Slashdot Mirror


Japanese Gov't Accidentally Shares Internal Email Over Google Groups

itwbennett writes "An official at Japan's Ministry of the Environment created a Google Group to share email and documents related to Japan's negotiations during a meeting held in Geneva in January, but used the default privacy settings, which left the exchanges wide open. According to Japan's Yomiuri Shimbun newspaper, over 6,000 items, including private contact information of government officials, were publicly accessible. Michihiru Oi, a ministry official, said the ministry has its own system for creating groups and sharing documents, but it doesn't always function well outside of Japan, sometimes leading to 'poor connections' and a 'bad working environment.'"

25 comments

  1. The cloud. by Anonymous Coward · · Score: 0

    Default allow.

    It's as secure as the desktop ca. 1995.

    If you still take humanity seriously, it's only because you're dull.

  2. They should always operate this way by ebno-10db · · Score: 5, Insightful

    This mistake should be the standard way of working for all governments.

    1. Re:They should always operate this way by Frontier Owner · · Score: 2

      Should, but the officials' personal contact details, perhaps not.

    2. Re:They should always operate this way by Anonymous Coward · · Score: 1

      Personal contact details shouldn't be publicized, but their official government contact details certainly should. And they shouldn't be using their personal accounts to conduct government business.

    3. Re:They should always operate this way by ShanghaiBill · · Score: 1

      Personal contact details shouldn't be publicized, but their official government contact details certainly should.

      A senior member of the government is going to receive thousands of emails every day from citizens, maybe a few dozen from staffers, and a few from family or friends. Those should be three different addresses.

      Are you seriously suggesting that the number for the phone on Obama's desk in the Oval Office should be public information?

      And they shouldn't be using their personal accounts to conduct government business.

      A work email address is private information, but it is not a "personal account".

    4. Re:They should always operate this way by Anonymous Coward · · Score: 0

      I suppose this is what they mean by security through obscurity.

    5. Re:They should always operate this way by davester666 · · Score: 1

      Tell that to Sarah Palin.

      --
      Sleep your way to a whiter smile...date a dentist!

  3. Security backfire? by Urban Garlic · · Score: 3, Insightful

    So the article and summary hint at a common problem -- "the ministry has its own system for ... sharing documents", which "doesn't always function well outside of Japan". I've seen this in more than one enterprise, where the IT guys meet the need of users to securely move data around by buying or building a secure solution, and they pay very careful attention to the security, but less attention to the usability. Users will go for ease-of-use every time, and aren't thinking about security, so mistakes like this happen.

    The obvious solution is to make the secure system easy to use, but usability itself is hard to get right; secure usability is very hard.

    --
    2*3*3*3*3*11*251

    1. Re:Security backfire? by Rich0 · · Score: 1

      Sounds like my company's smartphone policies. They whitelist specific models, and generally turn all of them down (well, unless their names start with an "i"). So, the 90% of company employees who aren't covered end up forwarding mail/calendars/etc to completely insecure outside services, where they're synced to their phones.

      I guess the company gets plausible deniability out of the deal, but that's about it. The employees get a sub-standard experience compared to just being allowed to directly sync, and the company's data gets mirrored who-knows-where.

  4. Too Easy by Anonymous Coward · · Score: 2, Funny

    Come on guys. You can't make it too easy for the NSA or they'll suspect a honey pot.

  5. Oh Japan.. by paysonwelch · · Score: 2, Insightful

    The scary thing is that they were using Google, a private US company, to share private international secrets. This is just sloppy in my opinion. I mean... come on, how seriously are they trying to protect this sensitive information if they are uploading it to third-party servers which probably never delete data and just deep freeze it?

    1. Re:Oh Japan.. by KingMotley · · Score: 1

      How exactly is Google a private US company?

    2. Re:Oh Japan.. by KingMotley · · Score: 1

      Google is actually a publicly traded international company with headquarters in the US. Is it that the headquarters is in the US that bothers you? Or that the CEO is from the US? What makes either of those things more suspect than if Google was run by a German national with headquarters in the US, or a CEO born in the US with headquarters in Germany? Or is it that Google does business in the US? So if Google had a German CEO, HQ in Germany, and did some business in the US, does that make it more suspect?

    3. Re:Oh Japan.. by Anonymous Coward · · Score: 0

      Welcome, KingMotley.

      News stories you missed while hiding under a rock:

      1. PRISM
      2. ...

  6. Japan is more advanced than us by gubon13 · · Score: 4, Funny

    They've already accepted that Google has all of their information anyhow.

  7. No problem here by mu51c10rd · · Score: 1

    That's ok...the NSA has all the data already anyway...

  8. It's okay... by hahn · · Score: 1

    The only person who cares is the person who accidentally posted it.

    --
    "The only normal people are the ones you don't know very well."

  9. What was in it? by Iniamyen · · Score: 0, Troll

    How much of it was tentacle porn?

  10. You still risk jail time if you look at the files. by 140Mandak262Jamuna · · Score: 3, Insightful

    The way most official secrets acts are written, they have some boilerplate language with a whole bunch of "whereas" and "notwithstandings" and eventually boil down to making it a crime to access government secrets, no matter how trivial or non-existent the protections were nor how clueless and braindead the officials were. Usually it has no due-diligence requirements on the part of the government to protect the secret data. It is usually a crime to look at what the government considers secret even if it was done accidentally, inadvertently.

    Laws are actually drafted by government officials and they insert enough language to protect their tails.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact

  11. As long as they don't leak their military secrets by Anonymous Coward · · Score: 0

    I know, I know. Japan has a very competent national defense force and they are all a great bunch of guys.

  12. Re:You still risk jail time if you look at the fil by Anonymous Coward · · Score: 0

    I was just about to say something about this... Given past history, you'd likely be accused of "hacking" for going onto a publicly accessible Google Group.

  13. Pwned by Anonymous Coward · · Score: 0

    Your privacy might be worth a lot to you, but to Google it's something they can sell for $$$. Google makes cash out of selling ads. Not out of protecting privacy.

  14. Re: You still risk jail time if you look at the fi by Anonymous Coward · · Score: 0

    Um no?

    Only people with security clearances are not allowed to view classified information without authorization, at risk of losing their clearance.

    It's not illegal for everyone else to view it. See Pentagon Papers FFS, and the government does due diligence to keep classified information secret including punishing those who leak it, EVEN accidentally, WTF are you talking about? We can even get in trouble for not having the proper cover sheet for classified papers.

  15. Default is off for sharing groups outside domain by Anonymous Coward · · Score: 1

    I'm surprised a Googler has not spoken up. I'm administrator for several Google Apps Business accounts and the source article is inaccurate. The default settings are to not share groups with outside domains. I really doubt the product marketed to governments is less restrictive than the Google Apps for Business. I don't work for Google - I'm an independent small business consultant.

  16. I got it! by sgt scrub · · Score: 1

    I spotted a mistake in the post but will fix it for you real quick.

    "An ex-official no longer at Japan's Ministry of the Environment created a Google Group to share email and documents related to Japan's negotiations during a meeting held in Geneva in January, but used the default privacy settings, which left the exchanges wide open."

    --
    Having to work for a living is the root of all evil.