
Google Docs & Spreadsheet Security and Privacy

We are going to keep more and more of our work on central servers, whether on private company servers or on Google's or some other third party. There has been a lot of good discussion about the security and privacy implications, especially with Google Docs and Spreadsheets. I thought I'd round up some of the better discussions:

le petit radiateur: Suggestion for increased security in Google Docs & Spreadsheets has good suggestions for Google to improve the security around sensitive documents. There are no comments from Google yet on the suggestions.

One of the suggestions is to use the CustomizeGoogle Firefox add-on to force the use of SSL with Google Docs & Spreadsheets. (Update Feb 26, 2006: Actually the SSL works only with docs, not spreadsheets. Thanks to Hugues de Saint Salvy for pointing this out).

Freedom to Tinker describes a few different design choices that could have been used to implement Google Video and speculates Google is not privacy-conscious enough:

So why did Google choose a less privacy-friendly solution, even though it provided no real advantage over a more privacy-friendly one? Here I can only speculate. My guess is that Google is not as attuned to this kind of privacy issue as they should be. The company is used to logging lots of information about how customers use its services, so a logging-intensive solution would probably seem natural, or at least less unnatural, to its engineers.

and concludes:

It’s high time for Google to figure out that it is one or two privacy disasters away from becoming just another Internet company. The time is now for Google to become a privacy leader.

Finally, Google Blogoscoped quotes from a Google statement about security. Reading it, you get the feeling at least a few people at Google are paranoid about security, but there isn't much that can be done about the weakest link, the users.

Improving security of server-based apps like Google Docs will require three pieces: (1) securing the application stack, (2) securing communications, and (3), the most difficult, securing the client/user interactions. We need all of these, and the weakest one can bring the others down.

I'm not ready to trust sensitive information to Google Docs, ThinkFree, or any other 3rd party service just yet but I want to get there.


Comments

Hi Dan,

Thanks for your post on this topic; it's good to see a major figure in web search weigh in on this issue.
I whole-heartedly agree with you and Ed Felten that even though Google is very serious about security, they would be seriously damaged by a privacy-breach story from one of their services. Let's hope they realize this and implement more protection mechanisms for the users to feel more secure.

Just a little precision with regards to forcing SSL encryption in Google Docs and Spreadsheets using CustomizeGoogle: it seems that at this time, SSL is supported for documents only, not spreadsheets...

Thanks Hugues for pointing out that SSL is not yet working with CustomizeGoogle and Google Spreadsheets. Configuring CustomizeGoogle has a setting which appears to apply to both docs and spreadsheets so I suspect this will be fixed in a future release.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net