I work for a small Dutch company that uses Google Apps. This means that we can share documents with users within our domain (www.deondernemers.nl), as well as @gmail.com accounts or other Apps-domains. About three weeks ago, we discovered that some fifteen documents and spreadsheets were unintentionally shared with a lot of people, some of whom were outside of our domain. We found out that one of us had been wanting to share these documents with a colleague (within our domain). He selected the documents on the documents list and added one user. Google Docs then shared all these documents with everyone who had access to one of the selected documents.
Fortunately, we found this out fairly quickly and were able to revoke the unintentionally granted rights before any damage was done (we think). These documents weren’t ultra-secret, but you can imagine what could go wrong. …
Fortunately, Google acted on his report and remedied the error. It sent a message to users affected by the bug (according to TechCrunch, the problem apparently affected around 0.05% of all documents on Google Docs), reading as follows:
Dear Google Docs user,
We wanted to let you know about a recent issue with your Google Docs account. We’ve identified and fixed a bug which may have caused you to share some of your documents without your knowledge. This inadvertent sharing was limited to people with whom you, or a collaborator with sharing rights, had previously shared a document. The issue only occurred if you, or a collaborator with sharing rights, selected multiple documents and presentations from the documents list and changed the sharing permissions. This issue affected documents and presentations, but not spreadsheets.
To help remedy this issue, we have used an automated process to remove collaborators and viewers from the documents that we identified as being affected. Since the impacted documents are now accessible only to you, you will need to re-share the documents manually. For your reference, we’ve listed below the documents identified as being affected.
We apologize for the inconvenience that this issue may have caused. We want to assure you that we are treating this issue with the highest priority.
The Google Docs Team
Google also responded to specific queries from the press stating as follows:
We fixed the bug, which affected less than 0.05% of documents, and removed any collaborators. We also contacted the users who were affected to notify them of the bug and to identify which of their documents may have been affected. We have extensive safeguards in place to protect all documents, and are confident this was an isolated incident.
The challenge this sort of bug presents is that a technical glitch could compromise the security of your documents and business information if you use services like Google Docs to manage your documents. Despite the many reasons to use these services, there are a couple of issues you should consider first. One issue is potential liability if confidential information is made public through such an outage. Another, related issue is the consequences of your documents being made available to a person or group of people you would rather not have access to that information. No doubt this story will give rise to discussion about privacy in the sense of secrecy, and while there is some merit in seeing this as a privacy-as-secrecy debate, it is also a question of privacy in the sense of the ability to control how your information is processed and made available.
So what can you do? Assuming you continue using these services, it is a good idea to retain up-to-date copies of all documents hosted on the service in offline backups. Google Docs has introduced offline synchronisation using Google Gears, and although this helps, it remains a better idea to keep backups outside the service’s ecosystem. It is also a good idea to consider the implications of unintended disclosure of your documents before you post them to a Web-based service. If you could find yourself on the receiving end of court proceedings if the documents are leaked, perhaps don’t put them online in the first place. If you need to collaborate on sensitive documents, consider the old-fashioned method: emailing versions of documents that can be secured and only opened by authorised people.
Cloud-based services open many doors to new opportunities to share, collaborate and work more productively, and at the same time to a range of new risks and challenges. As with most things, it comes down to how much risk you are prepared to accommodate before you go offline.