Before this gets out of hand I wanted to explain the issue and explain why there is no reason to question the security of Google Docs. The feature explained is intentional and required for Google Docs to be fully collaborative but there is a minor problem.
Issue
There have been a few reports recently on the Google Docs Help Forum that unrecognized collaborators are appearing on Google Docs with sharing settings set as Private. Additionally, this Doc has been shared explicitly with other Google Docs accounts or email addresses not connected to a Google account. Users are worried that since unrecognized collaborators are appearing on Private Docs, their security is severely undermined.
Note: This only happens with Private Docs that have been shared at any time. This will not happen with Private Docs that have never been shared.
Terms
Understanding a few terms for Google Docs will help understand the intricacies of the issue and hopefully understand why Google Docs is still safe and the proper steps to take to insure complete understanding of security.
Sharing Settings - Umbrella term to define how permissions are doled out (this include Private, Anyone with the link, etc.)
Editing Permissions - Permission to Edit a Doc
Visibility Permissions - Permission to assign who can access the Doc
Google Account - an account that can access and create Google Docs (this can include a gmail account, a Google apps account, or an account under another domain that is used as the username to access Google Docs. Ex. I have username@hotmail.com as my Google Docs account and I sign in at docs.google.com with the username username@hotmail.com and my password that I set up for Google Docs that does not have to match my password for my hotmail email address)
Non-Google Account - an email address that has never accessed Google Docs or would not be recognized when trying to log into Google Docs via docs.google.com or another Google Apps domain (this could also be username@hotmail.com but only if I've never accessed Google Docs or tried to sign up with Google Docs using this name)
Background
When you create a Google Doc the default Sharing Settings are "Private", the default Editing Permissions include only the owner (you) and the default Visibility Permissions are "Editors are allowed to add people and change permissions." This means that when you share this Doc with someone as an Editor, this person can share it with anybody.
One way to do this that might seem wrong is when a Doc is shared with someone who uses a Non-Google Account. This will show up in the Sharing menu with the email address and three little dots above a line that looks like either three people in a group or a crown of some sort. If you choose to send a notification to this person, the notification include a link to the Doc as an invitation. This is a blanket invitation that is generated that will allow a Non-Google Account to access the Doc. Let us say that this person decides not to access the Doc but forward it on to their friend who has a Google Account. The email is forwarded and the invitation is unaltered. Therefore, the Google Account user can click on the invitation and access the Doc. This user seemingly accessed the Private Doc without the permission of the owner. But remember, this permission was not needed because Visibility Permissions are set so that editors can invite anyone! In this case, the Non-Google Account was invited as an editor and chose to allow the Doc to be accessed by someone else. This is no different from an editor with a Google Account that was explicitly defined by the owner, sharing the Doc with another Google Account holder.
Why this isn't an issue
The explanation above shows no violation of security based on the default settings assigned to the Doc. To keep this from happening the owner must change Visibility Settings to allow only the owner to choose who has access to the Doc. This is done at the bottom of the Share menu circled below.
Choose "Change" to change Visibility Settings |
Choose "Only the owner can change the permissions" |
Why this is a problem
Currently, when an owner chooses to share a Doc to a non-Google Account email address regardless of the visibility settings the notification email sent to the non-Google Account can be forwarded and access by anyone who clicks on the notification link. This is a violation because the owner is not explicitly defining the user who received the invitation via the forwarded message. This violates the visibility setting where the owner has control over who can allow access to the Doc.
Conclusion
As the owner of a Google Doc you have complete control over who has access to the Doc owned by you. The only way One way around this is the paragraph explanation above or if someone makes a copy or takes a screen shot of your Doc. You are then no longer technically the owner of any new Doc and the new owner can do as they please. This is no different from someone making a photo-copy of a piece of paper or making a copy of a file and attaching it to an email to someone else.
I hope this helps clear up confusion but most importantly puts you at ease that your Google Docs are indeed safe if you make them!
Cheers!
Well security is a big concern with Google Docs, thanks for the article!!Really worth!!!!!! On this note I would be happy if all of you can share some alternative to Docs, One such tool which I ve come across is CollateBox: http://www.collatebox.com/ really looking forward for this..
ReplyDeleteHi JohnD,
ReplyDeleteThanks for your comment. While security is a huge concern for all cloud based hosting applications, the point of this post was to show how versatile sharing settings are for Google Docs. Glad you enjoy it!
Ted
Hi Ted -
ReplyDeleteI appreciate your help with this. Could you clarify a bit more for me?
With my spreadsheet, I DID change the visibility settings before I ever shared it with anyone. A few names I added as editors ARE coming up with the "three-headed" icon. Can those people access the file? If they forward the link, will the new recipient be able to access the file without getting my permission as the owner first?
Also, one of the people I added as an editor told me that she doesn't have a Google account (and doesn't want one), but her icon is a single head. Does that mean that she does have a Google Account associated with her email address, but just doesn't realize it? Could it be through YouTube, Picasa, etc.?
Finally, is there a way to tell BEFORE clicking "share" if someone's address is a Google or Non-Google account? If non-Google addresses are going to be security loopholes, I'd rather not add them.
Thanks in advance for your expertise!
Ken
To clarify, I changed the visibility settings to prohibit editors from being able to share with others. I need to approve people to view and edit.
ReplyDelete