Hi, if you want free updates from my blog, you can enter your email address here.

Warning: Google Docs Is NOT Safe



lock

Do you use Google Docs? Increasing numbers of people are jumping on aboard, especially among web workers. But how safe is your data?

After some of my coworkers expressed security concerns, I set out on a mission. I’ve waded through pages and pages of info, to provide you with the bottom line on Google Docs security.

Google’s terms

The first thing to read is Google’s Terms of Service.

Intellectual property is safe

Surprisingly, Google’s terms provide strong protection for your intellectual property. You can’t abuse other people’s intellectual property rights:

8.2 … You may not modify, rent, lease, loan, sell, distribute or create derivative works based on this Content (either in whole or in part) unless you have been specifically told that you may do so by Google or by the owners of that Content, in a separate agreement.

And Google clearly acknowledges your rights:

9.4 Other than the limited license set forth in Section 11, Google acknowledges and agrees that it obtains no right, title or interest from you (or your licensors) under these Terms in or to any Content that you submit, post, transmit or display on, or through, the Services, including any intellectual property rights which subsist in that Content (whether those rights happen to be registered or not, and wherever in the world those rights may exist). …

Google gets a license to your work, so it can provide services to you, but it affirms your property rights:

11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. …

But you CAN’T SUE

After reading those positive statements from Google you’re probably feeling warm and fuzzy inside. But if you keep reading the ToS, you come across this little statement:

15.1 SUBJECT TO OVERALL PROVISION IN PARAGRAPH 14.1 ABOVE, YOU EXPRESSLY UNDERSTAND AND AGREE THAT GOOGLE, ITS SUBSIDIARIES AND AFFILIATES, AND ITS LICENSORS SHALL NOT BE LIABLE TO YOU FOR:

(A) ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL CONSEQUENTIAL OR EXEMPLARY DAMAGES WHICH MAY BE INCURRED BY YOU, HOWEVER CAUSED AND UNDER ANY THEORY OF LIABILITY.. THIS SHALL INCLUDE, BUT NOT BE LIMITED TO, ANY LOSS OF PROFIT (WHETHER INCURRED DIRECTLY OR INDIRECTLY), ANY LOSS OF GOODWILL OR BUSINESS REPUTATION, ANY LOSS OF DATA SUFFERED, COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR OTHER INTANGIBLE LOSS;

This lawyer-speak translates to: “You waive any possible damages we might cause.” That doesn’t sound very promising, does it? According to my simple reading, if Google loses your data or causes the destruction of your entire business, you’re out of luck.

Privacy policy

Now that you’re freaked out of your mind, we’ll see if the Privacy Policy restores any faith in Google. It’s full of the typical guarantees, but this one speaks to the heart of the issue:

We take appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data. These include internal reviews of our data collection, storage and processing practices and security measures, as well as physical security measures to guard against unauthorized access to systems where we store personal data.

We restrict access to personal information to Google employees, contractors and agents who need to know that information in order to operate, develop or improve our services. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.

So Google protects your data and will take actions against people who screw with it, but you can’t enforce that against the company. Unfortunately, the Google Docs privacy policy doesn’t provide any further assurances.

Other resources

Since Google’s pages were unsatisfactory, I did some other research. Apparently there were serious cookie theft issues earlier this year, which might be inherent in Google’s architecture. For a great background on some Google holes, check out TechCrunch’s security summary, even though it’s almost a year old.

I also found a couple other people who are questioning security with Google. And then there’s a guy with mysterious documents popping into his account.

User beware

In the end, caveat emptor (“buyer beware”) captures the best approach to Google Docs. Google makes promises, but there’s not much to back them up.

I’ll probably continue using Docs for mundane information. But if it’s mission-critical, I don’t think Google Docs is the ticket for me.

And you?

What do you think of Google’s security? Is it good enough for you? Did I miss a key point? Let’s talk!

Get more legal tips

Sign-up below to receive my bi-monthly email newsletter with free legal tips. All fields are required.





See also...

Comments

30 Responses to “Warning: Google Docs Is NOT Safe”

  1. digitalnomad
    September 24th, 2007

    Now we know why they are billionaires.

  2. Nelson
    September 25th, 2007

    I have had similar concerns with using the service, but I’ve actually found Google’s terms to be quite solid in comparison to online file-hosting services like Mozy, etc.

    As far as being unable to enforce an illegal/non-contractual disclosure of your private data, I think that’s an overbroad reading of the paragraph you’ve cited. You don’t forfeit your right to seek an injunction or to enforce the privacy policy – it only limits Google’s liability for damages caused by a breach of the privacy policy/disclosure of your private data.

    Losing your business over a documents loss or disclosure is a pretty doomsday-type scenario. If you use Google Docs as your sole method of document storage, that’s your fault for not backing things up; if Google discloses your private data, you can’t recover damages from Google, but you can enjoin them from further disclosure and you can sue anyone that accesses the data, as it would have been disclosed contrary to the privacy contract and without your consent (i.e. you would still retain copyright and other rights).

    And that all assumes that Google’s boilerplate would hold up in court, which is a pretty big assumption given the power disparity between the parties here. That said, use of the service is entirely voluntary and free, so maybe it’s not so unlikely that the policy would stand.

    At any rate, I think you’d be hard-pressed to find anyone offering a better alternative. Data-device separation is a classic example of introducing insecurity into data storage; but the utility of the service may just outweigh the risk.

  3. MarcusBrutus
    September 25th, 2007

    Just because they’re not willing to take responsibility for you losing your password to a phishing scheme etc, doesn’t mean it’s not secure. You’re misrepresenting the ideal of secure.

    There are no software vendors, service providers etc., that will claim responsibility for the loss of your information. Even government sites have a standard disclosure that your information is only as safe as you make it.

    Google docs is as secure as the person using it, if you take precautions, such as using SSL and strong passwords, as well as not using the same password for all your needs, you data is assuredly secure. Don’t be so alarmist…

  4. Kim
    September 25th, 2007

    I’m curious what you think of Google Desktop. Its saved me a few times at the office, but I wonder if there are security issues. Thanks. btw, nice blog.

  5. Andrew Flusche
    September 25th, 2007

    Nelson – You brought up some great points. You’re right that an injunction or other equitable relief might be available if security was breached. I honestly hadn’t thought of that. Also, I agree that there might be room to poke holes in the boilerplate language.

    Marcus – I’m sorry that I came across as “alarmist.” When I started researching this issue, I was hoping to find rock-solid evidence of security. Instead, I found some strong promises without much to back them up. My final conclusion of “user beware” takes into account your points that security heavily depends upon the user. And I did say that I’m going to continue using Docs, albeit for non-sensitive purposes.

    Kim – The Terms of Service that I outline here apply to all Google services. My assessment for Desktop would be similar. I used to heavily use Google Desktop, but I abandoned it when I got Vista, since the new Windows desktop search suits my needs. If Desktop has value for you, keep using it, but don’t put all your eggs in the Google basket.

  6. FacingTheSharks
    September 25th, 2007

    Google’s Board of Directors should run for Congress. They make a lot of promises, but have no intentions of backing them up.

  7. seogeek
    October 3rd, 2007

    I work in the IT industry and I have learned one thing well: putting your eggs in one basket is suicidal. Using Google Docs is fine and just as safe as using any other online service of that caliber. The problem is users who rely on it as a backup for important documents. Sure I have some docs there, but I also have them in two other places.

    Never rely on one source for storing your documents. One hard drive equals one single point of failure. One online service equals a single point of failure. Use three or more to be sure.

  8. Andrew Flusche
    October 9th, 2007

    seogeek,

    You’re absolutely right! If it’s too important to lose, always have 2 copies. :)

  9. Chris
    October 21st, 2007

    I’m not sure how you came to the conclusion that Google respects your property rights to “Content which you submit, post or display on or through, the Services.” Google recognizes that you own the content, but by using the services, you grant Google non-exclusive license to to nearly all the rights associated with ownership, including reproduction, publication and distribution, as well as “for the provision of syndicated services, and to use such Content in connection with the provision of those services.” Granted, Google is unable to sell the actual copyright, which you retain, but what good is copyright ownership if Google possesses “perpetual, irrevocable, worldwide, royalty-free” rights to the copyrighted material? In fact, the copyright loses significant value, since any subsequent owner must also respect the irrevocable rights granted to Google by you.

    By using Google Services, and granting such broad rights to Google, there is nothing stopping them from selling your work, for example, to a publishing company, in order to obtain rights from that publishing company to make electronic copies of books, to which the publishing company has distribution rights, available by Google, all without any compensation to you. That doesn’t mean they will inevitably do that, just that they are legally entitled to do so.

    I don’t see how Google is respecting your property rights with their Terms of Service.

    From Google Terms of Service:
    “11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive licence to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This licence is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.

    “11.2 You agree that this licence includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.”

  10. Andrew Flusche
    October 21st, 2007

    Chris,

    Thanks for your comment. I really appreciate you contributing to the discussion, but I don’t agree with your reading of the Terms.

    I think this is a key phrase:

    “This license is for the sole purpose of enabling Google to display, distribute and promote the Services.”

    I read that to mean you’re giving Google a license to your content, so it can actually provide the Services. Maybe I’m reading it too narrowly.

    Thanks again,
    Andrew

  11. JG
    November 14th, 2007

    In the story “Silver Blaze”, Sherlock Holmes makes a deduction on the basis of something NOT happening (the dog didn’t bark, which showed that the ‘theft’ was carried out by someone familiar to the dog).

    My concern is about security. Can uninvited people read my google docs?

    I don’t find evidence on the web, the blogosphere etc, of google docs being opened by others. I hear that it might theoretically be possible, but not examples of it in reality.

    So, like Sherlock Holmes, can I assume that therefore it isn’t happening? – and that it can’t happen? The lack of evidence makes me think that the answer is ‘yes’ to both: surely the dog would be barking if google docs were being hacked.

  12. Andrew Flusche
    November 14th, 2007

    JG,

    I like your reasoning! I’m inclined to agree with your theory. If Docs was being hacked, we’d hear about it on the internet (the dog would bark like crazy). I think it’s safe to assume people aren’t reading your Docs.

    BUT I still wouldn’t trust sensitive data in Docs. I use it for a lot of my work and writing, but I don’t consider that sensitive. I don’t use it to store passwords or write up plans for my latest life-saving invention; those are sensitive.

    Best to you!
    Andrew

  13. Alex Miller
    December 14th, 2007

    Aside from the legalese, your data is not usually safe on google docs because it is often transfered (and stored) in plain text, and hackers, google workers, and people sitting next to you in the office and all see your network traffic. There are a few things you do about this however.

    The first and easiest method is to use https:// and not http:// when you connect to google websites. that S stands for SSL. (secure socket layer) and it means that your data is sent over an encrypted connection to google. This will provide you with basic protection from sniffers and hackers, however, once the data gets to google, it is stored in plain text.

    Gwebs has a product called webmailSaftey which will encrypt your gmail messages. You can download it at http://www.gwebs.com/

  14. Doris Dejwakh
    February 19th, 2008

    I’m taking a class in Information Technology, and the prof introduced us to Google docs for use in the class and elsewhere. From what one student found in the Terms of Service, it sounds as if our (copyrighted?) content is not all that safe, from Google itself:

    11.2 You agree that this licence includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.

    11.3 You understand that Google, in performing the required technical steps to provide the Services to our users, may (a) transmit or distribute your Content over various public networks and in various media; and (b) make such changes to your Content as are necessary to conform and adapt that Content to the technical requirements of connecting networks, devices, services or media. You agree that this licence shall permit Google to take these actions.

    11.4 You confirm and warrant to Google that you have all the rights, power and authority necessary to grant the above licence.”

    Personally, I usually just skip through the terms of service, as my “content” probably doesn’t often have anything I wouldn’t mind sharing. But if a company were to use Gdocs to share files, they’d better know what they’re in for! Doris

  15. Andrew Flusche
    February 29th, 2008

    Doris – You’re absolutely right that we should pay attention to the Terms when we’re using a service. That’s especially true when we’re trusting important content to them.

  16. MamaMia
    April 4th, 2008

    I recently discovered Google Docs and am trying to convince the sports club I belong to that this is the answer to our problems with document controls — multiple teams at various levels and any changes to rosters or schedules affects a lot of other people and lots of changes *are* being made all the time at all levels.

    Currently, we use email to send new versions of rosters out, but there are days when I get up to 5 versions, and there is no version control in place as most are technophobic. My email is jammed with emails and the logistics of keeping things organized is getting too cumbersome. Google Docs looks like the solution — limited collaborators can make their changes directly into the *master* file in real time and all can get notified and access the most up-to-date data.

    My question is about security. The roster contains personal data like name, age, address, phone, dob. Is GD more, equally, or less secure than what we currently do, which is emailing the docs with no encryption. I think we are at least as safe if not more, but I wanted to get someone to point out the inherent security problems with both and compare them.

    I will never be able to get them to use cvs for version control, nor will I get them to use SSL, but if it is no less secure than the email, at least I will not have dozens of email copies of the same file with slight changes in each, filling up my inbox and disc space.

    Is there a way to*force* the link invitation that GoogleDoc sends out to be https and not just http? Maybe this is a feature enhancement that should be added to requested improvements. Or would something like having the link take someone to the doc but first require them to log into a Google account be another level of security (but also possibly another failure point when people refuse to set up a new account. And then how would my Google Docs account recognize the *new* Google account when it was not known at the time of the invitation to collaborate?)

  17. Andrew Flusche
    April 5th, 2008

    MamaMia – I would say that Google Docs is more secure than emailing documents back and forth. And it’s definitely easier to collaborate through Google Docs. I wouldn’t put social security numbers in Docs, but the stuff you’re talking about is probably. To me, the collaboration benefits (for your needs) outweigh the security concerns.

  18. [...] The Content in Google Apps Belongs to Google Does Google own your content? Gasp! Google Adapts and Modifies Your Docs & Spreadsheets Content?! Yes, But… Warning: Google Docs Is NOT Safe [...]

  19. Joe Smith
    July 5th, 2008

    Folks,

    Google Apps uses a different Terms of Service policy. It seems to be more respectful of user privacy and confidentiality. No granting of licenses, etc.

    http://www.google.com/a/help/i.....terms.html

    If you are going to be making serious use of google’s services, I recommend Apps.

  20. Michael Paul
    July 9th, 2008

    The bottom line is this: you get what you pay for, and the Google Docs service is free. You can’t possibly expect Google to be responsible for anything — especially monetary damages — when it’s offering its services for FREE. Again, you aren’t paying for anything–it’s offering a FREE service, and it is YOU who chooses to use it. Google does not force you to use the service, right? You choose it.

    Obviously, if you run a business, you don’t want to store your stuff on Google Docs. But for simple collaboration needs–even those with such urgency as natural disaster coordination–Google Docs fits the bill just fine. Just don’t go barking up its tree if it’s down for a few hours or one of your docs gets hosed. Remember, it’s free. If you were paying for service, I’d expect something different.

  21. מיון ערימה 1.7#
    August 22nd, 2008

    [...] עם ה-wishlists של אמזון, מפות גוגל ותמונות לוויין. ואם כבר – מה בעצם אומרות האותיות הקטנות במסמך הפרטיות של גוגל והאם זה בטוח. כבר מזמן כתבתי על הבעייתיות של מסמכי גוגל [...]

  22. [...] a year ago, I wrote about the Google Docs end user license. Basically, I concluded that Google Docs isn’t very safe for confidential information that [...]

  23. [...] free version of Google Docs has been criticized for being lax around both security and legal issues, but as our little mishap proves, sometimes the weakest security link is the end [...]

  24. [...] his article, Warning: Google Docs is not safe, Legal Andrew looks at issues around Google Docs’ security and privacy. His conclusion is [...]

  25. Tim Acheson
    July 16th, 2009

    Twitter’s internal systems were recently been hacked, along with the accounts of Twitter users (including celebrities):

    http://www.timacheson.com/Blog.....oogle_apps

    The initial point of entry wasn’t a gap in Twitter’s security. The hacker(s) gained access through a Google Apps account. The worry with a Google account is, it’s web-based and therefore only as secure as the rest of the Internet. If yuor Google account is compromised and you use Google Docs in a serious commercial setting, your Twitter account will be the least of your worries.

  26. [...] the confidentiality concerns found with Google Docs, I know that there are plenty of people who use and love Google Docs. [...]

  27. Sean
    August 20th, 2009

    Great post, answered a couple of my questions. However I am wondering- how safe is it compared to sending a file in an email (with gmail)?

    If I am ok with sending an attachment via email- should I be any more concerned about the security of google docs?

    are there more secure email providers than others?

  28. concerned with google's tactics
    September 3rd, 2009

    when one opens up an email attachment using google docs, it saves an editable copy on their server automatically.

    google docs should not save an editable copy on their server without asking first. and at a minimum, they should provide an option to delete it afterwards, which they do not.

    it does not matter whether i am the only one with the link to that doc. i do not want my personal documents on their server, period.

    not knowing what other zealous tactics google is using, i am stay away from google docs app. the app is not worth risking my privacy.

    just look at their blunder from March 2009, where many people’s documents were ‘shared’ without their permission. just stay away.

  29. adele pace
    September 28th, 2009

    Losing your business over a documents loss or disclosure is a pretty doomsday-type scenario

    I can think of so many companies that have been literally destroyed by data breaches. From a public relations standpoint it can have catastrophic consequences, irrespective of the perceived or actual culpability of the company

  30. james
    October 14th, 2009

    What? I know this is an old article but how many times has Windows Exchange, OS, Office crashed and lost some of my data? 100s of times. Does M$ care? Hell NO! If you think you are more secure with the most hacked virus/spyware ridden OS in the world think again. Google Docs used properly and backed up locally, yes if you pay for it you can do that, is so far the best option out there.

Comments are automatically closed on older posts.

  • Legal tips by email

    Sign-up below to get email tips and exclusive discounts on videos, webinars, and future items.

    All fields are required.





  • Receive updates

    By email
    By rss (full feed)
  • About Andrew Flusche

    Lawyer, bicyclist, husband.
    More about me...
    Tumble Log
    View Andrew Flusche's profile on LinkedIn
    Andrew Flusche's Facebook Profile
  • Popular Posts