Last week, Google was ordered to deactivate
someone's Gmail account, because Rocky Mountain Bank had totally screwed up and sent the Gmail account holder an email by accident, which contained all sorts of confidential information. It's still not at all clear how Rocky Mountain Bank made such a monumental screw up, but we'll leave that aside for now. On Monday, the two companies asked the judge for permission to restore
the email, after they realized that the email in question had never been opened
, and Google had deleted it from its servers. Case closed?
Well... not so fast. Paul Alan Levy
, from Public Citizen, sees a number of serious problems with the whole episode
, starting with the legal complaint in the first place -- which offered no opportunity for the email account user to speak up and argue for his or her own rights, against having the account deactivated. But just the legal proceedings themselves suffered from some serious problems:
First, the complaint. Rocky's complaint is based on the contention that, having botched its obligation to keep its own customers information secret, it was obligated under various state and federal banking regulations to seek to recover the information and prevent its further dissemination. The complaint further alleges that regulatory officials expressed their endorsement of efforts by the Bank to protect the confidentiality of the information. The complaint sought a declaratory judgment that Rocky Mountain was entitled to information about the account holder, and that Google was obligated to prevent use of the information sent to the account. It sought an injunction enjoining Google and the account holder from accessing or distributing the information mistakenly sent to the email account, and compelling Google to identify the account holder. But curiously absent from the complaint was any allegation about how either Google or the owner of the gmail account had violated the plaintiff's rights, or any assertion of a cause of action against either Google or the anonymous account holder, that would form the basis for granting relief against either. Nor did Rocky Mountain's papers explain why section 230 of the Communications Decency Act entitled it to bring an action against Google, or to obtain any relief against Google, even assuming that it had a claim against the gmail account holder. Without a cause of action and without a violation of the plaintiff's rights, why was Rocky Mountain entitled to relief, and why should the defendants be subjected to an injunction? Neither the complaint, nor the brief in support of the TRO, explains this.
Second, the lack of federal court jurisdiction. Although the complaint identified only Google as a defendant, Rocky Mountain asked for relief against the anonymous gmail account holder, which is obviously, therefore, a defendant just as Google was. Indeed, if either Google or the account holder was the right defendant here, it is the account holder. But this poses a serious problem, because the law is clear that a Doe defendant cannot be sued under diversity jurisdiction. If there had been any party with any incentive to protect the Doe's rights in this case, that party could have pointed this jurisdictional defect out to the Court, which would therefore have been obligated to dismiss the case instead of issuing a TRO.
Oops. And, from there, Levy also wonders why Google was so quick to roll over without trying to defend the user's rights:
Rocky Mountain's papers recount that it asked Google for help freezing the account and identifying the account holder but that Google refused to do so without "a valid third party subpoena or other appropriate legal process." Yet despite the filing of plainly defective papers, there is no indication in the publicly filed papers that Google either opposed the requested order or insisted that it be given the opportunity to notify the Doe gmail user so that he or she could obtain counsel and oppose the requested order. Nor do the papers contain any discussion of efforts to notify either Google or the anonymous user about the requested order, even though Rule 65(b)(1) of the Federal Rules of Civil Procedure requires either notice to the parties sought to be enjoined, or a compelling explanation of why notice was not possible. (Because the Bank noticed the problem on August 13, and waited until September 17 to file its suit, it is hard to believe that a few more days' delay to give proper notice would have been catastrophic). And within a day of the issuance of the order (one day before the compliance deadline), Google provided the court with a document explaining how it had complied with the TRO and asked, jointly with Rocky Mountain, that the TRO be vacated.
Indeed. It's certainly understandable why everyone wanted to make sure the data was not compromised, and in this case, it sounds like the account in question was probably inactive or rarely used (or the email went to spam). So everything may have ended up okay. But that's no excuse for potential violations of an individual's rights in trying to correct a mistake by the bank.