In the past three years since Google Docs launched, several notable security flaws have emerged. The most recent exploitation of users’ accounts (massive amounts of pharma-related spam — read more here at ARN) may leave you wondering about the safety of your Google account and, furthermore, about the safety of your documents stored in their cloud.
Previous Security Holes
Last year, there was a Google Docs security error that inadvertently shared documents with users who previously, but no longer, had approved access to the files. This hole was acknowledged and fixed. (See this Google blog entry for more.) Then, the following three security holes came to the attention of Ade Barkah and several other users. On his blog, Barkah goes into further detail, but in a nutshell:
- Permissions of the document do not extend to images contained inside. Images embedded in documents could be accessed through a direct link by any user who has the URL.
- “Drawings” in documents keep a revision history that is available to users with “view-only” permissions, making redacted diagrams unintentionally available.
- In certain cases, users whose permissions have been revoked can reinstate themselves to have access. This is related to the “forward invitation” feature, which can be disabled.
On Google’s blog, they claim the above problems are misunderstood features. This response raises concerns, especially since the casual user may not fully understand these features. What information should Google Docs be trusted with, and how should “final” copies of documents be distributed?
How Safe Is Safe Enough?
Google Docs is a fantastic tool. In fact, this post was written in Google Docs. Why? Because the security of this document is not all that crucial. But, you’ve been warned. Truly sensitive documents probably shouldn’t be stored, viewed, shared or edited in Google Docs or on any third-party server.
I’ll agree, the security should be better, but it’s a free tool. To make you feel better about using Docs on a public network, Google implemented SSL for Google Docs and Gmail some time ago. Double check that your browser bar says https://docs.google.com … — if not, you can manually add the “s” to the address or enable “always use HTTPS” in Gmail’s settings. (Read more here at the unofficial Google Operating System Blog.)
The Hybrid Approach
It’s important to use the right tool for the job. Even Google Enterprise President Dave Girouard agrees, and he endorsed the use of Google Docs as a supplement to MS Office last week — read more here at CNet. He’s right: they work rather well together and can add excellent collaborative functionality. Office – either MS or OpenOffice – is a great tool for your local machine, while Google Docs’ strength is sharing documents (albeit non-security-critical documents). If you need more security, consider a more secure project management platform, a secure VPN, FTP with SSL, or FTP over SSH.
Finally, if you’re distributing important “final” documents like catalogs, contracts, RFPs, one sheets, press releases, etc., use PDFs to distribute copies to avoid any unforeseen viewing of revisions or redacted information.