Is It Safe to Use Google Docs?
Google Docs, Google Sheets and Google Drive have become immensely popular in recent years, challenging the status quo in business software, competing with the likes of Microsoft Office, and earning a spot on the list of the most used and abused software for businesses.
While most personal use will likely cover photos and notes, for businesses, Google Docs often means storing sensitive business information, intellectual property, client data and other important files. If the security of Google Drive or Docs were to be compromised in any way, it could result in serious damage for any business, small or large.
Google’s services are free, so it’s a no-brainer when it comes to choosing Docs or Sheets over more traditional yearly office subscriptions. But is it worth the potential headache of impending security risks? In the first six months of 2019, we have seen more than 3,800 publicly disclosed security breaches, with over 4.1 billion records compromised. Considering these figures, alongside GDPR compliance and other data laws, now is the time to make your business’s information and files as secure as possible. So, how safe is it to use Google Docs?
How it Works
Let’s first explore how Google’s flagship office software works. Briefly, in order to access any files on a user’s account, one must be a Google user and therefore have their own account. Files are only accessible if they were uploaded or created by the user, or shared with that user. There is an option to choose anonymous sharing, whereby anyone with a link can access the file; otherwise, shared files are only accessible once the owner has given explicit permission for Google to share them with another user, who has to be specified by account/email address.
In terms of security, the accounts of the users involved in the process, the original creating user and the user with whom files are shared, all require passwords to be accessed. Search engines cannot find or access the files unless the files are published separately. When sharing files, it is worth checking the sharing and security settings for each folder, sub-folder or file being shared.
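To make the sharing model above concrete, here is an added example (not from the original article or from Google) that audits file-sharing metadata for link sharing and outside accounts. The field names follow the Drive API v3 permissions resource; the sample files, addresses and the `example.com` company domain are constructed.

```python
# Constructed sample: metadata shaped like Drive API v3 file resources,
# each with its "permissions" list. All names and addresses are made up.
SAMPLE_FILES = [
    {"name": "Q3 forecast", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "ana@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"name": "Client list", "permissions": [
        {"type": "user", "role": "writer",
         "emailAddress": "freelancer@example.net"}]},
    {"name": "Press kit", "permissions": [
        {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
    {"name": "Payroll", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "ana@example.com"}]},
]


def audit_sharing(files, company_domain):
    """Return (file name, exposure, role) for every grant that reaches
    beyond named accounts in the company's own domain."""
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            exposure = None
            if p["type"] == "anyone":
                # Discoverable means published; otherwise anyone with the link.
                exposure = ("public" if p.get("allowFileDiscovery")
                            else "anyone-with-link")
            elif p["type"] == "domain":
                if p.get("domain", "").lower() != company_domain:
                    exposure = "external-domain"
            elif p["type"] in ("user", "group"):
                addr = p.get("emailAddress", "")
                if addr.rsplit("@", 1)[-1].lower() != company_domain:
                    exposure = "external-account"
            if exposure:
                findings.append((f["name"], exposure, p["role"]))
    return findings


if __name__ == "__main__":
    for name, exposure, role in audit_sharing(SAMPLE_FILES, "example.com"):
        print(f"{name}: {exposure} ({role})")
```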
What the Public Says
According to a public forum on Quora, one way to make sure your documents are extra safe in Google’s storage system is to use two-factor authentication and prevent any phishing for your password. This means someone would need access to both your password and your phone or alternate email address to get into your Google account.
One user says GSuite applications, the service Google provides, are HIPAA compliant, meaning government services can use them, and that all information uploaded and downloaded via Google is encrypted and inaccessible to third parties. In this user’s opinion, as long as your password is strong and two-factor authentication is applied, your files are super safe.
What Google Says
Google’s FAQ statement on Google Drive’s security encourages users to take several precautions in order to keep their files safe.
When you upload files to Google Drive, they are stored in secure data centres.
- If your computer, phone, or tablet is lost or broken, you can still access your files from other devices.
- Your files are private unless you share them.
To help ensure your Google Drive files are private:
- If you share a computer, sign out of your Google Account when you’re done.
- We suggest you don’t install Backup & Sync or Drive File Stream on a shared or public computer. Anyone who uses the computer could access your files.
Your files are private unless you choose to share them. You can share files with:
- One person or a few people using a link.
- Everyone by making the files public.
When Google Docs first came around (2007), there were plenty of security flaws. These were quickly patched up and further security risks were prevented with the upgrade of Google’s systems, including the addition of SSL to Google Docs’ URLs.
It was recently revealed that for 14 years, Google had been storing all account passwords in unhashed form (between 2005 and 2019). What does this mean?
When you set your password, instead of remembering the exact characters of the password, Google scrambles it with a “hash function”, so it becomes something like “232hf12obertax3422”, and that’s what Google stores alongside your username. Both are then encrypted before being saved. When you then sign in, the password you enter is scrambled in the same way; if the result matches the stored value, then you’re good to go.
This news was quite a shock to many GSuite users, but it was promptly fixed once Google caught on and announced the error: “To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords,” Google said.
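The hash-and-compare sign-in flow described above, as an added example that is not part of the original article and does not reflect Google’s actual scheme. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt and an iteration count chosen for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example


def _derive(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations)


def hash_password(password):
    """Build the record a server stores in place of the password itself."""
    salt = os.urandom(16)  # fresh salt: equal passwords give different hashes
    return {"salt": salt.hex(), "iterations": ITERATIONS,
            "hash": _derive(password, salt, ITERATIONS).hex()}


def verify_password(attempt, record):
    """Hash the sign-in attempt the same way and compare with the record.
    Nothing is ever 'unscrambled': the hash cannot be reversed."""
    candidate = _derive(attempt, bytes.fromhex(record["salt"]),
                        record["iterations"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate.hex(), record["hash"])


def needs_rehash(record):
    """True when a record was created with a weaker work factor and should
    be re-hashed at the user's next successful sign-in."""
    return record["iterations"] < ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed
    print(record)                     # no readable password in the record
    print(verify_password("correct horse battery staple", record))
    print(verify_password("Correct horse battery staple", record))
```

A store of unhashed passwords exposes every password to anyone who can read it, whereas a store of records like the one above forces a separate guessing attack per account.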
In 2010, a blog on Upwork stated that: “Truly sensitive documents probably shouldn’t be stored, viewed, shared or edited in Google Docs or on any third-party server.” It also suggested that “if you need more security, consider a more secure project management platform, a secure VPN, FTP with SSL, or FTP over SSH.”
Is this still the case? Have things changed since 2010 or is Google Docs just as safe as it was back then? Granted, there are more cyber risks these days, but have Google’s security features been ramped up accordingly? And should you use Google Docs for sensitive business files?
Google Docs Security
According to its Ts&Cs, Google promises to keep your data and files safe. However, there’s only so much Google can actually do to keep your files safe, and eventually, there may be an element of risk. The truth is, we are human and we make mistakes. Simply leaving your account logged in at work or on a public device puts your Google Docs account and files at risk, and this isn’t Google’s fault; it would be your own doing.
Similarly, a recent phishing attack succeeded in tricking users into giving away their login details, a common phishing tactic. An email invited recipients to access a file via Google Drive, and in order to access Google Drive documents you have to log in to your Google account; this is the aforementioned security measure Google uses when you are ‘sharing’ files. Because the document was hosted on Google Drive, the URL did not seem suspicious and was served over SSL; a seemingly legitimate URL linked from Google itself. Except it wasn’t. It was a replica of Google’s login page, and the scammers succeeded in gaining access to numerous Google accounts via the login details the victims entered.
This attack was clever, but it doesn’t reflect any real risk or weakness in Google Drive or Google Docs itself. The weakness here was human naivety.
Is it worth keeping confidential files in a Google Doc or on Google Drive? If you have an option you know to be much safer, then go with that. We’ve established that it is safe to use Google Docs, but there are some risks for your file security.
One thing to note if you are going to use Google to store confidential files is that the Alphabet giant’s Ts&Cs state: “Our automated systems analyse your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received and when it is stored.”
This actually means that if you are storing personal data relating to your clients, which in your own capacity you have promised to keep safe and out of reach from third parties, then you have just allowed Google to access those files and use the information therein.
It’s a little bit of a grey area, but legally speaking, you will have breached your confidentiality agreement. Then again, if you use a Gmail account for the transfer of such information, the same applies, as the above conditions from Google apply to all files and data stored and transferred via any of its services.
As with personal, client or other confidential files, the same would apply to corporate or company data and files. The best thing to do in this situation is see if your company has any policies on data and file storage, or cloud computing use, and find out whether your company allows Google services. It may be that your company uses its own trusted servers and/or a chosen third-party cloud storage service.
When it comes to GDPR and other strict compliance-based regulations on data storage and use, a recent report states that Google does in fact comply not only with the regulations imposed by GDPR, but also with Privacy Shield, an agreement signed between EU member states and the United States.
You may have noticed when using Google Docs that you can throw in add-ons, which are in essence third-party plugins or programs that enhance productivity within Google’s base services. They can be browsed and installed directly while editing or using a document you’re working on. However, the ease and convenience of this process lulls users into thinking that these third-party apps are equally as safe as Google Docs itself and are officially endorsed or approved by Google.
When installing these add-ons you will, in most cases, have to allow access and privileges to the app, which often will include permanent permission to change or delete your files and data within Google’s services. We often hit ‘yes/allow’ and let this happen, but if you want to be extra secure, give this a moment’s thought and consider who you are giving access to, what the third party is accessing and what it is being allowed to do with your files and data.
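One way to give the permission prompt that moment’s thought is to read the scopes an add-on requests before approving it. The following is an added example, not code from the article or from Google: the `oauthScopes` manifest field and the scope names are real Apps Script and Google API identifiers, while the risk ratings, the suggested narrower scopes and the sample manifest are this example’s assumptions.

```python
import json

PREFIX = "https://www.googleapis.com/auth/"

# Ratings are this example's assumption, not an official Google rating.
# scope -> (risk, what it allows, narrower scope to ask the vendor about)
SCOPES = {
    "drive": ("high", "read, change, delete all Drive files", "drive.file"),
    "drive.readonly": ("high", "read all Drive files", "drive.file"),
    "documents": ("high", "read and change all Docs",
                  "documents.currentonly"),
    "spreadsheets": ("high", "read and change all Sheets",
                     "spreadsheets.currentonly"),
    "script.external_request": ("medium", "send data to other servers", None),
    "drive.file": ("low", "only files opened with the add-on", None),
    "documents.currentonly": ("low", "only the open document", None),
    "spreadsheets.currentonly": ("low", "only the open spreadsheet", None),
}
ORDER = {"high": 0, "medium": 1, "unknown": 2, "low": 3}


def review_manifest(manifest_json):
    """Return one finding per requested scope, highest risk first."""
    findings = []
    for scope in json.loads(manifest_json).get("oauthScopes", []):
        name = scope[len(PREFIX):] if scope.startswith(PREFIX) else scope
        risk, allows, narrower = SCOPES.get(
            name, ("unknown", "not in this table, review manually", None))
        findings.append({"scope": name, "risk": risk,
                         "allows": allows, "narrower": narrower})
    return sorted(findings, key=lambda f: ORDER[f["risk"]])


def broad_access_with_network(findings):
    """True when account-wide file access is combined with the ability to
    send data elsewhere: the combination that deserves the closest look."""
    names = {f["scope"] for f in findings}
    broad = any(f["risk"] == "high" for f in findings)
    return broad and "script.external_request" in names


# Constructed manifest for a hypothetical add-on.
SAMPLE_MANIFEST = json.dumps({"oauthScopes": [
    PREFIX + "documents.currentonly",
    PREFIX + "script.external_request",
    PREFIX + "drive",
]})

if __name__ == "__main__":
    for f in review_manifest(SAMPLE_MANIFEST):
        print(f["risk"], f["scope"], "->", f["allows"])
```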
IP of Content in Google Docs
Like all storage platforms, Google’s services specify that the intellectual property of the files and data stored are exclusively the original owner’s, however, reading the Ts&Cs:
Upon first glance, this sounds like Google is appropriating all of your IP and will be able to do anything with it without being subject to copyright or intellectual property claims; however, the Ts&Cs continue:
“The rights that you grant in this licence are for the limited purpose of operating, promoting and improving our Services, and to develop new ones. This licence continues even if you stop using our Services (for example, for a business listing that you have added to Google Maps).”
This clarifies that you are actually not granting full IP access and rights for Google to do what it wants with your files, but just licensing the files so that Google can help you translate them, or link them with other Google services.
In addition, it’s unclear but it seems Google would be allowed to use your images or videos to promote Google’s services, potentially in ads or such. However, it does specify:
“Some of our Services allow you to submit content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.”
This is the statement that confirms your IP rights remain yours and any photos, videos or other IP-based files uploaded, stored or transferred remain yours.
Google Docs and Google Drive have a primary aim when it comes to its users: to facilitate productivity and collaboration between users. Therefore, these are its main concerns. Security comes secondary, as it wants to allow you to share your files and information.
This doesn’t mean it’s not secure though, and as explained in several of my previous points, Google Drive is safe, provided the user keeps their password secret, doesn’t leave a device unattended and logged in, and uses two-factor authentication.