Google Docs and protection of personal information

Google is one of a number of companies presently offering office-type services in the cloud previously reserved for your desktop. Google offers Google Docs, Zoho has a pretty comprehensive suite of services, Microsoft has Office Live and Acrobat has Buzzword. There are a number of obvious benefits to using these cloud-based services, not least of which is the ability to work with your documents anywhere you have a connection to the Internet and the necessary equipment and a decent browser and the ability to collaborate better with friends and colleagues. Granted the services don’t quite match up to a desktop equivalent but they do cater for most people’s day to day needs. Google is promoting Google Docs as a tool for business and has incorporated it into its Google Apps offering.

Unfortunately there is a downside and it exists independently of Google’s (and other services’) terms of use and privacy policies may say. Richard DeVries discovered a technical bug in Google Docs which he described in his post on Slashdot earlier today:

I work for a small Dutch company that uses Google Apps. This means that we can share documents with users within our domain (www.deondernemers.nl), as well as @gmail.com accounts or other Apps-domains. About three weeks ago, we discovered that some fifteen documents and spreadsheets were unintentionally shared with a lot of people, some of whom were outside of our domain. We found out that one of us had been wanting to share these documents with a colleague (within our domain). He selected the documents on the documents list and added one user. Google Docs then shared all these documents with everyone who had access to one of the selected documents.
Fortunately, we found this out fairly quickly and were able to revoke the unintentionally granted rights before any damage was done (we think). These documents weren’t ultra-secret, but you can imagine what could go wrong. …

Fortunately Google acted on his report and remedied the error. It sent out a message to users affected by the bug (the problem apparently affected around 0.05% of all documents on Google Docs according to TechCrunch) reading as follows:

Dear Google Docs user,

We wanted to let you know about a recent issue with your Google Docs account. We’ve identified and fixed a bug which may have caused you to share some of your documents without your knowledge. This inadvertent sharing was limited to people with whom you, or a collaborator with sharing rights, had previously shared a document. The issue only occurred if you, or a collaborator with sharing rights, selected multiple documents and presentations from the documents list and changed the sharing permissions. This issue affected documents and presentations, but not spreadsheets.

To help remedy this issue, we have used an automated process to remove collaborators and viewers from the documents that we identified as being affected. Since the impacted documents are now accessible only to you, you will need to re-share the documents manually. For your reference, we’ve listed below the documents identified as being affected.

We apologize for the inconvenience that this issue may have caused. We want to assure you that we are treating this issue with the highest priority.

The Google Docs Team

Google also responded to specific queries from the press stating as follows:

We fixed the bug, which affected less than 0.05% of documents, and removed any collaborators. We also contacted the users who were affected to notify them of the bug and to identify which of their documents may have been affected. We have extensive safeguards in place to protect all documents, and are confident this was an isolated incident.

The challenge this sort of bug/issue presents is that a technical glitch could compromise the security of your documents and business information if you use services like Google Docs to manage your documents. Despite the many reasons to use these services, there are a couple issues you should consider first. One issue is potential liability if confidential information is made public through such an outage. Another related issue is the consequences of having your documents being made available to someone or a group of people who you would rather not have access to that information. No doubt this story will give rise to discussion about privacy in the sense of secrecy and while there is some merit in seeing this as a privacy as secrecy debate, it is also a question of privacy as in the ability to control how your information is processed and made available.

It is one thing for a service to have a privacy policy or terms of use that don’t cater adequately for the level of privacy you demand for your documents but it is another matter entirely when your information is exposed through a technical glitch which negates any steps you may have taken to protect your documents and only make them available to chosen people. Granted the glitch in question may be grounds to sue the service concerned for some form of recompense but when it comes to services, like Google, that are run from a foreign country with a foreign legal system that governs disputes (this time in terms of the terms of use), there is a practical difficulty taking action against the service where the damage suffered isn’t substantial.

So what can you do? Assuming you continue using these services it is a good idea to retain up to date copies of all documents hosted on the service in offline backups. Google Docs has introduced offline synchronisation using Google Gears and although this helps, it remains a better idea to keep backups outside the service’s ecosystem. It is also a good idea to consider the implications of unintended disclosure of your documents before you post them to a Web-based service. If you could find yourself on the receiving end of court proceedings if the documents are leaked, perhaps don’t put them online in the first case. If you need to collaborate on sensitive documents, consider the old fashioned method: emailing versions of documents that can be secured and only opened by authorised people.

Cloud-based services open many doors to new opportunities to share, collaborate and work more productively and at the same time to a range of new risks and challenges. As with most things, it comes down to how much risk you are prepared to accommodate before you go offline.

Comments are closed.

Powered by WordPress.com.

Up ↑

%d bloggers like this: