Avoid this privacy folly when sharing on Google Docs


Out of the numerous companies I’ve worked with in the past years, most use Google Docs to submit and collaborate on draft articles and documents. Google’s productivity suite has become the de facto work platform for millions of people and organizations across the world. And with good reason: It’s free, it’s easy to use, and it’s already available to every user who has a Google account (which includes more than one billion active Gmail users).

However, one problem I’ve observed is how easily people ignore the privacy concerns surrounding Google Docs when sharing and collaborating on documents. Users and organizations often choose convenience over the protection of their information and use anonymous sharing, which makes their sensitive business information accessible to unintended parties.

Here’s what you need to know about preserving the privacy of your data when sharing Google Docs with colleagues and friends.

Google’s sharing settings

Google offers three modes of document sharing, each with different privacy and access settings:

Google docs sharing settings

On both ends of the privacy spectrum are the “Public on the web” and the “Specific people” settings. The “Public on the web” setting makes the document completely public and available for indexing, which means it’ll appear in Google search and anyone with the document’s URL can access it. On the other hand, the “Specific people” setting will make the document available only to the people with whom you decide to share it. If an uninvited party discovers the document’s URL, they won’t be able to access it.

The middle option, “Anyone with link,” won’t make the document indexable by search engines but people who have the link will be able to access it. This anonymous sharing is problematic because many organizations use it when they want to share a document with a large number of people but don’t want to explicitly add their emails to sharing settings. And they often use this setting to collaborate on documents with sensitive content. Their line of reasoning is that as long as you don’t give away the document’s URL to anyone, no one will find it. Right?

Wrong.

How anonymous sharing on Google Docs gives away your secrets

As the editor of a fast-growing tech blog, I regularly monitor the analytics page to see the “referrers.” This is where I can see the sources from which users come to my site, and it helps me track sites that link back to or republish TechTalks’ content.

referrers

A while ago, while going through the referrers, I noticed that someone had reached TechTalks through Google Sheets. As with all referrers, there was a link to the source file.

Google doc referrer link

Curious, I clicked on the link, and I was taken to a spreadsheet that was, unsurprisingly, shared anonymously and accessible to anyone with the link. What was surprising, however, was the fact that the document was open to edits, which meant I could make any changes I wanted.

The spreadsheet contained the contact information and website URLs of hundreds of bloggers, including myself. I was quickly able to see the name of one other user who was using the document at that moment, probably the same user who had just clicked on the link to TechTalks. (She couldn’t see my identity, courtesy of anonymous sharing, which displays the names of users without explicit permissions as anonymous animals.)

A quick Google search later, I found out that she worked for a sponsorship and deal-sharing company. A few uneventful minutes later, when a letter popped in my inbox through my contact page, I already knew who had sent it and what it would contain without even opening it.

Promo email

This is a stark example of “security by obscurity,” where people leave their assets unprotected on the internet, thinking that no one will find them.

To be fair, in this specific case, I didn’t stumble on any private and sensitive information. Everything the spreadsheet contained was already available online. But this wasn’t the first time that someone browsed to my blog through a Google Doc URL. And in the past few months, I’ve seen quite a few documents with information not meant to be viewed by the public, and certainly not by me. One Google Doc laid out the internal discussions of a PR company about their plans to discuss their service and offerings with me. Another was the draft of an unpublished whitepaper about artificial intelligence by a group of academics.

Google does a pretty decent job of randomizing the URLs it generates for its documents, which means there’s a very slim chance of someone brute-force guessing the URL to a document. But as the above examples show, every time you click on a link embedded in a Google Docs or Sheets file, you’ll be giving away the address of your document to anyone looking at the analytics of the link’s destination.
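The leak described above can be checked from the organization's side. The following is an added example, not code from the original article: it scans outbound web-proxy records for requests to non-Google sites that carried a Google Docs document URL in the Referer header. The tab-separated log format, the sample records and the document IDs are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records: timestamp, user, destination URL, Referer (tab-separated).
# The log format and every value below are assumptions made for illustration.
SAMPLE_LOG = "\n".join([
    "2018-03-02T09:14:07Z\talice\thttps://blog.example.net/post\t"
    "https://docs.google.com/spreadsheets/d/EXAMPLE_ID_AAA/edit",
    "2018-03-02T09:15:40Z\tbob\thttps://docs.google.com/document/d/EXAMPLE_ID_BBB/edit\t"
    "https://docs.google.com/spreadsheets/d/EXAMPLE_ID_AAA/edit",
    "2018-03-02T09:16:02Z\tcarol\thttps://news.example.org/\t-",
    "2018-03-02T09:20:11Z\talice\thttps://partner.example.com/pricing\t"
    "https://docs.google.com/spreadsheets/d/EXAMPLE_ID_AAA/edit#gid=0",
    "2018-03-02T09:31:55Z\tdave\thttps://blog.example.net/about\t"
    "https://docs.google.com/document/d/EXAMPLE_ID_BBB/edit",
])

GOOGLE_DOMAINS = ("google.com", "googleusercontent.com", "gstatic.com")
DOC_PATH = re.compile(r"^/(document|spreadsheets|presentation|forms)/d/([A-Za-z0-9_-]+)")

def is_google(host):
    return any(host == d or host.endswith("." + d) for d in GOOGLE_DOMAINS)

def leaked_documents(log_text):
    """Map (doc type, doc id) -> external hosts that received its URL as Referer."""
    leaks = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # skip malformed records
        _, _, destination, referer = fields
        ref = urlsplit(referer)
        if ref.hostname != "docs.google.com":
            continue  # Referer is absent or not a Google Docs page
        match = DOC_PATH.match(ref.path)
        dest_host = urlsplit(destination).hostname or ""
        if match and not is_google(dest_host):
            leaks[(match.group(1), match.group(2))].add(dest_host)
    return dict(leaks)

if __name__ == "__main__":
    for (kind, doc_id), hosts in leaked_documents(SAMPLE_LOG).items():
        print(f"{kind} {doc_id} -> {', '.join(sorted(hosts))}")
```

Any document reported here should be treated as known to the operators of the listed sites and moved to “Specific people” sharing.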

How to protect your privacy on Google Docs

Don’t be fooled by the “Anyone with the link” feature’s false sense of privacy. Only use anonymous sharing if you’re okay with anyone seeing the content of your document. This also goes for the easy-to-use “Get shareable link” feature that you’ll find on the context menu and simplified sharing dialog.

Google docs share with others

Otherwise, use the “Specific people” setting and send individual collaboration invitations to every person who should have access to the file.

In case you’re working with many people and you don’t want to go through the process of sharing every document with every single user, you can use Google Groups. Groups let you bundle users together in a single email address and collectively assign document permissions to all of them.

Whatever you do, don’t use anonymous sharing for the sake of convenience.
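To find documents that are still shared anonymously, the sharing mode can be read from each file's permission list. The following is an added example, not code from the original article: it classifies permission entries shaped like Drive API v3 permission resources (`type`, `role`, `allowFileDiscovery`) into the sharing modes named above and reports anonymous ones, editable first. The file names, addresses and the mapping of API fields to the dialog's labels are assumptions of this example.

```python
# Constructed file metadata in the shape of Drive API v3 file and permission
# resources; names and addresses are made up for illustration.
OWNER = {"type": "user", "role": "owner", "emailAddress": "owner@example.com"}
SAMPLE_FILES = [
    {"name": "Press release (final)", "permissions": [
        OWNER,
        {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
    {"name": "Whitepaper draft", "permissions": [
        OWNER,
        {"type": "group", "role": "writer", "emailAddress": "authors@example.com"}]},
    {"name": "Blogger outreach list", "permissions": [
        OWNER,
        {"type": "anyone", "role": "writer", "allowFileDiscovery": False}]},
]

EDIT_ROLES = {"owner", "organizer", "fileOrganizer", "writer"}

def sharing_mode(permission):
    """Translate one permission entry into the label used in the sharing dialog."""
    if permission.get("type") == "anyone":
        if permission.get("allowFileDiscovery"):
            return "Public on the web"
        return "Anyone with the link"
    if permission.get("type") == "domain":
        return "Anyone in the domain"
    return "Specific people"  # user or group entries

def audit(files):
    """Return (file name, mode, role) for every anonymous permission, editable first."""
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            if p.get("type") == "anyone":
                findings.append((f["name"], sharing_mode(p), p.get("role")))
    # False sorts before True, so entries with an edit role come first.
    return sorted(findings, key=lambda item: (item[2] not in EDIT_ROLES, item[0]))

if __name__ == "__main__":
    for name, mode, role in audit(SAMPLE_FILES):
        print(f"{name}: {mode} ({role})")
```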

A reminder on Google privacy

All this said, let’s not forget that whatever privacy settings you adjust on your documents, they won’t protect you from the data-hungry eyes of Google itself. By using Google Docs, you’ll be giving Google access to the content of your document, even if you’re not sharing it with anyone. If that happens to be an issue, consider using encrypted alternatives to Google’s services.

Bottom line: Use Google Docs. It’s a pretty cool tool. But also know its limits.

14 COMMENTS

    • You’re right. But in handling sensitive information, exceptions and edge cases are just as important—if not more important—as normal cases. The point is, security by obscurity sucks. If you think you can keep your whitepaper, internal communications log, classified letter… safe by keeping the URL of the Google Doc secret, you’re in for a big disappointment, sooner or later.

    • As far as I know, the only way you can prevent referrer information from being sent to a destination website is to click on a link that has rel=noreferrer attribute or to directly copy/paste the url in your address bar.

  1. Thanks for clarifying that! I was not 100% sure how “secure” that middle option was and now I know. I shall avoid it (despite it having some benefits to me!)

  2. Hi Ben. Thanks for the tips! I’m interested to know: if I “Publish” a Google doc/sheet, is it indexable?

  3. Hi, thanks much for this info. Could you reiterate, please, your statement regarding identity. For example, I am sharing a doc (“anyone can view”), but want to be sure no one can see my identity in any way when they are viewing the doc.

    I read somewhere that they can see your identity, unless you log out, which would be a pain.

    Do you know if that’s true?

    Thank you!

    • The identity of the person who shared the document will always be visible to the people who visit the doc. But the identity of the other people who visit the link will remain hidden, regardless of whether they’ve logged in to their Google accounts or not.

  4. Ben, a person sent me a public link to a video on their Google Drive. I clicked and viewed the video and then realized the owner was stalking me and trying to find out my identity. Can he see who I am? Can he trace me by ip address or by my Google Drive account? I saw the video in my Google Drive and deleted it but now I am concerned.

    • Hi Ace,
      As long as the file is publicly shared, (anyone with the link can view/edit), Google will not reveal your identity, regardless of whether you’re logged in to your Google account or not. The file may appear in your drive if you click on the “Add to My Drive” button, but it still won’t reveal your identity. Google also doesn’t reveal IP addresses.

      If the Doc contains a tracked link or a link to a server that belongs to the sender, then if you click on it, they’ll be able to track your IP address. But you’ve received a video, so I guess you’re safe.

      Here’s my concern though. You said the person “sent you” a link, so I suppose they already know who you are? How did they send it? Was it in an email with a tracked link? Link trackers are a privacy nightmare and they reveal a lot of information about you, and it has nothing to do with Google Docs.

  5. Hello Ben,

    I just want to know the impact of external links from a pdf or google doc published on a website. Are those links really helpful?

  6. Hi, Ben! My school uses a G-Suite, and there is an option of switching on link sharing for ONLY members within the G-Suite. Is it safe, or do privacy issues still exist?

  7. Thanks for the article. Someone sent me a Google doc. I don’t know them. It has graphic information. I blocked them and then I tried to delete the document. Every time I try to delete the document, it says, “Write access to the document denied.” The document won’t go away. Have a suggestion? This is absolutely disgusting and I am very sad and disturbed. Makes me think about what people might be sending my children! Also, is there a way to stop people I don’t know from sending me a doc? I have no idea how I got it!
