This TechCrunch article highlights three security holes in Google Docs, each of which varies in terms of severity. The most severe, according to the researcher, is an issue where a user whose permission to share/view your document has been revoked may still be able to see the documents.
Several observations come to mind. First off, is this really a surprise? Come on. No one should be overly surprised here. Think back to the Gmail announcement where they offered free use and massive amounts of storage with the assumption that the user would be targeted with ads based on their email content. A mild uproar occurred but Gmail is still the most widely user webmail application, appearing in 58 out of 60 organizations (Fall 2008 Application Usage and Risk Report).
Now take a look at their terms of service, as pointed out on the Google Docs blog where Jacob Browne said:
Why are people surprised? This lack of security is clearly stated in the google terms of service: Section 11.1 " . . . you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive licence to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services." The license is perpetual for all content, it doesn't end just because you mark it as private or deleted the content or the account. So legally, since we agreed to this license, google can do this. Morally, that is another question. I think google should modify their terms more like Yahoos, which does end upon deletion of content or account, and does distinguish between public and private content.
Google’s business relies on what people post on the web – either through their tools or elsewhere. Blocking access to content, simplifying removal, extending more granular permissions over content is counter productive. Not only is personal privacy an issue here, but corporate privacy is also at risk. The Fall 2008 Application Usage and Risk Report showed that 48 out of 60 enterprises had Google Docs – and none of them endorsed it as an “approved application”. Connecting the dots shows that the risk of exposing intellectual property is high, given these three security risks.
Google Docs is not unique. Google Desktop presents users and companies with a similar security dilemma. If improperly configured, Google Desktop will index a users hard drive to the Google site. A year or so ago, a financial services firm described how they had cleared un-approved applications off every employee desktop and within 3 weeks, they were all installed again. One of the applications they were concerned about was Google Desktop indexing brokers desktops – a severe SEC violation.
The use of these applications only continues to grow. For good reason - they are convenient and they work. But they do present users with risks that they need to be aware of.
Want to learn more? Watch for our Spring 2009 Application Usage and Risk Report where we will discuss issues and trends around application usage in the enterprise.
Thanks for reading.