Google Destroyed Missent Bank Info Email Unopened... As More Legal Questions Are Raised
from the still-doesn't-make-sense dept
Last week, Google was ordered to deactivate someone's Gmail account, because Rocky Mountain Bank had totally screwed up and sent the Gmail account holder an email by accident, which contained all sorts of confidential information. It's still not at all clear how Rocky Mountain Bank made such a monumental screw-up, but we'll leave that aside for now. On Monday, the two companies asked the judge for permission to restore the email, after they realized that the email in question had never been opened, and Google had deleted it from its servers. Case closed?
Well... not so fast. Paul Alan Levy, from Public Citizen, sees a number of serious problems with the whole episode, starting with the legal complaint in the first place -- which offered no opportunity for the email account user to speak up and argue for his or her own rights, against having the account deactivated. But just the legal proceedings themselves suffered from some serious problems:
First, the complaint. Rocky's complaint is based on the contention that, having botched its obligation to keep its own customers' information secret, it was obligated under various state and federal banking regulations to seek to recover the information and prevent its further dissemination. The complaint further alleges that regulatory officials expressed their endorsement of efforts by the Bank to protect the confidentiality of the information. The complaint sought a declaratory judgment that Rocky Mountain was entitled to information about the account holder, and that Google was obligated to prevent use of the information sent to the account. It sought an injunction enjoining Google and the account holder from accessing or distributing the information mistakenly sent to the email account, and compelling Google to identify the account holder. But curiously absent from the complaint was any allegation about how either Google or the owner of the gmail account had violated the plaintiff's rights, or any assertion of a cause of action against either Google or the anonymous account holder, that would form the basis for granting relief against either. Nor did Rocky Mountain's papers explain why section 230 of the Communications Decency Act entitled it to bring an action against Google, or to obtain any relief against Google, even assuming that it had a claim against the gmail account holder. Without a cause of action and without a violation of the plaintiff's rights, why was Rocky Mountain entitled to relief, and why should the defendants be subjected to an injunction? Neither the complaint, nor the brief in support of the TRO, explains this.
Oops. And, from there, Levy also wonders why Google was so quick to roll over without trying to defend the user's rights:
Second, the lack of federal court jurisdiction. Although the complaint identified only Google as a defendant, Rocky Mountain asked for relief against the anonymous gmail account holder, which is obviously, therefore, a defendant just as Google was. Indeed, if either Google or the account holder was the right defendant here, it is the account holder. But this poses a serious problem, because the law is clear that a Doe defendant cannot be sued under diversity jurisdiction. If there had been any party with any incentive to protect the Doe's rights in this case, that party could have pointed this jurisdictional defect out to the Court, which would therefore have been obligated to dismiss the case instead of issuing a TRO.
Rocky Mountain's papers recount that it asked Google for help freezing the account and identifying the account holder but that Google refused to do so without "a valid third party subpoena or other appropriate legal process." Yet despite the filing of plainly defective papers, there is no indication in the publicly filed papers that Google either opposed the requested order or insisted that it be given the opportunity to notify the Doe gmail user so that he or she could obtain counsel and oppose the requested order. Nor do the papers contain any discussion of efforts to notify either Google or the anonymous user about the requested order, even though Rule 65(b)(1) of the Federal Rules of Civil Procedure requires either notice to the parties sought to be enjoined, or a compelling explanation of why notice was not possible. (Because the Bank noticed the problem on August 13, and waited until September 17 to file its suit, it is hard to believe that a few more days' delay to give proper notice would have been catastrophic). And within a day of the issuance of the order (one day before the compliance deadline), Google provided the court with a document explaining how it had complied with the TRO and asked, jointly with Rocky Mountain, that the TRO be vacated.
Indeed. It's certainly understandable why everyone wanted to make sure the data was not compromised, and in this case, it sounds like the account in question was probably inactive or rarely used (or the email went to spam). So everything may have ended up okay. But that's no excuse for potential violations of an individual's rights in trying to correct a mistake by the bank.
Filed Under: confidential information, court order, deactivated, email
Companies: google, rocky mountain bank
Reader Comments
Could this be done intentionally?
This could potentially be a warlike method of hampering the competition's productivity.
I wonder if this "loophole" can be misused or taken advantage of. Most companies would crumble in hours if their mail servers were unplugged as part of a court order.
Seems easy enough to pull off too. If spammers can send millions of emails via a cheap dedicated server, why couldn't a competitor?
[ link to this | view in thread ]
Re:
In a way it is nice that the email address is dormant because this process can be hammered out without some poor Joe Bloggs stuck in the middle. The principles and actions can and should be scrutinised (as they are slowly being) to avoid these cases becoming more prevalent every time a company screws up monumentally.
[ link to this | view in thread ]
To me, it just seems like it's a case of "a big oops happened, now someone has to pay. How can we engineer that?"
[ link to this | view in thread ]
Re: Re:
Did I miss something? Google didn't want to give anything out, they only took action upon court order. How are they appeasing a company with money and influe- oh, I suppose if you count the courts/government as a business.
[ link to this | view in thread ]
Why are they emailing such information?
[ link to this | view in thread ]
"4.3 As part of this continuing innovation, you acknowledge and agree that Google may stop (permanently or temporarily) providing the Services (or any features within the Services) to you or to users generally at Google’s sole discretion, without prior notice to you. You may stop using the Services at any time. You do not need to specifically inform Google when you stop using the Services.
4.4 You acknowledge and agree that if Google disables access to your account, you may be prevented from accessing the Services, your account details or any files or other content which is contained in your account."
And...
"8.3 Google reserves the right (but shall have no obligation) to pre-screen, review, flag, filter, modify, refuse or remove any or all Content from any Service. For some of the Services, Google may provide tools to filter out explicit sexual content. These tools include the SafeSearch preference settings (see http://www.google.com/help/customize.html#safe). In addition, there are commercially available services and software to limit access to material that you may find objectionable."
Although I find this episode to have been handled quite badly, I don't think Google did anything wrong. Per their TOS, everything they did was well within their own power legally. I sort of remember reading this years ago when I signed up and it didn't really bother me then and it doesn't really bother me now. It's not like I rely on my email account to perpetually store confidential info. I save copies of important emails locally on my computer and really only would keep copies in my email account for convenience sake. Overall, I think the only person who screwed up here is the bank and that is where the focus should be.
[ link to this | view in thread ]
Yet another demonstration
[ link to this | view in thread ]
Thanks for the TOS
Does this mean the next time I hit send on some inappropriate email if I've got the $$$ I can get it deleted by court order? What did the bank prove to the court that forced Google to act?
The bank's system failed, no one else's. As Scarr pointed out: "I haven't seen anyone ask what this would mean if the email was accidentally sent to a personally owned URL". Does this mean my website host has the same power as Google in this sort of case?
[ link to this | view in thread ]
What?
Given that the data were part of my plot to take over the world I am concerned. Let the data free!
[ link to this | view in thread ]
Re:
In this case, while Google may not be at fault and while there may not be a legal recourse (I seriously hope there's a way to countersue the bank, and/or get the stupid judge some sort of reprimand... too bad judges are pretty much gods) it's still bad for business.
[ link to this | view in thread ]
Re:
To me, it just seems like it's a case of "a big oops happened, now someone has to pay. How can we engineer that?"
Well, banks contribute big to political campaigns. Banks get away with things like 'payroll' advances while they try to pay off legislators to ban competition. It's because bankers basically run this greedy world, so they get their way.
If there are a couple things anyone should learn about this:
1. DO NOT use Google for ANY sensitive email at all period - I have already changed my bank over to another email address - my ISP.
2. Avoid that bank at all costs - if they screw up, they'll do a half-ass job at protecting you - I for one, would certainly not consider this case 'closed' just because Google supposedly deleted an 'unread' email.
[ link to this | view in thread ]
Re:
But are there email clients that can 'read' the email and not mark it read (like as in the preview pane in Outlook)? Or can they tell if you change the email back to 'unread'?
If it was my account, I would close it immediately.
[ link to this | view in thread ]
It makes you wonder...
[ link to this | view in thread ]
Re:
No matter what Google does they're faced between a rock and a hard spot. If they do nothing they can be accused of allowing sensitive information to be revealed to someone unnecessarily. That can cost them damages. If they do something, like temporarily disable the account or delete the E-Mail, that can also be a privacy issue. Google, as far as I can tell, ALMOST did the right thing, the only thing they should have done better is instead of closing the account altogether, find the specific E-Mail (ie: write some software to look for it without anyone having to read any other E-Mail) and delete only that specific E-Mail after ensuring it hasn't been read.
This isn't rocket science. Google appealing the process opens the door to the recipient reading the E-mail since appeals waste more time. That can be more liability for Google. They have to mitigate the damages ahead of time and they did. Stop being so hard on Google. BANK OF AMERICA SCREWED UP, NOT GOOGLE!!!!
[ link to this | view in thread ]
Of course, that raises the issue of 'what are fair damages?' - individuals and corporations are extremely different when it comes to what actual dollar figures represent so it seems the only fair way to determine this would be to say that the Doe was offlined for x days. The bank and Google should each be required to pay (x/365)*(GrossEarnings), effectively offlining them for those days as well.
If there's no fiscal consequences, there's no incentive for this not to become a DoS attack.
[ link to this | view in thread ]
Banks responsibility
[ link to this | view in thread ]
Re: Re:
Ha! If you trust your ISP any more than Google, then you fail at life. The point is not to send ANY unencrypted confidential data over insecure (read: ALL) lines. Anything short of end-to-end encryption can't be considered confidential. If you think your ISP won't go into CYA mode the moment they get a court order, you're bound for disappointment.
"2. Avoid that bank at all costs"
This is the real lesson to be learned. You can't fault any business for following court orders. You can only fault the business who distributes confidential information willy-nilly over insecure means.
You can't blame IE for that spyware you click-installed, you can't blame email for that drunken rant to your ex, and for the same reasons no one can blame Google for anything that happened in this Bank vs. Doe case.
[ link to this | view in thread ]
Re: Why are they emailing such information?
It is safer just to deliver it personally or via secure messenger.
[ link to this | view in thread ]
Re:
Just exactly who would you change to that would be any better?
[ link to this | view in thread ]
Re: Could this be done intentionally?
You're overlooking the fact that it takes a court order and most judges apply a different standard to companies than they do to individuals: They'll screw an individual over in ways that they'd never dream of doing to a company.
[ link to this | view in thread ]
Re:
Nobody's claiming that they did anything illegal. But if you think that nothing that's legal can be wrong, then you've got some moral issues.
[ link to this | view in thread ]
Re: Re: Re:
Google's internal logs will still show every access. You don't have access to their internal logs.
[ link to this | view in thread ]
Re: Re: Why are they emailing such information?
Are you drunk?
[ link to this | view in thread ]
Think of the children!!
[ link to this | view in thread ]
Missing the Point
What if the email had been opened? Should they search this person's personal computer? Perhaps the person printed it. Their house must be searched! Perhaps they gave a copy to their friend or YOU!
If the government ever needs probable cause to search you or your belongings they can now just text you something sensitive by "accident".
In my opinion the gmail account holder has done nothing wrong and until they do something illegal with the data they should be left alone. If the user wants to save the data, or incorporate it into their latest work of art and hang it on their wall, or whatever, if it's not illegal then the government should keep out.
Once the bank has suffered actual damages or a law has been broken then the courts should get involved.
[ link to this | view in thread ]
Re: Missing the Point
Google happily chose to not exercise their legal option to contest the order. You're saying any company would do that? I'm saying you're full of it. Some companies would exercise their legal options.
The fact that the court issued the order is the disturbing part.
There's more than one disturbing aspect to this story. Google's behavior is also one of them.
[ link to this | view in thread ]
Think your ISP is better?
Many small ISPs would probably have rolled over with no court order when suits from a major bank came knocking.
I'm leaving my mail with Google where I can see they will at least hold out until forced by law.
(I think the law is what was at fault here, but Google have to follow it).
[ link to this | view in thread ]