Say you’re like me, and have a gmail address of your real name, a name that happens to be shared by a bunch of other Susans around the world — and a lot of those Susans mistakenly give out your email address instead of their own. You’d think that’d be a mistake they’d only make once or twice, but no, there’s a couple Susans out there who’ve been sending me their email for years. Including things such as loan records, accounts of their AA meetings, and in one case, a copy of the title to their car.
Now, say that one of those misaddressed emails to was from a bank. Containing private banking data, tax records, and identifying info. Of 1,325 customers. Yeah, some bank employee in Wyoming just lost his shot at a promotion.
But it’s all right, no biggie. The bank can just sue Google and get your account deactivated, to make sure you never see the email they sent you.
There’s an attempted defense of Rocky Mountain Bank’s motion and the judge’s order here, concluding that:
At this point in the proceedings, I see less concern over Judge Ware’s order that Google disclose the status of the Gmail account and the identity of the account holder. The primary reason that Google could withhold this information would be to protect the privacy rights of its account holder. However, cases dealing with First Amendment rights — which get a higher level of protection than privacy rights — courts frequently permit disclosure of the identity of an anonymous speaker if the plaintiff shows that it has a facially valid cause of action and shows that it needs the information. While the Bank’s pleadings are light on legal citations, they do contain sufficient facts to satisfy both of these criteria.
I’m not buying it. First of all, that whole giant “failure to state a claim” issue should’ve precluded such draconian measures against an unambiguously innocent google account holder. Where the hell’s a 12(b)(6) motion when you need one? And secondly, the Bank’s motion wasn’t “light” on legal citations — it was void of them.
In Rocky Mountain’s Motion for a TRO [PDF], there just isn’t any law. The bank simply announces it is entitled to what it wants. What’s their rationale for why the TRO should be granted? Because they “ha[ve] an obligation, legal and otherwise, to protect the privacy of its customers.” That’s it. They are entitled to it, and they have some duties this would help them carry out, so they should get it. Why are they entitled and why is it the gmail account holder’s problem to help them fix it? Who the hell knows. Because they don’t cite to a single law or case. They’re just yapping.
It is not a legal argument to say “we will be harmed if Google does not do this, and it will not harm Google much to do this, therefore I should be entitled to get the power of the government to command Google to take the action I want.”
I call this the “we screwed up so we’re entitled to do whatever we want to fix it” defense.
All the defenses of the judge’s order center around the idea that this would have been disastrous for Rocky Mountain had it not been able to recover the data. And it would have been. But there’s a shocking blindness to the fact that what happened here was (1) someone sent an email they shouldn’t have, and (2) because they screwed up, they were able to get a court order to have the person’s email address deactivated.
One thing not being being discussed much is that it appears the misaddress was not the only issue. The inadvertent inclusion of 1,300 customer’s private info was an even bigger screw up. So what if the email had /not/ been misaddressed? Would Rocky Mountain have been legally entitled to get Google to shut down the email account of the original customer who requested that his info be sent to him? Under the logic of this ruling, yes, unquestionably.
And what if Google hadn’t been involved? What if it was a privately run email server? What’s to even limit this sort of motion to email accounts — what if it’d been a misaddressed snailmail delivered through a mail slot in someone’s door?
I understand there was a balance of harms here, and that, yes, the ending result was probably the most convenient for everybody involved. But a “balancing of harms” is not in and of itself relevant to anything.
There a lot of arguments, of varying strengths, that could made here against the ruling — due process? Prior restraint? Section 2703 or a Theofel-like suit under section 2701 of the stored communications act? — but they just don’t seem necessary. Because Rocky Mountain never managed to put forth an argument worth refuting in the first place.
I can’t believe the ruling went this way, it’s pure madness. So, say I hate someone – can I just email them sensitive material “accidentally”?
I’d probably have to have a friend willing to lose his or her job re: banking, because there’s no way the ruling would’ve gone this way if it had been one person suffering their own stupidity.
And the article you linked said that the email was sent a month prior! Whatever post-leak actions the bank would’ve had to take — and public humiliation — should’ve happened anyway If I was a customer, I wouldn’t consider my account safe just because J. Doe doesn’t /seem/ to have used that info he or she had for a month … I’d want new account, card, everything. Ten minutes is too late in internet time. At that point they should’ve considered the info leaked and owned up to it.