Fuck encrypting the email itself -- it should only contain a link to an https site that the intended recipient has credentials to log into (preferably with multi-factor auth). This is what real, grownup banks do!
My understanding is they were breaking regulation by not. The company I work for does customer opinion surveys. We occasionally do some for a large national bank. When we send data, of any form to the bank we are required to encrypt the email before we send it. This is just for something like random customer surveys not even at the level of actual account data.
"Hi, you received an email from us yesterday with confidential information. Please contact us immediately and destroy the file. It's the email with the subject 'Re: Do we have a way to back up our data?'"
There's absolutely no reason for it to have been done. That type of information should only be available to pre-approved, secured email addresses. And that certainly should be a company.com address, not gmail.com.
The only plausible "excuse" would be that an employee decided to take a shortcut thinking that no harm would be done (and no one would know) and had a "oh f*ck!" realization when it went to the wrong address (and don't they wish they were using GMail with Undo!). This is still unacceptable. If it was a common and accepted practice, it's inexcusable.
What the fuck was a bank doing sending the confidential information of thousands to a GMail account in the first place?
Maybe the employees were so irritated with Microsoft outlook they have been using Gmail instead. But seriously if I were a member of that bank I would be withdrawing my money right away. If there security procedures are so lax that they send a confidential email such as that through Gmail then they aren't responsible enough to hold anyone's money.
Don't count on a bank handling data security well.
Here's a story for ya', I won't use the bank's real name, but it rhymes with HSBC.
Anyway, a while back, I was logging into my online banking and the password no longer worked. So I called tech support to see what's up. They said, oh yeah, your password can't be more than 8 characters now. If it was more than that previously, it got truncated [not sure they actually used that word], so try the first 8 characters. So what does this tell you about the way they were/are storing my password?
+1 for frisco (hopefully most of us) that understands the basics of a one-way hash!! The more precise answer is they at least were storing password in plaintext.
It could be that the bank was hashing the passwords all along, but just truncating the user's input before hashing it and comparing it to the saved value. Not that I think this is what happened, but I'm just saying it could be.
If they did that, his old password would still work. His use of "no longer" implies that the password used to work before the policy change.
Unless at some point they started rejecting long passwords just for being long, without checking them against the database. And this is just not plausible.
From their point of view, if someone can read the database on their mainframe, that's already doomsday. They put all their security outside that perimeter, but no further layers like encrypting table columns inside.
They store passwords the same way they've always stored PIN codes (where encrypting would be pointless): there's a ALPHA(8) field right next to the NUMERIC(4) field for your PIN. Those design decisions are from an era where adding an extra VARCHAR(64) to store a MD5 password times 100 million accounts cost real money. It was probably the right decision.
Rather than sneer at the older generation, try to see the constraints they worked within. It opens your mind to imagine what "right decisions" now will seem silly to later generations. Non-GC languages with threads kludged in? Program syntax limited to ASCII? Silicon? IPv4 & NATs?
Online banking system have not been around that long. I do understand banking systems (the legacy stuff) and online banking (the newer front end stuff) particularly well as I built some of them. When I say built, I mean the company I founded wrote the code and I was the lead architect for what was used in many online banking systems.
Access to your accounts online should entail a system just for online access which is separate from and has a tightly controlled internal interface to the legacy bank system. I realize some banks may not have done it this way.
I spent my early career integrating with and sometimes replacing legacy mainframe systems. I have much respect for the old constraints programmers had. If a bank gets their online access wrong for anything written in the last 10 to 15 years its probably due to a decision to not architect the solution properly rather then a programmer being ignorant.
Does Google have any incentive to fight this? I find myself wishing that they would just reply with "No, that is ridiculous."
Why, WHY?, would someone be held legally responsible for not replying to an email!? That is the most ridiculous and stupid thing I've ever heard in my life. The bank messed up, we all mess up, but isn't it within his legal right to publicly distribute that list if he wanted?
Obviously he didn't, but it's not his problem that they sent it to him!
Frustrating. Maybe I should move my email to my own servers.
Err.. Offtopic: I can't see how many points the parent comment has. That's weird. I see the uparrow, followed by "by mikeyur 8 hours ago", but the "N points" part is missing.
Perhaps, but unless he signed an NDA or something it's actually pretty hard for the bank. US copyright law gives an implicit license to the recipient - and data cannot be copyrighted so reformatting would actually make that difficult. All, of course, modulo the bank's success in making it expense enough to get their way without a decisive legal position.
Once he received the email from the bank about the mistake he would be in definite hot water if he distributed the list. I believe even if he hadn't recieved the email from the bank he would still be in trouble if he distributed it but I'm less certain of that. IANAL of course so take this with a grain of salt.
There are many things wrong with this order, but the most obvious ones are:
1. Both the emails could be in the spam folder of an account which the user is heavily dependent on.
2. In the future, to deactivate somebody's account just send a sensitive mail to that account.
My question is what does deactivating the e-mail account accomplish? If I received that e-mail and I intended to sell it or use it for my own malicious purposes, I would have saved the data off somewhere by now. Deactivating the e-mail account doesn't seem to accomplish anything.
It prevents the user from selling off the data if this is an infrequently checked account (i.e. the user has not had a chance to even make the decision to sell the info).
Then why didn't the court just authorize google to delete that particular attachment? It's on their servers after all. Google can also see whether the attatchment has been downloaded. There's absolutely no reason why the account should be suspened.
Maybe a 'real world' example is in order. If the bank accidentally mailed confidential information to a random person's PO Box, then sent a mail to that person's PO Box requesting that they return the package... it would be a similar scenario. The package was sent to the wrong place and the bank is obscured from knowing the identity of the real person behind that address.
This judge's ruling is akin to allowing the bank to force the Postal Service to remove that person's PO Box account and burn all the mail inside of it in an attempt to destroy the confidential information. This is wrong on so many levels it's not funny.
1) The bank has no confirmation that the confidential information has has not been already removed from the PO Box.
2) The bank is destroying all of that person's other mail and preventing future mail from reaching that person in an attempt to correct their mistake (which is only related to a single piece of mail).
If the judge wanted to allow them access to the PO Box to remove the mail, then so be it. The current ruling makes no sense. As alex_c said, someone making important decisions about a matter (technology or otherwise) CANNOT use ignorance as an excuse. Some person that's never used a computer can be as technologically ignorant as they like, but someone that holds a position of responsibility is a different issue.
Hopefully "deactivate" simply means preventing the owner of the account from logging in. It is possible to deactivate an email account while storing incoming email and preserving the contents of that person's account - just in a way inaccessible to them. That way, it could simply be temporary - especially if appealed.
It's an absolutely terrible decision, but I think (hope?) it will be more akin to them changing the lock on your PO Box and not allowing you to access its contents until the situation is cleared up. Clearly not an acceptable decision, but it's better than permanently losing everything and can be appealed by the account's holder.
Plus, if the deactivation was a destruction of the person's data, that would put the bank at huge liability I would have to think. People have important emails and I don't think any jury would side with the bank. Imagine presenting that case to a jury. "The bank screwed up and to cover their ass, they destroyed all my email - all my personal and professional communications; important documents. . ."
Google isn't the postal service and has no contractual obligations to its email users. The judge might well think anyone who allows his livelihood to depend on a freebie that Google can withdraw any time it wants is an 'idiot'. Who could blame him?
The only other way that a person can get email on the internet is through a hosting/colo/vps service. Hosting services are notoriously quick to just turn over information at the sign of any trouble. If this user's email was hosted on a hosting service that he/she had paid for, chances are that his/her information would have been handed over to the bank as soon as the words 'lawyer' and/or 'court' were mentioned.
It's funny then that Google -- with their free service -- has shown more compassion for this user's privacy rights than a paid service would have. (Note that I realize this 'compassion' is out of need to protect a brand, yadda yadda yadda)
And in any case, since Google has no 'contractual obligations' to its email users, do you think that it would be right and proper for the judge to order Google to shut down all free gmail addresses in the hopes that it would prevent problems for this bank? Afterall, it's a free service right? All of those users are idiots, right?
Just as a datapoint, my wife once received a comprehensive account history including balance, full social security and PIN. Very scary to have all that information in one document, imagine if it had been my wife's information instead of some random Korean national whose address bore no similarity to hers!
We took the document to the bank of course, they promised to "fix" her address, entirely unconcerned at the fact that they had just mailed out random personal information to a different customer. We're no longer with that bank.
I think people on this board especially understand that something as simple as an email account can directly affect our means of making a living and can have very serious consequences, therefore we understand that a blanket deactivation could be the equivalent of "to help me fix my mistake, you must lose your job."
To non-geeks loosing an email account isn't as big of a deal, so it's easy to see why a judge would not realize the significance.
I wonder if anyone has heard anything at all from the holder of the Gmail account? I mean it could very well be that the emails just ended up in spam, but I think it more likely that the email account simply isn't used anyway.
That said it is obvious that no one wants their email account to be terminated, especially not those who use it for business, and if the court has that power to simply deactivate someone's account then something is very wrong with our judicial system.
I know many non-geeks who would consider losing their email account a big deal and would be upset. More than just geeks rely on their online identities to talk and work.
The problem is more general, that the current set of lawyers, policy makers and the like just aren't familiar with anything digital. Given 20 years, when the current law students/other 20-somethings, who have grown up with the Internet, iPhones and a constant connectivity to anyone you want, start getting into policy creating offices and sitting as judges, I expect to see many changes to the way issues like this are handled.
While the bank obviously made a monumental screw up, Google's initial response to the bank is at least in part to blame. Regardless of the privacy rights of the person who's Gmail account it is, there obviously should be an interest in protecting the confidential information of the 1,300 customers.
Google could have responded by helping the bank recover and delete the file, as well as sending an unmissable notification to the Gmail user.
This would set a pretty nasty precedent in which Google would be helping companies delete files from individuals email accounts without their knowledge.
Wouldn't that be the definition of what we'd call Evil?
I think they did the correct and ethical thing by following their privacy policy.
An 'unmissable' notification from Google wouldn't be anymore unmissable than the request email sent by the bank. Which is why the bank wanted Google to disclose the identity of the user. If Google deleted a users emails and disclosed their identity to a third party then Google would be in breach of their own privacy policy. They would be exposing themselves to litigation, hence the requirement for a court order.
Except that it could have ended up, possibly along with the original email, in a never read spam folder. Google has more direct means of reaching an account holder.
Apparently, the judge who ordered this doesn't have very good judgement:
"In 1998, Judge Ware was reprimanded by the Judicial Council of the Northern District Court of California for fabricating the story of being the brother of Virgil Ware[5], a 13 year old black boy shot by teenage racists in Alabama in 1963 on the same day as the 16th Street Baptist Church bombing. According to a story Judge Ware had told many audiences, he was riding his bike with his brother Virgil on the handlebars when Virgil was shot and killed by white racists.[6] The incident was a real one, however it happened to a different James Ware,"
And sometimes move for an appellate court order staying the order of the trial court, if the trial court's order would have an irreversible bad effect.
It seems to me that the person to appeal would be the holder of the Gmail account. If no one hears from him, which is likely (The Gmail account is probably abandoned), then nothing will happen.
I just hope that this doesn't set a precedent in future cases.
I would hope that Google would see it in their interests to appeal. Considering the judge's history, odds are an appeal would go through pretty well and Google gets to keep its reputation in tact for a relatively low cost.
There are other methods to help out the bank without setting this precedent.
If you fuck up and are re-elected, that's one thing. If you fuck up but have a lifetime appointment, well, I can't see the benefit to the people he represents to keep him on the bench.
There should be some way to fight this. It is not acceptable for some one send you a wrongly addressed email and then make court deactivate your email account. I wonder how could a Judge rule this way?
Imagine the consequence if it was sent via an old-fashioned method: snail mail or fax. Clearly the remedy would not be to destroy the home, office or deactivate the phone line of the receiver. It's an extremely poor understanding of technology but sadly, not at all surprising.
I don't understand why the order is to deactivate the account, and not just recover/delete the email and maybe release the identity of the account owner?
1. If I "accidentally" send an email to the bank I could get the court to kick the bank off the interwebs.
2. If I send a sensitive snail mail "accidentally" to the bank, can I get the court to lock down the bank's premises and order a search for my mail (and any copies of it)?
2. If I send a sensitive snail mail "accidentally" to the bank, can I get the court to lock down the bank's premises and order a search for my mail (and any copies of it)?
That is a good point if we assume that physical mail is the same as internet mail and if we assume that an email account is a location just like a physical location.
Rather single minded response, I'm not sure what you are asking. To spell it out, asking who is paying his salary is to ask a number of questions (I think you've immediately assumed conspiracy):
- If it is the people/government are they getting their money's worth?
- If he's taking backhanders is it corruption?
- If it's neither of these what is the motivation for this sort of justice?
Perhaps I don't understand the make-up of the federal government in the US but it's presumably has to answer to the citizens.
How do they know he didn't already download a copy and keep it? (not that I think they ought to pursue that, I just think that if the bank is worried about their security - they screwed themselves over long ago!)
Does anyone know what sort of precedent is set for the rights someone has who unintentionally receives confidential information? I think that it would apply directly here.
I wonder.. the easy reaction to this is "Don't use a third party for your e-mail" which is easy enough if you're a geek, but then if you have your own server/domain, could you end up with a court order taking your server or domain off the air under similar circumstances?
I imagine that if you didn't reply to requests in that instance they would just go to your hosting provider. If you were your own hosting provider, then they would just take your to court, and if you didn't show up then the ruling would be in the bank's favor.
The bank was completely out of line to request this. What they should have done was to insure every single person on that list against identity theft for the rest of their lives. Then, if a significant number of them did have their identities stolen, request the identity of the gmail user; only then would their be evidence of wrongdoing on the part of the gmail address owner.
Reasoning for de-activing the account: gmail account holder has not replied to follow up emails from the bank to destroy email and sensitive content. Therefore it is possible that the account is dormant and/or infrequently used. If that is the case, deactivation insures that the sensitive data is protected if the user happens to at this late date access their gmail account and lo and behold, surprise email from idiot bank. (This also applies if sensitive data is in the spam folder.)
Reasoning for disclosing identity: gmail account is active and frequently accessed, but the user (for whatever reason) has decided not to respond to the idiot bank. This raises the possibility that s/he has malicious intent of misusing the idiot bank's customers' information. Therefore lets find out who this person is in case the idiot bank's customers' information happens to show up elsewhere on the internet.
Dude the guy/gal does not have to respond to any email unless he wants to. This is not a conversation. It was a request to communicate, and s/he can decide to remain silent.
> Dude the guy/gal does not have to respond to any email unless he wants to.
Obviously. (There is nothing in the earlier comment that in any way addresses the recipient's rights.)
Equally obvious is the fact that the bank in question certainly has to take every possible measure to limit the impact of their stupid mistake. Its possible (ianal) that they even have a legal obligation to do so.
If I were the owner of the gmail account in question, and I were planning to sell or otherwise misuse the bank's customers' information, I would certainly reply to the bank and claim to have deleted the file. In fact, I would actually delete the email, but I'd have already transferred the data to some very heavily encrypted storage elsewhere(deniable encryption, of course).
Google most likely doesn't that care much; it's not their email account being terminated. They go through the proforma requirement that a judge sign off on or require whatever, then stick it to their customer since it's no longer their fault.
Wouldn't it be funny if this person had a desktop client auto-fetching their e-mail via POP3, and released the data just to spite the judge & bank afterwards?
I will be happy to hear which was this bank so that I put my money of there if I have account. I wouldn't like my money support an institution with such poor practices and with such disrespect for people's privacy.
104 comments
[ 2.9 ms ] story [ 173 ms ] threadWhat the fuck was a bank doing sending the confidential information of thousands to a GMail account in the first place?
The point is that there is an organisation. And some people are responsible for security.
And yes, it will cost.
The only plausible "excuse" would be that an employee decided to take a shortcut thinking that no harm would be done (and no one would know) and had a "oh f*ck!" realization when it went to the wrong address (and don't they wish they were using GMail with Undo!). This is still unacceptable. If it was a common and accepted practice, it's inexcusable.
Maybe the employees were so irritated with Microsoft outlook they have been using Gmail instead. But seriously if I were a member of that bank I would be withdrawing my money right away. If there security procedures are so lax that they send a confidential email such as that through Gmail then they aren't responsible enough to hold anyone's money.
Here's a story for ya', I won't use the bank's real name, but it rhymes with HSBC.
Anyway, a while back, I was logging into my online banking and the password no longer worked. So I called tech support to see what's up. They said, oh yeah, your password can't be more than 8 characters now. If it was more than that previously, it got truncated [not sure they actually used that word], so try the first 8 characters. So what does this tell you about the way they were/are storing my password?
123456 -> hash code 1
123 -> hash code 2 (which doesn't exist in their db)
Unless at some point they started rejecting long passwords just for being long, without checking them against the database. And this is just not plausible.
They store passwords the same way they've always stored PIN codes (where encrypting would be pointless): there's a ALPHA(8) field right next to the NUMERIC(4) field for your PIN. Those design decisions are from an era where adding an extra VARCHAR(64) to store a MD5 password times 100 million accounts cost real money. It was probably the right decision.
Rather than sneer at the older generation, try to see the constraints they worked within. It opens your mind to imagine what "right decisions" now will seem silly to later generations. Non-GC languages with threads kludged in? Program syntax limited to ASCII? Silicon? IPv4 & NATs?
Access to your accounts online should entail a system just for online access which is separate from and has a tightly controlled internal interface to the legacy bank system. I realize some banks may not have done it this way.
I spent my early career integrating with and sometimes replacing legacy mainframe systems. I have much respect for the old constraints programmers had. If a bank gets their online access wrong for anything written in the last 10 to 15 years its probably due to a decision to not architect the solution properly rather then a programmer being ignorant.
Why, WHY?, would someone be held legally responsible for not replying to an email!? That is the most ridiculous and stupid thing I've ever heard in my life. The bank messed up, we all mess up, but isn't it within his legal right to publicly distribute that list if he wanted?
Obviously he didn't, but it's not his problem that they sent it to him!
Frustrating. Maybe I should move my email to my own servers.
Not that I agree with the ruling.
This judge's ruling is akin to allowing the bank to force the Postal Service to remove that person's PO Box account and burn all the mail inside of it in an attempt to destroy the confidential information. This is wrong on so many levels it's not funny.
1) The bank has no confirmation that the confidential information has has not been already removed from the PO Box.
2) The bank is destroying all of that person's other mail and preventing future mail from reaching that person in an attempt to correct their mistake (which is only related to a single piece of mail).
If the judge wanted to allow them access to the PO Box to remove the mail, then so be it. The current ruling makes no sense. As alex_c said, someone making important decisions about a matter (technology or otherwise) CANNOT use ignorance as an excuse. Some person that's never used a computer can be as technologically ignorant as they like, but someone that holds a position of responsibility is a different issue.
It's an absolutely terrible decision, but I think (hope?) it will be more akin to them changing the lock on your PO Box and not allowing you to access its contents until the situation is cleared up. Clearly not an acceptable decision, but it's better than permanently losing everything and can be appealed by the account's holder.
Plus, if the deactivation was a destruction of the person's data, that would put the bank at huge liability I would have to think. People have important emails and I don't think any jury would side with the bank. Imagine presenting that case to a jury. "The bank screwed up and to cover their ass, they destroyed all my email - all my personal and professional communications; important documents. . ."
It's funny then that Google -- with their free service -- has shown more compassion for this user's privacy rights than a paid service would have. (Note that I realize this 'compassion' is out of need to protect a brand, yadda yadda yadda)
And in any case, since Google has no 'contractual obligations' to its email users, do you think that it would be right and proper for the judge to order Google to shut down all free gmail addresses in the hopes that it would prevent problems for this bank? Afterall, it's a free service right? All of those users are idiots, right?
We took the document to the bank of course, they promised to "fix" her address, entirely unconcerned at the fact that they had just mailed out random personal information to a different customer. We're no longer with that bank.
To non-geeks loosing an email account isn't as big of a deal, so it's easy to see why a judge would not realize the significance.
That said it is obvious that no one wants their email account to be terminated, especially not those who use it for business, and if the court has that power to simply deactivate someone's account then something is very wrong with our judicial system.
Google could have responded by helping the bank recover and delete the file, as well as sending an unmissable notification to the Gmail user.
Wouldn't that be the definition of what we'd call Evil?
I think they did the correct and ethical thing by following their privacy policy.
Google did the right thing by showing the bank what it means to stick to a privacy policy.
"In 1998, Judge Ware was reprimanded by the Judicial Council of the Northern District Court of California for fabricating the story of being the brother of Virgil Ware[5], a 13 year old black boy shot by teenage racists in Alabama in 1963 on the same day as the 16th Street Baptist Church bombing. According to a story Judge Ware had told many audiences, he was riding his bike with his brother Virgil on the handlebars when Virgil was shot and killed by white racists.[6] The incident was a real one, however it happened to a different James Ware,"
http://en.wikipedia.org/wiki/James_Ware_%28judge%29
I just hope that this doesn't set a precedent in future cases.
I would hope that Google would see it in their interests to appeal. Considering the judge's history, odds are an appeal would go through pretty well and Google gets to keep its reputation in tact for a relatively low cost.
There are other methods to help out the bank without setting this precedent.
http://en.wikipedia.org/wiki/James_Ware_(judge)#Noted_ruling...
Judges are supposed to be beyond doubt, if a judge has done something like that their career should be over.
If you fuck up and are re-elected, that's one thing. If you fuck up but have a lifetime appointment, well, I can't see the benefit to the people he represents to keep him on the bench.
1. If I "accidentally" send an email to the bank I could get the court to kick the bank off the interwebs.
2. If I send a sensitive snail mail "accidentally" to the bank, can I get the court to lock down the bank's premises and order a search for my mail (and any copies of it)?
That is a good point if we assume that physical mail is the same as internet mail and if we assume that an email account is a location just like a physical location.
If I go buy 12 trillion dollars worth of ice cream and it melts, the government will pay me to do it again.
This time I will try and find a freezer, I promise!
- If it is the people/government are they getting their money's worth?
- If he's taking backhanders is it corruption?
- If it's neither of these what is the motivation for this sort of justice?
Perhaps I don't understand the make-up of the federal government in the US but it's presumably has to answer to the citizens.
At some point, you would have to respond to them.
Reasoning for de-activing the account: gmail account holder has not replied to follow up emails from the bank to destroy email and sensitive content. Therefore it is possible that the account is dormant and/or infrequently used. If that is the case, deactivation insures that the sensitive data is protected if the user happens to at this late date access their gmail account and lo and behold, surprise email from idiot bank. (This also applies if sensitive data is in the spam folder.)
Reasoning for disclosing identity: gmail account is active and frequently accessed, but the user (for whatever reason) has decided not to respond to the idiot bank. This raises the possibility that s/he has malicious intent of misusing the idiot bank's customers' information. Therefore lets find out who this person is in case the idiot bank's customers' information happens to show up elsewhere on the internet.
Obviously. (There is nothing in the earlier comment that in any way addresses the recipient's rights.)
Equally obvious is the fact that the bank in question certainly has to take every possible measure to limit the impact of their stupid mistake. Its possible (ianal) that they even have a legal obligation to do so.
Would we have even heard about this?