Bank sues Google for identity of Gmail user

A US bank is suing Google for the identity of a Gmail user after a bank employee accidentally sent the user a file that included the names, addresses, tax IDs, and loan info for more than 1,300 of the bank's customers. In mid-August, according to court documents filed in a California federal court, the Wyoming-based Rocky …

COMMENTS

  1. EJ

    The problem here

    At first my reaction was "Why doesn't the Gmail user reveal their identity and tell the bank they've destroyed the file?" But the can of worms that opens up is if any ID theft occurs with those accounts involved in the ensuing months, the possibility exists that the bank could then somehow come back at the Gmail user holding them responsible or attempting to claim damages. And given how carefully the bank seems to protect its customers' information, I wouldn't be so optimistic that the likelihood of a breach is low.

  2. Andre 4

    Huh what?

    Why should someone lose their privacy because a bank employee made an error?

    Besides, why are they sending any private information unencrypted through email? If it was encrypted, this would be a non-issue. Even if the employee got the right address, anyone could intercept an unencrypted file anywhere along the way.

    If they sent me such a file, they would have to buy it back off me. Lord knows, they would charge me a penalty if I made some banking error.

  3. Anonymous Coward
    Stop

    Real Story

    The important aspect here is the Bank, who did not encrypt the data using a secure password. This password could have been provided via telephone to the recipient.

    Google are absolutely in the right here.

  4. Anonymous Coward
    Thumb Up

    Banks, well being banks again!

    Too right!

    FFS, there are so many things wrong here aren't there?!

    Even Google can't just accept that someone who demands info over the phone or email, is who they say they are!

    Someone claiming to be from my bank phoned me the other day to say there had been dodgy activity on my cards and could I supply information! I refused point blank and asked for their name and said I would get their department number from the head office reception, then call back! As it turned out, it was pukka and I had to get all my details changed as it was genuine, but you never know!

    I am always flabbergasted when people call work and start asking all sorts of technical questions about our setup, especially if it's about the networks. One guy even phoned to ask about our firewall kit and security measures, claiming to be from some security agency! I refused to discuss anything and politely told him to get stuffed! What annoys me is my colleagues actually start telling these cold-callers the info they want! How fuggin' stupid are you?!

  5. Anonymous Coward
    Dead Vulture

    Google is acting legally, but that is far from being "right"

    "Google, of course, is right to wait for a court order. And it's right to give the Gmail user involved the opportunity to oppose the order. But the tale is a reminder that in certain situations, the information giant will indeed be compelled to turn over private data."

    The longer the confidential information is left exposed, the greater the risk that thousands of people (we are talking about impacts to entire families, not just single people) are placed in, over a clerical error.

    I can not even imagine that Google would just sit idle and wait for a court order when identity theft is already so rampant. Quarantining the identified email for a temporary period of time (i.e. 30 days), upon the request of the sender, until the court order is received, is a much better solution - to protect thousands of people for the rest of their lives from identity theft.

  6. mlo0352
    Stop

    uh oh

    They better not give the name away. The bank made a mistake, and gave something to the wrong person. Their fault. Too bad.

  7. Anonymous Coward
    FAIL

    That's why you use

    false info when registering to online email sites. However, the problem is that all your emails will probably identify you. What is the legal issue regarding accidentally sending private information to a wrong email address? Is it not the same as when transferring money to the wrong account? I remember reading a few days ago on the BBC News website where someone accidentally transferred thousands of pounds to the wrong person and they were told by the bank that the money is lost.

  8. Anonymous Coward
    FAIL

    um

    So let me get this straight... The bank's policy allows them to do something as unprofessional as sending confidential documents to a Gmail address... and then they can't even do that right?!

    I'm keeping my money under the mattress.

  9. Anonymous Coward
    Anonymous Coward

    What were they thinking?

    Remind me never to open an account with this bank. What were they thinking sending this kind of confidential information in an e-mail--regardless of the screw up of sending it to the wrong e-mail address? Do employees receive no training on how to handle confidential information? Do they think that an e-mail sent to the average e-mail address is some kind of magic secret between the sender and the recipient (setting aside special environments where e-mail is encrypted)? OK, yes, the average bank employee probably does think this.

  10. Gannon (J.) Dick
    IT Angle

    HITECH

    There's a simple solution. Since the Bank no doubt encrypts something, they should simply declare their blunder a disclosure of Medical Information then they would have the option of saying nothing more. Everybody (who matters) is happy.

  11. Anonymous John

    <Untitled>

    All Gmail knows about me is my IP address, and a few scambaiting names. And my non-USA ISP wouldn't give the bank my name and address without a court order.

    Gmail must have loads of defunct accounts. The owner may not even know about the email.

  12. Anonymous Coward
    FAIL

    Who gives identifying information to free email services?

    Who gives identifying information to free email services? Seriously, when you last signed up for a free email service did you provide your full name, contact details etc? I sure didn't. They don't need to know it and I see no reason to tell them. Looking at the Edit personal information section of my Google Account right now and they don't even ask for enough information to identify me. They ask for a Name, zip code (optional) and Country (optional).

    So I don't see how taking action against Google unless the court order also permits turning over the contents of emails in the account and those emails contain something useful like the person's full name and address. Other than that Google might be able to supply a list of IP addresses and then the Bank can try and tie them to a person by way of more legal action against ISPs.

  13. Anonymous Coward
    Anonymous Coward

    All your mail are belong to us.

    Why on earth would you send confidential information to a gmail address in the first place? Do you really believe Google doesn't data mine your email?

    Not only does the person who accidentally got the mail now have the information, but I guess Google now has it as well.

    Furthermore it's very likely the person who got it doesn't even know. I don't know how large a percentage of the gmail accounts are ghost accounts but I guess it will be a lot.

    I guess the next headline on el-Reg will be : Google starts a bank.

  14. Robin

    re: What were they thinking?

    "Do they think that an e-mail sent to the average e-mail address is some kind of magic secret between the sender and the recipient?"

    Lots of people do, I'm afraid! That and assuming that everybody only has one email address.

  15. Martin Gregorie

    @ AC 20:39

    "Quarantining the identified email for a temporary period of time (i.e. 30 days), upon the request of the sender, until the court order is received, is a much better solution - to protect thousands of people for the rest of their lives from identity theft."

    How does that work then?

    For a mail to be quarantined so the sender has time to have second thoughts before the recipient gets it, the message must be held somewhere before it's delivered. This must apply to *all* mail since the MTA can't know who is likely to screw up. You do realize that you can't quarantine mail after it's been delivered, don't you?

    So, who do you expect to hold the delayed mail and for how long?

    Are you seriously suggesting that all e-mail should be delayed for 30 days?

    Kindly get a clue.

  16. Chris Malme

    Super wheeze!

    So if I wanted to find out the identity behind a Google account, all I have to do is accidentally send it some confidential data, then demand that Google puts me in touch with the recipient?

  17. Anonymous Coward
    Stop

    Recall the email - WTF ?

    How the fuck do you recall an email once it's been sent ?

    If I send an email it's immediately sent to my SMTP server which then passes it onto the SMTP server at the destination ISP, end of story.

    It's not like nipping down the post box and asking the guy in the van to give you your letter back when he collects them.

  18. Anonymous Coward
    WTF?

    If some twat sends me unsolicited email

    why the fuck does that suddenly give them the right to demand my identity?

    Tell them to shove it up their incompetent arses.

  19. Anonymous Coward
    Anonymous Coward

    @AC 21:12

    Who gives identifying information to free email services?

    I tried to open an anonymous account just the other day with Gmail and at the end of the sign up process was asked for a mobile number for "verification" purposes, they didn't get it of course, I just used yahoo instead.

    I'm guessing if someone isn't too bright they might fall for this con.

  20. copsewood
    Big Brother

    crooked trick

    Where I used to live the low life used to kick a ball over a fence where they planned to carry out a burglary. By claiming ownership of the ball they were pretending to have rights to access the garden containing the ball with a view to using the opportunity to break into the house from the relative invisibility of the back garden. If caught in the back garden by the property owner they would use recovery of the ball as excuse for trespass.

    It looks as if this bank is attempting this same kind of inherently crooked trick. They want to compromise the privacy of the email account holder so they email some information to this address and then use bullying tactics to assert ownership of all the details needed to identify the email account owner.

    Google are acting entirely correctly to tell them to go away and prove they have the legal right to what they claim and to warn the email account holder about this attempted security compromise.

  21. David 141

    Unsolicited bank email

    If you got unsolicited email that appears to be coming from some bank you'd never heard of, what would you do with it?

    Chances are it's been flagged as spam and deleted long ago.

  22. Anonymous Coward
    Thumb Down

    Martin Gregorie; AC 20:39 -- Google is acting legally, but that is far from being "right"

    @ AC 20:39 #

    By Martin Gregorie Posted Wednesday 23rd September 2009 21:26 GMT

    Anonymous @20:39 posts, "Quarantining the identified email for a temporary period of time (i.e. 30 days), upon the request of the sender, until the court order is received, is a much better solution - to protect thousands of people for the rest of their lives from identity theft."

    Martin Gregorie @21:26 posts, "How does that work then? For a mail to be quarantined... This must apply to *all* mail since the MTA can't know who is likely to screw up. You do realize that you can't quarantine mail after it's been delivered, don't you? So, who do you expect to hold the delayed mail and for how long? Are you seriously suggesting that all e-mail should be delayed for 30 days? Kindly get a clue."

    If Google's search engine is worth its weight in spit, they could find that email (source and destination email addresses), find out if it has not been read/picked up, and isolate a single email (move it) until they receive the court order, or just move it back after a period of time of not receiving a court order. The article mentions a single email - not all emails traveling through the MTA.

    Reading the article, it seems the gmail recipient did not respond to the bank's first or second email. These emails may never have been picked up. The longer Google delays investigation, as the article suggests, the shorter the opportunity to protect every day people becomes. This lends credence to the idea of being able to find/move the single email in question.

    Many people who use Google use it as a web GUI, which means the email is sitting on the server. Many other people who use Google use an IMAP client, where the email is stored primarily on the server. Sure, if the recipient already received the email and was using Google through an ancient POP3 protocol - there might be nothing able to be done.

    Waiting until a court order before starting any cursory investigation is criminal since the effects could be so long lasting and devastating to the lives of so many people.

    Should the bank be held responsible? Sure... but no amount of punishment could compensate for over 1000 people having their identities stolen, filing court papers declaring their identities stolen, carrying a copy of the court order around with them EVERYWHERE, and always being afraid that some day they may be improperly arrested because someone else with their identity may have committed a crime.

    Anyone who has gone through the process of identity theft clearly understands what is at risk - this risk lasts the REST OF THEIR LIVES... no amount of compensation or punishment would ever fix a problem which would last the rest of their lives.

    If someone is to "kindly get a clue" - it should be Google. Immediately find the email, try to move it (until a court order comes in), move it back if no order comes in. GMail is not guaranteed to be timely, it is store-and-forward, the rest of the email would be available, just the one email (which the person was not supposed to receive) would be affected.

  23. Steve Evans

    OMG...

    So someone who can't type an email address accurately is sending commercially sensitive data over an unencrypted communication medium...

    Why on earth was there even a flat-file containing all this information laying about for this employee to accidentally send?!

    I agree with A/C 02:45, Google should quarantine the email whilst waiting for confirmation, but I don't blame them for being careful, I'm sure there are 101 laws in the US about interfering with the postal service which some lawyer or other would love to try to apply to email systems.

  24. Anonymous Coward
    FAIL

    @AC 02:45

    If the data wasn't encrypted, it was too late to do anything the instant the email left the company's servers. You do realise that this confidential information already passed through multiple relays on its way to google's servers? Any of which could have kept a copy.

    The bank should be notifying its customers about a potential data breach every single time they send anything unencrypted through email, regardless of whether it was addressed to the right person or not.

    Your suggestion also gives a great way to stop any email that you don't want getting through. Tell the ISP that it contains confidential information and was sent in error. ISP then holds it in "quarantine" pending your court filing. Which you never file.

  25. Phil A
    FAIL

    & the user is where?

    There's a pretty good chance that the gmail user is outside of US jurisdiction and just ignored threats from the bank (or couldn't understand English?).

  26. Jeff 14
    FAIL

    A bank proves themselves completely incapable of handling personal data

    then requests the personal details of one of Google's customers..

    Even the big nosey isn't going to fall for that one..

    and as for 'quarantining' the e-mail.. follow it through to its natural conclusion; anyone could call claiming to be from anywhere.. asking google to 'quarantine' a particular e-mail.. chaos, panic and hilarity ensues in many zany and whacky scenarios..

  27. Il Midga di Macaroni
    Paris Hilton

    Recalled emails

    For those that don't know, there IS a feature that allows emails to be recalled - but only if it hasn't been read. The fact that recalling was unsuccessful says to me that the recipient DID receive the email - which therefore allows us to assume he/she received the bank's request to delete it. Lack of a response implies non-cooperation. The bank are right to do all they can to protect their clients' personal details (apart from funding the invention of the time machine and not making the blunder in the first place) - but Google are also right to protect their own clients' details.

    And to all the tinfoil hatted Google scaremongers - the same would happen if you use POP and a local mail client. Instead of Google your ISP would be telling the bank to apply for a subpoena. And your ISP has your billing address and credit card number as well as your mobile number. If you want to be safe from identity theft, steal your neighbour's wifi and do everything at about 2400 baud.

    Paris because her daddy's hotels have unstealable wifi (encrypted with your room number!)

  28. Anonymous Coward
    Anonymous Coward

    @AC 24th September 2009 02:45

    I agree with the people requesting you acquire a clue of one sort or another.

    However damaging it may be to the bank (tough shit, their fuck up) or the bank's customers (caveat emptor - time to get another bank) it is not Google's job to police the interweb any more than it is the postal services' job to burgle your house looking for unread letters if someone claims they posted the wrong thing to you by mistake.

    More importantly it would be far more damaging to Google's business if they did start quarantining, deleting or otherwise mucking about with people's personal mail on the say so of any Tom, Dick or Harry.

    IANAL but also this might go some way towards damaging Google's oft used safe harbour type defences (ie that they do not process the data they hold).

    You might not like Google's stance here but you are in the minority.

  29. Bilgepipe

    Real Account?

    I wonder if they are sure it's even a real account? What happens if you send an email to a Gmail account that doesn't exist, do you get a "Can't deliver" server response?

    Google's response to the court order might well be "no-one."

  30. Mickey Porkpies
    Unhappy

    who is the gmail user

    I am not going to tell them,.,,,oops

  31. TeeCee Gold badge

    Re: Recall the email

    Presumably the dumb luser responsible was used to being able to hit the "recall" button in Outlook (or whatever - all the business-quality email clients I've used support it, even those back in the "green screen" days) when they fucked up sending mail to their colleagues.

    No doubt someone's busily pointing out to this berk the difference between internal and external email with the aid of the large clue stick.

  32. Kevin Johnston

    Wrong end of the glass again

    It seems that once again people are not reading the article fully and in depth before commenting.

    The details sent out by the bank were not encrypted because they were not supposed to have been included. Blaming the bank for not encrypting them misses this point.

    Google are, quite rightly, not releasing any information until the bank put themselves on record with the court to define exactly what they have done and why they should have the details of the recipient. Until this is done it is all just 'media mis-representation - your honour'.

    The 1300+ people whose identity is at risk are the customers of the bank, not Google or the unknown email recipient. The bank made the error and the bank carries the responsibility to fix it. The obvious first step is for them to directly contact all these people with a view to changing account numbers/names/passwords etc to make the information they sent out irrelevant.

  33. M7S
    Thumb Up

    Good on Google

    If the bank had posted it using snailmail and not received confirmation that the householder had destroyed them (perhaps they might be away on a trip, or it's a holiday home), you wouldn't expect them to send the boys round with a battering ram to search the house for the paperwork without going to court either.

    If I'd received an email purporting to be from a bank I don't use, perhaps titled something like "confidential customer data" I'd assume it was a scam and delete without reading. I get so many of these I don't recall any in particular, and might treat the follow-ups in the same way. I can see why they are trying to take this action but there shouldn't be any short-cuts.

  34. Anonymous Coward
    Anonymous Coward

    Bit late, really

    Repeat after me, "email is not in any way secure or private". Redundant, of course, if you send it to the wrong person.

  35. Anonymous Coward
    Anonymous Coward

    They should not reveal the owner

    If the court says they SHOULD reveal the owner, then you could de-anonymize anyone by simply sending them a claimed sensitive document 'by-accident'.

    Secrets are only secrets until someone reveals them.

    It serves no purpose for the bank to harass the person they sent the email to and he is under no requirement to respond to their requests.

    But it shows again the importance of privacy doesn't it!

  36. Anonymous Coward
    Paris Hilton

    Not usually a fan of Google

    But I completely support them in this. The Bank doesn't have a leg to stand on. Google has every right to tell them to kindly go fuck themselves.

    WTF is someone sending details like this to a WEB email provider?! That alone would be cause for me to close my account. If any of these details are found on a Russian server being sold on IRC, then the bank is 100% liable, legally and morally NOT Google.

    The employee should be fired at the very least and their boss should also go. The bank should be fined by the SEC for failure to secure the data.

    There should also be an investigation into who was supposed to receive the email. What kind of idiot asks for 1300 odd bank details to their GMAIL address?

    Paris because she knows about things ending up being sold on the internet

  37. nickrw

    @AC 21:37

    It means the bank employee was an outlook user - it has a 'recall' facility for sent messages but it relies on the recipient using outlook too. I believe you just see an email referencing the original message saying "XYZ wants to recall message ABC" if you're using another mail client.

  38. Anonymous Coward
    Stop

    Defunct account?

    What if the GMail account is defunct and the user no longer uses it. He/she will still be identified because they used to have a GMail account and not because they actually knew anything about the bank's email.

  39. SuperTim

    @ Kevin Johnston - errr no?

    While there was a file which shouldn't have been sent at all, the original data request was sent to the wrong email address, thereby causing an issue. I am sure one account isn't seen as a big deal, but legally there is no difference.

    The very fact that they hold files with sensitive financial data in documents which have no encryption is wrong.... hell I bet there isn't even a password on that Excel file!

    This all seems very non-compliant. I am sure there are SOX and ISO 9001 issues with the way bankers send this type of data.

  40. Anonymous Coward
    Anonymous Coward

    Recall

    I am sure the Recall feature only works in Exchange type situations..

    I have just tried it on my Gmail & Hotmail account and can not recall anything.

  41. Anonymous Coward
    Anonymous Coward

    @AC

    AC wrote: "Sure, if the recipient already received the email and was using Google through an ancient POP3 protocol - there might be nothing able to be done."

    Err, depends, they might not have their email client set to copy emails to their local machine and then delete from the server.

  42. Paul 4

    RE:nickrw

    Even Outlook does that.

    Some people are just stupid though. I get several people a month sending me credit card info by email. I keep telling them not to, but they still do. Too lazy to get up and use the fax to send them.

  43. jane 3

    A little learning ...

    @Macaroni

    "For those that don't know, there IS a feature that allows emails to be recalled - but only if it hasn't been read. "

    For those who don't know very much, that only works if your recipient is using Outlook. Try it on my mailer and you will get no joy. You won't be able to tell if I have read the mail either. If the Gmail account was set to forward mail to another account, again, no joy.

  44. Simon B
    Flame

    Give the bank a Darwin!

    ... so the bank contacted Google to determine what could be done to ensure that the confidential info remained confidential.

    Google's response should be don't fking send confidential data in plain format, or even allow such massive amounts of confidential data to be written to a file!!! How DUMB is this bank? For ONCE I'm shaking Google's hand. NICE ONE!!!

    I think the bank deserve a Darwin for that!

  45. Anonymous Coward
    Anonymous Coward

    Spot the IT support servitors

    Who gives a fuck if you can recall an email or not. There's a more important issue at the centre of all this.

  46. Anonymous Coward
    Anonymous Coward

    Why o why is the employee still there?

    Why is there an employee in a bank who is dumb enough to send an email to someone containing ANY data about a client, just because someone on the phone tells them to?

    My bank won't send anything by email even if I ask them to after confirming my identity and details because they understand that email is not secure.

    This guy (or girl) should be fired.

  47. Anonymous Coward
    Anonymous Coward

    Don't know about you, but when I get a recall request

    the first thing I do is read the email to see what they sent by mistake!

    A couple of years ago, my company attempted to secretly stitch up a pay deal. Then one of the directors' PAs accidentally copied a mail to everybody in the office, instead of to the office manager. The desperate attempt to recall it was of course futile and we were able to stop their attempted shenanigans.

    If it had been sent to me, I'd have read it, on the basis that it was addressed to me. After all, if you send me a letter, the contents become my property, not yours. I can't see how this is any different.

  48. Gordon is not a Moron
    Black Helicopters

    So...

    do I do the moral thing and just delete the e-mail or should I wait until the bank offers me money to return the data?

    Anonymous because.... oh bugger!

  49. Anonymous Coward
    Anonymous Coward

    Charge them for your time

    If they send an email by accident and want it deleting then explain that the only secure way to remove all trace is to completely flatten / secure wipe / reinstall all your PCs/Servers etc.

    Let's just call it 20,000GBP and send them an invoice.

  50. Chris Shaw

    April Fools?

    Surely this is all bullshit, because any bank that sends unencrypted sensitive data via email should be heavily fined by the regulators.

    I really hope the people who actually think the "recall" feature in Exchange (ONLY) is actually any use in this scenario, aren't working in IT, because that kind of stupidity we really could do without.

  51. kain preacher
    Flame

    million dollar question

    What is the bank going to do once they get the details? Demand that he or she formats their HD?? Take the computer?

    @ac 02:45 GMT

    "Waiting until a court order before starting any cursory investigation is criminal since the effects could be so long lasting and devastating to the lives of so many people.."

    Um so privacy laws mean nothing to you..

    If the police suspect you have kidnapped someone they still need to go to court to get a court order to search your house.

  52. WelshTom
    WTF?

    Unencrypted communication

    Why are the banks sending confidential information using unencrypted means of communication?

  53. Dick
    Joke

    I just received an email

    Respected Sir or Madam

    May I crave your indulgence to open this business discussion through e-mail.

    I am Mr.F. Williams Jones, and my uncle Mr. E. Williams Jones has recently passed away here in Nigeria after a long a fruitfull time on this earth. Although deeply saddened by his death the the family has been blessed to discover that he had $50M in 1,300 sudonymous accounts at the Creaky Mountain Bank in The United States of America in the great state of Colorado.

    The family deperately needs this money to continue our plianthorpic work improving the standard of living of the Nigerian people. Howvere due to the excessive regulation and corruption here in Nigeria we would lose much of this money if we approache the govement to bring it to us.

    So we are seeking partners to help us, we will reemburse you well for you gracious help. We would provide you the creedentials for one or moor (your choice) accounts, all we need you to do is empty the account and forward 50% of the balance by Western Union to acc 9776r418545y Lagos Nigeria.

    Esteamed Sir or Madam, we hope for a positive reaction from you

    Rispectfully

    F. William Jones

  54. Anonymous Coward
    Boffin

    Take care bank serfs

    To those who believe that recalling email is a feature of Outlook, strictly it is a feature of Microsoft Exchange Server 2000 or later. The recipient must also be using an Exchange Server account (on the same server it seems). You cannot recall a message sent to someone’s ISP POP3 account, or for that matter a Gmail account, even if you’re using Outlook (though there have certainly been times when I have wished I could).

    If the recipient of a recall email is not using Outlook, but is using, say, the Gmail web interface, he will see only the header with an attached winmail.dat file. If the user receives the mail via the Internet, even if he is using Outlook and even if it is unopened, it cannot be recalled. The Message Recall email is however likely to draw attention to the offending email.

    It is also possible to recall messages if you are using IBM Lotus Notes and Domino V8, where apparently the ability to recall mail was ‘one of the most requested features’ until it was introduced (I bet it was, particularly amongst users in banks). Message Recall works only on mail that is routed over NRPC. This means that neither mail routed to the Internet nor internal mail routed over SMTP can be successfully recalled.

    I hope that’s clear. The gory details are at http://office.microsoft.com/en-us/outlook/HA010917601033.aspx and http://www.ibm.com/developerworks/lotus/library/notes8-recall/

  55. IT Dog's Boy
    FAIL

    Wow

    So I can sue because I made a mistake? Really?

    So the next time I get pulled over I'm going to sue the highway patrol because I "unintentionally exceeded the speed limit" I tried to unspeed but the delorean was in the shop and it didn't work.

    Note to self, never use this bank they are on par with facebook in the data security department.

  56. Anonymous Coward
    Anonymous Coward

    @Lee: 07:44 GMT

    Lee Posted Thursday 24th September 2009 07:44 GMT, "However damaging it may be to the bank (tough shit, their fuck up) or the bank's customers (caveat emptor - time to get another bank) it is not Google's job to police the interweb any more than it is the postal services' job to burgle your house looking for unread letters if someone claims they posted the wrong thing to you by mistake."

    I don't think anyone has defended the bank - just over 1000 families who have had their privacy compromised via a mistake.

    It is not Google's job to police the internet, no - but if they receive an email from a large institution as to whether an email went out by mistake, which could cause problems for the rest of those families' lives - trying to locate and temporarily stowing the email until a court order is received is very reasonable.

    "More importantly it would be far more damaging to Google's business if they did start quarantining, deleting or otherwise mucking about with people's personal mail on the say so of any Tom, Dick or Harry."

    The email is a communication between 2 people. The person sending the email is requesting something to be done with the email that they sent - this person has as much say so as the recipient.

    I did not advocate giving up the privacy information, merely suggesting that if the person who originated the email, who is at least half the email owner, indicates that an illegal action has happened, Google should use due diligence to stop the possible action when notified, and follow through with whatever is necessary once the court order is received.

    Anything less is irresponsible. If it were your information, you would be very upset.

  57. Anonymous Coward
    Thumb Down

    @Kevin Johnston: Wrong end of the glass again

    Kevin Johnston Posted Thursday 24th September 2009 08:28 GMT, "The bank made the error and the bank carries the responsibility to fix it. The obvious first step is for them to directly contact all these people with a view to changing account numbers/names/passwords etc to make the information they sent out irrelevant."

    It is not a simple process to: change your address, change your social security number, change your birth date, change your birth location, change your educational history, change your job history, etc.

    When something like this happens, a bank can not erase your identity.

    The first thing to do is to try to get the email stopped, to limit the immediate damage. The second step is to make the contact to all the people, to protect against future damage.

  58. Anonymous Coward
    IT Angle

    @AC: 2039GMT ; @AC: 07:13 GMT

    AC @20:39 GMT, "Quarantining the identified email for a temporary period of time (i.e. 30 days), upon the request of the sender, until the court order is received"

    AC @ 07:13 GMT, "Your suggestion also gives a great way to stop any email that you don't want getting through. Tell the ISP that it contains confidential information and was sent"

    Ummm, no.

    If it was the sender making the request, and the quarantine was for a set period of time (i.e. x days), as the original AC suggested - then abuse according to your concern would not be a problem.

    Why should a sender not be able to request an email to be stopped, at any time, if it is technically possible to do so?

    Here is a question that I have: If the email was not received by the recipient, then would the sender still own it?

    (I bet banks will be banning gmail real soon from their email systems!)

  59. Anonymous Coward
    FAIL

    kain preacher - million dollar question

    article

    "Google, of course, is right to wait for a court order."

    @ac 02:45 GMT

    "Waiting until a court order before starting any cursory investigation is criminal since the effects could be so long lasting and devastating to the lives of so many people.."

    @kain preacher 13:34 GMT

    "Um so privacy laws many nothing to you.. If the police suspect you have kid napped some they still need to go to court to get a court order to search your house."

    um, the sender of the email is requesting the action... no privacy involved, if the concern in the letter, since the sender knows the content of the email.

    it is more like: the parent (sender) watched their child (email) get placed into the wrong taxi, parent yells to the taxi cab driver to stop because their child is inside going to the wrong destination, the taxi cab driver decides to wait for a court order before stopping the taxi, and the taxi cab driver delivers the child to some undisclosed location only the taxi cab driver knows.

    The taxi cab driver (Google) not stopping or returning the girl to the parents (sender) when requested instead of sending the child (email) to an unknown location is more like your analogy of kidnapping.

    Nowhere did AC indicate that Google should violate any privacy of the recipient, but explicitly indicated that they should wait for the court order before doing anything like that.

  60. Anonymous Coward
    Big Brother

    simpler solution

    Wouldn't it have been simpler to have emailed the account holder directly. And who in their right mind trusts personal information to the cloud ?

  61. Anonymous Coward
    Unhappy

    simpler solution tried

    AC@13:30 - Wouldn't it have been simpler to have emailed the account holder directly. And who in their right mind trusts personal information to the cloud ?

    This was already tried, according to the article.

    Obviously, the bank screwed up - citizens should not be paying the price for someone else's mistake for the rest of their lives.

    Providers should help protect others when mistakes are brought to their attention, when possible steps do not violate the law.

  62. David 141
    WTF?

    Google = dog?

    There appears to be no legal basis (except for some rather far-fetched appeals to common law) to the bank's complaint, but Google probably couldn't care less.

    http://www.digitalmedialawyerblog.com/2009/09/rocky_mountain_bank_v_google_w_1.html

    "What is striking is that nowhere in its motion papers did the Bank cite any legal basis, such as a statute or case, that would empower the Court to order Google to disable the Gmail account ..."

    Frankly I think that the case should have been thrown out because the bank failed to specify any actual harm or damages.

  63. Anonymous Coward
    Boffin

    webmaster

    I get lots of this bank crap every day "Your account has been compromised, etc" please click on this Russian/China/Nigerian link to get yourself hacked. Delete or ignore it.

    If Rocky Mountain National Bank of idiots were to send me a file it would be treated the same way.

    Also what about forwarding the files? I have a new personal email server and forward all my various email accounts to it. (20+ Yahoo and 5+gmail accounts, + others).
