Is Google Docs Secure? An Evaluation of Google Cloud Security

Is Google Docs Secure? An Evaluation of Google Cloud Security
Page content

Transit Risks

Any data stored online, with a URL address remains open to indexing by search engine bots. Google, however, assures users search engines will not be able to find the information contained within a Google Docs file unless the document owners choose to make it public.

The biggest risk with Google Docs, and for that matter any cloud storage facility, is the possibility of data lost or theft when in transit between the user’s computer and the storage center. Google Docs by default offers no protection, and a determined hacker can very easily capture information from a network connection.

Google does offer a solution. Use https://docs.google.com instead of https://docs.google.com, especially when on an unsecured wireless connection. The extra “s” encrypts all traffic, rendering the data useless for any preying eyes, but also slows down the process considerably. Clicking on the option “always use HTTPS” in Google settings sets up this encryption by default. The other option is to add “s” is the browser bar manually.

Storage Risks

Any third party storage not under the user’s direct control carries some risk of data loss or data theft. Hackers can compromise vulnerabilities in the storage server to gain access, service provider mistakes can corrupt the data beyond repair, inadvertent oversights can transmit the data to another user, or fire may destroy the data. Moreover, the government or other third parties may request and force the provider to provide them with access to the documents. Google cloud storage does not remain immune to such risks, even though the odds of such happenings are rare.

Although Google does not reveal details of its storage facilities, it most likely adopts redundancy or storing on multiple database servers, to pull the data from a second server if one server fails. This increases reliability, but also doubles the risks inherent with such third party storage. Apart from the database servers that store data, application servers run the actual software, and an administrative server exercises control.

Bugs and Vulnerabilities

A review of Google cloud security reveals that Google Docs has succumbed to bugs in the past. In September 2009, some users enjoyed continued access to documents even when the document owner had revoked such rights to such users.

Google Docs runs on the integrated Google account that includes Gmail, the social networking sites Orkut and Plus, and more. Phishing or malware such as keyloggers can easily seek out passwords to compromise such accounts, and the Google Docs involved with such accounts. Google’s centralized login system, code-named Gaia, was itself reportedly compromised by hackers in December 2010.

The Issue with Images

Google provides images embedded in a Google document with a separate ID, accessible via a separate URL. The user may protect or restrict rights to documents, but the images embedded in such documents are not bound by such restrictions or sharing controls, and remains open to anyone who knows (or guesses) the URL. Google’s justification is that image URLs are known only to those users who at some point had access to the document with the image embedded, and therefore, could have saved the image anyway. Moreover, it is not possible to guess URL addresses cryptographically, as it is possible with passwords. Document owners may still contact Google support to purge such images.

Another issue related to images is users who receive the document continuing to be able to view the embedded images even after the document owner revokes their viewing rights, or delete the document itself! Google retains the image even after the document owner deletes the document as deleting images would break image references in users’ other Google documents and external blogs.

A third issue with images is people with access rights to documents being able to view any previous version of the embedded diagram, which may contain some uncomfortable facts. The document owner may retract some parts of the image before sending the document across, but users can still view the earlier retracted versions. Google creates a new raster image on every modification, and the old versions remain accessible by just changing the “rev=” number in the URL. Google recommends creating a new copy from the file menu and share this new copy, to block users from accessing older versions.

The Verdict

Google Docs is a fantastic tool that makes collaboration easy, but only when document security is not a pressing concern. Google itself acknowledges this, when Google Enterprise President Dave Girouard recently endorsed the use of Google Docs as a supplement to MS Office, to facilitate collaboration.

Section 11.1 of Google’s Terms of Service states “…you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services.” The license is perpetual for all content, and does not even if the user marks a document private, deletes the content, or closes the account. Although Google states it respects users’ privacy, and lives up to its promise, it remains within its legal rights not to do so.

A secure VPN, FTP with SSL, or FTP over SSH (secure shell) rank as more secure options to store and share sensitive documents over the Internet.

References

Google Doc Blogs.

Barakh, Ade. “Security issues with Google Docs.” https://peekay.org/2009/03/26/security-issues-with-google-docs/. Retrieved July 23, 2011.

“Google: Don’t upgrade Office, add Docs.” https://news.cnet.com/8301-13860_3-20004612-56.html. Retrieved July 23, 2011.

Image Credit: flickr.com/tom raftery / C.C. 2.0 License