I am a little bit mystified at the expressions of shock and outrage (yes, "outrage") at the news that Judge Ware has granted Rocky Mountain Bank's request for a TRO deactivating a Gmail account to which the bank had carelessly e-mailed detailed financial information on 1,325 bank customers.
Apparently this development alarms the many people out there in cyberspace who have the same attachment to their e-mail accounts as the National Rifle Association does to firearms.
The victims here are the bank customers, whose personal information is now certainly residing on several Google servers and possibly countless other online locations. The reasoning in the bank's motion for a temporary restraining order and the declaration of its president strikes me as unassailable. The bank has a duty to do what it can to safeguard the personal, financial information of its customers.
The bank's customers are presently at risk of identity theft. The bank's shareholders are at risk of seeing their investment wiped away by a nasty data breach incident. Inaction, not action, is what should provoke "outrage" in these circumstances.
Google is also doing the right thing, following its privacy policy and the Electronic Communications Privacy Act by insisting on a court order before turning over information about its users. Now it has just such an order. Google's lawyer, Al Gidari of Perkins Coie in Seattle, filed an appearance in the case this afternoon. In another case, Google offered only token opposition, see the "Skanks of NYC" ruling, a precedent that may be relevant here.
As for the owner of the Gmail account, who has not yet been identified and who did not respond to the bank's subsequent attempts to contact him or her via the Gmail account, it is very difficult to see what rights might have been infringed by the bank's action against the account. Speculation about whether computer users have First Amendment claims against private computer network operators is interesting but fanciful.
Here are three cases that say computer users have no First Amendment rights against network operators:
- Kinderstart.com v. Google Inc., No. 06-2057 (N.D. Cal., July 13, 2006) (Google has no First Amendment duty to protect free speech rights of websites it indexes);
- Howard v. America Online Inc., 208 F.3d 741 (9th Cir. 2000)(interactive computer network is not a common carrier under Communications Act, not a state actor for First Amendment purposes);
- Estavillo v. Sony Computer Entertainment, No. 09-3007 (N.D. Cal., Sept. 22, 2009)(Sony Playstation 3 Network owed no First Amendment duty to user terminated for allegedly violating terms of use).
I'm not aware of any cases going the other way, or cases remotely suggesting that the owner of the Gmail account at issue in the Rocky Mountain Bank case has been denied due process or any other constitutional or statutory right. Hey, he or she has already gotten more due process than you get at Twitter.
Venkat has more to say here.
I'm confused by your three case citations. It's well-understood that private network operators aren't bound by the First Amendment because they are not state actors. But here, the court was ordering a prospective deactivation of an email account for a user who had done nothing wrong. This relief order looks much more like a prior restraint than cases where a non-state actor makes an analogous decision. Eric.
Posted by: Eric Goldman | September 27, 2009 at 08:56 AM
I know "confused" is your nice way of saying I missed something. And I guess I did. Because I couldn't see where the Gmail account holder was doing anything worthy of First Amendment protection. I'm not sure exactly how this would work, but first there would need to be some sort of expressive conduct, yes? Oh well, apparently this is going to remain an academic discussion. Google and the bank settled up this weekend. The bank must have obtained what it wanted.
Posted by: Thomas O'Toole | September 28, 2009 at 12:45 PM
I agree with you and I think the issue may be blown out of proportion. The account has been deactivated temporarily according to the order granting the TRO. Furthermore, it prohibits the user as well as Google from accessing the account. Finally, Google must tell the Court and the Bank the status of the account. When Google finds that it has not been accessed and that the email has been deleted or removed to the Bank’s satisfaction, then the account will likely be restored. That much is clear to me from the order. This is line of thinking is further bolstered by the motion to vacate the TRO reactivating the account.
I think the First Amendment issues are also exaggerated. I view the temporary restrictions on access to the Gmail account by the court order as nothing more than time, manner, and place restrictions on speech. Additionally, the lack of Gmail access does not prevent the person from using another account to speak, or use his account at a later time to speak. It is also possible that the Gmail account may belong to a someone other than a “person” under the 14th Amendment. Given the global nature of Google’s users, the US constitution may not even apply.
I think the temporary deactivation of the Gmail account is the appropriate response under the circumstances. After all, the bank must abide by the GLBA Safeguards Rule and respond to the incident in this fashion. The interagency guidelines establishing information security programs require that the bank “[t]ak[e] appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence.” (12CFR Part 30 App. B for the OCC version). Given the ease with which such information can be sent onto other email accounts, preventing the Gmail user from accessing the information is necessary under the circumstances.
However, I am not sure that Google needed the court order in order to disable the account. While I was unable to find a provision that authorized Google to suspend an account without terminating it, Google’s ToS states “[y]ou acknowledge and agree that if Google disables access to your account, you may be prevented from accessing the Services, your account details or any files or other content which is contained in your account.” Therefore, the ToS appears to authorize suspensions in service.
Furthermore, Google’s Privacy Policy states that it can share information with third parties where “[w]e have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law.” Therefore, Google did not necessarily need the court order in order to disclose the information. However, considering that Google takes a lot of criticism for privacy, the requirement of a court order before suspending the account may have made sense from a PR standpoint.
Posted by: Mehmet Munur | September 29, 2009 at 08:01 PM