Judge Orders Google To Deactivate User's Gmail Account

In a highly unusual move, a federal judge has ordered Google to deactivate the email account of a user who was mistakenly sent confidential financial information by a bank.

The order, issued Wednesday by U.S. District Court Judge James Ware in the northern district of California, also requires Google to disclose the Gmail account holder's identity and contact information. The Gmail user hasn't been accused of any wrongdoing.

The ruling stems from a monumental error by the Wilson, Wyo.-based Rocky Mountain Bank. On Aug. 12, the bank mistakenly sent names, addresses, social security numbers and loan information of more than 1,300 customers to a Gmail address. When the bank realized the problem, it sent a message to that same address asking the recipient to contact the bank and destroy the file without opening it. No one responded, so the bank contacted Google to ask for information about the account holder.

In keeping with its privacy policy, Google told the bank it would have to get a court order to obtain such data. The bank then filed papers asking a court to order Google to disclose the information and deactivate the account.

The bank attempted to file its papers under seal, but U.S. District Court Judge Ronald Whyte denied that request. Earlier this week, the case was transferred to Ware from Whyte.

Some lawyers say the Ware's order is problematic because it affects the Gmail account holder's First Amendment rights to communicate online, as well as his or her privacy rights.

"It's outrageous that the bank asked for this, and it's outrageous that the court granted it," says John Morris, general counsel at the Center for Democracy & Technology. "What right does the bank have and go suspend the email account of a completely innocent person?"

He adds: "At the end of the day, the bank obviously screwed up. But it should not be bringing a lawsuit against two completely innocent parties and disrupting one of the innocent party's email contact to the world."

Eric Goldman, director of the High Tech Law Institute at Santa Clara University, adds that the judge's order could have significant ramifications for the Gmail account holder. "Losing an email account is a big deal," he said. "It's very disconcerting to think that a judge could simply order my account deactivated."

Tags: email, legal
Recommend (1068)
9 comments about "Judge Orders Google To Deactivate User's Gmail Account".
  1. Tom Kalikajaros from Kaliaris , September 24, 2009 at 8:08 p.m.

    I find it disturbing that a Bank feels it is OK to transmit confidential info over the Internet unencrypted in the first place.

    This Bank would be subject to privacy and security legislation at a Federal and State level. They should be investigated by the respective authority for breaches of legislation.

    I would not feel safe being a customer with this Bank. They should be named and shamed.

  2. Tim Devine from Webcastr.com , September 24, 2009 at 11 p.m.

    We are outraged by this development and encourage you to join the discussion here:

    http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=71658425&gid=2230327

  3. John Grono from GAP Research , September 25, 2009 at 9:18 a.m.

    I agree with Tom's call for "name and shame". I suppose the bank will ask for a government handout to handle the encryption for distribution of confidential and sensitive information. Do you think $100m would cover it?

  4. Adam Tuttle from Addroid , September 25, 2009 at 11:36 a.m.

    This is truly outrageous but I do sense that a giant counter suit will be brought against the bank, one that they'll likely lose.

  5. Andre Szykier from maps capital management , September 25, 2009 at 12:39 p.m.

    If you look at the terms of services of your Gmail account you will see :

    "2.3 ...(b) you are a person barred from receiving the Services under the laws of the United States or other countries including the country in which you are resident or from which you use the Services."

    and,

    "8.2 You should be aware that Content presented to you as part of the Services, including but not limited to advertisements in the Services and sponsored Content within the Services may be protected by intellectual property rights which are owned by the sponsors or advertisers who provide that Content to Google (or by other persons or companies on their behalf). You may not modify, rent, lease, loan, sell, distribute or create derivative works based on this Content (either in whole or in part) unless you have been specifically told that you may do so by Google or by the owners of that Content, in a separate agreement."

    If a court order requests blocking a Gmail account, Google is covered under (b).

    If you "modify, rent, lease, loan, sell, distribute or create derivative works based on this content..." Google is covered by (8.2)

    If the Gmail account holder doe nothing, meaning they receive emails but do not respond, then their 4th amendment rights could be infringed.

    However, this case could be a test for the term "vicarious liability" on behalf of Google because it provides a service that in its execution caused the bank to be in violation of government disclosure laws: HIPPA for medical data and Sarbanes Oxley for financial data are two good examples.

    We should recall that law firms, when sending faxes always use the cover page to protect themselves from faxing to an errant number or wrong recipient; however, under law, facts disclosed in this fashion do not put the recipient in any legal risk. Using this model, a smart judge would say, same rule applies to email.

    You don't see the phone company turning off a phone line with a fax machine simply because no one returned the calls. Why should Google? Tough call...

    I suspect that faxing rules are not the same as email rules.

    The Web does not have a clear way of determining identity in account registration. People can set up anonymous avatars online and use them as proxies for registering with services elsewhere.

    So does Google violate a real person's 4th amendment rights or the fictitious avatar who exists only in the cloud?
    Signed: sylvie chen (Avatar)

  6. Stacey Schaller from SBS Advertising , September 25, 2009 at 1:14 p.m.

    The point of the ordeal is that some individual at the bank goofed. They hit the wrong button. Now, the bank is liable for Millions in fines and lawsuits. Their objective is to limit the damage their error caused their clients (and this error could easily have been caused by a new employee or intern in training).

    They attempted to make contact with the email owner, but in not hearing from them, had to take action to reduce the possibility that that private information would damage the bank customers.

    As I see it, this is the best of no good alternatives. There is not problem with Google reinstating the account once the file with the data is destroyed and the bank has made contact with the owner of the account. If the owner has no malicious intent, they the should, at the bank's expense, allow the secure deletion of the file from any computers they may own — and that would be the end of the story. :)

    No happy ending exactly, bust certainly not a disaster...

  7. Piper Burnette from Montag & Caldwell, Inc. , September 25, 2009 at 2:47 p.m.

    How sad. Both emails are probably sitting in the user's SPAM box. Even if one of them did make it to the inbox, why would anyone open an email from an unknown bank? Assuming you don't want a trojan hanging out on your pc that is...

  8. John Jainschigg from World2Worlds, Inc. , September 28, 2009 at noon

    Umm ...

    If this is a normal gmail account, rather than one configured as a no-hold email forwarder, the letter from the bank is sitting in the user's inbox, which is in a database on a Google server.

    It would therefore be elementary (once appropriate court-order were granted) to remove that single piece of mail (so the user can't read, forward or print it), trace it through Google's mail system to remove additional copies in caches (should these exist) and that's the end of the story.

    The notion of canceling this person's email service is stone idiotic. Lawyers and others unfamiliar with how technology works should sit on their hands and recuse themselves from discussion of how to repair problems technology causes.

  9. Stephen Samuel from Just Another Radical , September 28, 2009 at 1:58 p.m.

    What's the cause of action?

    Refusal to respond to a threat?

    If I get an email from a bank (whether I normally deal with it or not) ... ESPECIALLY that says, "we demand that you do 'X' or nasty things will happen", I will, by default, delete it unread. I would also suggest to most people that they do the same.

    The only people likely to take such an email seriously would be the uninitiated.

    In other words, the only people likely to have read either the original, problematic, email are people who wouldn't have known what to do with the purported contents of the messages.

    In any case, the US constitution supposedly includes the right to

    Remain Silent, and

    Not incriminate yourself.

    Cutting off someone's email simply because (s)he engaged the constitutional right of silence, and, possibly the right to NOT read someone's email (The right of free listening is a side effect of the right of free speech) seems legally obscene.