Google Docs is one of the few online applications that I’m deeply dependent on for my everyday work. Like millions of other people, I use it to write, edit, collaborate, and to archive my documents. There’s no arguing on the convenience that Google Docs provides, whether you’re a professional writer, an account manager, an academic researcher, or just a random person taking inventory of your thoughts.
But like every other piece of useful technology, Google Docs can cause unwanted security and privacy problems. The convenience of Google Docs often leads users to let their guard down and ignore security issues. If you’re using Google Docs to store business secrets, the next best-selling novel, or a future award-winning research paper, here are some tips that will make sure your documents are secure.
A few notes on Google Docs security
Before we delve into our Google Docs security tips, some clarification is necessary. In this piece I’ll be discussing ways to protect your Google Docs against unauthorized access.
We’re not going to be discussing Google scanning your documents and mining your data to train its artificial intelligence algorithms or serve personalized ads. I suppose you already know that when you’re not paying, you’re the product.
Neither is this a rant about Google sharing your data with government agencies. That too is an issue for a separate post on digital rights and privacy regulation.
And finally, I’m not going to discuss security incidents and data breaches at Google’s data centers. Those are genuine concerns, but in my experience, Google has some of the strongest security practices. Most security incidents regarding Google Docs happen because of user negligence and misusing Google’s own security features.
If you want to evade corporate or government snooping and surveillance, read our post on encrypting your entire life. If you’re interested in keeping your Google Docs secure, read on.
Note: All the tips in this post also apply to Google Sheets and Slides.
Don’t use Google Docs link sharing unless you absolutely must
One of the greatest features of Google Docs is to share them with colleagues and collaborate on them. Google supports two sharing modes: link sharing and individual sharing.
Individual sharing requires you to explicitly give access to each user who should have access to the document. When you turn on link sharing, anyone who has the link to your Google Doc will be able to access it.
As we’ve previously seen in these pages, Google Docs link sharing is a privacy disaster. Even if you’re careful to only share the link to the document with relevant people, there are several ways that uninvited people can get access to your Google Doc. For instance, when you click on a link in the text of the Google Doc, the analytics system of the website you’re redirected to will register your document’s URL. The owner will then be able to open your Google Doc.
Bad use of Google Docs link sharing is a perfect example of “security through obscurity” gone wrong.
In many cases users turn on link sharing because the people they want to work with don’t have a Google Account. In explicit sharing mode, Google Docs requires each user who wants to access a document to have a Google Account.
In this case, I still believe the security tradeoff of turning on Google Docs link sharing is not worth the convenience of quickly making it available to a colleague. Fortunately, Google doesn’t require you to have Gmail or G Suite to have a Google Account. Anyone can create one with their existing personal or corporate email in a few easy steps.
In case your colleague(s) can’t or don’t want to create a Google Account to access your Google Doc, I suggest downloading it as a Microsoft Word (.docx) document and sending it to them as an email attachment. It will deprive you of the possibility to collaborate on the document, but it will make sure your Google Docs are secure against unauthorized access.
So why does Google Docs have link sharing? I personally find very few cases where I want to turn on link sharing. But in the cases where you have a public document such as a press release or announcement, then using link sharing is justified. But even for such cases, there’s usually a better place to publish the document, such as your company’s website.
Bottom line: Google Docs link sharing is very insecure! Use it sparingly, if ever.
Use Google Groups if you want to mass share
Users sometimes tell me that they turn on link-sharing when they must share several Google Docs with many people, even if it contains confidential and private information. Their excuse to compromise the security of their documents is that there’s no efficient way to share the document with so many people. This is especially true for freelancers and people who don’t have a corporate domain and don’t have G Suite or other tools to create corporate work groups.
Google, however, already has an old tool that can help you create and manage working groups. Google Groups, which launched in 2001, has lost much of its popularity in the past years. But it is still a very useful tool for collaboration using the free version of Google Docs, Drive and Google’s other creativity tools.
To avoid turning on link-sharing and undermining the privacy and security of your Google Docs, you can create a Google Group and add all the people you want to collaborate with. You can have different Groups for different tasks and projects. Every time you want to collaborate on a new document, instead of manually typing or copy/pasting all the email addresses of your colleagues (or turning or the security nightmare “link sharing” feature), just share it with the email address of the relevant group or groups. It will give access to all the people who are members of those groups without compromising the security of your Google Doc.
To make sure that Google Groups don’t compromise your Google Docs’ security, please take the following measures:
Manage your Google Groups regularly. If one person is off the team, remove them from the Google Group. This will immediately revoke their access from all Google Docs shared with that group. Always make sure to keep you Google Groups up to date to avoid any old users from taking advantage of their remaining access to your Google Docs.
Also, make sure your Groups are not public, unless you explicitly intend them to be so. My personal recommendation is to set your Group’s visibility to “members only” and your join policy on “invite only.” This will make sure you have full control on the security of your Google Docs and who has access to them.
Google Groups is a very useful tool that can reduce the overhead of managing the security of your Google Docs by giving you a central access administration center.
Turn off editor sharing rights
By default, if you give a user edit rights to your Google Docs, they will be able to share the document by other users. This can set the stage for accidental (or intentional) security mishaps. The editors might end up sharing the document with people that should not have access to it.
As a best security practice of minimum rights, Google should remove this right and only enable it if a user explicitly wants to give access management rights to their editors. Fortunately, you can turn it off. You can find it in the advanced sharing settings. By enabling the “Prevent editors from changing access and adding new people” checkbox, you’ll make sure that your editors can’t give uninvited people access to your document.
While you’re at it, I also suggest enabling the “Disable options to download, print and copy…” checkbox. While it can’t prevent viewers from stealing your documents, it will certainly make it harder for them.
Keep your Google Account secure
One of the key overlooked measures to protect your Google Docs is keeping you Google Account secure. An insecure Gmail that falls victim to a phishing or spear phishing attack will immediately give hackers access to all your Google Docs. (Though honestly, if your Gmail gets hacked, you’ll probably have bigger problems to worry about than Google Docs security.)
Choosing a strong password for your Google Account is a good place to start to secure you Google Docs. Long and complex passwords, unique passwords and using password managers are some of the techniques that will make your account more robust against hijacking. Also, if you’ll be managing your Google Docs on the go, be very careful if you decide to connect to public wi-fi networks in libraries, hotels and cafes. Eavesdropping and man-in-the-middle attacks might enable hackers to steal your password and gain access to your documents.
My personal recommendation is to turn on two-factor authentication and secure your account with a physical key such as YubiKey, which Google has been supporting for several years now. Having a physical security key will make sure that your Google Docs remain secure even if some hacker manages to steal your password.
A secure Google Account is an inseparable part of protecting your Google Docs. Without it, none of the other steps we mentioned can protect your confidential documents from unauthorized access.