Avoid this privacy folly when sharing on Google Docs


Out of the numerous companies I’ve worked with in the past years, most use Google Docs to submit and collaborate on draft articles and documents. Google’s productivity suite has become the de facto work platform for millions of people and organizations across the world. And with good reason: It’s free, it’s easy to use, and it’s already available to every user who has a Google account (which includes more than one billion active Gmail users).

However, one problem I’ve observed is how easily people ignore the privacy concerns surrounding Google Docs when sharing and collaborating on documents. Users and organizations often choose convenience over the protection of their information and use anonymous sharing, which makes their sensitive business information accessible to unintended parties.

Here’s what you need to know about preserving the privacy of your data when sharing Google Docs with colleagues and friends.

Google’s sharing settings

Google offers three modes of document sharing, each with different privacy and access settings:

Google docs sharing settings

On both ends of the privacy spectrum are the “Public on the web” and the “Specific people” settings. The “Public on the web” setting makes the document completely public and available for indexing, which means it’ll appear in Google search and anyone with the document’s URL can access it. On the other hand, the “Specific people” setting will make the document available only to the people with whom you decide to share it. If an uninvited party discovers the document’s URL, they won’t be able to access it.

The middle option, “Anyone with link,” won’t make the document indexable by search engines but people who have the link will be able to access it. This anonymous sharing is problematic because many organizations use it when they want to share a document with a large number of people but don’t want to explicitly add their emails to sharing settings. And they often use this setting to collaborate on documents with sensitive content. Their line of reasoning is that as long as you don’t give away the document’s URL to anyone, no one will find it. Right?

Wrong.

How anonymous sharing on Google Docs gives away your secrets

As the editor of a fast-growing tech blog, I regularly monitor the analytics page to see the “referrers.” This is where I can see the sources from which users come to my site, and it helps me track sites that link back to or republish TechTalks’ content.

referrers

A while ago, while going through the referrers, I noticed that someone had reached TechTalks through Google Sheets. As with all referrers, there was a link to the source file.

Google doc referrer link

Curious, I clicked on the link, and I was transferred to a spreadsheet that was unsurprisingly shared anonymously, accessible to anyone with the link. What was surprising, however, was the fact that the document was open to edits, which meant I could make any changes I wanted.

The spreadsheet contained the contact information and website URLs of hundreds of bloggers, including myself. I was quickly able to see the name of one other user who was using the document at that moment, probably the same user who had just clicked on the link to TechTalks. (She couldn’t see my identity, courtesy of anonymous sharing, which displays the names of users without explicit permissions as anonymous animals.)

A quick Google search later, I found out that she worked for a sponsorship and deal-sharing company. A few uneventful minutes later, when a letter popped in my inbox through my contact page, I already knew who had sent it and what it would contain without even opening it.

Promo email

This is a stark example of “security by obscurity,” where people leave their assets unprotected on the internet, thinking that no one will find them.

To be fair, in this specific case, I didn’t stumble on any private and sensitive information. Everything the spreadsheet contained was already available online. But this wasn’t the first time that someone browsed to my blog through a Google Doc URL. And in the past few months, I’ve seen quite a few documents with information not meant to be viewed by the public, and certainly not by me. One Google Doc laid out the internal discussions of a PR company about their plans to discuss their service and offerings with me. Another was the draft of an unpublished whitepaper about artificial intelligence by a group of academics.

Google does a pretty decent job of randomizing the URLs it generates for its documents, which means there’s a very slim chance of someone brute-force guessing the URL to a document. But as the above examples show, every time you click on a link embedded in a Google Docs or Sheets file, you’ll be giving away the address of your document to anyone looking at the analytics of the link’s destination.
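An organization can check which of its own documents have already disclosed their URL this way, because the same referrer data shows up in its outbound proxy logs. The following is an added example, not part of the original article; the four-field log layout and every identifier in the sample are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Editor URLs look like https://docs.google.com/<kind>/d/<file id>/...
DOC_URL = re.compile(
    r"^https://docs\.google\.com/(document|spreadsheets|presentation)/d/([A-Za-z0-9_-]+)"
)

# Constructed sample lines. The "timestamp user destination referer" layout is
# an assumption for this example, not any real proxy's format.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice https://blog.example.org/post-1 https://docs.google.com/spreadsheets/d/CONSTRUCTED_SHEET_ID_1/edit
2024-05-01T09:00:07Z alice https://www.google.com/search?q=x -
2024-05-01T09:02:40Z bob https://vendor.example.net/pricing https://docs.google.com/document/d/CONSTRUCTED_DOC_ID_2/edit
2024-05-01T09:03:10Z bob https://docs.google.com/document/d/CONSTRUCTED_DOC_ID_2/edit https://docs.google.com/document/d/CONSTRUCTED_DOC_ID_2/edit
2024-05-01T09:05:55Z carol https://blog.example.org/post-9 https://docs.google.com/spreadsheets/d/CONSTRUCTED_SHEET_ID_1/edit
2024-05-01T09:06:00Z carol https://news.example.com/ https://intranet.example.internal/wiki
"""

def leaked_documents(log_text):
    """Map (kind, file id) to the sorted external hosts that received its URL."""
    leaks = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _ts, _user, dest, referer = fields
        match = DOC_URL.match(referer)
        if not match:
            continue  # referer absent or not a document URL
        dest_host = (urlsplit(dest).hostname or "").lower()
        # Requests that stay on Google hosts do not hand the URL to a third party.
        if dest_host == "google.com" or dest_host.endswith(".google.com"):
            continue
        leaks[match.groups()].add(dest_host)
    return {key: sorted(hosts) for key, hosts in leaks.items()}

if __name__ == "__main__":
    for (kind, file_id), hosts in leaked_documents(SAMPLE_LOG).items():
        print(f"{kind}/{file_id} -> {', '.join(hosts)}")
```

Every document it reports is a candidate for a sharing-settings review, since its link is now known outside the organization.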

How to protect your privacy on Google Docs

Don’t be fooled by the “Anyone with the link” feature’s false sense of privacy. Only use anonymous sharing if you’re okay with anyone seeing the content of your document. This also applies to the easy-to-use “Get shareable link” feature that you’ll find in the context menu and simplified sharing dialog.

Google docs share with others

Otherwise, use the “Specific people” setting and send individual collaboration invitations to every person who should have access to the file.

In case you’re working with many people and you don’t want to go through the process of sharing every document with every single user, you can use Google Groups. Groups let you bundle users together in a single email address and collectively assign document permissions to all of them.

Whatever you do, don’t use anonymous sharing for the sake of convenience.
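To find files that are still shared anonymously, the three sharing modes can be read from each file's permission entries. This is an added example, not from the original article. It assumes metadata in the shape returned by the Drive API v3 `files.list` call with the `permissions` field requested, and runs offline on constructed records.

```python
# Constructed metadata in the shape of a Drive API v3 files.list response
# (assumed fields: id, name, permissions[type, role, allowFileDiscovery, emailAddress]).
SAMPLE_FILES = [
    {"id": "CONSTRUCTED_ID_A", "name": "Blogger outreach list",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "owner@example.com"},
         {"type": "anyone", "role": "writer", "allowFileDiscovery": False}]},
    {"id": "CONSTRUCTED_ID_B", "name": "Press release (published)",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "owner@example.com"},
         {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
    {"id": "CONSTRUCTED_ID_C", "name": "Whitepaper draft",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "owner@example.com"},
         {"type": "group", "role": "commenter", "emailAddress": "reviewers@example.com"}]},
]

EDIT_ROLES = {"writer", "owner", "organizer", "fileOrganizer"}

def sharing_mode(file_meta):
    """Classify a file into the three sharing modes described in the article.
    Domain-wide grants are outside those modes and count as not anonymous here."""
    anyone = [p for p in file_meta.get("permissions", []) if p.get("type") == "anyone"]
    if not anyone:
        return "Specific people"
    if any(p.get("allowFileDiscovery") for p in anyone):
        return "Public on the web"
    return "Anyone with link"

def audit(files):
    """Return (id, name, mode, anonymously_editable) for files open to anonymous users."""
    findings = []
    for f in files:
        mode = sharing_mode(f)
        if mode == "Specific people":
            continue
        editable = any(p.get("type") == "anyone" and p.get("role") in EDIT_ROLES
                       for p in f.get("permissions", []))
        findings.append((f["id"], f["name"], mode, editable))
    # Anonymously editable files first: anyone holding the link can also change them.
    return sorted(findings, key=lambda row: not row[3])

if __name__ == "__main__":
    for row in audit(SAMPLE_FILES):
        print(row)
```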

A reminder on Google privacy

All this said, let’s not forget that whatever privacy settings you adjust on your documents, they won’t protect you from the data-hungry eyes of Google itself. By using Google Docs, you’ll be giving Google access to the content of your document, even if you’re not sharing it with anyone. If that happens to be an issue, consider using encrypted alternatives to Google’s services.

Bottom line: Use Google Docs. It’s a pretty cool tool. But also know its limits.

5 COMMENTS

    • You’re right. But in handling sensitive information, exceptions and edge cases are just as important—if not more important—as normal cases. The point is, security by obscurity sucks. If you think you can keep your whitepaper, internal communications log, classified letter… safe by keeping the URL of the Google Doc secret, you’re in for a big disappointment, sooner or later.

    • As far as I know, the only way you can prevent referrer information from being sent to a destination website is to click on a link that has the rel=noreferrer attribute or to directly copy/paste the URL in your address bar.

  1. Thanks for clarifying that! I was not 100% sure how “secure” that middle option was and now I know. I shall avoid it (despite it having some benefits to me!)
