Google Destroyed Missent Bank Info Email Unopened... As More Legal Questions Are Raised

from the still-doesn't-make-sense dept

Last week, Google was ordered to deactivate someone's Gmail account, because Rocky Mountain Bank had totally screwed up and sent the Gmail account holder an email by accident, which contained all sorts of confidential information. It's still not at all clear how Rocky Mountain Bank made such a monumental screw up, but we'll leave that aside for now. On Monday, the two companies asked the judge for permission to restore the email, after they realized that the email in question had never been opened, and Google had deleted it from its servers. Case closed?

Well... not so fast. Paul Alan Levy, from Public Citizen, sees a number of serious problems with the whole episode, starting with the legal complaint in the first place -- which offered no opportunity for the email account user to speak up and argue for his or her own rights, against having the account deactivated. But just the legal proceedings themselves suffered from some serious problems:
First, the complaint. Rocky's complaint is based on the contention that, having botched its obligation to keep its own customers information secret, it was obligated under various state and federal banking regulations to seek to recover the information and prevent its further dissemination. The complaint further alleges that regulatory officials expressed their endorsement of efforts by the Bank to protect the confidentiality of the information. The complaint sought a declaratory judgment that Rocky Mountain was entitled to information about the account holder, and that Google was obligated to prevent use of the information sent to the account. It sought an injunction enjoining Google and the account holder from accessing or distributing the information mistakenly sent to the email account, and compelling Google to identify the account holder. But curiously absent from the complaint was any allegation about how either Google or the owner of the gmail account had violated the plaintiff's rights, or any assertion of a cause of action against either Google or the anonymous account holder, that would form the basis for granting relief against either. Nor did Rocky Mountain's papers explain why section 230 of the Communications Decency Act entitled it to bring an action against Google, or to obtain any relief against Google, even assuming that it had a claim against the gmail account holder. Without a cause of action and without a violation of the plaintiff's rights, why was Rocky Mountain entitled to relief, and why should the defendants be subjected to an injunction? Neither the complaint, nor the brief in support of the TRO, explains this.

Second, the lack of federal court jurisdiction. Although the complaint identified only Google as a defendant, Rocky Mountain asked for relief against the anonymous gmail account holder, which is obviously, therefore, a defendant just as Google was. Indeed, if either Google or the account holder was the right defendant here, it is the account holder. But this poses a serious problem, because the law is clear that a Doe defendant cannot be sued under diversity jurisdiction. If there had been any party with any incentive to protect the Doe's rights in this case, that party could have pointed this jurisdictional defect out to the Court, which would therefore have been obligated to dismiss the case instead of issuing a TRO.
Oops. And, from there, Levy also wonders why Google was so quick to roll over without trying to defend the user's rights:
Rocky Mountain's papers recount that it asked Google for help freezing the account and identifying the account holder but that Google refused to do so without "a valid third party subpoena or other appropriate legal process." Yet despite the filing of plainly defective papers, there is no indication in the publicly filed papers that Google either opposed the requested order or insisted that it be given the opportunity to notify the Doe gmail user so that he or she could obtain counsel and oppose the requested order. Nor do the papers contain any discussion of efforts to notify either Google or the anonymous user about the requested order, even though Rule 65(b)(1) of the Federal Rules of Civil Procedure requires either notice to the parties sought to be enjoined, or a compelling explanation of why notice was not possible. (Because the Bank noticed the problem on August 13, and waited until September 17 to file its suit, it is hard to believe that a few more days' delay to give proper notice would have been catastrophic). And within a day of the issuance of the order (one day before the compliance deadline), Google provided the court with a document explaining how it had complied with the TRO and asked, jointly with Rocky Mountain, that the TRO be vacated.
Indeed. It's certainly understandable why everyone wanted to make sure the data was not compromised, and in this case, it sounds like the account in question was probably inactive or rarely used (or the email went to spam). So everything may have ended up okay. But that's no excuse for potential violations of an individual's rights in trying to correct a mistake by the bank.


Reader Comments (rss)

(Flattened / Threaded)

  •  
    identicon
    Anonymous Coward, Sep 30th, 2009 @ 4:53pm

    The first thing Google should have done is seen if the E - Mail was read. If not, it should have prevented it from being read from that time on.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Sep 30th, 2009 @ 4:53pm

      Re:

      ie: without destroying the whole account, simply disabling that specific E - Mail and not the account and not other E - Mails.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    VladV, Sep 30th, 2009 @ 5:09pm

    I think that Google should ask a permission from the user/customer to get access to his account. It does not matter how long it might take.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    BulmaRO, Sep 30th, 2009 @ 5:14pm

    see, i sorta predicted something similar, i mean why do people asume we all know and check everything we get i mean if i get info from a bank i don't have an account with i inmediately delete it.. just not my business.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Overcast (profile), Sep 30th, 2009 @ 5:15pm

    Google's & Bank's Rights > People's Rights

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Overcast (profile), Sep 30th, 2009 @ 5:18pm

    And dang, I hate changing email addresses... but I'm thinking this warrants getting rid of gmail.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    scarr (profile), Sep 30th, 2009 @ 5:22pm

    I haven't seen anyone ask what this would mean if the email was accidentally sent to a personally owned URL. While that makes it far less likely to occur (unless it was plainly choosing the wrong address from a list), it seems crazy that joe@joescarparts.com should be taken to court for receiving an improperly sent email.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Sep 30th, 2009 @ 11:21pm

      Re:

      What if the president got the E - Mail and his E - Mail account got shut down. What would Obama do then?

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Bustagio, Sep 30th, 2009 @ 5:41pm

    I can't believe the civil liberties and civil rights groups are not in an uproar about what is a blatant violation by both the bank and the govt who actually issued the subpoena with no supporting information, this is a show of whom rights are more important then who's.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      slackr (profile), Sep 30th, 2009 @ 5:47pm

      Re:

      I agree, this should terrify all users of gmail or even of google's services, obviously their prioritites lie in appeasing those companies with money and influence. I would have thought that this raises an issue of who actually 'owns' the email account for services such as these and where the lines of privacy/ownership get drawn for cases such as these.

      In a way it is nice that the email address is domant because this process can be hammered out without some poor Joe Bloggs stuck in the middle. The principles and actions can and should be scrutinised (as they are slowly being) to avoid these cases becoming more prevalent everytime a company screws up monumentally.

       

      reply to this | link to this | view in chronology ]

      •  
        identicon
        Joe, Sep 30th, 2009 @ 6:05pm

        Re: Re:

        ^ "I agree, this should terrify all users of gmail or even of google's services, obviously their prioritites lie in appeasing those companies with money and influence."

        Did I miss something? Google didn't want to give anything out, they only took action upon court order. How are they appeasing a company with money and influe- oh, I suppose if you count the courts/government as a business.

         

        reply to this | link to this | view in chronology ]

        •  
          icon
          John Fenderson (profile), Sep 30th, 2009 @ 6:28pm

          Re: Re: Re:

          I think what your missing is that Google was willing and eager to accomodate the bank's demands, but wanted the CYA of a court order to do it. Otherwise, Google would have argued against the court order.

           

          reply to this | link to this | view in chronology ]

  •  
    identicon
    Robert, Sep 30th, 2009 @ 5:44pm

    Could this be done intentionally?

    Could a company intentionally mailbomb another company with confidential information... then go to the ISP and have their email system shut down on the same basis?

    This could potentially be a war like method of hampering the competitions productivity.

    I wonder if this "loophole" can be misused or taken advantage of. Most companies would crumble in hours if their mail servers were unplugged as part of a court order.

    Seems easy enough to pull off too. If spammers can send millions of emails via a cheap dedicated server, why couldn't a competitor?

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Oct 1st, 2009 @ 5:48am

      Re: Could this be done intentionally?

      Could a company intentionally mailbomb another company with confidential information... then go to the ISP and have their email system shut down on the same basis?

      You're overlooking the fact that it takes a court order and most judges apply a different standard to companies than they do to individuals: They'll screw an individual over in ways that they'd never dream of doing to a company.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    ERH, Sep 30th, 2009 @ 6:00pm

    Obviously the bank was at fault. Why is anyone else being punished? And why ISN'T the bank?

    To me, it just seems like it's a case of "a big oops happened, now someone has to pay. How can we engineer that?"

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Overcast (profile), Sep 30th, 2009 @ 8:40pm

      Re:

      Obviously the bank was at fault. Why is anyone else being punished? And why ISN'T the bank?

      To me, it just seems like it's a case of "a big oops happened, now someone has to pay. How can we engineer that?"


      Well, banks contribute big to political campaigns. Banks get away with things like 'payroll' advances while they try to pay off legislators to ban competition. It's because bankers bascially run this greedy world, so they get their way.

      If there are a couple things anyone should learn about this:

      1. DO NOT use Google for ANY sensitive email at all period - I have already changed my bank over to another email address - my ISP.

      2. Avoid that bank at all costs - if they screw up, they'll do a half-ass job at protecting you - I for one, would certainly not consider this case 'closed' just because Google supposedly deleted an 'unread' email.

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        Fred McTaker (profile), Oct 1st, 2009 @ 2:04am

        Re: Re:

        "1. DO NOT use Google for ANY sensitive email at all period - I have already changed my bank over to another email address - my ISP."

        Ha! If you trust your ISP any more than Google, then you fail at life. The point is not to send ANY unencrypted confidential data over insecure (read: ALL) lines. Anything short of end-to-end encryption can't be considered confidential. If you think your ISP wont go into CYA mode the moment they get a court order, you're bound for disappointment.

        "2. Avoid that bank at all costs"

        The is the real lesson to be learned. You can't fault any business for following court orders. You can only fault the business who distributes confidential information willy-nilly over insecure means.

        You can't blame IE for that spyware you click-installed, you can't blame email for that drunken rant to your ex, and for the same reasons no one can blame Google for anything that happened in this Bank vs. Doe case.

         

        reply to this | link to this | view in chronology ]

  •  
    identicon
    dwind, Sep 30th, 2009 @ 6:11pm

    Why are they emailing such information?

    I don't understand how such information is emailed. One would think they'd fed ex something of this nature.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      DJ (profile), Sep 30th, 2009 @ 6:24pm

      Re: Why are they emailing such information?

      Welcome to the information age. Electrons are faster AND cheaper, so companies vastly prefer EFT over freight.

       

      reply to this | link to this | view in chronology ]

    •  
      icon
      Fred McTaker (profile), Oct 1st, 2009 @ 2:28am

      Re: Why are they emailing such information?

      @dwind: Your statement carries the assumption that physical mail is any more secure than electronic messaging, and that assumption is false. There's plenty of ways to surreptitiously read both mediums, without either the sender or receiver knowing about it. Faxes and phones can also be tapped, and thus are equally insecure. The only safe form of communication is encrypted messaging, where the receiver has exclusive access to the primary key. PGP and SSL are the standard methods, and can be applied to any medium, though they are applied most easily to email and web communications.

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        ChrisB (profile), Oct 1st, 2009 @ 6:57am

        Re: Re: Why are they emailing such information?

        What the hell are you talking about? You've just said that email is MORE secure than letter mail. AND it is more secure than fax and phone lines.

        Are you drunk?

         

        reply to this | link to this | view in chronology ]

    •  
      icon
      rwahrens (profile), Oct 1st, 2009 @ 4:31am

      Re: Why are they emailing such information?

      I regularly tell my customers that regarding email, if they don't want to read it on the front page of the Washington Post tomorrow, don't email it. Of course, using encryption is really the answer, but most people don't know how to use it, and our employer doesn't encourage confidential information to be sent via email anyway.

      It is safer just to deliver it personally or via secure messenger.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Sep 30th, 2009 @ 6:25pm

    Per Gmail TOS (http://www.google.com/accounts/TOS?hl=en):

    "4.3 As part of this continuing innovation, you acknowledge and agree that Google may stop (permanently or temporarily) providing the Services (or any features within the Services) to you or to users generally at Google’s sole discretion, without prior notice to you. You may stop using the Services at any time. You do not need to specifically inform Google when you stop using the Services.

    4.4 You acknowledge and agree that if Google disables access to your account, you may be prevented from accessing the Services, your account details or any files or other content which is contained in your account."

    And...

    "8.3 Google reserves the right (but shall have no obligation) to pre-screen, review, flag, filter, modify, refuse or remove any or all Content from any Service. For some of the Services, Google may provide tools to filter out explicit sexual content. These tools include the SafeSearch preference settings (see http://www.google.com/help/customize.html#safe). In addition, there are commercially available services and software to limit access to material that you may find objectionable."

    Although I find this episode to have been handled quite badly, I don't think Google did anything wrong. Per their TOS, everything they did was well within their own power legally. I sort of remember reading this years ago when I signed up and it didn't really bother me then and it doesn't really bother me now. It's not like I rely on my email account to perpetually store confidential info. I save copies of important emails locally on my computer and really only would keep copies in my email account for convenience sake. Overall, I think the only person who screwed up here is the bank and that is where the focus should be.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Sep 30th, 2009 @ 8:26pm

      Re:

      It doesn't matter if it's legal or not. The implication is that they're suspending your service because either 1) you did something wrong or 2) they just don't want to continue providing the service (to anyone). If they said "hey, we decided you can't have an email with us because we read your messages and determined you're a Jew" there's no TOS that's going to prevent a lawsuit.

      In this case, while Google may not be at fault and while there may not be a legal recourse (I seriously hope there's a way to countersue the bank, and/or get the stupid judge some sort of reprimand... too bad judges are pretty much gods) it's still bad for business.

       

      reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Oct 1st, 2009 @ 5:54am

      Re:

      Although I find this episode to have been handled quite badly, I don't think Google did anything wrong. Per their TOS, everything they did was well within their own power legally.

      Nobody's claiming that they did anything illegal. But if you think that nothing that's legal can be wrong, then you've got some moral issues.

       

      reply to this | link to this | view in chronology ]

  •  
    icon
    John Fenderson (profile), Sep 30th, 2009 @ 6:26pm

    Yet another demonstration

    It's yet another demonstration of why nobody should trust Google with critical information. One should think twice about trusting any third party with important data (and why "cloud computing" is such a terrible idea), but particularly not Google, among others.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    slackr (profile), Sep 30th, 2009 @ 6:52pm

    Thanks for the TOS

    Seeing the TOS posted makes it clear that Google had the power to do what they did, however it still worries me that just because it is sensitive commercial information that somehow that allows a company/bank to get a court order to make Google act.

    Does this mean the next time I hit send on some innappropriate email if I've got the $$$ I can get it deleted by court order? What did the bank prove to the court that forced Google to act?

    The banks system failed, no one elses. As Scarr pointed out: "I haven't seen anyone ask what this would mean if the email was accidentally sent to a personally owned URL". Does this mean my website host has the same power as Google in this sort of case?

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    davebarnes (profile), Sep 30th, 2009 @ 7:06pm

    What?

    "everyone wanted to make sure the data was not compromised"
    Given that the data were part of my plot to take over the world I am concerned. Let the data free!

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Sep 30th, 2009 @ 7:40pm

    Once again, US justice system == F.A.I.L.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    dsf, Sep 30th, 2009 @ 7:43pm

    This whole thing has been an insipid waste of time, including ours for following it. Google should have seen the email was unread, and deleted it off its servers once validating the sender. Case closed.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Overcast (profile), Sep 30th, 2009 @ 8:42pm

      Re:

      This whole thing has been an insipid waste of time, including ours for following it. Google should have seen the email was unread, and deleted it off its servers once validating the sender. Case closed.

      But are there email clients that can 'read' the email and not mark it read (like as in the preview pane in Outlook)? Or can they tell if you change the email back to 'unread'?

      If it was my account, I would close it immediately.

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        Overcast (profile), Sep 30th, 2009 @ 8:45pm

        Re: Re:

        To answer my own question - yes, I can read at least portions of the email and it never gets marked 'read' - simply through my Google home page with the 'gmail' widget.

         

        reply to this | link to this | view in chronology ]

        •  
          identicon
          Anonymous Coward, Oct 1st, 2009 @ 5:57am

          Re: Re: Re:

          To answer my own question - yes, I can read at least portions of the email and it never gets marked 'read' - simply through my Google home page with the 'gmail' widget.

          Google's internal logs will still show every access. You don't have access to their internal logs.

           

          reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Sep 30th, 2009 @ 11:29pm

      Re:

      I agree, I think everyone is making an entirely too big issue out of what Google did.

      No matter what Google does they're faced between a rock and a hard spot. If they do nothing they can be accused of allowing sensitive information to be revealed to someone unnecessarily. That can cost them damages. If they do something, like temporarily disable the account or delete the E - Mail, that can also be a privacy issue. Google, as far as I can tell, ALMOST did the right thing, the only thing they should have done better is instead of closing the account altogether, find the specific E - Mail (ie: write some software to look for it without anyone having to read any other E - Mail) and delete only that specific E - Mail after ensuring it hasn't been read.

      This isn't rocket science. Google appealing the process opens the door to the recipient reading the E - mail since appeals waste more time. That can be more liability for Google. They have to mitigate the damages ahead of time and they did. Stop being so hard on Google. BANK OF AMERICA SCREWED UP, NOT GOOGLE!!!!

       

      reply to this | link to this | view in chronology ]

      •  
        identicon
        Anonymous Coward, Oct 1st, 2009 @ 8:41am

        Re: Re:

        and it's also not like google did anything to initiate this situation (ie: filing a lawsuit), this situation was initiated upon them and they responded the best they could given the time constraints and the time required to think of the best way to respond on the fly.

         

        reply to this | link to this | view in chronology ]

  •  
    icon
    Drew (profile), Sep 30th, 2009 @ 9:17pm

    It makes you wonder...

    What if they had sent this information to his US Postal Service mailbox? Could they have sued to confiscate (and destroy) it?

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Eli (profile), Oct 1st, 2009 @ 1:20am

    Since we're not ever going to see the Doe come forward in this case to actually stand up for their rights, who has the right to file on their behalf for damages? It would be nice to see the bank and google each forced to pony up to fund a legal scholarship for someone wanting to study Copyright/IP law.

    Of course, that raises the issue of 'what are fair damages?' - individuals and corporations are extremely different when it comes to what actual dollar figures represent so it seems the only fair way to determine this would be to say that the Doe was offlined for x days. The bank and Google should each be required to pay (x/365)*(GrossEarnings), effectively offlining them for those days as well.

    If there's no fiscal consequences, there's no incentive for this not to become a DoS attack.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Graham, Oct 1st, 2009 @ 1:24am

    Banks responsibility

    It seems to me that the bank should be held to account for lack of effective data protection measures? They should not be e-mailing that kind of detail to ANYONE. Furthermore they should not be ABLE to e-mail that kind of detail. A complete breakdown of IT security policy, practice and systems ... THAT is what should be in the courtroom !!

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Jeff, Oct 1st, 2009 @ 1:03pm

    But...

    Think of the children!!

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Andrew, Oct 2nd, 2009 @ 6:59am

    Missing the Point

    This isn't about what Google did. Any company would, it was a court order. The fact that the court issued the order is the disturbing part.

    What if the email had been opened? Should they search this person's personal computer? Perhaps the person printed it. Their house must be searched! Perhaps they gave a copy to their friend or YOU!

    If the government ever needs probable cause to search you or your belongings they can now just text you something sensitive by "accident".

    In my opinion the gmail account holder has done nothing wrong and until they do something illegal with the data they should be left alone. If the user wants to save the data, or incorporate it into their latest work of art and hang it on their wall, or whatever, if it's not illegal then the government should keep out.

    Once the bank has suffered actual damages or a law has been broken then the courts should get involved.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Oct 2nd, 2009 @ 1:56pm

      Re: Missing the Point

      This isn't about what Google did. Any company would, it was a court order.

      Google happily choose to not exercise their legal option to contest the order. You're saying any company would do that? I'm saying you're full of it. Some companies would exercise their legal options.

      The fact that the court issued the order is the disturbing part.

      There's more than one disturbing aspect to this story. Google's behavior is also one of them.

       

      reply to this | link to this | view in chronology ]

  •  
    icon
    Griff (profile), Oct 20th, 2009 @ 6:15am

    Think your ISP is better ?

    Google have the size and legal power to at least resist until court order.
    Many small ISP's would probably have rolled over with no court order when suits froma major bank came knocking.

    I'm leaving my mail with Google where I can see they will at least hold out until forced by law.

    (I think the law is what was at fault here, but Google have to follow it).

     

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This