Security

December 15, 2009 6:11 PM PST

Scammers exploit Google Doodle to spread malware

by Elinor Mills
  • 16 comments

This Google Doodle featuring the Esperanto flag was exploited by scammers to spread malware, according to Barracuda Networks.

(Credit: Google)

Online scammers are taking advantage of the public's interest in the Google Doodle to spread malware, a security firm warned on Tuesday.

In so-called "SEO poisoning," scammers use search engine optimization techniques to increase the distribution of malware. They create special malware-rigged Web sites or hide malware on legitimate Web sites they've compromised and then use tags associated with popular search terms to get them listed high up in search engine results.

Typically, scammers capitalize on public interest in news events or celebrities, targeting searches like "Swine Flu" or "Michael Jackson death." But in the latest twist on this technique, scammers are exploiting interest in the Google Doodle, the graphics that often take over the Google logo on holidays or to mark special events.

For instance, the doodle on Tuesday showed a flag for Esperanto, a universal language created by L.L. Zamenhof which is based on parts from a variety of languages. Clicking on the doodle, located near the search box, brings up a list of search terms for "L.L. Zamenhof."

Dave Michmerhuizen, a research scientist at Barracuda Networks, found 31 poisoned sites among the first 100 results, 27 of them in the first 50 sites alone.

On the first results page was a link leading to a compromised Web site that redirects visitors to a fake antivirus site, according to Michmerhuizen. That site displays a fake alert saying the computer might be infected and does a fake scan before prompting the user to pay for antivirus software, he said.

A Google spokesperson said the company had already removed many of the allegedly malicious sites from the index using manual and automated processes to enforce the policies.

"As you probably know, the use of popular search terms to target malware is neither a new vector nor unique to any particular search engine. We work hard to protect our users from malware, and using any Google product to serve malware is a violation of our product policies," the spokesperson said in an e-mail.

"Our Safe Browsing technology is capable of detecting malware being served from sites that have been compromised," the Google e-mail said. "In fact, as we've explained publicly, we have been seeing more infections coming from compromised sites" across the entire Web.

The compromised site on the Google Doodle-related search results page leads to a site selling fake anti-virus.

(Credit: Barracuda Networks)

Originally posted at InSecurity Complex
December 11, 2009 11:44 AM PST

Note to Silicon Valley: How not to manage privacy

by Larry Downes
  • 10 comments

Editors' note: This is a guest column. See Larry Downes' bio below.

It's been a bad week for those, like me, who feel the debate over data privacy too often casts information businesses as evil Halloween monsters, determined to terrorize and humiliate their customers just for the fun of it.

On Monday, the Federal Trade Commission held the first of three conferences on privacy and technology, at which a parade of consumer advocates and legal scholars warned of an imminent data apocalypse.

Recent events seemed, alas, to support that view. Sprint, for example, reported that over the last 13 months, it has received more than 8 million requests for GPS data about customer location and movement from law enforcement agencies. (Sprint is now determining the number of customers affected, estimated to be in the thousands.)

Verizon and Yahoo filed objections to a Freedom of Information Act request that asked how much the companies charge to comply with government surveillance orders, claiming that release of the information would "shock" and "confuse" customers.

Then, Google's notoriously private CEO, Eric Schmidt, brushed aside a CNBC reporter's question about concerns that users are putting too much trust in his company, saying, "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."

Most disturbing of all is what happened over at Facebook, the social-networking behemoth that now hosts more than 350,000,000 members. Based in part on complaints by government agencies in Canada and Europe, the company announced in July that it had begun testing a more comprehensive and simplified set of privacy settings, promising to give users "even greater control over the information they share and the audiences with whom they share it."

After months of what looked like careful planning, Facebook implemented its new privacy policy and user tools this week.

The announcement landed flat on, well, flat on its face. A chorus of the usual suspects, including the Electronic Frontier Foundation and the American Civil Liberties Union of Northern California, cried multiple fouls, objecting both to the nature of the changes and the way in which they were being imperiously foisted on users. "Under the banner of simplification," said Electronic Privacy Information Center's Marc Rotenberg, "Facebook has pushed users to downgrade their privacy."

First, a word about the changes themselves. In a detailed exegesis published on Wednesday, EFF's Kevin Bankston divided the revisions into three categories: the good, the bad, and the ugly.

In the good column, Bankston noted that all Facebook users are being required to review their privacy settings and have been given new tools to simplify the process. For each individual post to their page, users can now limit who among their friends gets to see what. In the bad department, EFF doesn't like the recommended settings, which pretty much let everyone see everything.

The ugly, however, are genuinely ugly. The version of a user's Facebook page open to Facebook members and nonmembers alike will now show the user's name, profile picture, location, and gender, as well as a complete list of her friends. Most of that information can no longer be controlled other than by not providing it in the first place. (Facebook has already backtracked on the public availability of friends information.) And users can no longer opt out of letting Facebook and third-party applications, such as all those quizzes and tests my friends seem to spend most of the day filling out, access at least some information from their account and that of their friends.

Logic behind privacy policy changes
I understand why Facebook wants these changes. Given the sheer number of Facebook users, it's increasingly difficult to find friends when presented with a list of dozens of profiles with matching names and no other information.

As the company moves to find ways of making money from its network, moreover, open access to information about users is not just important--it's essential. Constraining the company's ability to publish and otherwise monetize that information limits the chances Facebook and other social-networking sites can continue to secure funding, compete in a wide-open market, and ultimately survive as a commercial enterprise.

That, at least, is the kind of reasonable explanation for the changes the company could have provided. Instead, it announced the new policy and implemented it at the same time, leaving no opportunity for user review or comment. According to EFF's Bankston, Facebook didn't disclose the creation of the new category of "publicly available information,"--that is, information about a user that cannot be controlled--until "the very day it is forcing the new changes on users." (Facebook did, in fact, allow a one-week comment period on a draft of the new policy, which is more than 5,000 words long, in early November.)

The company's reliance on good relations with its users makes the ham-fisted and tone-deaf nature of these changes both "shocking" and "confusing." After a minirevolt erupted earlier this year over changes to Facebook's terms of service, in which the company seemed to grant itself a more generous license for user data, a chastened CEO Mark Zuckerberg quickly reversed course.

More than that, Zuckerberg promised that future modifications would be developed in collaboration with users on an open-source model. "Our terms aren't just a document that protects our rights," Zuckerberg wrote on the company's blog, "it's the governing document for how the service is used by everyone across the world. Given its importance, we need to make sure the terms reflect the principles and values of the people using the service."

Exactly. So why didn't Facebook learn from its own painful lesson? While the company tested the new features with some users and solicited comments on the privacy policy over the last several months, Facebook reported in November that the number of comments it received on its draft proposal "did not reach the threshold to hold a vote." That's not a good thing.

Lessons not learned
Despite the high level of emotion, rightly or wrongly, that users attach to the topic of privacy, the new policy and tools simply arrived, providing some new protections even as existing controls were unceremoniously removed. Did the company think no one would notice? These and other recent privacy gaffes and missteps have unfortunate consequences.

Consumers, already uneasy about how increasingly intimate information is being handled online, will trust companies less, raising the potential for government regulations and new privacy agencies to fill a perceived void. That would be a dangerous result, and ultimately a counterproductive one.

Introducing new layers of regulatory bureaucracy will slow the pace of exciting innovations in information technology that have kept users engaged in the first place. And interjecting government oversight over any data raises the possibility of misuse of that information by other parts of the government, a problem made all too clear by continued revelations about secret surveillance under the wide umbrella of the Patriot Act and other antiterrorism measures.

The reality is that most information services do a good and responsible job of balancing user interests in controlling information access with value derived from transactional and other data that pay for much of what happens online.

Though often implicit, users today trade the use of information about their activities, purchases, and interests for innovative and often free services that analyze and aggregate that data. Such services help cell phone users locate their friends with Loopt, consumers simplify their search for products and services on Amazon and eBay, and connect with each other in the low transaction cost world of social-networking applications such as Facebook and Twitter.

The real problem: PR
The real problem here is not of policy but rather of public relations. Start-up companies increasingly invest early and often in legal counsel, in part to navigate the complex waters of intercompany relationships and in part to avoid potentially lethal litigation from patent trolls, unhappy competitors, and a global army of business regulators.

At the same time, marketing, as well as public and government relations, get little attention, as companies believe that enthusiastic users are now the best form of PR a young company can get and at a price that can't be beat.

Maybe so. But as information exchanges have moved from the purely pedestrian business-to-business networks of the 1980s to the everything-and-everybody sharing that characterizes our increasingly digital lives, companies who discount or dismiss the emotional and even irrational attachment consumers have to information about themselves do so at their peril.

It's not that Google, Facebook, and others need to change in any fundamental way how they do business. They must rather rethink the casual, careless, and often conceited way with which they communicate to users, business partners, regulators, and other stakeholders. When the lawyers lead, everyone loses.

For companies like Facebook today and everyone else tomorrow, users and the data they provide are not just the most valuable asset; they are the only asset. As consumers absorb that fact, they will increasingly use the tools of online communities--ironically, tools provided by social-networking sites themselves--to express their dissatisfaction with unequal exchanges of information for value. Better to collaborate with them now than to negotiate later, at the end of a gun.

Facebook, as Mark Zuckerberg correctly noted, is a kind of virtual nation, where terms of service and other policy documents serve as Constitution and governing law. As such, changes to both policy and practice require honest deliberation and engagement with the residents.

They can no longer be delivered as fait accompli. For one thing, it's pretty easy for virtual citizens to revolt against a government they don't like, or simply pack up and move somewhere less tyrannical. Easier than it is in the physical world, in any case.

December 10, 2009 3:15 PM PST

Mozilla worker touts Bing over Google, citing privacy

by Ina Fried
  • 69 comments

Google CEO Eric Schmidt is the latest Silicon Valley CEO to draw ire after suggesting that folks seeking privacy might not want to look to the Internet to find it.

"I think judgment matters," Schmidt said, appearing on CNBC (see video below). "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place. If you really need that kind of privacy, the reality is that search engines--including Google--do retain this information for some time and it's important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities."

In some senses, Schmidt was merely stating the truth about the U.S. law as it currently stands. However, his "maybe you shouldn't be doing it in the first place" comments, in particular, seem to have raised the hackles of privacy advocates and others.

Among the most interesting reactions was a posting on a Mozilla veteran's personal Web page suggesting that users might want to switch to Bing because of its better privacy policy.

"That was Eric Schmidt, the CEO of Google, telling you exactly what he thinks about your privacy," Mozilla Director of Community Development Asa Dotzler said on his personal blog, referring to the CNBC comments. "There is no ambiguity, no 'out of context' here. Watch the video."

From there, Dotzler shows how one can easily switch Firefox's search engine from Google to Bing, adding, "Yes, Bing does have a better privacy policy than Google."

To be fair, the Patriot Act and other laws apply just as much to Microsoft as they do to Google. Still, I think Dotzler's posting raises some interesting issues. Plus, it's particularly noteworthy that a Mozilla worker is willing to raise the issue given how the lion's share of Mozilla's revenue comes from the Google traffic generated from Mozilla's search bar.

The difference, in my opinion, isn't that Microsoft is somehow subject to different laws than Google, or even that it would behave differently in the face of a government challenge (both companies kowtow in China, for example). Rather, the two companies seem to have a different approach toward privacy issues.

Google's attitude tends to focus on the great benefits that open information can, and often does, have. Plus, of course, its stance is an outgrowth of the fact that Google has built its business around gaining revenue by doing the best job of organizing that information.

That shows up in all kinds of ways. Mozilla Developer Relations Director Christopher Blizzard noted in a Twitter posting that sites users visit in Chrome get sent to Google.

"Everyone knows that every site you visit and all address bar searches in Chrome go to Google, right?" Blizzard wrote. (I sent an e-mail to Mozilla seeking its corporate take on things, but did not immediately get a response.)

Microsoft's approach, meanwhile, stems no less from its economic interest, but its zeal is tempered by years of heavy regulation and consumer backlash.

These differences in attitudes, and shifting tides in the center of power in the tech industry, I expect to be major issues in the coming years as regulators and consumers decide where to place their attention.

That said, Schmidt is hardly the first to point out that the idea of privacy on the Internet might be outmoded. "You already have zero privacy. Get over it," former Sun CEO Scott McNealy famously intoned, drawing many of the same criticisms.

Obviously, privacy advocates argue that protections must extend to the Internet. In a blog posting, security expert Bruce Schneier makes a passionate argument, although I think it is interesting that he digs up an essay from 2006 to make his reply.

"Privacy protects us from abuses by those in power, even if we're doing nothing wrong at the time of surveillance," Schneier wrote. "We do nothing wrong when we make love or go to the bathroom. We are not deliberately hiding anything when we seek out private places for reflection or conversation. We keep private journals, sing in the privacy of the shower, and write letters to secret lovers and then burn them. Privacy is a basic human need."

So what do you think? Is privacy a basic human need, or a quaint, outdated notion, or is it, paradoxically, both of those things?

Originally posted at Beyond Binary
December 8, 2009 12:01 AM PST

Google sues over alleged work-at-home scams

by Elinor Mills
  • 33 comments

Google is taking legal action to stop companies from allegedly using the search giant's name to trick people into paying for supposed work-at-home kits advertised online and in e-mails.

The company filed a lawsuit on Monday in federal court in Salt Lake City against Pacific WebWorks and other, unnamed defendants alleging trademark infringement and dilution, unfair competition, federal cyberpiracy, and violation of consumer sales practices. The lawsuit can be amended to add the names of additional defendants as they are uncovered.

"This action seeks to stop a widespread Internet advertising scam that is defrauding the public by misusing the famous Google brand," the suit says. "The scam victimizes unsuspecting consumers by prominently displaying the famous Google mark, by suggesting sponsorship by the plaintiff Google Inc., and by urging consumers to obtain a kit supposedly showing them how to make money working from home with Google."

A call to Pacific WebWorks seeking comment on allegations of fraud was not returned on Monday.

This screenshot shows one of the fake news sites being used to trick people into paying for work-at-home kits that ostensibly are being offered by Google. There is no Google Adwork program.

(Credit: Google)

People are targeted either via online ads, pop-up ads, or promotional e-mails that promise information on how to make money by working at home. The ads typically display the Google brand prominently and include a link to a site with what looks like legitimate news articles, blog postings, or social-networking posts and sites featuring testimonials from people claiming to have made thousands of dollars per month from the program.

Consumers are asked to pay an "instant access" fee for access to a members-only portal or a "shipping and handling fee" for a DVD that supposedly explains how to make money through the program, according to the lawsuit. Many victims who pay the fees, typically a few dollars, either do not get DVDs, receive DVDs that contain viruses, or get access to an unrelated free site, such as Google's online help center, the suit says.

Meanwhile, people who have provided their credit card information, e-mail, and home addresses find that their credit cards are thereafter charged $50 to $79.90 every month, according to the lawsuit. Consumers find it difficult, if not impossible, to cancel the charges or get refunds, the suit alleges.

The defendants are part of a network that reuses Web sites and shares tools to perpetuate the scams with little effort, the lawsuit alleges. For instance, the same templates are used to generate fake testimonials, blogs, and news stories, often ones that are customized to the location of consumers, the lawsuit alleges.

There are numerous affiliates but Pacific WebWorks is believed to be one of the main operators behind many of the schemes, said Jason Morrison, a search quality engineer at Google.

"These scams play upon some powerful methods of persuasion. Not just by using Google's logo, but we often see 'as seen on CNN, Fox News and ABC,'" he said in an interview. "I don't know if people understand how easy it is to copy an image file on a Web page. They also try to use social proof by creating a fake blog, with a photo of the blogger from his wedding, the new car he bought, and explaining how he lost his job. They go to great lengths to string people along."

Google works to remove the fraudulent ads from its search results and ad network and to keep new fraud sites from popping up in the index, but new ones are created all the time, according to Morrison.

He suggested that people do some Web research before answering any ads and look to see if consumers have complained online about the company, as well as be skeptical of any offers that sound like they are too good to be true. Victims should contact their bank or credit card company and report fraudulent-looking results found in Google searches here and fraudulent-looking ads here.

More information from Google about the scams is in this Google blog post.

This isn't the first action taken against alleged work-at-home scams. The U.S. Federal Trade Commission obtained an injunction and asset freeze in Nevada against a group of sites operating a scam using the "Google Money Tree" name this summer. Some fraudulent sites were removed, but thousands remain, Google said.

Last month, a class action suit was filed in state court in Illinois against Pacific WebWorks by Barbara Ford, who is described as "elderly, retired and on a fixed income."

Ford claims she clicked on an ad on her AOL home page with a fake news article describing how one woman made $5,000 a month with the program. She alleges she paid $1.97 for a "Google Business Kit" and that her credit card was also charged $79.90. She called the company to request a refund and never received one, according to the lawsuit.

There also are a number of complaints listed about Pacific WebWorks on the Rip Off Report Web site.

Originally posted at InSecurity Complex
December 3, 2009 9:39 AM PST

Google wants to unclog Net's DNS plumbing

by Stephen Shankland

Google wants to speed up a key part of the Internet's inner workings called the Domain Name System and is inviting technically savvy folks to try their ideas out.

The DNS is a crucial part of the Internet. It converts the text addresses people can remember into the numeric Internet Protocol addresses actually used to locate information on the Internet. For example, CNET.com's IP address is 216.239.122.102.

When you visit a Web page, a DNS server that's part of a vast distributed network often must perform that conversion--called resolving a host--many times. With the Google Public DNS service, Google wants to be that server.

"Our research has shown that speed matters to Internet users, so over the past several months our engineers have been working to make improvements to our public DNS resolver to make users' Web-surfing experiences faster, safer, and more reliable," said product manager Prem Ramaswami in a blog post introducing the Google Public DNS service.

Google's search service already has made it central to the workings of the Internet. If its DNS service becomes popular, Google could become even more significant.

For those who want to give it a whirl, Google posted instructions on using the Google Public DNS service. For those worried about what traces your Web surfing will leave in Google's records, check the Google DNS privacy page.

... Read the full post at CNET's CES 2010 blog

Originally posted at Deep Tech
November 23, 2009 12:29 PM PST

Chrome OS security: 'Sandboxing' and auto updates

by Elinor Mills
  • 23 comments

With most computers threatened by attacks coming through Web applications, it's no surprise that security would be a key piece of Chrome OS, Google's browser-based operating system that stores data in the cloud.

In this video, Google security engineer Will Drewry explains how Chrome OS separates user data from root or system data, which makes the system more secure and makes it easier to reinstall the operating system.

(Credit: Google)

Google showed off its new lightweight operating system designed for Netbooks and cloud computing on Thursday. As anticipated, it will rely on many of the same security features and concepts used by the Chrome browser.

"The browser is the operating system. We've expanded the browser to add operating system functionality," Caesar Sengupta, a group product manager at Google, said in an interview.

Chrome OS uses a combination of operating system-level protections and exploit mitigation techniques to limit the attack surface, or amount of code that can be targeted in an attack, and to reduce the likelihood of an attack being successful. "The biggest security impact is that all applications run within the browser," Sengupta said.

Chrome relies heavily on sandboxing, keeping different processes and applications in separate partitions. This limits the interaction between applications and the OS kernel.

For example, with conventional operating systems, if an application crashes, it can crash or otherwise affect other programs that are running, Sengupta said. "But if everything is sandboxed, that becomes more difficult to do," he added.

Many systems are compromised by deceptive attacks, such as when a user opens an innocent-looking PowerPoint file which unleashes a virus or other malware that can get access to everything on the computer.

With Chrome, "applications can't just download any binary and run it," Sengupta said.

Chrome has a verified boot process that uses cryptography to ensure that the Linux kernel, the nonvolatile system memory, and the partition table are not tampered with when the system starts up, according to a security overview of Chrome. (Google security engineer Will Drewry explains the security concepts of Chrome OS in a video on YouTube.)

"Right now, on your conventional operating system, any kind of process can run, which makes it difficult to predict what any process will do," Sengupta said. "On Chrome, because the whole operating system is essentially signed by Google, there is a lot we can do to make it secure."

If an application manages somehow to break out of the browser sandbox, to get through the kernel hardening and processing infrastructure, and manages to change something on the operating system, the changes will be detected the next time the user boots up the machine. "As soon as it detects something is different and not signed by Google, it will warn the user and try to clean itself again," Sengupta said.

Cleaning up is easier than with a standard operating system, too, because the system data is separated from the user data, which includes user preferences, system settings, and a local cache of data stored on the Google servers in the cloud, he said.

All user data stored by the operating system, browser, and any plug-ins are encrypted and users cannot access each others' data on a shared device, according to the Chrome OS security page.

Meanwhile, Chrome will automatically update to get the most recent software and patches for the operating system, just like the Chrome browser updates in the background while users are online, Sengupta said. Users will not run the risk of having their system get infected or compromised before they can install updates, as happens with Windows and other software.

In addition, the antiphishing technology found in the Chrome browser will protect Chrome OS users from inadvertently visiting malicious Web sites, he said.

Google is publishing detailed design documents on Chrome OS, which will allow security experts to scour the code for weaknesses over the next year before the operating system is released to the public, according to Sengupta.

There are some security and networking technologies that are supported in other operating systems that Google is passing on, at least for now.

Google will keep an eye on biometric authentication technologies, but believes that the cost/reliability trade-off is not where it needs to be just yet, according to the security overview for Chrome OS. Smart cards and USB crypto tokens are "interesting technology, but we don't want our users to have to keep track of a physically distinct item just to use their devices," the overview concludes.

Google is likewise not interested in Bluetooth, a wireless protocol widely used in laptops and handheld devices, for authentication. "Bluetooth adds a whole new software stack to our login/screenlocker code that could potentially be buggy, and the security of the pairing protocol has been criticized in the past," the security overview says.

Updated November 24 to clarify that Bluetooth is not being considered for authentication.

Originally posted at InSecurity Complex
November 5, 2009 9:44 AM PST

Google privacy controls: Most people won't care

by Matt Asay
  • 21 comments

Google's biggest threat is no longer Microsoft. It is itself.

As the company harvests copious quantities of personal data, it becomes dramatically better at serving customer needs...

...and at freaking them out over privacy concerns.

In other words, Google gets stronger with every Google Doc created, every Google Voice call dialed, and every Gmail e-mail sent. It becomes stronger because data is the heart of the Web's biggest businesses, as Redmonk analyst Stephen O'Grady implies.

But in so doing Google also becomes more threatening to the very consumers it is trying to serve.

Google Dashboard is meant to change this by putting consumer data back in the hands of consumers. It's a move that follows on Google's earlier pledge to "open data" and its Data Liberation Front.

Yes, but will he give me better search?

(Credit: U.S. Army)

As CNET reports, Dashboard lets people review the personal data Google has stored for them, delete it, and alter future collection policies. It's a great way for Google to mollify concerned users, putting control back in their hands.

Still, it's almost certainly never going to be used by the vast majority of Google users. Ever.

Why? Because for all our hand-wringing over privacy--and for good reason--the reality is that most of us, most of the time, really don't care. Or, rather, if accessing useful services or getting work done more efficiently requires some privacy concessions, we gladly concede.

It's not that we don't value our privacy. It's just that in many contexts, we value other things as much or more. We weigh the risks versus the benefits, and often the benefits trump the privacy risks.

It's the same thing with file formats. For years we've been agonizing over Microsoft's lock-in of customers through proprietary file formats (.pst, .doc, etc.). Now Microsoft is opening up the specifications for file formats like .pst (Outlook file format), and yet it will almost certainly change little to nothing in what products most people use most of the time.

People don't use Microsoft Office because they're forced to. They do so because it's convenient. (Yes, an argument can be made that it's convenient because Microsoft has forced network effects through lock-in.)

This, incidentally, is exactly the reason that Wednesday night I declared a ban on Microsoft Office in our family in favor of Google Docs--and didn't opt for OpenOffice (which we also use). I got sick of having to recover documents and perform other IT tasks related to a locally installed office suite, open source or proprietary. And I find it easier to let Google handle the back-end IT operations.

I wasn't trying to evade lock-in. I was trying to increase personal happiness.

Am I concerned about Google snooping on the documents we write and store in Google Docs? Let's just say I worry more about my time fixing Office than whether Google gleans any information from my 12-year-old's seventh-grade essay.

Dashboard leaves Google in the prime position of being able to honestly say that it doesn't control user data, while still delivering increasingly beneficial services based on that data. It will not change the way that the vast majority of consumers use Google, but it just might change the way they think about Google.

A very smart move by Google, one that all data-driven businesses should emulate.


Follow me on Twitter @mjasay.

Originally posted at The Open Road
Matt Asay brings a decade of in-the-trenches open-source business and legal experience to The Open Road, with an emphasis on emerging open-source business strategies and opportunities. Matt is vice president of business development at Alfresco, a company that develops open-source software for content management. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure. You can follow Matt on Twitter @mjasay.

October 13, 2009 2:26 PM PDT

Google's Postini suffers prolonged e-mail delays

by Tom Krazit
  • 13 comments

As of 2:15 p.m. Tuesday e-mail delivery had started to return to normal for some Postini customers, although problems remained.

(Credit: Screenshot by Tom Krazit/CNET)

Some customers of Google's Postini e-mail security product experienced significant problems Tuesday, with reports of hours-long delays in e-mail delivery that are still affecting some customers.

Threads about the issue spread throughout Google's Postini forums. The problem seemed to begin overnight on System 7--one of several systems used by the service--and was still affecting some customers as of Tuesday afternoon, although e-mail delivery had resumed for others. Users also reported problems accessing the management consoles used to log into the Postini service, preventing them from understanding exactly what was happening.

Postini, acquired by Google in 2007, offers e-mail security services to businesses. Postini scans all e-mails directed to the networks of its customers for viruses, malware, and spam, passing along the genuine messages to the network once they have been cleared. However, on Tuesday it appeared that for a significant portion of the morning, all messages for customers using System 7 were blocked before they reached their destination, and customers could not log into their accounts to see what was going wrong.

A Google representative acknowledged the e-mail delivery delays in a statement. "We're aware of an issue that's causing a delay in mail delivery for some Postini customers in the US, and are working to fix it as quickly as possible. We know how important mail is to our users, so we take issues like this very seriously, and apologize for the inconvenience. We encourage anyone having technical difficulty to visit the Postini support portal at https://www.postini.com/support/support_login.php."

It has not been a good week for the cloud. Hosted applications and services such as Postini were sure to get a second look following the debacle at Microsoft involving the Sidekick and possible data loss.

It's also another example of Google's growing pains with customer support. Google Checkout customers reported significant issues for over a month without any resolution, and angry e-mail administrators on Postini's message boards complained that Google support personnel were very difficult to reach during Tuesday's issues.

Google support technicians promised some Postini customers--who pay between $12 per user per year and $25 per user per year--that their e-mails were not lost, which is at least some good news for customers affected by the problems. But running a business without e-mail in the 21st century is a very difficult thing to do.

Originally posted at Relevant Results

October 6, 2009 6:54 AM PDT

Gmail also hit by e-mail phishing scheme

by Don Reisinger
  • 23 comments

Hotmail users aren't the only ones who've been hit by a phishing scheme over the past week. Google told BBC News on Tuesday that Gmail users have also been affected by the hackers who posted passwords online.

The problem is far more widespread than was disclosed on Monday, possibly affecting Yahoo and AOL e-mail accounts as well, according to BBC News.

Google described the issue as an "industrywide phishing scheme." BBC News said it has seen two lists posted online with "more than 30,000 names and passwords" from Gmail, Yahoo, AOL, Microsoft's Windows Live Hotmail, and other service providers.

"We recently became aware of an industrywide phishing scheme through which hackers gained user credentials for Web-based mail accounts including Gmail accounts," a Google representative told me in an e-mail.

The representative said that Google immediately "forced password resets on the affected accounts."

In an e-mail to CNET, a Google representative said that the company had to reset the passwords on fewer than 500 Gmail accounts so far. However, that figure could change.

Despite Google's and Microsoft's awareness of the problem, it doesn't seem that users are out of the woods just yet. Google's representative told CNET that it will continue to force password resets on any newly affected user accounts.

Like Microsoft, Google was quick to point out to the BBC that the phishing scheme was a "scam to get users to give away their personal information to hackers" and not an internal security issue. It didn't say how users fell victim to the scheme.

Google's admission that Gmail users were affected by the phishing scheme comes on the heels of Microsoft acknowledging that over 10,000 Live Hotmail accounts were compromised by the scam. The passwords apparently first hit the Internet on October 1.

Updated at 9:10 a.m. PDT to include Google's comments.

Originally posted at Webware

Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, and posts at The Digital Home. He is not an employee of CNET. Disclosure.

September 29, 2009 3:01 PM PDT

Misfired e-mail was never viewed by Gmail user

by Elinor Mills
  • 65 comments

A sensitive e-mail mistakenly sent by a bank to a Gmail address that prompted a court to order Google to deactivate the account was not viewed by the recipient and has been deleted, the bank said on Tuesday.

The e-mail, sent by an employee of Jackson, Wyo.-based Rocky Mountain Bank on August 12, contained names, addresses, Social Security numbers, and loan information of more than 1,300 bank customers.

The bank sent another e-mail asking that the data be destroyed and went to court to get Google to intervene on its behalf. Last week, a judge in U.S. District Court in San Jose, Calif., ordered Google to deactivate the Gmail account and Google complied. Google and the bank quickly resolved the matter and the court granted their motion to dismiss the case and allowed Google to reactivate the Gmail account.

"Rocky Mountain Bank, working with Google (through court order), confirmed on Thursday of last week that the e-mail containing client information was never opened and has now been permanently destroyed by Google's system," Tina Martinez, general counsel for Rocky Mountain Capital, wrote in an e-mail response to questions.

"As a result, no customer data of any sort has been viewed or used by any inappropriate user during this data lapse," Martinez wrote. "Rocky Mountain Bank acted to protect its customer's confidential information. That objective was accomplished. The matter is now closed and the TRO (temporary restraining order) entered on September 23, 2009 is now vacated."

Asked for comment, a Google spokesman said: "To protect the privacy of our users, we do not comment on their use of Google services."

The case poses some interesting questions. For instance, should the person who registered the e-mail address lose access to the account or have items deleted without his or her permission, particularly through no fault of their own?

And what recourse would the bank have if the data had been sent via regular mail to the wrong address? The U.S. Postal Office certainly doesn't have the ability to see the envelope sitting on the recipient's desk and vaporize it.

Update 4:35 p.m. PDT: The bank did not take any action against the worker who sent the e-mail, the bank's lawyer said.

Originally posted at InSecurity Complex