Japanese Gov't Accidentally Shares Internal Email Over Google Groups

itwbennett writes "An official at Japan's Ministry of the Environment created a Google Group to share email and documents related to Japan's negotiations during a meeting held in Geneva in January, but used the default privacy settings, which left the exchanges wide open. According to Japan's Yomiuri Shimbun newspaper, over 6,000 items, including private contact information of government officials, was publicly accessible. Michihiru Oi, a ministry official, said the ministry has its own system for creating groups and sharing documents, but it doesn't always function well outside of Japan, sometimes leading to 'poor connections' and a 'bad working environment.'"

They should always operate this way

[ebno-10db]

This mistake should be the standard way of working for all governments.

Re:

[Frontier Owner]

should, but the officials personal contact details, perhaps not.

Re:

[Anonymous Coward]

Personal contact details, shouldn't be publicized, but their official government contact details certainly should. And they shouldn't be using their personal accounts to conduct government business.

Re:

[ShanghaiBill]

Personal contact details, shouldn't be publicized, but their official government contact details certainly should.

A senior member of the government is going to receive thousands of emails every day from citizens, maybe a few dozen from staffers, and a few from family or friends. Those should be three different addresses.

Are you seriously suggesting that the number for the phone on Obama's desk in the Oval Office should be public information?

And they shouldn't be using their personal accounts to conduct government business.

A work email address is private information, but it is not a "personal account".

Re:

[davester666]

Tell that to Sarah Palin.

Security backfire?

[Urban Garlic]

So the article and summary hint at a common problem -- "the ministry has its own system for ... sharing documents", which "doesn't always function well outside of Japan". I've seen this in more than one enterprise, where the IT guys meet the need of users to securely move data around by buying or building a secure solution, and they pay very careful attention to the security, but less attention to the usability. Users will go for ease-of-use every time, and aren't thinking about security, so mistakes like this happen.

The obvious solution is to make the secure system easy to use, but usability itself is hard to get right, secure usability is very hard.

Re:

[Rich0]

Sounds like my company's smartphone policies. They whitelist specific models, and generally turn all of them down (well, unless their names start with an "i"). So, the 90% of company employees who aren't covered end up forwarding mail/calendars/etc to completely insecure outside services, where they're synced to their phones.

I guess the company gets plausible deniability out of the deal, but that's about it. The employees get a sub-standard experience compared to just being allowed to directly sync, and

Too Easy

[Anonymous Coward]

Come on guys. You can't make it too easy for the NSA or they'll suspect a honey pot.

Oh Japan..

[paysonwelch]

The scary thing is that they were using Google a private US company to share private international secrets. This is just sloppy in my opinion. I mean.. come on how seriously are they trying to protect this sensitive information if they are uploading it to third party servers which probably never delete data and just deep freeze it?

Japan is more advanced than us

[gubon13]

They've already accepted that Google has all of their information anyhow.

Re:

[KingMotley]

How exactly is Google a private US company?

Re:

[KingMotley]

Google is actually a publicly traded international company with headquarters in the US. Is it that the headquarters that is in the US that bothers you? Or that the CEO is from the US? What makes either of those things more suspect than if Google was run by a German national with headquarters in the US, or a CEO born in the US with headquarters in Germany? Or is it that Google does business in the US? So if google had a German CEO, HQ in Germany, and did some business in the US, does that make it more suspe

No problem here

[mu51c10rd]

That's ok...the NSA has all the data already anyway...

It's okay...

[hahn]

The only person who cares is the person who accidentally posted it.

You still risk jail time if you look at the files.

[140Mandak262Jamuna]

The way most official secrets acts are written, it has some boilerplate language with a whole bunch of "whereas" and "notwithstandings" and eventually boil down to making it a crime to access government secrets, no matter how trivial or non-existent the protections were nor how clueless and braindead the officials were. Usually it has no due-diligence requirements on the part of the government to protect the secret data. It is usually a crime to look at what the government considers secret even if it was done accidentally, inadvertently.

Laws are actually drafted by government officials and they insert enough language to protect their tails.

Default is off for sharing groups outside domain

[Anonymous Coward]

I"m surprised a Googler has not spoken up. I'm administrator for several Google Apps Business accounts and the source article is inaccurate. The default settings are to not share groups with outside domains. I really doubt the product marketed to governments is less restrictive than the Google Apps for Business. I don't work for Google - I'm an independent small business consultant.

I got it!

[sgt scrub]

I spotted a mistake in the post but will fix it for you real quick.

"An ex-official no longer at Japan's Ministry of the Environment created a Google Group to share email and documents related to Japan's negotiations during a meeting held in Geneva in January, but used the default privacy settings, which left the exchanges wide open."