn, this is crazy. So now to shut down somebody's account all you need to do is send them some sensitive material and then say "oops, my bad"? The bank screwed up, and then Google and its user, both completely innocent, are screwed? Well, more the user than Google, but they do get the bad press -- can they refuse to comply with the court orders, and at what price?
the author writes: "a clear violation of the user's constitutional right to communicate". Going a bit overboard much? Nobody is stopping them from communicating, they're only being stopped from using that account. Hell, they could just as easily set up another one in a couple of minutes.
Hyperbole of this type detracts from the basic facts of the article.
The 28th Amendment?
Wow, I thought that only participants at health care town halls and "tea parties" were allowed to make bombastic assertions about the constitution. The temporary suspension of a user who couldn't be bothered to reply to the bank's original entreaties is hardly a crisis of civil liberties.
... does the innocent gmail user sue when he loses access to all his emails, gets his PCs confiscated, and his business goes down the pan?
as now seems both in th Uk and the US, you are guilty until proven innocent, and this case in just another on the list. I sincerely hope that the innocent parties including Google sue for abuse of process, including the judge and the legal team in the case. Such evidence in this case should have been investigated before coming to court, and the court case should never have taken place... worse the judge has compounded his incompetence by failing to lift the embargo. I hope it costs them $ millions
Now that the innocent party has had his GMail account shut down, if he managed to get a local copy of the database, surely Wikileaks is the place for it? Put simply, fuck 'em.
"a clear violation of the user's constitutional right to communicate"
So without their gmail account, they are unable to communicate????? I smell masculine cow pats. Most people can talk, sign, write letters, use their other email accounts, use instant messaging, use SMS, among many other methods I'm sure!
Suspending a gmail account for one week is not exactly the end of the world.
Before someone claims that it could put someone out of business if they run their business through that gmail account, I'll point out that gmail is not business class, and if they want business class email, they aught to pay for it.
I think that, for once, google have done just the right thing - wait for the correct legal proceedings, then comply fully.
Why shut it down?
What possible reason was there to shut the account down? Once Google has deleted the relevant email it is an entirely innocent account with no link to this bank's idiocy. What on earth is gained?
Yes, the owner could have set up another account. Why should they have to? Why should they lose access to any emails sent to that old account? Why should they spend time and money notifying all their contacts that their email has changed? When they can't get at the list of their contacts because it's on their Google email!
If th court wanted to avoid the bank's confidential data being emailed to the wrong address they should have shut down the bank's email not that of their innocent victim.
Google operates within the law of the land!
Shocker! I can't believe a publically traded company would comply with the law of the country in which it operates... what irresponsible behaviour! They should be ridiculed, tarred, feathered, and taken behind the bike sheds and shot..
(where's the 'dripping with sarcasm' icon?)
@most of the respondents above
re: Why shut it down?
Christoph hit the nail on the head.
Also, if the retards at the bank had a policy of using encryption on any sensitive data that leaves the bank, then the Gmail recipient wouldn't have been able to access any of the content anyway.
Sending plain text confidential banking data to a 3rd party should be an immediate sacking offence.
Typical merchant bankers
They screw up and then, rather than take a resonable, measured approch they just shit in the pool, inconveniencing everyone. You can bet that the piggie eyed managers in the bank will be congratulating eacvh other on yet another smashing of the little people while drinking the most expensive alcohol they can lay their slimey hand on and votingin themselves another 50% pay rise.
Just more proof they should all be put on the B Ark.
Was probably dormant
Since they nuked the account, it was almost certainly a dead/dormant account and so zapping it was a non-issue. Were it active, they would most likely have just killed the email (as other mail contents would most likely have be sufficient to identify the user)
Google have protected their users to the extent permitted by law. No fault there.
Of course the bank idiot who sent it should be fired...
... did Google have to remove the email as suggested above? Please point out where a bank has snail mailed a document to the wrong address and subpoenaed the mail company (US Mail, Royal Mail, whatever) to get it back, or indeed bust into the person's house and taken the letter back if already delivered.
How is this any different? If I fancied indulging in a bit of reductio ad absurdum I'd say what right would the bank have to repossess the house/PO Box to achieve the same end?
re: Why shut it down?
To add to that - I sync my google contacts, mail, calendar and docs via one main account... and then have satalite accounts that are managed by this central one for home/work/anon* stuff.... so if I had my main account deleted/blocked, it would be hell as I pretty much run my life out of that account these days.
But in my mind, one of three things just happenned.
1 - the system is crap and somebody just potentially got G-raped by courts of years worth of mail/contact/etc information that he/she will never get back.
2 - Google just deactivated an account that's been unused for a year or so
3 - Google just deactivated an account somebody was using to forward mail to another account, and next week we will hear of how the bank is demanding details of where the email was forwarded to, and so on, and so on! :)
Incidentally, I'm more bothered about the DVLA giving out my car reg and personal details to anybody with a penny than I am a bank sending me an email, then google going to court for me just to get my account deactivated... also, if this account was active, the second I find out things are in motion, I would be exporting all my mail/docs/calendar/etc as portable files so I don't lose everything!
* - I'm aware nothing is ever truly anon on the web.. by anon I mean useless names that I use to sign in with on forums and comments sections of half decent websites! :)
Every comment thread needs a Golgafrincham reference.
"And whatever Google divulged, the case shows - yet again - that whatever the web giant's intentions, it can be compelled to release user info."
I'm at a loss to understand how this is a revelation to anyone.. OF COURSE Google can be compelled to release user info, they don't exist in some other dimension beyond the reach of governments and law enforcement.
Oh, the Horror!
“...an innocent Gmail user has been shutdown - a clear violation of the user's constitutional right to communicate.”
Yes. I agree. And Google Voice MUST be made to connect to the dial-a-porn $9.99/minute locations at their same (free) cost, as AT&T asserts. The tiniest restriction on one person's Free Speech rights is FABULOUSLY worse than ALL OTHER rights of ALL OTHER PEOPLE COMBINED, regardless of the cause.
Except... this somewhat misstates the facts. This one user was denied access to his GMail for a short period of time. He presumably had several other email accounts, as I'll guess most GMail users do. No restriction on free speech, nor browsing. So, the text should read,
“*ONE* unfortunate GMail user was temporarily cut off from access to his account. This must have been disconcerting but (s)he cannot ask for money back because none ever changed hands. Whatever communications the user might have wanted to make were delayed or displaced. A review of press reports indicate that far more severe outages impact millions of internet users per year but this one is somehow newsworthy because some clueless legal official used a cannon to aim at a mouse.”
Lack of foresight by posters
I am astounded by the amount of "shutting down his account doesn't restrict his/her communication" comments being posted by people who, from their comments, should know better.
Yes, you are correct, it probably would be easy to set up a new Gmail account *to send mail*. But you forget that:
(a) most gmail people keep their contacts on gmail - a new account wouldn't help them unless they remembered everyone's email address... and if they did, they wouldn't have them as contacts.
(b) a lot of small companies (mom-and-pop operations) use Gmail as their contact address. Now all of a sudden, they can't answer e-mails send to them by customers, suppliers, etc... After a week of this, it is very likely such a small operation would fold due to lack of communication.
So yes, sue the f*ing back for complete and utter stupidity in not only loosing the data in the first place but for such a completely bone-headed way of using an A-Bomb to kill a roach.
Is this really news?
* Google sticks to its usual policy of not providing information unless ordered to do so by a court.
* Google complies with a court order to provide information, i.e. obeys the law and/or justice system
* Google complies with a court order to shut down the mail account concerned for the duration - but apparently would not have done this otherwise.
So... the real story here is the one already reported, which is that some moron in a bank sent sensitive info to the wrong place. And now a judge who probably just wants to play safe with a technology they may not be intimately familiar with has ordered the account closed until he/she knows what's actually going on.
Gosh. Exciting stuff...
Mine's the one with the leaflet from the Campaign for Real News in the pocket.
_ _ _ _ ING BANKS
I worked for one of those big banks based in Amsterdam for a short while. They got my postcode wrong and sent my entry card by post to the address of someone who lived a few streets away. Being an honest citizen he sent it back. Had this happened in the US and had the recipient decided to chuck it in the bin, the post office would probably have been forced to board up his letter box.
re: Carter Cole
It should have been sent via sftp or connect:direct using vpn or secure+. The files themselves should have also been encrypted with 3DES or AES192 or better. Any user and bank account information should be sent like this between banks and 3rd parties and also stored and transmitted like this internally (VPN/IPSEC only needed between different network levels) until it is needed. That is if you want to be visa and mastercard compilant.
"Nobody is stopping them from communicating,"
Yes they are and it is unnecessary. The user will not be able to read emails sent to that account and, if they routinely use Google contacts, they won't have access to their contacts in order to inform them of the fiasco. If it does happen to be someone's primary email account, this might cause them considerable inconvenience.
The user might have been on holiday, sick or otherwise unable to access his/her account or, as others have suggested, anti-spam measures may have prevented the user from ever seeing either of the bank's emails. It is utterly stupid to shutdown the account, even for a short period - all that was necessary was for Google (once satisfied with the legal documentation) to check if the email had been read or downloaded and then delete it from the user's account. IMHO, the judge is almost as stupid as the bank employee concerned.
The bank is utterly irresponsible to be sending customer data to any email accounts, especially to personal external email accounts. It would be interesting to know what part of the bank's policy and procedures allows customer data to be treated in this fashion.
many commenters are missing an important point
yes Google did initially refuse to hand over data without a court order, and yes they then complied with said [absurd imho] order when it arrived.
However there is no indication anywhere I can find that Google argued against the order or took steps to protect either the mail recipient or more astoundingly Google's own reputation*
If it was my mailbox I would have expected Google to have argued that the order was absurd, unlawfully punitive and uncalled for and pushed back for the judge to simply affirm that any unlawful use of the data would be punished with the full force of the law.
Look, it is likely that the mailbox was dormant, but you need to view this in the wider contexts and what any reasonable person / judge / legislature would do would be to take action against the bank for making the mistake and then instruct the recipient that they have an obligation to delete the data and not misuse it rather than use a bloody big hammer to crack a small and already cracked nut.
*This action will not make people rush out to open gmail accounts, or store their personal data on Google's cloudy offerings.
move along, nothing important here to see ...
Right on Big Al,
Yes with have a snafu. issue is to minimise it and protect, if possible, the victims of the leak. They know where its gone. They haven't presumably had a "I shouldn't have received it and i've deleted it - do you want to check?" response from the mailbox. Presumably both the Bank and Google have sent polite requests but received no reponse ...
Which means the account is dormant - so no probs with the freeze - or the user knowingly has the data and won't talk in which case a freeze is probably too late but what else is there to do?
Of course my assumptions may be wrong - however I would argue they are more probable then the assumptions made by others in order to condemn the usual suspects (Google, the Judge, the lawyers, my puppy dog ...)
This is a rather terrible precedent to set and I'm a little disappointed that Google seem to have given in.
On the other hand, Google can't deny a court order. They remain blameless.
The employee at the bank is primarily at fault but the judge who issued the order should go down too, along with the a-hole in the bank's legal department who is arrogant enough to believe that the law works differently for such an institution.
One more example of how "the institution is bigger than the individual."
So you further inconvenience the bank customers because a Court (note Court, not Google) has forced your account to be closed.
If anything should be published on Wikileaks it should be the email address and signature details of the idiot who sent the email...
If they are going to send that chap an email to let him know that his gmail account is shut lol
Missing the bigger point
The issue to me is not that his Gmail account is shut down. An inconvenience maybe, but not a huge one.
The bigger issue is that the court has ordered his contact information to be handed over. At which point one would imagine he would be receiving visits from law enforcement agencys who will be searching his house and his computers for copies of this file.
If I was on the receiving end of that because of a bank fuck up I'd be counter-sueing faster than you can say "SWAT Team".
"On the other hand, Google can't deny a court order. They remain blameless."
But they could contest the order initially and then appeal against the order once delivered (admittedly they would have to comply during the appeal). They did neither (that I can tell) or at least neither effectively so I think it unreasonable to claim that Google remain blameless.
Reminds me of....
The collective noun for Bankers....
It's just... pathetic
I honestly think it's pathetic how the bank can claim the moral high ground here. In my opinion, the court should have refused their court order plea on grounds that their internal security is simply shit, and if they used sensible methods of communication for secure data then this would not have happened!
Constitutional right to communicate???????????
There is no constitutional right to communicate. There is a right to free speech, not free communication. In fact, the US Postal Service holds a monopoly on first class mail, long one of the most significant forms of communication in the past. That monopoly is supported by the taxation of communication, the postage stamp being evidence thereof. The right of free speech has no corresponding obligation to listen, therefore there can be no right of communication.
And that's all I have to say about that.
There seems to be a lot of assumption that the account was dormant, but no explanation of why this is assumed.
Is this because there was no reply to the second email from the bank? Because if so, that is a ludicrous assumption.
I get dozens of emails from various banks every day. I see the 'from' address as I skim through the spam folder checking for false positives. My eye doesn't even pause on them - they just get zapped.
If one got through the spam trap into my inbox, as soon as I saw who it was from, my finger would hit the delete key by reflex before I had time to glimpse the body text.
If I did read a message saying "reply to this message or your email account will be shut down" then again I would hit DEL by reflex.
I don't have *time* to read all the spam and phishbait. And no reason to do so. And no wish to do so.
This reporter must have been drunk when he wrote this...
"In any event, the account of an innocent Gmail user has been shutdown - a clear violation of the user's constitutional right to communicate. And whatever Google divulged, the case shows - yet again - that whatever the web giant's intentions, it can be compelled to release user info. ®"
1) Read Google's ToS.
2) The gmail account is free, so what damages can you claim?
3) Google could have divulged the user's name, address, etc to the bank besides shutting down the account.
4) Yeah, the data was probably read, transferred, etc... but the law still requires the bank to make a best effort at minimizing the risks of identity theft.
5) And *shock*. A US company can be compelled to release information under a court order.
I wonder if the author knows what LE subpoena is used for...
Utter fail on the part of the Left wing pinko commie author who probably failed their civics class.
A reasonable outcome for a difficult situation
"Judge James Ware of the US district court for the northern district of California issued a temporary restraining order on Wednesday, insisting that Google deactivate the account. The judge also ordered Google to disclose - to the court and the bank - whether the account was dormant or active and whether the confidential file was opened or otherwise manipulated. If the account was not dormant, Google was ordered to divulge the user's identity and contact information. In a joint court filing, both parties said that Google had complied with the order. "
Had the recipient of the email responded to the second bank email, there would not have been a restraining order issued.
If the account was dormant, this process may not have even effected the email recipient.
The protection of thousands identities of over 1000 people were at stake, the recipient was either unaware or possibly preparing to act fraudulently, and the bank is on it's way to being sufficiently punished by popular opinion.
Once the person refused or did not answer the bank's email, this route seemed reasonable - albeit slow.
Two sides to it ...
Every day a forum I moderate gets hit by spammers who register with email addresses like email@example.com . If the bank sent my details to one of these addresses, I'd be terrified. In fact I wish Google would shut down these bullshit accounts.
If on the other hand it was a regular, in-use gmail account, how hard is it hard for big G to set up another account, differing by one letter e.g. firstname.lastname@example.org -->email@example.com and simply spoof the new address to a copy of the data in the 'dormant' account?
And of course, both Google and the email account holder have a claim against the bank for the inconvenience caused by the idiocy of one of its employees.
And to those asking why this is significant - its because an email address is an important part of many people's identity these days, and having a judge shut it down because of someone else's incompetence is just plain wrong.
Had this happened in the US and had the recipient decided to chuck it in the bin, the post office would probably have been forced to board up his letter box.
You know this how ?? If it happened in the US there is nothing the bank could do. Once mail is delivered that's it . No recourse. I don't know why its different with e-mail
My fault :-) I forgot to put a smiley in the sentence so you had no way of knowing I was joking. Now where is the smiley for sarcasm? :-)
But really that was my point entirely. The fact is that if this had been snail mail nobody would have blamed the recipient and yet because it is email some judge has decided the account should be closed as if somehow that will help recover the lost items.
Actually I'll side with google.
They didnt cave into the banks demands and sent them packing. A judge ordered the bank to do something so the bank did. Sure google wasnt willing to "fight" the order but hey, at least they didnt just roll over.
"whatever Google divulged, the case shows - yet again - that whatever the web giant's intentions, it can be compelled to release user info"
But of course! As can the banks in a reverse situation, there are plenty of cases of even the mighty Lichtenstein being compelled to release peoples information!
- Nokia: Read our Maps, Samsung – we're HERE for the Gear
- Ofcom will not probe lesbian lizard snog in new Dr Who series
- Kaspersky backpedals on 'done nothing wrong, nothing to fear' blather
- Episode 9 BOFH: The current value of our IT ASSets? Minus eleventy-seven...
- Too slow with that iPhone refresh, Apple: Android is GOBBLING up US mobile market