In the past three years since Google Docs launched, several notable security flaws have emerged. The most recent exploitation of user’s accounts (massive amounts of pharma-related spam — read more here at ARN) may leave you wondering about the safety of your Google account and, furthermore, about the safety of your documents stored in their cloud.
Previous Security Holes
Last year, there was a Google Docs security error that inadvertently shared documents with users who previously, but no longer, had approved access to the files. This hole was acknowledged and fixed. (See this Google blog entry for more.) Then, the following three security holes came to the attention of Ade Barkah and several other users. On his blog, Barkah goes in to further detail, but in a nutshell:
- Permissions of the document do not extend to images contained inside. Images embedded in documents could be accessed by a direct link by any users, if they have the URL.
- “Drawings” in documents keep a revision history that is available to users with “view-only” permissions, making redacted diagrams unintentionally available.
- In certain cases, users whose permissions have been revoked can reinstate themselves to have access. This is related to the “forward invitation” feature, which can be disabled.
On Google’s blog, they claim the above problems are misunderstood features. This response raises concerns, especially since the casual user may not fully understand these features. What information should Google Docs be trusted with, and how should “final” copies of documents be distributed?
How Safe Is Safe Enough?
Google Docs is a fantastic tool. In fact, this post was written in Google Docs. Why? Because the security of this document is not all that crucial. But, you’ve been warned. Truly sensitive documents probably shouldn’t be stored, viewed, shared or edited in Google Docs or on any third-party server.
I’ll agree, the security should be better, but it’s a free tool. To make you feel better about using Docs on a public network, Google implemented SSL for Google Docs and Gmail some time ago. Double check that your browser bar says https://docs.google.com … — if not you can manually add the s to the address or enable “always use HTTPS” in Gmail’s settings. (Read more here at the unofficial Google Operating System Blog.)
The Hybrid Approach
It’s important to use the right tool for the job. Even Google Enterprise President Dave Girouard agrees, and he endorsed the use of Google Docs as a supplement to MS Office last week — read more here at CNet. He’s right, they work rather well together and can add excellent collaborative functionality. Office – either MS or OpenOffice – is a great tool for your local machine, while Google Docs’ strength is sharing documents (albeit non-security critical documents). If you need more security, consider a more secure project management platform, a secure VPN, FTP with SSL, or FTP over SSH.
Finally, if you’re distributing important “final” documents like catalogs, contracts, RFPs, one sheets, press releases, etc., use PDFs to distribute copies to avoid any unforeseen viewing of revisions or redacted information.
Hi, great article! Just need to get some more info about Google docs’s SECURITY. One thing is the activation of the p2p encryption with https. But is there any encryption of the data itself, I don’t think so. This – to me – is much more important than https, since I do not want any person – or Google (admins) to be able to open an insecured file. How does Google’s security mechanism compare to other free cloud storage systems such as WUALA (which encrypts locally and then distributes the data to many servers around the world). BR
boots fromugg are<a href="http://www.uggaustraliasheepskin.c
Great point !
Companies adopting google docs face this very relevant question and find that they are quite in the dark. Google docs security paradigm leaves the google administrator without the necessary visibility and control over the companies intellectual property.
Solutions that help secure google docs are emerging from the marketplace.
check out http://www.informationweek.com/news/smb/services/showArticle.jhtml?articleID=225800161
SafeGDocs is another solution that helps to secure Google Docs documents: http://www.safegdocs.com
It is a free add-on for Firefox that allows to encrypt and decrypt Google Drive documents through a user master password. With SafeGDocs full privacy is guaranteed and anyone, neither Google or any other who intercepts the communication, is able to access the real documents content.
Pingback: I don’t know if I’m comfortable with that?! « The Everyday Musings of Mom of the Year