The confidential email at the heart of a roundabout US lawsuit against Google was never opened, according to the bank that accidentally sent the missive to the wrong Gmail account. This summer, according to court documents, an unnamed employee with the Wyoming-based Rocky Mountain Bank was asked by a customer to send some loan …
But Google will give out my identity! Everyone will know that my real name is "asasdsasdas jkjkjljkjk", and my home country is Azerbaijan. At least, that's what I wrote when I signed up.
Seriously, why be worried? Who uses a Gmail account for anything seriously important, and who the heck puts all their personal data into it? Yes yes tracing IPs and whatnot. But seriously.
Rule of Law
"The case underlines what should be obvious to Google watchers: Though the company vows to protect your personal data, it can be compelled by court order..."
Look, you've ended every article on this subject with some similar piece of vague but dire warning and to me it seems a little like FUD.
Just tell us - do you think that it is wrong for Google to obey the rule of law? Because the law is that Google - and anyone else - can be compelled by court order. Banks, supermarkets, ISPs, doctors - shock horror, they'll give it up when the correct and due legal process is applied. It's an outrage! No of course it isn't.
Ok, now tell us - have Google ever claimed that this was not the case? Did anyone seriously at any time assume that Google had god-like, government-ignoring powers that distinguished it from every other corporate entity on earth? No, of course not.
Put up or shut up. Leave vague innuendo and threat to the likes of Microsoft Linux studies. Everything you've given as evidence suggests that Google did the right thing, i.e. nothing until they were compelled by law. You might disagree with the law, but you can't seriously complain because they obeyed it!
I smell a lawsuit
Seems Google had no choice in the matter but I hope the account owner sues the pants off the bank and that, somehow, the judge responsible gets HIS come-uppance. These people should at least take technical advice before they make what appears to be a knee-jerk reaction without the know-how to back it up.
"the wrong Gmail account"
Does that imply there was a "right Gmail account" to send highly sensitive data to?
Was the decision to temporarily suspend the user's account because the mail hadn't been opened? In which case, it would seem quite sensible.
Also, you describe the person sending the mail as a bank employee, would it be safe to assume they are a former bank employee?
It amazes me
that these companies are sending stuff like that through the tubes with no encryption anyway. One record is excusable if it's going to a customer, but still, even a zip file with a password on would be better than nothing.
It similarly amazes me when we sell our outsourced email DR platform too. Customers always ask about encryption and storage and whether we can see their emails. Fortunately we encrypt, but the tubes and routers that the messages pass through don't...
Repeat after me, "email is not secure"
"The case underlines what should be obvious to Google watchers: Though the company vows to protect your personal data, it can be compelled by court order or subpoena or natural security letter to divulge such info."
Sod that, I want to know whether or not the idiot at Rocky Mountain Bank got fired for sending personal data over an unsecured connection.
of the ability to "play" the UK Court system. As you will know Judges' decisions vary greatly. There is a way to go before 1 Judge and if he makes a decision you don't like then you can go again, and again and again etc etc UNTIL you hopefully find one that gives you what you want. Seems his Bank hit it first time.
Disabling mail account?!
So is it ok to blow up people's post boxes if they get a misdirected postal packet?
Where's the investigation?!
A bank sends confidential, and I'm assuming completely unencrypted financial information about their clients to an external email address hosted on a third party mail server? There are so many security issues here it's ridiculous.
If this were a UK organisation, they'd have been investigated for their terrible data practices. Understandably, the bank panicked and tried to get the information deleted, even if they went about it in the worst way possible.
However what really concerns me is this: They don't seem to show any sign of conscience here, and no acknowledgement that they have done anything wrong beyond accidentally sending it to the wrong email address. There's no mention of a review of their current security practices, or of the employee involved being reprimanded, or of a plan to better train their employees regarding the security of confidential information.
If my bank acted so nonchalantly after a major security incident, I sure as hell wouldn't hang around and let it happen again.
Google A-OK With Me
I am actually encouraged that Google told the bank to piss off unless they have a court order. The bank would have threatened Google to do immediately what they wanted or else, and Google did not back down. I wish ISPs had at least this amount of backbone instead of telling the RIAA, MPAA, SOCAN, BPI, IRMA and such organizations user information because of intimidation tactics.
..be writing about wikipedians blogging about each other's tweets regarding tedious infidelities?
Apart from the irrelevant and out of context anti Microsoft babble at the end of your comment, I wholeheartedly agree.
Isn't anybody bothered
that you can get a court to demand these details because of your own stupidity?
The court should have refused to compel Google, on the grounds that it was the bank's problem, not Google or the email customer's.
Bank says wasn't, so must mean was!
"... in an email to The Reg, the company declined to say what information was revealed."
"... according to a report from CNET News, the bank has said that the confidential message was never opened and that it has now been permanently deleted."
Oh the BANK says it wasn't opened, yet Google appears silenced. Easily translated by the masses as it WAS compromised and we've silenced Google who are happy to screw people anyhow, in my opinion.
Quit blaming the employee
The employee made a simple mistake while following instructions that, at best, demonstrated an overwhelming lack of common sense and complete ignorance of how to protect electronic data on the part of the manager/supervisor that issued the instruction. There are far bigger fish to fry than the schlub who committed the sin of following wrongheaded orders.
...the person who was the unintended recipient selected the 'mark as unread' option after they viewed it? Though I guess it doesn't matter, the bank would rather let people believe that it's unread and the information is safe. Maybe I'll go take a look at Wikileaks...
" ... natural security letter" ?
I think you mean a nashn'l security letter? Or perhaps natural selection now requires pre-approval (this is the States after all).
Mine's the one with "on the Origin of Species" in the pocket.
Careful - don't mix up two separate issues
1 - compliance. As any company, Google has to comply with local law, which raises interesting questions in itself about jurisdiction - Google Switzerland, for instance, has a problem as that is responsible for the whole EU but Swiss laws differ. So, for email security you'd like to hold it in a country that is fanatic about Data Protection and will require *evidence* or warranted suspicion before a warrant is issued (I would not call the UK RIPA 2000 a barrier to unauthorised snooping).
2 - custodial duties. Once a warrant has been issued, the question is what happens to the data released. You will find in most countries that there are no real custodial duties imposed, so if you're a private banker or a GP you may find that your precious data is suddenly handled by a junior policeman. The joys of yelling "terrorist". There are, however, countries where data released under warrant is strictly controlled. In Switzerland, for instance, you will have an investigative judge, who is the only one to look at the released data. Only on evidence of crime can the exact data set that proves this be released for evidence.
I would not touch Gmail even if it was a Gstring, sorry. But I'm picky that way anyway, I intensely dislike people spying on me for dishonest reasons (I'm OK with proper due process, because I don't have anything to hide - I just hate abuse).
Oh, and I put my money where my mouth is - I just set up a new email system in Switzerland. Just have to write up the details..
On the bright side
At least the bank lost some money paying lawyers and were forced to follow due process... we can't help it if the due process was not to our liking..
Re: Disabling mail account?
“So is it ok to blow up people's post boxes if they get a misdirected postal packet?”
Wouldn't that inconvenience many others who also use the same post box (assuming no others nearby and, perhaps, no nearby post office)? Wouldn't it be better to destroy (well, seal up) their _letter_ boxes?