Goldman Sachs Wants Google to Delete an Accidental Email [UPDATED]

By: Josh Wolford - July 3, 2014

Update: Google has reportedly complied with Goldman Sachs’ request.

“Google complied with our request that it block access to the email,” said a Goldman spokeswoman“It has also notified us that the email account had not been accessed from the time the email was sent to the time Google blocked access. No client information has been breached.”

Original: There’s a pretty interesting case on the docket in New York. It’s one that involves a single email, sent by mistake – but the decision could set an interesting precedent regarding emails and the right for people to retroactively unsend.

Goldman Sachs is taking Google to court and are seeking a court order to compel Google to delete a single email sent in error.

Reuters reports that a Goldman Sachs contractor, tasked with testing internal processes within the company’s reporting requirements, accidentally sent an email containing confidential client information to a random Gmail user.

It was a case of a simple typo, wherein the contractor sent the email to [blank]@gmail.com instead of [blank]@gs.com.

Google’s position is pretty clear – we’ll delete the email, but only with a court order. Until then, you’re out of luck.

Goldman’s basic argument is that all Google has to do is delete one single email – an action that would be far from taxing. To Google, a single email means nothing, but to Goldman Sachs that email represents a breach of privacy for its clients.

“Emergency relief is necessary to avoid the risk of inflicting a needless and massive privacy violation upon Goldman Sachs’ clients, and to avoid the risk of unnecessary reputational damage to Goldman Sachs…by contrast, Google faces little more than the minor inconvenience of intercepting a single email – an email that was indisputably sent in error,” says Goldman Sachs.

When you think about it, it’s a pretty interesting case. A ruling in favor of Goldman Sachs would send a message that Google is compelled, in some circumstances, to delete already-sent emails as long as they were sent in error.

Josh Wolford

About the Author

Josh WolfordJosh Wolford is a writer for WebProNews. He likes beer, Japanese food, and movies that make him feel weird afterward. Mostly beer. Follow him on Twitter: @joshgwolf Instagram: @joshgwolf Google+: Joshua Wolford StumbleUpon: joshgwolf

View all posts by Josh Wolford
  • Loki57

    What was a contractor doing using actual client data for system testing in the first place? Perhaps Goldman Sucks deserves some attention from FINRA for reckless disregard of responsible business practices over that, and the contractor (which may well be a huge accounting firm’s software division) as well?

    If this report in fact contained massive amounts of client data, all the worse for both of those parties. If it was some small amount, then GS is lying to manipulate Google to be more evil, even if such reckless disregard for industry standards and law is serious even over minor scale incidents.

    To use a Postal Service equivalent, what GS demanded was that it be helped by USPS to send some thugs they hired from down by the docks in Mountain View, to the correct house where that mail had been dropped through the mail slot in the door, to perpetrate a felony breaking and entering, and Federal Postal and not just state misdemeanor theft before the homeowner noticed the mail had arrived.

    There may be legal restrictions on what the recipient does with unsolicited received mail’s content, but the mail is by law theirs to keep even if misaddressed.

    GS might have done better to offer to pay Google for its assistance in contacting the mailbox owner by additional means, including other email addresses, or voice or SMS if linked to the account, with an offer to pay the recipient $5000 for agreeing to let Google delete that item with an unread status (of course items can be read and then marked unread – perhaps Google should disclose how detailed its logs of such acts are or aren’t?).

    Tough on GS if they created a legal trap by their own recklessness. It’s not the first time, and in some industries there are inherent traps. A few comparisons….

    In some states, there’s mandatory public health reporting of certain diseases, in conflict with Federal privacy laws. Some providers coerce patients to contract release of such info, but such contracts have many ethical and legal issues.

    Walmart in one case had too few cashiers, and a person got in line with a case of beer 10 minutes before the state legal cutoff time. The cashier fumbled a prior customer, slowing the line even more. The cashier mindlessly sold the beer 3 minutes after legal cutoff, not detected by their software either (easier to explain for a smaller merchant). A manager noticed a case of beer heading for the exit after that completed sale, and told the customer he couldn’t allow it to leave the store under state law.

    In that case the manager intimidated and threatened the customer, who allowed the store to reverse the sale, and the customer acted unlikely to file a police complaint or state alcohol regulatory complaint. At that point, the customer owned the product and had every right to leave with it, even if it was illegal for the store to allow that, or make the sale when it did in the first place. That’s a no win situation for the store, other than prevent the incident up front. In the bigger picture, we might question why the Supreme Court has in specific precedents endorsed arbitrary Blue Laws based in historic religion to remain over alcohol policies, even when those same laws are proven unConstitutional overall?

    Back in the days years ago before Larry Lessig was ever tapped as a prospective Microsoft prosecutor, Microsoft was pushing Internet Explorer updates that would partially remove drivers for some brands of mice other than their own, particularly if scroll wheels or third buttons were present, before those were common. Lessig had never considered (based on my discussions with him) how that’s also equivalent to breaking into someone’s house and tampering with their computer. It varies slightly from the Goldman mail case though, as it’s more like a furnace contractor being given a key to do work when the owner isn’t home, and tampering with something other than the authorized work.

    Goldman’s contractor deserves to get nailed, along with GS, in this case. Anyone with accounts with them has standing to file FINRA and SEC complaints. They at this point should pay the mail recipient for a lawyer in Federal District practice to review the issues present, typically $25,000 for an entry level fee, plus damages higher than that for playing. Goldman deserves the public scrutiny and humiliation that use of live client info for testing invites. It’s up to FINRA and SEC to determine the legal issues and sanctions to penalize this abuse, and prevent a recurrence.

    In other cases where I’ve seen contract work practices of that bigass accounting firm that does software work for the financial industry and government, “D&T” has not even come close to what might be called responsible job performance, never mind best practices. Not sure if it’s them in this case, but there are issues that could benefit from using the mail theft attempt aspects of this case as a trigger to review larger problems and a need for better standards.

  • http://www.bizdevweb.com SecurityGuy

    Interesting, wonder how long the email was in the mistaken mailbox and if it was accessed. If so, deleting it doesn’t matter info was breached and GS is required to go through the process of disclosing breached info to customers and improve their internal process. Also, Google reaching into peoples email and deleting messages requested by GS or other big business with legal support is another very slippery slope :-)

  • Loki57

    The other major issue to this case, which is discussed in zero of 50
    pages to Goldman’s 6 recent legal filings on June 27th, is the
    responsible use of encryption for any confidential information, before
    it’s ever sent over open internet connections subject to illicit
    sniffing by governments and businesses alike, as well as routine TOS
    covered technical maintenance or inspection at times, by unknowable
    third parties.

    Never mind a reckless address error or use of live info for testing by
    contractors. Why is legally restricted information on client accounts
    being sent via systems that aren’t by design secure? FOSS (free and
    open source) PKS (public key security) email tools exist at a huge cost,
    of zero dollars, but humans bothering to use them. None of Goldman’s
    claims hold water (nor Rocky Mountain Bank’s), when their core operating
    practices at their core are grossly reckless and the main issue in need of policy and systemic change.

    I’ll share direct links to the case documents in a separate post here. Lawyers, it seems, have delusions of grandeur as to their virtual reality games, and too often fail to deal in the rock, paper, scissors game where often, engineering and economics trump law to shape reality.

  • Loki57

    New York’s court naming structure is a bit odd, with their “Supreme
    Court” being a lower tier entry court, and not a final review court as
    that name implies in most other jurisdictions.

    Here’s Goldman’s Proposed Order to Show Cause, which rationalizes its
    properly illegal claims and adds a Motion for Replevin, around a bad
    2009 ruling linked below. Replevin is a process to recover one’s own
    property. Under US law for mail, there is no prior owner interest in
    property delivered to someone not requesting same, while IP, content use
    or disclosure, and such laws, are not about chattel subject to
    Replevin.

    https://iapps.courts.state.ny.us/fbem/DocumentDisplayServlet?documentId=YoaLWTa99YE_PLUS_G5JaNoIc2Q==&system=prod

    The Case INDEX NO.: 156295-2014E

    GOLDMAN, SACHS & CO. v GOOGLE, INC.

    http://iapps.courts.state.ny.us/iscroll/SQLData.jsp?IndexNo=156295-2014&Submit2=Search

    Both the judge and Plaintiff Counsel in “Rocky Mountain Bank v Google”
    in 2009 should have been sent to the involuntary loony bin as dangerous
    and delusional, based on what GS’s counsel is using as precedent in this
    Affidavit:

    https://iapps.courts.state.ny.us/fbem/DocumentDisplayServlet?documentId=PUYbZshTa9Dg36S6KWPwfw==&system=prod

    That’s based on bank counsel requesting, and the judge mindlessly
    signing off on, an order to shut down an unknown GMail account, with no
    information as to whose it was or what consequences might result, in
    order to help a bank that screwed up and recklessly sent someone
    confidential information. The GMail account holder might have been in
    the middle of moving, dealing with medical issues, or run a business
    with pending deals that would be lost with greater damages than the
    bank’s potential loss, with ZERO evidence of an actual, versus
    hysterical, claim of tipped scales. Note also how the bank admits an
    obligation to give notice of breaches, but claims it can avoid that if
    Google is ordered to tamper with email and shut down the user’s
    account.

    A reasonable penalty for those abuses by the judge and bank would be to
    shut down any of their personal and business accounts suddenly, and let
    the victim of the bank’s error choose which content to delete, plus be
    banned from doing business in either law or banking for a few years.

    Google, apparently after too much experience, has in this current case
    at least tried to define narrow conditions for a temporary suspension of
    the single problem email only, and avoid any broad fishing expedition
    with unknown potential harm.

    Note how in 50 pages of court filings, Goldman avoids identifying the
    scofflaw reckless contractor. That contractor, as to the business
    entity and individual, should be required to go on public record with
    testimony of first hand knowledge, rather than tolerate GS managers and
    counsel saying they know about this problem by a third party as hearsay, and won’t
    even say who the actual actor is.

  • Bill

    If Google is charged with removing the email, that’ll be setting a pretty bad precedent. GS needs to accept their responsibility in this, and do what they have to do to mitigate the damages. As Loki57 pointed out, why was actual client data being used for testing? That’s just common sense, street level, dumb.