Evan Schuman: What if you can't trust your inbox?
- 08 July, 2014 22:40
IT professionals are familiar with the business advantages of cloud-based communications, primarily anytime, anywhere access to email, on virtually any device. They also know a good deal about the dangers, such as outages that can result in access from nowhere, at no time and on no devices. But a new and quite ominous danger was flagged only last week, when Goldman Sachs moved in a New York state court to force Google to delete an email that the financial firm had accidentally sent to a Gmail user.
A ruling in Goldman's favor would be a big deal to enterprises.
Ever since email became a popular business tool in the mid-'90s, companies have relied on email files as mini-archives. For years now, when anyone has put an offer in writing, it has tended to take the form of an email. If a client or partner reneged on the terms of an agreement, you forwarded the initial email, with relevant passages highlighted. If the recipients had any doubts, they could access their own email archives to find their copy of the message. If the two matched, everyone pretty much conceded the point.
All of that changes, though, if senders win the right to have emails zapped. Our trust in cloud-based email archives will evaporate. Processes will change. Users or IT might begin routinely saving important emails to hard disks, away from potential manipulation by Google or anyone else, or doing screen captures of their most important emails. And companies that get burned might decide to pull email back from the cloud -- a possibility that suggests that Google will fight Goldman Sachs tooth and nail on this. (Scary thought: How many small-scale cloud operations without Google's resources have already given in to similar demands, with no court order needed?)
This is a new issue for email, but we have seen before that cloud providers can exercise a lot of control over the things we entrust to them. Most notoriously, Amazon, as a result of a publisher dispute, has taken back and deleted legally purchased e-books, music, games and videos. Clearly, when you cloud your data, it is subject to manipulation by anyone controlling those systems.
The details of this case, as outlined in Goldman's filing, are interesting. At issue is one email that was accidentally sent to the wrong person.
The Financial industry Regulatory Authority (FINRA) requires financial firms to periodically generate reports about client investments. In addressing that FINRA requirement, Goldman's IT group sent the information needed for the report to its compliance department for validation. An unspecified outside technology consulting firm had been hired to assist with this process, according to the filing. On June 23, 2014, an employee of that consulting firm tried to send a copy of this report to a Goldman Sachs internal address, which would take the form of NAME@gs.com, "but instead mistakenly sent a copy of the internal report" to that same name but @Gmail.com. (Was this another autofill fail? The filing doesn't say.)
When it realized what had happened, Goldman sent a message to that Gmail address, but it never heard back, according to the court filing. Goldman then reached out to Google's incident response team to request that the email be deleted and was told that a court order was needed.
Thus the court filing, in which Goldman makes some arguments and claims that are quite frankly disconnected from the world of rational and reasonable thought. Goldman told the court: "Absent an immediate injunction to ensure that the mistakenly sent E-mail is not accessed in any way, our clients face the risk of an invasion of privacy and disclosure of sensitive, confidential information about themselves and their accounts. Further, Goldman Sachs faces the risk of unnecessary reputational harm if it cannot reassure its clients that their privacy is being properly safeguarded."
Wow. Those two sentences pack in a lot of misleading garbage. Where to start?
Well, how about that "unnecessary reputational harm"? Does that errant email threaten Goldman's reputation? Perhaps, but who among us has not accidentally sent an email to the wrong address? Of course, Goldman's customers could view it harshly, deeming the nature of the information that was handled negligently as requiring extra care. Fair enough. But how exactly does the need to "reassure its clients that their privacy is being properly safeguarded" become Google's responsibility? How does the court measure this (self-inflicted and perhaps earned) reputational harm against Google's interest in maintaining the trust of its cloud customers?
Then there's the question of remediating the harm that was done. If there is a real person behind that Gmail account, it seems fairly likely that Goldman's message was either deleted right away or forwarded to a bunch of people weeks ago. At this point, the damage is done. A favorable court ruling will do tons of damage to the business community, but it's not going to help this situation much, if at all.
No, what Goldman wants is to set a precedent. It wants to let Google and other cloud vendors know that they must do retroactive cleanup from typos whenever a large company asks for it.
So the second sentence from Goldman's argument that I quoted above is misleading. But the first sentence just isn't true. Goldman states that "absent an immediate injunction to ensure that the mistakenly sent E-mail is not accessed in any way, our clients face the risk of an invasion of privacy and disclosure of sensitive, confidential information." The statement would be true, absent that "absent" clause. But the reality is that Goldman's clients face that privacy risk no matter what the court rules.
What's at stake here is the integrity of business communications. Business people need to know that, once received, an email won't be changed, deleted or altered by anyone other than the recipient. People have come to expect that after almost 20 years of using Outlook and other packages that download all messages. The cloud is supposed to be advance from that, not a manipulation-ready downgrade.
Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at firstname.lastname@example.org and he can be followed at twitter.com/eschuman. Look for his column every other Tuesday.
Read more about security in Computerworld's Security Topic Center.