A colleague recently asked me about Google Docs, wanting to know if it would be suitable for sharing documents within the organisation. She had heard that other Councils were using it, and Google Docs certainly ticks many of the boxes:
- Free and easy to set up
- Possible to allow multiple users to access and contribute to documents
- Available (not blocked by our corporate filters and excellent uptime)
But the major question I wanted an answer to was around security. As soon as information leaves our internal corporate network, there are security issues which need to be considered.
In his article, ‘Warning: Google Docs is not safe’, Legal Andrew looks at issues around Google Docs’ security and privacy. His conclusion is that although he’d trust it with ‘mundane information’, he won’t be using it for ‘mission-critical’ content.
Google’s own take on the subject is a lot more positive, as demonstrated by a response to a question on getsatisfaction.com:
There are two tips which can greatly improve your safety:
1) When using an unencrypted wireless connection or some other network you don’t really trust, use https://docs.google.com instead of http://docs.google.com. The extra ‘s’ means ‘secure’; all traffic is encrypted. The only down-side is it’s a little bit slower.
2) When you use someone else’s computer (especially at an Internet cafe or at a hotel), don’t forget to log out of your Google account. And when logging in, don’t check “remember my password”. Pretty obvious.
Here at Google we use Docs to store all our confidential documents, spreadsheets and presentations. We use the same servers and we have no worries about people being able to see our data.
Neil Fraser, Google Rep
The secure protocol option is definitely a good feature, although until recently I tended to access Google Docs by simply tapping in ‘docs’ in my Firefox Google searchbar, then following the top link. This would get me there in seconds, but by default did not direct to the secure version (Google Docs isn’t secure by default because the secure protocol can be slower, as Neil mentions).
Neil’s second point raises a serious issue around our ability to trust those with the relevant log-in details to use them appropriately (it is important to note that this is a universal risk, and not a problem with Google Docs specifically).
But if Google’s assurances have allayed some of your fears, let me draw your attention to last month’s rather embarrassing security glitch (as reported by cnet):
“We’ve identified and fixed a bug which may have caused you to share some of your documents without your knowledge. This inadvertent sharing was limited to people with whom you, or a collaborator with sharing rights, had previously shared a document,”
And a more recent bombshell has again rocked Google’s boat. Only last week, security consultant Ade Barkah wrote a blog post about the security issues with Google Docs. In it, he suggests:
- that embedded images are not afforded the same security as documents themselves
- that people you share a document with can see previously inserted diagrams with some simple URL hacking to access other revision versions
- that people who you have stopped sharing with can, in some cases, get access back again
Google’s official response was swift and made a lot of sense, but my concern is that their solution was essentially to tell us what we were doing wrong to allow these breaches (for example, in response to point number 2, we should be creating a new document before sharing, to get rid of the revision history). They are now producing additional documentation to cover these issues more thoroughly – but is everyone likely to read these?
In my opinion, the average user shouldn’t have to think about security issues. He or she should be protected from that by people who know the subject a lot better – who know the loopholes and have covered our tracks for us. The average user may or may not care about security, or they may simply not have thought about the risks – it doesn’t matter.
If I’m having to worry about whether I’m making my data insecure by not doing things the right way, then I’d say that by default that system is not secure. It’s summed up perfectly by the need to insert the ‘s’ in the URL yourself – it’s not Google’s problem, it’s ours.
Of course, for the price (free) Google Docs does offer real value and a generally excellent service, and I’ll continue to use it for my own documents. But as a corporate solution, I think we may need to keep looking.
UPDATE 9th April: I raised this issue on the Public Sector Forums and have had an interesting response from Deborah Fern, who points out part 8 of the Data Protection Act which states:
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Although Google Docs is US-based, they are signed up to the Safe Harbour Agreement, which does offer some form of protection.
Deborah also suggests that if you’re asking people to create an account to access a service, as in my original scenario, you become the Data Holder and are therefore responsible for what happens to that data.
UPDATE 14th April: Another comment from Helen Lea points to an interesting article over at The Big Money – Google’s Cloudy Day.