Is Google Drive secure

Cloud storage services are popular and here to stay. A lot of users and businesses have gotten comfortable using them. Many internet companies offer free and premium cloud storage services. Google Drive is one of them. Google Drive is a cloud-based file storage and synchronization service developed by Google in 2012.

The service through its website or mobile app allows users to store, synchronize, and share files. Google Drive encompasses an office suite (Google Docs, Google Sheets, and Google Slides) that supports collaborative editing and sharing of documents. Files created and edited through the office suite are saved in Google Drive. Google Drive offers users 15GB of free storage and options for paid plans if exceeded. If you have a Gmail account, you’re guaranteed 15GB of free cloud storage from Google.

Google Drive affords users with capabilities to store and process their data in Google owned servers. This raises serious security and privacy concerns. It is therefore critical for us to ensure that the service provider in question can be trusted with our data. When it comes to cloud storage services and especially Google—a company that profits from user data—it’s natural to have those concerns. In this piece, we’ll take a closer look at Google Drive security, and offer possible steps you can take to improve it.

Google Drive security in a nutshell

Google fully understands the security implications of providing cloud storage services and powering businesses in the cloud. One of the key questions to ponder when deciding to adopt Google Drive cloud storage is: Can you provide better security than the service provider when it comes to protecting your data? For many, the economics favor Google.

Google’s robust global infrastructure, industry-leading knowledge in building secure cloud infrastructure and applications at scale, huge investment in data security, along with a high concentration of dedicated security expertise, puts them in a position to offer better security than the consumers themselves. For most computer users, Google Drive is more reliable, automatically backed up, relatively safe from ransomware, and almost certainly more secure from theft. In general, the benefits largely outweigh the risks.

When you upload files to Google Drive, they are stored in Google’s secure data centers. Google Drive encrypts data at rest in the Drive, and data in transit to and from the Drive.

Google uses 128-bit or 256-bit AES keys (depending on the type of storage device) to encrypt data at rest in Google Drive, which helps in protecting the confidentiality of the data stored in Google Drive. But it’s important to point out that Google is also in possession of the encryption keys, and can potentially decrypt your files at will. Likewise, the hosted “at rest” data is only one click away from becoming “data in transit” due to Google Drive’s file-sharing capabilities. So even with these modern encryption practices, your files are still potentially vulnerable to internal decryption by Google while at rest, and external exposure as they get shared.

Some alternative cloud backup and storage providers such as SpiderOak and MEGA allow users to use encryption keys that are not shared with the service provider. This is a more secure “trustless” model that makes it difficult or impossible for service providers to decrypt hosted data, thus offering a high level of privacy. But if the user loses their password, those files are permanently inaccessible.

For data in transit, Google uses TLS (Transport Layer Security) standard to protect data in motion and prevent eavesdropping or man-in-the-middle attack. TLS secures the communication channel (using the https protocol), but again files may become vulnerable once they are shared externally, and each additional share escalates the risk. The risks of data leak are highest when users create publicly accessible links with full rights, which allow anyone with the file link to read, modify, copy, print or download the document. At this point, TLS encryption is incapable of preventing unauthorized access to your files.

In addition to Google’s responsibility and efforts towards securing your data, you also have a responsibility to protect the integrity and confidentiality of your files. Your Google Drive is as secure as your Google account and file-sharing settings you apply. To ensure your Google Drive files are kept secure and private, you have to make your Google account more secure, and use the sharing settings properly.

To make your account more secure, Google recommends the following key steps:

  1. Do a Security Checkup: Go to Google’s Security Checkup to get personalized security recommendations for your Google account.
  2. Add account recovery options:  Your recovery phone number and email address are powerful security tools that can be used to block someone from using your account without your permission, alerts you if there’s suspicious activity on your account, and recover your account if you’re ever locked out.
  3. Turn on two-factor authentication: Two-factor authentication (2FA) helps prevent a hacker from getting into your account, even if they steal your password. To avoid common phishing techniques associated with account access codes sent via SMS, choose stronger second verification steps such as Security keys (most secure) and Google Prompts (more secure than SMS codes)—a notification in the form of a question sent to the 2FA verification device.
  4. Remove risky access to your data: Consider removing account access for any non-essential apps to better protect sensitive information. You can also review apps with access to your account and turn off access for apps that use less secure sign-in technology.
  5. Turn on screen locks: Screen locks help protect your device from being used without your permission, especially your smartphones and tablets. Each time you turn on your device or wake up the screen, you’ll be asked to unlock your device, usually with a PIN, pattern, password, or fingerprint or faceID.
  6. Use strong unique passwords: It’s risky to use the same password across multiple sites. If your password for one site is stolen, it could be used to gain access to your account on other sites. A password manager such as Password Safe, Dashlane, or LastPass can help you generate and manage strong, unique passwords.

One of the key features of Google Drive is its sharing options (see Table 1.0 below for details) that give you the ability to share and collaborate on documents and folders. Your files are private (Restricted) by default unless you share them, and sharing them comes with some security trade-offs. Document link-sharing enables you to share files with anyone by sending them the document URL. Depending on the setting you choose, anyone with the link will be able to either read (Viewer), read and comment (Commenter), or read, comment and edit ( Editor), with the default set to Viewer.

Google gives you the ability to limit how your files are shared by providing options to prevent anyone with “Editor” permissions from changing the sharing settings for the file; and anyone with “Viewer” and “Commenter” permission from printing, copying, or downloading your file.  If unchanged, people with edit permissions to your shared files can share a file with others, add or remove specific people from the file, and copy, print, or download the file. Viewers and commenters can also print, copy, or download your file.

Link Sharing SettingsDescriptionNon-Optional Permissions
Optional Permissions
PrivatePublic
RestrictedOnly people added can open with this linkRead, Comment or Edit Download, Print, and Copy
YesNo
ViewerAnyone on the internet with this link can viewReadDownload, Print, and Copy
NoYes
CommenterAnyone on the internet with this link can commentRead and Comment
Download, Print, and Copy
NoYes
EditorAnyone on the internet with this link can editRead, Comment, Edit, Copy, Print, and DownloadChange permissionsNoYes
Table 1.0 Google Drive link sharing settings and permissions

In the case of folders, you can limit access rights to the minimum permissions required for collaborators to perform their work. Share folders in the “Viewer” mode and only give edit access on documents that need to be modified by other users. If you’re giving “Editor” permission to collaborators, disable the “Editors can change permissions and share” option (see Figure 1.0 below) unless it’s absolutely necessary. Leaving this option enabled allows collaborators to make the folder accessible to others.

Figure 1.0 Screenshot showing Google Drive share with people settings (optional permissions)
Figure 2.0 Screenshot showing Google Drive link sharing settings

One of the security trade-offs that results from the convenience that comes with link sharing is that your supposedly private Google Drive files can be easily discovered and exposed. If you are uncomfortable with document link sharing, Google Drive enables you to share files and folders with Google Groups. You can create a Google Group and add the people with whom you want to share files. One of the key benefits of sharing with Google Groups is centralized management. Adding users to a Group gives them immediate access to all the shared files and folders within the group. Removing users from the Group immediately revokes their access to Google Drive files and folders shared with the Group.

Google Drive privacy issues

Why would a for-profit company like Google want to give 15GB of free cloud storage to its approximately 2 billion users? Is it just an act of generosity or they have something to gain in return that we don’t know about? This is where the question of trust comes to play. Cloud services are based on trust, and reputation is a big part of it. Can we trust large corporations such as Google with our data?

For most users, the benefits of cloud storage solutions such as Google Drive far outweigh the risks. Notwithstanding, there are inherent privacy issues. Firstly, you risk the provider spying on and monetizing your content. Google has over the years perfected the art of surveillance capitalism—where your data is mined and sold to advertisers, which is then used to manipulate or influence your buying behavior. One thing to pay attention to if you’re going to use Google Drive to store confidential files is Google’s Terms of Service (ToS); and you have to be absolutely sure you are comfortable with it. Parts of section 11 of the ToS states thus:

“By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services. You agree that this license includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.”

Secondly, you accept the risk of the provider denying you access to your data at any time for any reason. Moving your data into Google Drive means that Google is ultimately in control of that data. Most users aren’t really bordered as long as Google does a good job, but the story is different if they don’t. That means you want to make sure you truly own your data in Google Drive and be able to download it at any time. You want assurances that your data will not disappear if the cloud provider discontinues your service. You want assurances that your data will not fall into the hands of third parties—government,  advertisers or hackers.

You might have legal or regulatory requirements that the cloud provider cannot meet. Google Drive does not currently allow you to choose a geographical location for your data; and so your data might be stored in countries with lax privacy laws. Some individuals and companies for instance are skeptical about storing their data in data centers inside the United States or its allies, because of laws that allow the government access to it, with or without a warrant. The existence of international surveillance agreements like 14 Eyes allows member countries access to your data stored within their territory.

Thirdly, Google Drive sharing capabilities can lead to some undesirable security and privacy issues if your files are unintentionally shared in an inappropriate manner. Besides, your browsing activities and the sites you visit (including your Google Drive file URL) can be easily logged by your browser, third-party trackers or your ISP (in some countries). Therefore, knowing how to correctly leverage file visibility or sharing settings is key to protecting your digital assets.

Improving your Google Drive security and privacy

Google no doubt has put in a lot of effort towards securing your files in Google Drive. However, if you still have concerns about the security and privacy of your files,  there are additional steps you can take to improve it.

Firstly, organize your files in folders, and where possible store all your shared documents in a designated folder. This enables you to have better oversight and control of all the items you’ve shared with others. A good security practice for Google Drive sharing is to periodically review the documents you’ve shared with other people and unshare old documents and folders or revoke access for users who are no longer on your projects or teams.

If you share a computer, sign out of your Google account when you’re done. It’s also recommended you don’t install Backup & Sync or Drive File Stream on a shared or public computer. Otherwise, anyone who uses the computer could access your files. Avoid using public Wi-Fi to access your Google Drive, or use a reliable VPN if you must.

Secondly, Consider encrypting your data before transmitting them to Google Drive. This is called client-side encryption. Client-side encryption ensures that files stored in Google Drive can only be viewed on the client-side of the exchange, and eliminates the potential for your data to be viewed by your service provider or third parties that demand access to it. With client-side encryption, only you can unlock your cloud data. Data that you encrypt on the client-side arrives at Google Drive in an encrypted state, and Google has zero knowledge of the keys you used to encrypt the data. This further protects the confidentiality of your data by rendering it unreadable to anyone that gains access to it. There are lots of free and premium third party client-side encryption tools such as nCrypted Cloud, Cryptomator, Encrypto, or Boxcryptor that can plug directly into your Google Drive account and encrypt your files.

Finally, Google Drive security revolves around protecting your Google account from unauthorized access and making sure that your sharing settings are right. If you’re a high-risk user such as journalists and activists, consider enrolling in Google’s Advanced Protection Program which uses security keys and blocking mechanisms to provide a higher level of security. If Google Drive doesn’t meet your security and regulatory requirements, you may consider other Google Drive alternatives—especially those that support client-side encryption, or you take up private offline storage.