This is page 2 of:
The Legal View: When Google Grabs And Posts Your Password, Can You Sue?
Technically, Google “published” the index of the document. But this document was already “published” online. Indeed, Google could not have prevented its crawler from indexing the document—once the crawler found it (although the document could later be removed from the index). Google had no idea that the document was sensitive, nor did it have a particular duty to the retailer to not index what it believed was “public” information.
So, did Google’s crawler “break in” to the retailer’s store? Was there a “trespass?” If so, Google may have both civil and criminal liability. If not, the retailer is out of luck. Should Google have known that this particular document was not intended to be public? The retailer certainly didn’t “invite” Google to index its documents. The retailer did not give Google “permission” to post the index to its documents. The document could have contained really sensitive information, including PCI data, health data or worse. Does Google have no liability here, or is this the Wild West—if it can be found online, it can be posted for all to see.
The real problem here—from both a legal and a practical point of view—is that no humans are involved. If a “person” were to find a document in an unlocked or unsecured office, that person would likely be able to make a judgment about whether that document was supposed to be publicly accessible. But with billions of documents “accessible” online, it is simply not practical to have a human index them. Indexing is what Google does—and, usually, this indexing helps retailers. It is the crawling and indexing that enables users to find the retailer, locate products or services, find a local store, contact key personnel, respond to marketing pitches and even find coupons or specials. Indexing is good. But indexing becomes bad when the retailer—or some other third party—makes something “available” that it doesn’t want indexed. But the crawler can’t tell that. So even though the crawler, in some way, “took” a document it shouldn’t have, and in a sense “published” that document, and did those things for commercial purposes (to help Google make money), it is unlikely that Google would have significant liability for these actions.
If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.
-Marc
April 7th, 2011 at 5:35 pm
Google indexing turns up a multitude of sins. For example the well published fact that because many credit cards share the first eight digits, try googling the first 8 digits of your own card, and you will in all likelyhood find a few lists of cards completely un-secure. The other is googling somethign like “drivers licence” or “passport” in images.google.com and see how many people have scanned their passport or drivers licence and published it on the web (and of course, some US states use social security numbers as passport numbers”.
April 11th, 2011 at 11:37 pm
Google didn’t “post” the password, they did.
The analogy of putting the document in an unlocked office is flawed. Everything on a public facing web server is the same as putting it on a bulletin board on the outside of your retail location. Google is nothing but a photographer, driving by and taking pictures of whatever they see on the bulletin board, and making that information available.
If they didn’t want their non-world-facing data exposed, they should have at least posted the web-equivalent of a “No Photographs” sign: a robots.txt file. Not that these are in any way enforceable, and should never be mistaken for a security measure, but at least Google obeys them.
Having login credentials in a document posted on a public web server is as negligent as leaving your car keys in your running vehicle while you hop in for a soda at the sketchy 7-11 in a bad neighborhood. In many jurisdictions, it’s actually illegal to be that negligent. This is from a recent Texas ad campaign: http://www.txdmv.gov/protection/auto_theft/hold_key.htm
In this case the web shouldn’t be treated much different.