Google Doc Privacy Scare Explanation

*I've made a few changes to the post and they are highlighted in yellow.

Before this gets out of hand I wanted to explain the issue and explain why there is no reason to question the security of Google Docs.  The feature explained is intentional and required for Google Docs to be fully collaborative but there is a minor problem.

Issue
There have been a few reports recently on the Google Docs Help Forum that unrecognized collaborators are appearing on Google Docs with sharing settings set as Private. Additionally, this Doc has been shared explicitly with other Google Docs accounts or email addresses not connected to a Google account.  Users are worried that since unrecognized collaborators are appearing on Private Docs, their security is severely undermined.

Note: This only happens with Private Docs that have been shared at any time.  This will not happen with Private Docs that have never been shared.


Terms
Understanding a few terms for Google Docs will help understand the intricacies of the issue and hopefully understand why Google Docs is still safe and the proper steps to take to insure complete understanding of security.

Sharing Settings - Umbrella term to define how permissions are doled out (this include Private, Anyone with the link, etc.)
Editing Permissions - Permission to Edit a Doc
Visibility Permissions - Permission to assign who can access the Doc
Google Account - an account that can access and create Google Docs (this can include a gmail account, a Google apps account, or an account under another domain that is used as the username to access Google Docs. Ex. I have username@hotmail.com as my Google Docs account and I sign in at docs.google.com with the username username@hotmail.com and my password that I set up for Google Docs that does not have to match my password for my hotmail email address)
Non-Google Account - an email address that has never accessed Google Docs or would not be recognized when trying to log into Google Docs via docs.google.com or another Google Apps domain (this could also be username@hotmail.com but only if I've never accessed Google Docs or tried to sign up with Google Docs using this name)


Background
When you create a Google Doc the default Sharing Settings are "Private", the default Editing Permissions include only the owner (you) and the default Visibility Permissions are "Editors are allowed to add people and change permissions."  This means that when you share this Doc with someone as an Editor, this person can share it with anybody.

One way to do this that might seem wrong is when a Doc is shared with someone who uses a Non-Google Account.  This will show up in the Sharing menu with the email address and three little dots above a line that looks like either three people in a group or a crown of some sort.   If you choose to send a notification to this person, the notification include a link to the Doc as an invitation.  This is a blanket invitation that is generated that will allow a Non-Google Account to access the Doc.  Let us say that this person decides not to access the Doc but forward it on to their friend who has a Google Account.  The email is forwarded and the invitation is unaltered.  Therefore, the Google Account user can click on the invitation and access the Doc.  This user seemingly accessed the Private Doc without the permission of the owner.  But remember, this permission was not needed because Visibility Permissions are set so that editors can invite anyone!  In this case, the Non-Google Account was invited as an editor and chose to allow the Doc to be accessed by someone else.  This is no different from an editor with a Google Account that was explicitly defined by the owner, sharing the Doc with another Google Account holder.

Why this isn't an issue
The explanation above shows no violation of security based on the default settings assigned to the Doc.  To keep this from happening the owner must change Visibility Settings to allow only the owner to choose who has access to the Doc.  This is done at the bottom of the Share menu circled below.

Choose "Change" to change Visibility Settings

Choose "Only the owner can change the permissions"

When this Visibility Setting is chosen, a notification will not be sent to Non-Google Accounts even if you try.  This keeps the Visibility Setting consistent and your Doc secure.

Why this is a problem
Currently, when an owner chooses to share a Doc to a non-Google Account email address regardless of the visibility settings the notification email sent to the non-Google Account can be forwarded and access by anyone who clicks on the notification link.  This is a violation because the owner is not explicitly defining the user who received the invitation via the forwarded message.  This violates the visibility setting where the owner has control over who can allow access to the Doc.

Conclusion

As the owner of a Google Doc you have complete control over who has access to the Doc owned by you. The only way One way around this is the paragraph explanation above or if someone makes a copy or takes a screen shot of your Doc.  You are then no longer technically the owner of any new Doc and the new owner can do as they please.  This is no different from someone making a photo-copy of a piece of paper or making a copy of a file and attaching it to an email to someone else.

I hope this helps clear up confusion but most importantly puts you at ease that your Google Docs are indeed safe if you make them!

Cheers!

Jekyll and Hyde Accounts

In 1886 Scottish author Robert Louis Stevenson published a novella entitled [The] Strange Case of Dr Jekyll and Mr Hyde. The novella is famous because of its interpretation of Dissociate Identity Disorder, a psychiatric condition in which a person displays at least two distinct identities each having their own way of interacting with and perceiving the world.  In the story, the main character, a doctor, struggles in understanding the difference between good and evil. He spends a significant amount of time trying to repress his evil urges.  Dr. Henry Jekyll creates a potion which transforms himself into the evil Edward Hyde.  Throughout the novella, the Mr. Hyde personality grows in power and no longer relies on the potion to express his evil.  Eventually, the potion's role reverses and Dr Jekyll must rely on it to remain his normal "good" self.  As the potion runs out he realizes that he will be Hyde forever and chooses to take his own life.

With the many different types of Google Accounts, some of them are naturally going to develop personality disorders (I'm kidding...kind of).  There is a current known issue that has been given the name "The Jekyll and Hyde Problem."  The problem surfaces when someone with a free personal Google account shares the account name with a Google Apps account.  The Google Apps account can be any Enterprise, Education, non-profit, admin-controlled account.

Note: When signing up for a Google Docs account, you don't have to have a Gmail account.  I can use any email address to sign in at docs.google.com provided I have an account where the username is an email address.  However, if you use your gmail address for your personal docs account then you will never have the Jekyll and Hyde problem.

Here is how the scenario works:

I have a Google Docs account (which I created at docs.google.com) using my business email, lets call it Ted@tedjcompany.com. I log into this account by logging in at https://docs.google.com. This is my personal account which is the "Jekyll" account.  This account is called Jekyll because I haven't taken any potion yet so when people share docs with me using Ted@tedjcompany.com they are shared to my personal account.

TedJCompany decides to use Google Apps for business.  This means that TedJCompany now has their own dedicated domain called @tedjcompany.com.  Since I am the system administrator I decide that I want my employees to be able to use Google Docs.  To access the my business Docs account directly I will sign in at https://docs.google.com/a/tedjcompany.com.  The potion has now been consumed.  Any docs that are shared with Ted@tedjcompany.com will now only be shared with my Business account.  If I sign into my personal account via docs.google.com, I will not see any docs that are shared with Ted@tedjcompany.com.  This is the Hyde account because this account is the most powerful of the two and shall not allow the personal account to have and docs shared with it. The potion runs out and the Jeykll account becomes seemingly useless.

Instead of killing off both accounts, there is a solution! The system administrator should be able to resolve this if they carefully transition to the new infrastructure. They should carefully read all help articles below and follow the steps.  Ideally, before the transition users with potential conflicting accounts should change their account information.

Contact users with conflicting accounts

Resolve conflicting accounts (this includes information on how to resolve accounts before OR after migration to the Google infrastructure.)

Understand data sharing options

Please comment if you have any questions!

Cheers!

P.S. The book is free if you have a Kindle!