Evan Schuman: What if you can't trust your inbox?

IT professionals are familiar with the business advantages of cloud-based communications, primarily anytime, anywhere access to email, on virtually any device. They also know a good deal about the dangers, such as outages that can result in access from nowhere, at no time and on no devices. But a new and quite ominous danger was flagged only last week, when Goldman Sachs moved in a New York state court to force Google to delete an email that the financial firm had accidentally sent to a Gmail user.

A ruling in Goldman's favor would be a big deal to enterprises.

Ever since email became a popular business tool in the mid-'90s, companies have relied on email files as mini-archives. For years now, when anyone has put an offer in writing, it has tended to take the form of an email. If a client or partner reneged on the terms of an agreement, you forwarded the initial email, with relevant passages highlighted. If the recipients had any doubts, they could access their own email archives to find their copy of the message. If the two matched, everyone pretty much conceded the point.

All of that changes, though, if senders win the right to have emails zapped. Our trust in cloud-based email archives will evaporate. Processes will change. Users or IT might begin routinely saving important emails to hard disks, away from potential manipulation by Google or anyone else, or doing screen captures of their most important emails. And companies that get burned might decide to pull email back from the cloud -- a possibility that suggests that Google will fight Goldman Sachs tooth and nail on this. (Scary thought: How many small-scale cloud operations without Google's resources have already given in to similar demands, with no court order needed?)

This is a new issue for email, but we have seen before that cloud providers can exercise a lot of control over the things we entrust to them. Most notoriously, Amazon, as a result of a publisher dispute, has taken back and deleted legally purchased e-books, music, games and videos. Clearly, when you cloud your data, it is subject to manipulation by anyone controlling those systems.

The details of this case, as outlined in Goldman's filing, are interesting. At issue is one email that was accidentally sent to the wrong person.

The Financial Industry Regulatory Authority (FINRA) requires financial firms to periodically generate reports about client investments. In addressing that FINRA requirement, Goldman's IT group sent the information needed for the report to its compliance department for validation. An unspecified outside technology consulting firm had been hired to assist with this process, according to the filing. On June 23, 2014, an employee of that consulting firm tried to send a copy of this report to a Goldman Sachs internal address, which would take the form of NAME@gs.com, "but instead mistakenly sent a copy of the internal report" to that same name but @Gmail.com. (Was this another autofill fail? The filing doesn't say.)

When it realized what had happened, Goldman sent a message to that Gmail address, but it never heard back, according to the court filing. Goldman then reached out to Google's incident response team to request that the email be deleted and was told that a court order was needed.

Thus the court filing, in which Goldman makes some arguments and claims that are quite frankly disconnected from the world of rational and reasonable thought. Goldman told the court: "Absent an immediate injunction to ensure that the mistakenly sent E-mail is not accessed in any way, our clients face the risk of an invasion of privacy and disclosure of sensitive, confidential information about themselves and their accounts. Further, Goldman Sachs faces the risk of unnecessary reputational harm if it cannot reassure its clients that their privacy is being properly safeguarded."

Wow. Those two sentences pack in a lot of misleading garbage. Where to start?

Well, how about that "unnecessary reputational harm"? Does that errant email threaten Goldman's reputation? Perhaps, but who among us has not accidentally sent an email to the wrong address? Of course, Goldman's customers could view it harshly, deeming the nature of the information that was handled negligently as requiring extra care. Fair enough. But how exactly does the need to "reassure its clients that their privacy is being properly safeguarded" become Google's responsibility? How does the court measure this (self-inflicted and perhaps earned) reputational harm against Google's interest in maintaining the trust of its cloud customers?

Then there's the question of remediating the harm that was done. If there is a real person behind that Gmail account, it seems fairly likely that Goldman's message was either deleted right away or forwarded to a bunch of people weeks ago. At this point, the damage is done. A favorable court ruling will do tons of damage to the business community, but it's not going to help this situation much, if at all.

No, what Goldman wants is to set a precedent. It wants to let Google and other cloud vendors know that they must do retroactive cleanup from typos whenever a large company asks for it.

So the second sentence from Goldman's argument that I quoted above is misleading. But the first sentence just isn't true. Goldman states that "absent an immediate injunction to ensure that the mistakenly sent E-mail is not accessed in any way, our clients face the risk of an invasion of privacy and disclosure of sensitive, confidential information." The statement would be true, absent that "absent" clause. But the reality is that Goldman's clients face that privacy risk no matter what the court rules.

What's at stake here is the integrity of business communications. Business people need to know that, once received, an email won't be changed, deleted or altered by anyone other than the recipient. People have come to expect that after almost 20 years of using Outlook and other packages that download all messages. The cloud is supposed to be an advance from that, not a manipulation-ready downgrade.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman. Look for his column every other Tuesday.

Read more about security in Computerworld's Security Topic Center.
