How Secure Are Your Documents In Google Drive?

I use Google Drive every day. While Word is still my go-to for writing, Drive is my home base for storing documents and cataloging the test results I collect while reviewing computer hardware. There are literally thousands of documents in my drive, and I take it for granted that they’ll be available whenever I need them.

Is that wise? Or is Google Drive’s security not as robust as it may seem? Recent events, including NSA spying and an incredibly convincing phishing scam, have some users worried. Here’s what you need to know about Drive’s security.

Terms Of Service

Security threats don’t always come from outside an organization. Google is a huge company, and it’s worth asking whether it can be trusted to keep data in Drive private.

The answer, according to the terms of service, appears to be “yes.” Google says it does not use Drive data for marketing purposes, which means the company isn’t using what you upload to create a marketing profile of you.

googledrivetos   How Secure Are Your Documents In Google Drive?

While Google claims “a worldwide license to use, host, store, reproduce, modify, create derivative works” from your data, this clause is only meant to give Google permission to offer services like Google Translate, which technically creates a derivative work.  The paragraph preceding this section says “You retain ownership of any intellectual property rights that you hold” and “what belongs to you stays yours.”

There’s no boogeyman in the ToS, but remember; Google does have to comply with each country in which it operates. If a law enforcement agency can produce a legally sound reason to access your data, Google has no choice but to comply. This won’t matter to most people most of the time, but folks who believe a government may have reason to try and access their data would do well to remember it.

Only As Secure As Your Google Account

Drive is a service offered by Google, so that of course means it is tied to your Google account. This may prove to be a problem for people who are concerned with their security. If anyone gains access to your Google account, they have access to what’s in Drive, too.

Let’s say, for example, you leave your Gmail account logged in on your PC and forget to lock Windows when you go to lunch. People do this all the time, and it gives anyone who wanders by access to not only your email but also Drive – and anything else you do through Google. Drive does not automatically log users out after a period of inactivity, something a highly secure service would do.

googlelogin 456x500   How Secure Are Your Documents In Google Drive?

To Google’s credit, though, the company does offer two-factor authentication and provides login information that lets you see if any recent logins came from an unusual location or occurred at an unusual time. You can also print out a code sheet that can be used to regain access to your account if someone swipes your password, logs in, and then changes the password to something you don’t know.

While nothing is ever 100% secure, a Google account secured by two-factor authentication is sufficient for most users. Provided they remember to log out when not using their PC, of course.

Tricky Phishing

Still, there are some attacks that can be particularly devious. A recent example involved a phishing attack that used a document hosted on Google Drive to trick users. Because the document was hosted on Drive, the URL did not seem suspicious and was served over SSL, making victims more likely to think it was legitimate. The fake page presented a convincing recreation of Google’s login page, and anyone who entered their email and password had the data sent to a compromised server.

fakegooglelogin 383x500   How Secure Are Your Documents In Google Drive?

This attack, though clever, doesn’t reflect any particular weakness in Google Drive. Instead it exposes the obvious, but often forgotten, downside to any cloud storage service; your data is no longer physically in your possession. Your data is hosted somewhere else, and you can only access it through a computer with Internet access. This presents many opportunities for tricks that compromise your account by stealing your login and password.

Locally hosted files, on the other hand, can only be stolen if a Trojan is installed on your PC or someone gains physical access to your hardware. Phishing attacks, hacked servers and compromised WiFi aren’t a concern for people who don’t host their data in the cloud.

Conclusion: Is Drive Secure?

I think a Google Drive account protected by two-factor authentication and a strong password is reasonably secure. That’s not the same as invulnerable, but it does mean anyone who wants the data in your Drive would have to use extraordinary measures to gain it. Most of us don’t host particularly sensitive information on Drive, and hackers probably aren’t going to use a previously unknown exploit to steal a collection of haiku inspired by condiments (or whatever else you have in your squirreled away).

On the other hand, Drive is not secure enough for users who store valuable or sensitive information. You shouldn’t host all your financial records in Drive, or use it to store your world-famous secret BBQ recipe, or use it to store photos from your last trip to the Adult Entertainment Expo. Drive is vulnerable to the tricks that can impact any online account and can also be compromised simply by forgetting to log out.

What do you think of Google Drive’s security? Is it sufficient, or could Google do more? Sound off in the comments.

The comments were closed because the article is more than 180 days old.

If you have any questions related to what's mentioned in the article or need help with any computer issue, ask it on MakeUseOf Answers—We and our community will be more than happy to help.

30 Comments -

0 votes

Michael

Between the two-step verification and Google using HTTPS on all of it’s services, I’d say it’s more secure than most. By forcing unknown locations to require a password and a code sent to your phone, you’re pretty set. As for other techniques of acquiring your info, not only does Google use HTTPS, but if you also use a VPN service like Hotspot Sheild, as I do, then you’re in even better shape. I’ve been a Google power user for the past 5 – 6 years and I think they’re doing a pretty solid job when it comes to securing your information.

0 votes

Danielx386

But then there nothing to stop google from looking at your stuff like drop box does

0 votes

rk

I am no tech guru but SSL is now under scrutiny after a bug was found. It’s being patched in a jiffy I am told but what other bugs are lurking to be discovered? I had to view something on google drive for the first time yesterday and I must’ve been living under the rock. I found it (at first glance/usage) a bit cumbersome and videos were super slow although they were only a min long videos!

0 votes

KB

I find it hard to trust TOS, especially from American-based companies. In light of the NSA and subpoenas from the secret court, companies could NOT disclose information about the governments requests into user data (and I’m guessing much much more). I would much rather trust my data to an end-to-end encryption service like mega, or perhaps use an encryption-application to encrypt the data before it hits my Google drive.

0 votes

Ed

I only store stuff in Drive or any cloud storage that I wouldn’t mind printing out and letting it sit on an open desk.. If it needs to be private or secure, it’s not going in anybody’s cloud service. That’s just me.

0 votes

Bram

Can you actually say the same thing about other cloud services like Dropbox en Onedrive?

1 votes

Terence @ eStrategyPro.com

Google Drive may be ‘secure’ in the sense that
(1) they provide good authentication control (e.g. two-factor login) and
(2) that your files in transit to and fro their servers are encrypted (i.e. TLS/SSL)
(3) that your files at rest in their servers are encrypted

But these points also apply to every other cloud storage provides (e.g. DropBox, OneDrive, Box, etc).

But the more crucial question is this: are your files PRIVATE?

No matter how much security Google employs, this fact remains: GOOGLE CAN SEE EVERYTHING YOU STORE THERE! And that, by extension, means that Google has to comply with whatever legal obligation to turn over your files to the authorities when compelled. In fact, this applies to almost every cloud storage providers.

If you want security and privacy, then the only way is to encrypt your files PRIOR to uploading to any cloud storage providers. And make sure you keep the encryption keys secret to yourself only.

So, is Google Drive secure? Sure, I believe so. Is it private? Nope, definitely not.

0 votes

james

Its actually easier for law enforcement to enter your home and take your computer than it is for them to subpoena your docs on drive. Its more secure than your laptop.

0 votes

dragonmouth

They still need a search warrant or a subpoena to enter your house, or your explicit permission.

0 votes

James

At your house it is most likely there is no lawyer who can determine if the request is too broad or challenge it should it be mistargeted. Google on the other hand fights these regularly, for free.

0 votes

Matt S

I think this is a good point. While the NSA stuff is troubling, I think it’s wrong to think less of Google or Microsoft because of it. Ultimately they have to follow the law. The problem is the law, not the companies.

0 votes

Mark M

Given the growing popularity/use of cloud-based storage, I believe that it’s overall security will only get stronger. Companies like Google, AWS, OneDrive, DropBox etc. will develop to better suit the needs/concerns of the average “every-day” user. This will bode well for both the host and the user. I’m just beginning to get comfortable with using cloud storage for my documents, spread-sheets, pics & vids and even purchase receipts, I think most folks are beginning to accept this as well. Only the future will tell of the overall security of this venture, as for now, the “privacy” of your information is becoming more of a concern than the security of it.

0 votes

dragonmouth

Security is not something to be comfortable with, or about because that is when you start losing it. New threats arise constantly.

0 votes

dragonmouth

“There’s no boogeyman in the ToS”
No, the boogie man is in the law offices of the firm(s) representing Google, and in the interpretation of ToS by those lawyers. If Google decides that it wants to sell your documents to a third party, I’m sure the lawyers can find ways of justifying it.

Yes, the documents are secure, and will become more so in the future, from hacking. But as you say, “Security threats don’t always come from outside an organization”

0 votes

jack

Cloud Storage Secure? Are you kidding me? I refuse to store any documents in the cloud.

0 votes

victor

How about encrypting files using EncFS: http://ninjatips.com/encrypt-dropbox-using-encfs/ then upload them to the drive. Will that make them secure?

0 votes

Petew

“There’s no boogeyman in the ToS”
Really?
From the EULA: “communicate, publish, publicly perform, publicly display and distribute such content.”
You better bring your lawyer along.

0 votes

Guy M

Once people accept the fact that there is no such thing as perfect security, they need to determine what is acceptable security for them and their documents.
For most people and most information, I believe the security of Google Drive is acceptable. If they encrypt before they upload, then even more so.
The least I can say is that I find it acceptable for me and the documents I store there.
Really liked the article!

0 votes

Al C

I am dubious about hosting any sensitive personal information, e.g documents containing bank account details, card numbers etc on any cloud service – because its security is outwith my control.

0 votes

Jenni

I don’t like to use any cloud service for very private information, as Al C stated too. Also, I have had discussions with my work place because we are using the cloud for our new whole employee database (indirectly) and yet our privacy processes and documentation have not caught up with it yet. Few have any real idea of what / where information is being stored now. The information that I provided to them has been put away for ‘later’.

0 votes

Robert Wm Ruedisueli

For particularly sensitive documents, you can use an encryption program prior to upload. Of course, this eliminates the ability for online viewing and editing. Thus, you probably should reserve this measure for things that absolutely must be kept secret.

0 votes

Larry

Google Apps (and Drive) is the only cloud service I have found that has a HIPPA compliance method so your medical record may be on it. Hope it’s secure…

0 votes

Jo-anne P

I really don’t have a whole heck of a lot of really secret stuff but no I am not willing to cloud my stuff only because I feel once it is out there its gone.

0 votes

Emma

The sensitive info on your terabyte hard disks is what your governments are trying to get at eventually. But for now their agents can test “cloud services” untll the time when hard-diskless computers will be standard by law in the name of “security”. Everyone will only save on the cloud services provided by your governements.
For now enjoy your limited freedoms

0 votes

Roy

If you send unencrypted information to Drive, is it encrypted before going over the internet to Drive or is it only encrypted after being placed on Drive?

Roy

0 votes

Julio C

It’s enough for me according the documents I store there. For sensitive information , a pen drive or an external disc

0 votes

Daniel E

<quote>
You can also print out a code sheet that can be used to regain access to your account if someone swipes your password, logs in, and then changes the password to something you don’t know.
</quote>

Eh? The code sheet I’m familiar with is the substitute for SMS or Google Authenticator. That is, if you don’t have your phone with you, you can use the code in that code sheet for the second step of the authentication.

0 votes

Swetank R

Why did you left your email address visible on that Google log in page image? This could increase your security issue.

0 votes

Steven E. Browne

I just found out that google drive’s TOS give google the right to your work.

http://www.askmen.com/entertainment/tech-news/google-drive-licence-agreement.html

i would not suggest posting any creative works there.

0 votes

Not Telling

Nothing stored in the “Cloud” is safe from government prying eyes…

Google FBI National Security Letters (NSL’s)… no warrant required by an FBI agent who wants to see your content.

Can you encrypt prior to upload in order to protect your data? Sure, just don’t use US government certified cryptographic ciphers… complete with back doors for “you know who” to access.