Every day, millions of people use Google Docs to share and collaborate on documents. And when it comes to working on documents online, few tools match the power and versatility of Google Drive and Google Docs. But like all online tools that provide an open environment for many people to share data, Google Docs entails privacy risks.
A while back, one of the readers of TechTalks raised expressed concern that a malicious actor was using Google Drive to stalk him and find his identity. “[A] person sent me a public link to a video on their Google Drive. I clicked and viewed the video and then realized the owner was stalking me and trying to find out my identity. Can he see who I am? Can he trace me by IP address or by my Google Drive account? I saw the video in my Google Drive and deleted it but now I am concerned,” the user asked.
In this post, I will go over the privacy issues of Google Drive link-sharing and whether malicious actors can use publicly shared Google Drive files to gather sensitive information about users. The following post focuses on link-sharing in Google Docs, but the same rules also apply to other file types shared in Google Drive. First, let’s see how link-sharing works.
Does viewing publicly shared Google Docs reveal your identity?
Google Drive lets you share your documents with specific people by selecting their Google Account emails. But it also has a link-sharing feature that enables you to share documents with anyone without explicitly including them in the document’s access list. By turning on link sharing, Google Drive produces a URL that gives access to the file. You can publish the URL online or send it to your mailing lists to share it with a large group of people.
Link sharing is widely used to share press releases, online courses and other public documents. Some organizations use link sharing to collaborate on internal documents (it’s a terrible idea).
Now, the question is, if you open a publicly shared Google Doc, does the owner of the document learn your identity?
Explicitly shared documents show the name and avatar of users who have currently opened the document. It also shows a full history of edits made by each user. In contrast, publicly shared documents show placeholder animal profiles such as “Anonymous Badger,” “Anonymous Kraken” and “Anonymous Camel” to represent users who are currently viewing the document.
Even if you’ve logged in to your Google Account while viewing a publicly shared document, your identity will remain secret.
The only exception to this rule is the owner of the document and other users who have explicitly been given access to the Google Doc. Their avatars and names will always be visible when they’re viewing the document.
Bottom line: Viewing publicly shared Google Docs does not reveal your identity. If you accidentally open a Google Doc, the owner won’t be able to gather information about your account. Neither will they gain access to information about your device, IP address or geographical location.
Does editing publicly shared Google Docs reveal your identity?
Google Docs keeps a history of all edits made to a document. But when users edit the document through public sharing, their identity remains anonymous, regardless of whether they’ve signed in to their Google Account or not. All edits made by people other than the owner or users who have been given explicit access to the document are filed under “All anonymous users.”
Things get tricky when you leave comments or suggestions. In this case, if you’re logged in as a Google user, then Google Docs will register your name.
If you’re not logged in your Google Account, your comments and suggestions will be registered under “Anonymous.”
Bottom line: As long as you don’t leave comments or suggestions, editing publicly shared Google Docs will not reveal your identity to the owner of the document or other users.
Note: Editing rules apply to all native Google file types, including Docs, Sheets and Slides. Video, audio and other file types that can’t be edited in Google apps don’t track edits and user identities.
Does adding publicly shared file to your Google Drive reveal your identity?
Shared documents have a “Add to My Drive” feature that lets you create a shortcut to the file in your Google Drive. This feature is only meant for convenience, organization and easy access to shared files. It doesn’t reveal your identity to the owner of the file. Also take note that this feature doesn’t create a copy of the file in your Google Drive. If the owner revokes access, you will not be able to access the file anymore.
Bottom line: If a shared file appears in your Google Drive, it doesn’t mean the file’s owner knows about your identity. They won’t even know you’ve added the file to your drive.
Google knows everything
Let’s be clear: Google knows quite a lot about you, even if the owner of the shared Google Docs doesn’t. Google runs the servers of Google Docs, which means it will collect your IP address, device info, browser info, geolocation and much more. Even if you haven’t logged in your Google Account and are using private browsing mode, Google will still know that you’ve previously used the same device to access an account.
While this post is only about protecting your privacy against owners of shared Google Docs, if you’re interested in hiding your data from Google itself, there are a few things you can do, such as using a virtual private network (VPN) or the Tor browser.
Privacy concerns beyond Google Docs
Like emails and social media posts, Google Docs can become subject to phishing scams and information theft. Aside from the points raised above, you must take a few things into consideration when dealing with publicly shared Google Docs.
If you see a link to a publicly shared Google Doc file in an email, make sure that the hyperlink really points to a real Google Docs file. Some senders use email and link trackers to collect information about users. When you click on a tracked link, you’re not directly taken to the destination. Instead, you go through an intermediate server that can collect information such as device type, browser type, IP address, geographical location and more. If you’re not careful, you won’t notice that you have just been tracked. Below is a tracked link. While the anchor text clearly shows it’s a Google Doc link, the real URL of the link is a tracker.
You can verify this by hovering your mouse pointer on the link and reading the address that appears at the bottom of your browser window. If it doesn’t start with “https://docs.google.com” then it’s not an authentic Google Docs link.
There’s another way to avoid clicking on tracked links by accident. If you’re using Gmail or a corporate G Suite email, real Google Docs links will appear as document attachments at the bottom of the email message. You can directly click on the icon to open the file in Google Docs. If the icon doesn’t appear, then there’s something wrong with the link.
A final privacy consideration when using publicly shared Google Docs: Be very careful of links inside documents. Google Docs makes sure document owners can’t track IP addresses and device information of visitors. But there’s no guarantee about the safety and privacy of the links inside the document. Make sure to check the destination of links inside the document. They might go through trackers, giving the owner the capability to collect information about visitors.