I use Google Drive every day. While Word is still my go-to for writing, Drive is my home base for storing documents and cataloging the test results I collect while reviewing computer hardware. There are literally thousands of documents in my drive, and I take it for granted that they’ll be available whenever I need them.
Is that wise? Or is Google Drive’s security not as robust as it may seem? Recent events, including NSA spying and an incredibly convincing phishing scam, have some users worried. Here’s what you need to know about Drive’s security.
Terms Of Service
Security threats don’t always come from outside an organization. Google is a huge company, and it’s worth asking whether it can be trusted to keep data in Drive private.
The answer, according to the terms of service, appears to be “yes.” Google says it does not use Drive data for marketing purposes, which means the company isn’t using what you upload to create a marketing profile of you.
While Google claims “a worldwide license to use, host, store, reproduce, modify, create derivative works” from your data, this clause is only meant to give Google permission to offer services like Google Translate, which technically creates a derivative work. The paragraph preceding this section says “You retain ownership of any intellectual property rights that you hold” and “what belongs to you stays yours.”
There’s no boogeyman in the ToS, but remember: Google does have to comply with the laws of each country in which it operates. If a law enforcement agency can produce a legally sound reason to access your data, Google has no choice but to comply. This won’t matter to most people most of the time, but folks who believe a government may have reason to try to access their data would do well to remember it.
Only As Secure As Your Google Account
Drive is a service offered by Google, so that of course means it is tied to your Google account. This may prove to be a problem for people who are concerned with their security. If anyone gains access to your Google account, they have access to what’s in Drive, too.
Let’s say, for example, you leave your Gmail account logged in on your PC and forget to lock Windows when you go to lunch. People do this all the time, and it gives anyone who wanders by access to not only your email but also Drive – and anything else you do through Google. Drive does not automatically log users out after a period of inactivity, something a highly secure service would do.
To Google’s credit, though, the company does offer two-factor authentication and provides login information that lets you see if any recent logins came from an unusual location or occurred at an unusual time. You can also print out a code sheet that can be used to regain access to your account if someone swipes your password, logs in, and then changes the password to something you don’t know.
While nothing is ever 100% secure, a Google account secured by two-factor authentication is sufficient for most users, provided they remember to log out when not using their PC, of course.
Still, there are some attacks that can be particularly devious. A recent example involved a phishing attack that used a document hosted on Google Drive to trick users. Because the document was hosted on Drive, the URL did not seem suspicious and was served over SSL, making victims more likely to think it was legitimate. The fake page presented a convincing recreation of Google’s login page, and anyone who entered their email and password had the data sent to a compromised server.
This attack, though clever, doesn’t reflect any particular weakness in Google Drive. Instead it exposes the obvious, but often forgotten, downside to any cloud storage service: your data is no longer physically in your possession. Your data is hosted somewhere else, and you can only access it through a computer with Internet access. This presents many opportunities for tricks that compromise your account by stealing your login and password.
Locally hosted files, on the other hand, can only be stolen if a Trojan is installed on your PC or someone gains physical access to your hardware. Phishing attacks, hacked servers and compromised WiFi aren’t a concern for people who don’t host their data in the cloud.
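The check below is an added example, not part of the original article. It shows why SSL and a familiar-looking address were not enough in the phishing case described above: a password form is accepted only when both the page and the form's submit target sit on Google's sign-in origin. The function name and every sample URL other than the accounts.google.com origin are constructed for illustration.

```javascript
// Added example. Only the accounts.google.com origin is real;
// all other hosts and paths used with this function are constructed samples.
const SIGN_IN_ORIGIN = "https://accounts.google.com";

// Assess a page that displays a password form.
//   pageUrl    - the URL shown in the address bar
//   formAction - the form's action attribute (may be relative)
function assessLoginForm(pageUrl, formAction) {
  const findings = [];
  let page, target;
  try {
    page = new URL(pageUrl);
    target = new URL(formAction, page); // resolve relative actions against the page
  } catch (err) {
    return { verdict: "reject", findings: ["unparseable URL"] };
  }

  if (page.protocol !== "https:") {
    findings.push("page not served over HTTPS");
  }
  // "https://accounts.google.com@other.example/" really points at other.example.
  if (page.username || page.password) {
    findings.push("user info embedded in URL");
  }
  // HTTPS on a trusted-looking host is not enough: only the sign-in
  // origin itself should ever ask for the account password.
  if (page.origin !== SIGN_IN_ORIGIN) {
    findings.push(`password form on ${page.host}, not the sign-in origin`);
  }
  // The phishing page described above sent what was typed to another server.
  if (target.origin !== SIGN_IN_ORIGIN) {
    findings.push(`form submits to ${target.origin}`);
  }

  return { verdict: findings.length === 0 ? "ok" : "reject", findings };
}
```

A page on a Drive-hosted address that posts to a third-party server is rejected on both counts, even though it is served over HTTPS.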
Conclusion: Is Drive Secure?
I think a Google Drive account protected by two-factor authentication and a strong password is reasonably secure. That’s not the same as invulnerable, but it does mean anyone who wants the data in your Drive would have to use extraordinary measures to gain it. Most of us don’t host particularly sensitive information on Drive, and hackers probably aren’t going to use a previously unknown exploit to steal a collection of haiku inspired by condiments (or whatever else you have squirreled away).
On the other hand, Drive is not secure enough for users who store valuable or sensitive information. You shouldn’t host all your financial records in Drive, or use it to store your world-famous secret BBQ recipe, or use it to store photos from your last trip to the Adult Entertainment Expo. Drive is vulnerable to the tricks that can impact any online account and can also be compromised simply by forgetting to log out.
What do you think of Google Drive’s security? Is it sufficient, or could Google do more? Sound off in the comments.