Warning: Google Docs Is NOT Safe
Do you use Google Docs? Increasing numbers of people are jumping on aboard, especially among web workers. But how safe is your data?
After some of my coworkers expressed security concerns, I set out on a mission. I’ve waded through pages and pages of info, to provide you with the bottom line on Google Docs security.
Google’s terms
The first thing to read is Google’s Terms of Service.
Intellectual property is safe
Surprisingly, Google’s terms provide strong protection for your intellectual property. You can’t abuse other people’s intellectual property rights:
8.2 … You may not modify, rent, lease, loan, sell, distribute or create derivative works based on this Content (either in whole or in part) unless you have been specifically told that you may do so by Google or by the owners of that Content, in a separate agreement.
And Google clearly acknowledges your rights:
9.4 Other than the limited license set forth in Section 11, Google acknowledges and agrees that it obtains no right, title or interest from you (or your licensors) under these Terms in or to any Content that you submit, post, transmit or display on, or through, the Services, including any intellectual property rights which subsist in that Content (whether those rights happen to be registered or not, and wherever in the world those rights may exist). …
Google gets a license to your work, so it can provide services to you, but it affirms your property rights:
11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. …
But you CAN’T SUE
After reading those positive statements from Google you’re probably feeling warm and fuzzy inside. But if you keep reading the ToS, you come across this little statement:
15.1 SUBJECT TO OVERALL PROVISION IN PARAGRAPH 14.1 ABOVE, YOU EXPRESSLY UNDERSTAND AND AGREE THAT GOOGLE, ITS SUBSIDIARIES AND AFFILIATES, AND ITS LICENSORS SHALL NOT BE LIABLE TO YOU FOR:
(A) ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL CONSEQUENTIAL OR EXEMPLARY DAMAGES WHICH MAY BE INCURRED BY YOU, HOWEVER CAUSED AND UNDER ANY THEORY OF LIABILITY.. THIS SHALL INCLUDE, BUT NOT BE LIMITED TO, ANY LOSS OF PROFIT (WHETHER INCURRED DIRECTLY OR INDIRECTLY), ANY LOSS OF GOODWILL OR BUSINESS REPUTATION, ANY LOSS OF DATA SUFFERED, COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR OTHER INTANGIBLE LOSS;
This lawyer-speak translates to: “You waive any possible damages we might cause.” That doesn’t sound very promising, does it? According to my simple reading, if Google loses your data or causes the destruction of your entire business, you’re out of luck.
Privacy policy
Now that you’re freaked out of your mind, we’ll see if the Privacy Policy restores any faith in Google. It’s full of the typical guarantees, but this one speaks to the heart of the issue:
We take appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data. These include internal reviews of our data collection, storage and processing practices and security measures, as well as physical security measures to guard against unauthorized access to systems where we store personal data.
We restrict access to personal information to Google employees, contractors and agents who need to know that information in order to operate, develop or improve our services. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.
So Google protects your data and will take actions against people who screw with it, but you can’t enforce that against the company. Unfortunately, the Google Docs privacy policy doesn’t provide any further assurances.
Other resources
Since Google’s pages were unsatisfactory, I did some other research. Apparently there were serious cookie theft issues earlier this year, which might be inherent in Google’s architecture. For a great background on some Google holes, check out TechCrunch’s security summary, even though it’s almost a year old.
I also found a couple other people who are questioning security with Google. And then there’s a guy with mysterious documents popping into his account.
User beware
In the end, caveat emptor (“buyer beware”) captures the best approach to Google Docs. Google makes promises, but there’s not much to back them up.
I’ll probably continue using Docs for mundane information. But if it’s mission-critical, I don’t think Google Docs is the ticket for me.
And you?
What do you think of Google’s security? Is it good enough for you? Did I miss a key point? Let’s talk!
Get more legal tips
|
See also... |
Comments
30 Responses to “Warning: Google Docs Is NOT Safe”
September 24th, 2007
Now we know why they are billionaires.
September 25th, 2007
I have had similar concerns with using the service, but I’ve actually found Google’s terms to be quite solid in comparison to online file-hosting services like Mozy, etc.
As far as being unable to enforce an illegal/non-contractual disclosure of your private data, I think that’s an overbroad reading of the paragraph you’ve cited. You don’t forfeit your right to seek an injunction or to enforce the privacy policy – it only limits Google’s liability for damages caused by a breach of the privacy policy/disclosure of your private data.
Losing your business over a documents loss or disclosure is a pretty doomsday-type scenario. If you use Google Docs as your sole method of document storage, that’s your fault for not backing things up; if Google discloses your private data, you can’t recover damages from Google, but you can enjoin them from further disclosure and you can sue anyone that accesses the data, as it would have been disclosed contrary to the privacy contract and without your consent (i.e. you would still retain copyright and other rights).
And that all assumes that Google’s boilerplate would hold up in court, which is a pretty big assumption given the power disparity between the parties here. That said, use of the service is entirely voluntary and free, so maybe it’s not so unlikely that the policy would stand.
At any rate, I think you’d be hard-pressed to find anyone offering a better alternative. Data-device separation is a classic example of introducing insecurity into data storage; but the utility of the service may just outweigh the risk.
September 25th, 2007
Just because they’re not willing to take responsibility for you losing your password to a phishing scheme etc, doesn’t mean it’s not secure. You’re misrepresenting the ideal of secure.
There are no software vendors, service providers etc., that will claim responsibility for the loss of your information. Even government sites have a standard disclosure that your information is only as safe as you make it.
Google docs is as secure as the person using it, if you take precautions, such as using SSL and strong passwords, as well as not using the same password for all your needs, you data is assuredly secure. Don’t be so alarmist…
September 25th, 2007
I’m curious what you think of Google Desktop. Its saved me a few times at the office, but I wonder if there are security issues. Thanks. btw, nice blog.
September 25th, 2007
Nelson – You brought up some great points. You’re right that an injunction or other equitable relief might be available if security was breached. I honestly hadn’t thought of that. Also, I agree that there might be room to poke holes in the boilerplate language.
Marcus – I’m sorry that I came across as “alarmist.” When I started researching this issue, I was hoping to find rock-solid evidence of security. Instead, I found some strong promises without much to back them up. My final conclusion of “user beware” takes into account your points that security heavily depends upon the user. And I did say that I’m going to continue using Docs, albeit for non-sensitive purposes.
Kim – The Terms of Service that I outline here apply to all Google services. My assessment for Desktop would be similar. I used to heavily use Google Desktop, but I abandoned it when I got Vista, since the new Windows desktop search suits my needs. If Desktop has value for you, keep using it, but don’t put all your eggs in the Google basket.
September 25th, 2007
Google’s Board of Directors should run for Congress. They make a lot of promises, but have no intentions of backing them up.
October 3rd, 2007
I work in the IT industry and I have learned one thing well: putting your eggs in one basket is suicidal. Using Google Docs is fine and just as safe as using any other online service of that caliber. The problem is users who rely on it as a backup for important documents. Sure I have some docs there, but I also have them in two other places.
Never rely on one source for storing your documents. One hard drive equals one single point of failure. One online service equals a single point of failure. Use three or more to be sure.
October 9th, 2007
seogeek,
You’re absolutely right! If it’s too important to lose, always have 2 copies. 🙂
October 21st, 2007
I’m not sure how you came to the conclusion that Google respects your property rights to “Content which you submit, post or display on or through, the Services.” Google recognizes that you own the content, but by using the services, you grant Google non-exclusive license to to nearly all the rights associated with ownership, including reproduction, publication and distribution, as well as “for the provision of syndicated services, and to use such Content in connection with the provision of those services.” Granted, Google is unable to sell the actual copyright, which you retain, but what good is copyright ownership if Google possesses “perpetual, irrevocable, worldwide, royalty-free” rights to the copyrighted material? In fact, the copyright loses significant value, since any subsequent owner must also respect the irrevocable rights granted to Google by you.
By using Google Services, and granting such broad rights to Google, there is nothing stopping them from selling your work, for example, to a publishing company, in order to obtain rights from that publishing company to make electronic copies of books, to which the publishing company has distribution rights, available by Google, all without any compensation to you. That doesn’t mean they will inevitably do that, just that they are legally entitled to do so.
I don’t see how Google is respecting your property rights with their Terms of Service.
From Google Terms of Service:
“11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive licence to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This licence is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.
“11.2 You agree that this licence includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.”
October 21st, 2007
Chris,
Thanks for your comment. I really appreciate you contributing to the discussion, but I don’t agree with your reading of the Terms.
I think this is a key phrase:
“This license is for the sole purpose of enabling Google to display, distribute and promote the Services.”
I read that to mean you’re giving Google a license to your content, so it can actually provide the Services. Maybe I’m reading it too narrowly.
Thanks again,
Andrew
November 14th, 2007
In the story “Silver Blaze”, Sherlock Holmes makes a deduction on the basis of something NOT happening (the dog didn’t bark, which showed that the ‘theft’ was carried out by someone familiar to the dog).
My concern is about security. Can uninvited people read my google docs?
I don’t find evidence on the web, the blogosphere etc, of google docs being opened by others. I hear that it might theoretically be possible, but not examples of it in reality.
So, like Sherlock Holmes, can I assume that therefore it isn’t happening? – and that it can’t happen? The lack of evidence makes me think that the answer is ‘yes’ to both: surely the dog would be barking if google docs were being hacked.
November 14th, 2007
JG,
I like your reasoning! I’m inclined to agree with your theory. If Docs was being hacked, we’d hear about it on the internet (the dog would bark like crazy). I think it’s safe to assume people aren’t reading your Docs.
BUT I still wouldn’t trust sensitive data in Docs. I use it for a lot of my work and writing, but I don’t consider that sensitive. I don’t use it to store passwords or write up plans for my latest life-saving invention; those are sensitive.
Best to you!
Andrew
December 14th, 2007
Aside from the legalese, your data is not usually safe on google docs because it is often transfered (and stored) in plain text, and hackers, google workers, and people sitting next to you in the office and all see your network traffic. There are a few things you do about this however.
The first and easiest method is to use https:// and not http:// when you connect to google websites. that S stands for SSL. (secure socket layer) and it means that your data is sent over an encrypted connection to google. This will provide you with basic protection from sniffers and hackers, however, once the data gets to google, it is stored in plain text.
Gwebs has a product called webmailSaftey which will encrypt your gmail messages. You can download it at http://www.gwebs.com/
February 19th, 2008
I’m taking a class in Information Technology, and the prof introduced us to Google docs for use in the class and elsewhere. From what one student found in the Terms of Service, it sounds as if our (copyrighted?) content is not all that safe, from Google itself:
11.2 You agree that this licence includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.
11.3 You understand that Google, in performing the required technical steps to provide the Services to our users, may (a) transmit or distribute your Content over various public networks and in various media; and (b) make such changes to your Content as are necessary to conform and adapt that Content to the technical requirements of connecting networks, devices, services or media. You agree that this licence shall permit Google to take these actions.
11.4 You confirm and warrant to Google that you have all the rights, power and authority necessary to grant the above licence.”
Personally, I usually just skip through the terms of service, as my “content” probably doesn’t often have anything I wouldn’t mind sharing. But if a company were to use Gdocs to share files, they’d better know what they’re in for! Doris
February 29th, 2008
Doris – You’re absolutely right that we should pay attention to the Terms when we’re using a service. That’s especially true when we’re trusting important content to them.
April 4th, 2008
I recently discovered Google Docs and am trying to convince the sports club I belong to that this is the answer to our problems with document controls — multiple teams at various levels and any changes to rosters or schedules affects a lot of other people and lots of changes *are* being made all the time at all levels.
Currently, we use email to send new versions of rosters out, but there are days when I get up to 5 versions, and there is no version control in place as most are technophobic. My email is jammed with emails and the logistics of keeping things organized is getting too cumbersome. Google Docs looks like the solution — limited collaborators can make their changes directly into the *master* file in real time and all can get notified and access the most up-to-date data.
My question is about security. The roster contains personal data like name, age, address, phone, dob. Is GD more, equally, or less secure than what we currently do, which is emailing the docs with no encryption. I think we are at least as safe if not more, but I wanted to get someone to point out the inherent security problems with both and compare them.
I will never be able to get them to use cvs for version control, nor will I get them to use SSL, but if it is no less secure than the email, at least I will not have dozens of email copies of the same file with slight changes in each, filling up my inbox and disc space.
Is there a way to*force* the link invitation that GoogleDoc sends out to be https and not just http? Maybe this is a feature enhancement that should be added to requested improvements. Or would something like having the link take someone to the doc but first require them to log into a Google account be another level of security (but also possibly another failure point when people refuse to set up a new account. And then how would my Google Docs account recognize the *new* Google account when it was not known at the time of the invitation to collaborate?)
April 5th, 2008
MamaMia – I would say that Google Docs is more secure than emailing documents back and forth. And it’s definitely easier to collaborate through Google Docs. I wouldn’t put social security numbers in Docs, but the stuff you’re talking about is probably. To me, the collaboration benefits (for your needs) outweigh the security concerns.
June 2nd, 2008