Unlikely, but it could happen. A judge recently ordered a person’s Gmail account to be shut down. Why? Because that person received an email from a bank. The email was not supposed to be sent to that person, and it contained account information that person was not supposed to see.
The order, issued Wednesday by U.S. District Court Judge James Ware in the northern district of California, also requires Google to disclose the Gmail account holder’s identity and contact information. The Gmail user hasn’t been accused of any wrongdoing.
The Rocky Mountain Bank, in Wilson, Wyoming, sent names, addresses, SS numbers, and some financial information of well over one thousand customers to some random Gmail address. It then sent an email asking the unintended recipient to destroy the attachment without opening. The bank did not get a response, so the bank contacted Google. Google blew the bank off, in accordance with its policies. What happened next is a bit complex, but essentially, a US federal court ordered the account suspended.
“It’s outrageous that the bank asked for this, and it’s outrageous that the court granted it,” says John Morris, general counsel at the Center for Democracy & Technology. “What right does the bank have and go suspend the email account of a completely innocent person?”
Personally, I think this could have been handled quite differently, by both the bank and by Google.
Personally, do you think that it could have been handled differently by the judge?
Why do I run my own e-mail and web server? Oh yeah, right.
The bank wanted to retrieve that one attachment. The judge should have ordered Google to delete the attachment from their servers and had the account holders identity revealed enough for someone to make a real contact with that person and determine if they ever opened or saved the file. Simply closing the account without first making an effort to do either of those seems punitive and completely unnecessary. Of course, Google could have made some kind of an effort to help the bank make contact with the account holder (perhaps with Google acting as a middleman to assure the privacy of the account holder). Also, if canceling the account is the extent of the judge’s order, then it still leaves the bank in a state of not knowing whether the file was ever opened or whether those accounts are still secure or whether the privacy of their account holder was compromised.
It looks like the judge’s decision was pretty crappy any way you look at it.
The bank should be fined; no one else has done anything wrong.
I agree with John McKay. This was a heavy handed way of handling it. If I was the gmail user I’d now file a suit against the bank under ECPA.
I’m with Albatross. Running your own web server is pretty easy; email is a hard problem but it’s not insurmountable if you start small. Still, there’s a reason we pay sysadmins.
Having worked for Excite.com from 1996 – 2001, I know what goes on behind the scenes at places like Yahoo, Google, etc. (I keep in contact with my old coworkers…) Even if we assume everyone working at Google, top to bottom, really subscribe to their motto “Don’t Be Evil” and their shareholders and board of directors agree, you are still at the mercy of the court system, Department of Justice, FBI, etc.
The FBI has been particularly pernicious with their National Security Letters, demanding customer information and prohibiting the unfortunate recipient from talking about it. After abusing the power (as expected), the FBI has (possibly?) been reined in, but that’s only one example of how a third-party can interdict or intercept your communications leaving you with no recourse.
And it makes no difference if your email is particularly “interesting” to law enforcement (i.e. you’re a suspect.) In the incident mentioned in the original post, nobody cared about the user or his traffic, just the junk the bank fat-fingered and sent to him by mistake.
My mail server physically resides in my house at the end of a DSL line. If the Feds want to rummage through it, they can get a search warrant like anyone else. Or break into my house and take it. Either way, I’m aware they’re looking at me. Using an online provider means they can intercept and block my traffic and I’ll never know because the NSL legally prohibits anyone who could tell me what’s going on from doing so. I don’t like running mail services, but that’s the price I pay for paranoia.
Here’s the $64,000 question: Why were SSNs sent in the clear to a random Gmail account? Isn’t there some regulation that prohibits that? SOX, perhaps? Surely with PGP, GPG, and other personal encryption software available for almost every email client, there’s no reason not to encrypt the files so only the intended recipient can read them. I know, I can hear the bank manager or his secretary whining that that’s too hard. Tough darts, buddy. You’re a bank, you deal with sensitive info, you’re allegedly regulated – security is the cost of doing business. Do it right or get out of the market.
The depositors, regulators, and board of directors should be reaming out the responsible manager. My bet is that the dumb asshole will probably get a promotion for unleashing the flying monkeys, er, lawyers and law enforcement on the random Gmail user whose only crime was having a Gmail account.
While I agree that it’s a shitty decision and the whole thing could have been done better, I think the real lesson here is if you get an email from a bank (or anybody) that isn’t intended for you and then an email explaining the situation to you, comply and respond telling them you’ve complied.
I don’t know about anybody else, but having my email disabled sounds terrible. I would gladly co-operate with anybody to avoid that.
I guess there is some possibility that the emails from the bank were dismissed as some kind of new spam or phishing or something.
I delete dozens of emails a day that look like spam. Many are emails that look like they are from banks. Instant delete. I dont’ even read email from my own bank because I have told them not to send me emails, I assume they don’t, and thus, anything with that bank name on it must be spam.
The problem is deeper than all these details. The problem is the social security numbers. That is the weak link in the chain!
Do they even know that the Gmail account is in active use?
Greg: “The problem is the social security numbers. That is the weak link in the chain!”
SS numbers shouldn’t be in the chain at all. They can be trusted to be secret as much as your street address. They are addresses to data records, and were never even intended to be secret in cryptographic sense.
There are numerous better ways to securely authenticate people. The banks, of all companies, should have their own ID management solutions. Ask any Scandinavian bank for details. They even do extra business by offering their on-line secure authentication service to web shops. Here in Finland even the tax collector trusts your bank authentication – but not your SS number.
I really get irritable about the way SS numbers are used too Lassi. I mean for fucks sake, my SS number is integrated in my school email address – how bloody damned stupid can you get.
While I actually do get email alerts from my credit union, they provide no information about my account excepting the alert that my debit account had dipped below a certain point. Anything else that comes in from a bank – or claims to, never makes it to my inbox. I would be happy to cooperate with folks in the event of a problem, but in case of a problem like this, I would never be aware it happened. I suspect that few gmail users would be, as it is gmail’s general spam filter that keeps it all out.
And I would totally be fucked about if my main gmail account were closed. I email anything important to myself for safe keeping – precisely because google fucking rules when it comes to keeping shit safe. Unlikely or not, I have opened yet another gmail account and will be forwarding everything I need safe to that one as a backup.
I ultimately suspect the biggest problem here, is that the judge wasn’t tech savvy enough to understand the problems with his ruling – not the least being that no one actually knows if the information was secured by simply deleting the account, much less that it wasn’t the only way to solve the problem.
If I got an email apparently from a bank that I didn’t bank with, then another email from the same place asking for me to delete the attachment, both of them would be binned instantly, unread. So I’d be an entirely innocent party, like any other sensible person.
Haven’t the banks heard of phishing? I get about 10-15 emails a day from ‘banks’. The incompetence of banks in all areas of expertise is astounding.
@Bob
Did you get a permanent IP address from your ISP?
In the case of the judge, he probably has no idea of how people use their accounts for research and storage. Does anyone know if the Law library is online? Does the judge use it?
I attempt to keep up on anthropology, hence reading Greg’s blog, but there are so many other areas that there is no way I could keep up with all of them. The judge has chosen his areas to watch and it is apparent cyberlaw is not one he follows.
I think it is more a situation of not understanding ramifications and just not being tech savy. I am friends with many people who, even though they own computers, do not use them. Other people in their family do, but not them.
#11
I have had a similar experience: being the recipient of email that contained information intended for someone else (but nearly as egregious as this case with SS numbers etc.) I too am very suspicious of phishing so did nothing but put in the trash the first couple of times. When it continued to happen I did a search for the firm sending the emails and found them to be legit so I contacted them and informed them that I was deleting the attachments but that they had the wrong email address and they needed to fix the situation. I also figured out who they were intending the email for and I contacted that person as well. I don’t think I had to do any of this but I was not comfortable not getting it straightened out.
The bank should not be fined; they should be sued in civil court for all reasonable consequent damages resulting from their incompetence. EG: permanent loss of email, permanent loss of the account, the effort involved for having to identify all prior correspondents and notify them of the replacement address, et cetera.
I’d also feel punitive damages would be in order, since this was the result of initial criminal negligence on the part of the bank’s agent.
Of course, the bank forcing Google to shut down the account might be a moot point. I have several gmail accounts and they all forward to one main account so I only have to monitor one but can log into others to reply. Additionally, I only recently began keeping my mail online. Before that I used POP and stored it all on my computer. I have mail in my Eudora mailbox as far back as 1997 . . and YES, I’m saving it for a reason.
So there’s no guarantee that shutting down this account helped. If this user did the same thing, that file is on his/her computer. So much for bullying people, stupid bank.
This just blows my mind. I’m sorry, but Rocky Mountain Bank was in the wrong here. Totally in the wrong. They should have reprimanded their employee instead. I would have to question as to WHY did the employee have to email ANYONE a list of sensitive information? Do people NOT know or realize that emailing from one address to another is NOT safe or confidential as we are lead to believe. Emails can be intercepted along the route by hackers and those who use script programs to spy on mail servers and such.
I sincerely hope that Rocky Mountain Bank customers have heard about this story and hope that they close their accounts at Rocky Mountain Bank PRONTO and find another bank to do business at. Rocky Mountain Bank needs to take responsibility of their own f**k up instead of blaming someone else or trying to pretend that a criminal phantom exists when it doesn’t.
Just who the hell does Rocky Mountain Bank think they are to take away someone’s right to have an email account? Corporations like them seriously disgust me. I hope that whoever the person is that had their email account taken away, I hope that person sues the living sh** out of Rocky Mountain Bank AND Google.
Google disabled 200 user accounts when someone goofed up the migration from private servers to Google servers and those users were somehow allowed to read other people’s email. It’s just easier for Google to shut you down than to fix the problem.