Slashdot Mirror
Goldman Sachs Demands Google Unsend One of Its E-mails
rudy_wayne (414635) writes A Goldman Sachs contractor was testing internal changes made to Goldman Sachs system and prepared a report with sensitive client information, including details on brokerage accounts. The report was accidentally e-mailed to a 'gmail.com' address rather than the correct 'gs.com' address. Google told Goldman Sachs on June 26 that it couldn't just reach into Gmail and delete the e-mail without a court order. Goldman Sachs filed with the New York Supreme Court, requesting "emergency relief" to avoid a privacy violation and "avoid the risk of unnecessary reputational damage to Goldman Sachs."
Ha. Hahahaha. Ha.
Already blocked
[FUCK BETA]
If this is interesting information, it has already been copied from the Google server to somebody's personal computer.
Barbara Striesand never returns my e-mails either.
Massive privacy breach....e-mailed a report...containing sensitive details...e-mailed...
The problem here isn't that it was sent to the wrong account. It's that it was e-mailed AT ALL.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
"avoid the risk of unnecessary reputational damage to Goldman Sachs." I'd say it's too late for that now, mate.
At least every lawyer type e-mail I get has a giant disclaimer at the end if you are NOT the intended recipient. Perhaps GS should have considered using that? Over paid dopes.
...companies in the world.
This is a test case for them, it's all about control and it's all about the money.
Do you guys remember this: "Give me control of a nation's money and I care not who makes the laws."?
Well, you better remember it - and understand what it means, because your FREEDOM is at stake!
Cryptic to you?
READ BETWEEN THE LINES!
What this world is coming to - is for you and me to decide.
This all seems fairly reasonable to me.
You have enough people doing enough things, eventually someone is going to make a stupid mistake. In hindsight there is probably plenty of stuff that could have or should have been in place to prevent this, but then there always is when looking back at a problem.
Google seems to be acting reasonably. Putting a process in place where companies can quickly and conveniently "take back" emails seems like a bad idea. Requiring a court order ensures that this goes through a strict process and is well documented. Google doesn't seem to be "fighting" this so much as saying "get a court to tell us to and we'll happily do it for you".
And I don't get the impression that Goldman Sachs is pounding their fists on the desk here either. They are doing everything they can to repair or prevent damage caused by a mistake they made. They are seeking out the court order and probably other stuff internally.
Step back and see what Goldman Sachs is asking. What if they are lying? How does Google know what Goldman Sachs is asking is valid. What would happen if the user was suppose to get email, suddenly finds that email not longer present because Goldman Sachs or someone else asked Google to delete it.
Think Potsy, think.
There are more than a few email filtering products, some designed specifically to prevent sensitive data from being emailed at will via heuristics designed to detect sensitive information.
You would think as heavily regulated as Goldman is they would have these kinds of systems in place to prevent this kind of thing from happening.
The real question is: should the court order such an action, and under what conditions?
Analogy alert: GS mistakenly sends me a letter by physical mail, then asks the post office (or asks a judge to order the post office) to send a mailman round, break into my house, and retrieve the letter. That clearly won't happen; worst case is that the judge would order me to surrender the letter. In case of email, is Google (under their terms & conditions and the letter of the law) allowed to "break into" my mailbox and remove the offending letter? And should they be?
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
Well, that's what the court is for. They get to decide if deleting this email is the right thing to do or not.
Who else would you suggest? Goldman Sachs is out, obviously. Would you rather Google be the one to decide?
...and used Microsoft's legal team. They would have gotten the gmail.com and google.com domains and then it would just have been a matter to use Microsoft name servers to commit a DoS attack against gmail's hackers, erm, users.
The Federal judges in Nevada are suckers for a good story, I hear, even if it's blatantly false.
How the fuck did they reach anyone at Google to get that response?!
Or what if this email was going to be evidence in a case against Goldman Sachs.
This is exactly why this goes through the courts. Sorting stuff like this out is kinda why courts exist.
Is google gonna have to run tech support everytime someone mistakenly sends an email?
Should the USPS intercept a letter upon request everytime someone made a mistake in sending it out?
No, it's not doggone reasonable. In fact, it's so unreasonable, that only a company with the pull of Goldman Sachs can demand it.
Do you think you go to google with the same request, they'll bow down to you? Do you think the courts would have granted it so fast?
Of course not, because it's a drain on their resource to help some dumbass rectify his own damn mistake.
Aren't these legally binding? :-)
Not an entirely accurate analogy. You own the house (and even if you didn't, the *mailbox* from which you retrieved the letter is distinct from the dwelling where you're likely to store it afterwards).
In gmail's case, google *owns* everything, and they just let you use the storage and mailbox assigned to you. So given a court order, they could remove the email without technically accessing anything that's actually yours.
Now, if the recipient makes a local copy, then your "break into my house" analogy would be more accurate, applying to the copy in the recipient's system.
What's shocking is that google has locked the user out of their email account while this is happening.
I agree. I think the most reasonable action is to try to contact the owner of this email address and explain the situation.
Maybe give him $1000 to sign a retroactive non-disclosure agreement. Odds are it's just a random normal person
that would gladly take $1000 to keep quiet. I get confidential emails for a large company that has a similiar domain
to one I own all the time. I probably average about 20 a day. I sometimes notify them but I mostly just delete them
and move on with my day. I sometimes feel bad as many of them are things like "I didn't receive my shipment" but
it's no different than it going into a black hole elsewhere and never getting read.
As always, the analogy is flawed.
If the court ordered someone to break into your house and delete the attachment you saved locally, your analogy would hold. As it is, what GS is asking would be analogous to the court ordering the post office to remove the letter from your PO Box. Seems much more reasonable to me.
Write boring code, not shiny code!
make the same request when I accidentally reply-all to save myself 'reputational damage'? Or does this only work for large companies with lots of money?
Someone should tell Goldman Sachs that you cannot unsend an email. Usenet articles can be cancelled, even though most servers ignore cancels, but like snail mail, once email is posted it cannot be recalled.
What I'm wondering is whether or not the person whose email account was blocked because they received an email from Goldman Sachs has any form of legal recourse against Goldman Sachs.
Here is a lesson from this:
This is why divisions with critical info use some form of IRM/RMS. A mistake with a document being sent results in an encrypted document landing in the destination mailbox. Not a good thing, as the name and length of the file is readable... but not a complete leak either -- damage is mitigated. Plus, in Outlook this is as simple as clicking "do not forward" when attaching a document.
The parent has it right. These are two companies doing proper process/procedure to deal with a fuck-up, and nothing more.
Everyone makes mistakes. I understand that. I make mistakes too.
But here's what I don't get. I am sending an email to dude@gs.com and accidentally type dude@gmail.com. But I also I just happen to have dude@gmail.com's PGP key and a sufficient trust path to know the key is correct, for the confidential information in question? That's the part I simply don't believe. All of Goldman Sachs' protestations that the sender just happened to also know dude@gmail.com and that they key was verified, ring hollow.
Of course, the silliness here, is that Goldman Sachs isn't really saying that happened. I'm totally making up the bullshit about their "protestations." And that is the problem, because if the information is confidential and if this is important enough to go to court over (and maybe it really is), then their routine security practices are a joke and they should have a reputation for having complete disregard for protecting confidential information. They are telling the public that they can't be trusted. So, everyone: listen to them.
You get what you pay for.
Yes, Goldman Sachs bought themselves a nice compliant government. I would say they got a bargain.
“He’s not deformed, he’s just drunk!”
As disturbing is that the threat of "reputational damage" is enough to get a court on your side.
The United States government should not be helping people or business protect their reputation from their own mistakes. It opens a floodgate to potential abuses. This request should have been laughed out of court. "You screwed up, bub; you deal with the consequences."
I can see this ruling being used as a precedent in many future law cases.
After 2008, Greek crisis etc what damage will this do to their reputation?
Unfortunately your analogy is also flawed... the mail _was_ addressed to the recipient. GS "wrote" the wrong address on the envelope.
My question is, what law gives a court the right to do such thing? While there may well be laws that compel companies to keep their own data private, I find it hard to believe there is a law that gives a court the right to undelete stuff in a scenario like this. Courts don't tend to do stuff no matter how reasonable unless there is some law that says they should.
The disturbing thing about this is that the real owner of that mail box, whoever he may be, doesn't get to show up in court and put forward his viewpoint.
The ancient Roman Horace (65-8 bce) said: "Once a word has been allowed to escape, it cannot be recalled."
More recently, Omar, the Tentmaker (died ca 1123 ce) said:
"The moving finger writes; and, having writ,
Moves on: nor all your Piety or Wit
Shall lure it back to cancel half a Line,
Nor all your Tears wash out a Word of it."
How would you feel if the postman was just supposed to check to see if it was still in your box, and take it if it was?
I'd be fine with that, provided a court was the one to decide it should be done.
Your gmail account is your mailbox, not your house. If you were to save the contents of that message somewhere else, that would be akin to bringing the letter inside from the mailbox.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
I disagree with your disagreement of the analogy. What if your house is rented or you have put the physical letter is in a safety deposit box in the bank? In both these cases the physical location is owned by someone else and you are just renting the space. Is this any different from you renting the e-mailbox space on the google (or other ISP) servers?
google locked THIS EMAIL.
big difference.
"Some states do in-fact, prohibit a person from opening mail that is not addressed to them, in which case it would still be a crime to open your wife's mail."
It IS addressed to him, that's sorta the point.
If the email contained credit card numbers and such and you don't want to go to jail then $1000 is fairly generous.
You could possibly figure out how to sell it on the black market but most people are not willing to break the law and
risk jail time especially if their identity is already known. Now, on the other hand, if it's stuff that I could sell to a
newspaper about corruption then I would probably be willng to sell it to the highest bidder.
If the mail has not yet been delivered, then Google can stop the deliver and bill Goldman for the cost of stopping the delivery. If it has already been delivered, it is the property of the recipient. You can't do anything about it. At best Goldman can go after the recipient and get a gag order from the court. But Google is out of the picture.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Is this any different from you renting the e-mailbox space on the google (or other ISP) servers?
Yes. It's called "Contractual Terms" or "EULA".
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
I can see one way that the court is authorized by law to do that. Under common law, we each have a duty to not be reckless about doing things that might cause harm to another. Had Google chosen to deliver the email after having been notified that it could bring harm to Goldman _and_its_customers, Goldman could then file a suit for negligence. The judge or jury would then decide if Google failed to exercise ordinary care in preventing the leak, or if they did all that a reasonable person would do to protect the customers.
If Goldman intended to file such a suit, the normal and proper legal procedure would be for them to request a temporary injunction ordering Google not to release the information until the suit was settled. That is well and good because if Goldman were to win, Google can't very well take back the information they've already released.
Since Google didn't object to the request, why make Goldman formally declare their intent to file a suit for negligence if Google doesn't comply? Everybody knew that was result in an injunction, and a perfectly proper one, so why not save time and just go straight to the injunction hearing? The court can issue an injunction in the end, and I don't know of any common law or statutory requirement for pointless rounds of paperwork when everybody agrees it'll end up as an injunction hearing.
Maybe. The GP raises an interesting point though.
Is the "address" (johndoe123@example.com) the same as its user (Mike Somehow who uses the previously mentioned e-mail address)?
Real life example: I rent an apartment which was previously occupied by a foreign citizen. I receive snail mail addressed to:
- The owner
- Previous renter
- Me
- My wife
- Unspecified recipient (SPAM)
- Others (named people who don't live at my address).
I am legally entitled to open mail addressed to me and "unspecified recipient". Now, in case of an e-mail address, the same could apply. The actual recipient might not be the one who "lives" there, and there might be elements that specifically mention a different recipient than me. Since an e-mail is a non-physical item, I can't really "return without opening" but I could destroy it (after or instead of reading its contents).
Is this covered by the GMail EULA? I confess I've never read the whole damn thing.
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
I'm going to weep when they get this power. Because it's Goldman Sachs and you know they will.
Sometimes the truth is arrived at by adding all the little lies together and deducting them from all that is known.
Good point. What if it's proof of illegal activity. The account holder should forward it to the police, several different news outlets, and wikileaks just in case. ;P
And then do it again using something other than Gmail just in case they put up a filter to prevent that.
As far as I'm concerned, Goldman Sachs totally screwed up by sending confidential information to a member of the public in the first place. Their error is not sufficient reason for Google to panic or violate the trust of their entire user base just to fix someone elses stupidity.
Can, Should, and Will Only Due So With A Valid Court Order are very different things.
;)
Sure they can, but how do you think every user of Google products will think if any company out there can say, "oops, didn't mean to send that, google, go fix my screw up and delete that from peoples inboxs."?
Should they do it? Maybe, but again, at this point we only have Goldman Sachs word that they 'should'. Maybe their entire story was fabricated and it was proof sent out by a whistleblower. Maybe it wasn't sent by a whistleblower, but it is proof of illegal activity that should be turned over to the appropriate legal or regulatory agency. We only have the companies word for it, and do companies ever lie about stuff like that?
So Google is going with "Will only due so with a valid court order" on this. Good choice. You won't piss off the customers because a court made you do it, and you won't get yourself in legal trouble because a court made you do it. Yep, this is the right choice if they have any functioning brain cells at all.
There's also a fourth option of just plain refuse. Claim the mail system is sacrosanct and it won't be messed with. Of course there are two big problems with this. First is almost nobody will believe you. Second is you are then looking at a big as legal battle you probably won't win because you are not the federal government. That's why I didn't list this one in the beginning, though I did mention it at the end to avoid having a million responses pointing this one out.
That's my say, disagree or whatever
I am very sure Google lawyers will be pointing out to Goldman lawyers the exact clause and paragraph where Goldman pledged the everlasting life and soul of all the board of directors to Google when they clicked on the "accept" button of the EULA agreement of the Gmail.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Through a combination of carelessness and cluelessness, this employee managed to put hundreds of millions if not billions of dollars of customer funds at risk.
Sending information like this via email is where the mistake happened, not mistyping the address. Email is not secure even if it is sent to the right address you have no control over how it gets there and it could be easily intercepted and read enroute. Their reputation loss has already occurred by admitting that they use email for highly sensitive information like this.
why? it's not like we're dealing with a little old lady or a church. if goldman sachs wanted to cut a deal with me, why wouldn't I exploit that as much as possible? I have no inclination to do them a solid.
my brother, who works in finance, has a favorite expression for when he gets the extreme upper hand in a deal. "ripping their faces off".
Then I demand Goldman Sachs to undo the financial crisis to avoid unneccessary reputational damage to myself.