Friday, October 2, 2009

Rocky Mountain Bank TRO for Google user info

SANS NewsBites is a great source of information and current news in the IT/Security world.

Sometimes the articles and commentary are insightful. Sometimes they are entertaining. Sometimes they are disturubing.

(If you aren't already subscribed, you'll have to wait a few days and find the archive at this link: )

Now, I'm certainly no expert. Certainly no fancy decorations or degrees. But I think that William Hugh Murray is reaching far on points of e-mail handling.

A weak argument against Gmail user privacy goes like this:

"A well intended and behaved user would have acknowledged the bank's communication. While I am sure that I could dream one up, it is hard to find a legitimate interest that this user has in refusing to acknowledge the bank's communication. Nice people do not try to turn the innocent errors of others to their own advantage."

Reality: Security experts counsel recipients to NOT respond to an e-mail that fits these criteria:
  • unknown sender
  • attachment that was not expected
  • unknown sender demanding that you reply/respond/click/call
  • email purporting to come from a bank, especially one which you do not use

Reality: No contact was made from that email account. No blackmail. No asking of reward money or cash to cover "expenses". Why is this account holder labeled as not "nice"?

Reality: It doesn't take a fanciful dream to come up with reasons to ignore e-mail. Spare the drama in an expert opinion. I ignore email from my own mother. Sorry, Mom. It happens. I guess I'm not "nice" either.

He summarizes:
"Finally, the right that Google is defending is the right of its user to be rude, the right to anonymity, not to free speech or political speech, and not to one's name, public or private. Said another way, of all the interests of Google or their customer, they are defending the least
compelling one."
Reality: Rudeness is not a compelling reason to fork over my identity to an unrelated third party.

Reality: Ignoring a message from a foreign bank is not rude. It's considered good security practice. Or am I dreaming here? Maybe I should click that link and update my Ally Bank account information ASAP.

Reality: Google should not have to defend the privacy rights of their users from the incompetence of others. If that bank mailed me physical printouts of proprietary information...maybe I'd consider contacting them. Bank-related email is sorted with the detritus of erectile dysfunction pills. I don't read all of those to make sure that some pharm-tech didn't accidentally send me a secret formula.

His conclusion:

"I do not think that we have to worry that this order will establish any precedent at all. It will not establish a precedent that puts the rights of the negligent or their victims ahead of those of innocent third parties. While it is already far too easy to get ISPs to identify their users, this case is not likely to make it any easier and has some hope of making it harder."

Reality: Precedent is always set when any authority having jurisdiction makes a decision. If the range marshal tells me to pick up my golf ball, he can tell me that it's "just this once" and I'll believe him. Beyond that...lawyers love precedent. It won't be forgotten.

I think that marginalizing Google's concern for user privacy based on rudeness, niceness, good intentions, or playing fair is disingenuous.  This is the real world, not some 1950s elementary school playground.

If you send me an e-mail message, it does not give you the right to suspend my account and snoop into my identity.

If you were incompetent or just made a typo...not my fault.

If your intel was so mission-critical that you don't have time to make it obsolete....well, that's a different security issue. Methinks that "" should not be in the list of allowable e-mail addresses for secure distribution. But I'm no expert. Maybe you should hire one.

Ahhh, if only someone could invent a way to encrypt message traffic or filter outbound mail...

If protecting intellectual property is the reason for granting the TRO and demanding action and private information...what's to stop the abuse? Need the identity of a detractor, informant, employee, or the dude who's dating your wife? All you'd have to to is send a spreadsheet, file the suit, pound your chest, and wait.

Does that sound nice?

So, you mailed a bank customer account list to my house. You looked through your outgoing traffic logs (you have those, right), and sent someone to my house. Can you lock me out and ransack the property?

Does that sound nice?

I know. It's all because I didn't respond to your e-mail that says, "Hi. I'm a bank. We need some confidential information."

We won't know the ramifications of this for a while. Or, until the next case against Google comes up where a third party is trying to discover the identity of a writer who is not being nice to a property developer accused of bribery.

Wow. That's a lot of not being nice.