How to securely share files on Google Docs
For those of you familiar with GoogleDocs, it’s an excellent tool for file sharing and collaboration. You upload a document, select those you wish to share with and Google will send them an email with a link to access the document. Multiple people can access and edit the same document at once - in Excel for example, when multiple users are in the same document, each user will have a different colored cursor/cell outline indicating which cell they are active in. (Great for playing live tic-tac-toe if you’re bored)
We’ve been sharing a few documents at work lately and I stumbled upon a security “flaw”. It’s actually not a flaw but more of a misleading and not easily accessible feature if you’re trying to achieve complete confidentiality of the shared documents. Recently I noticed that some docs shared in GoogleDocs are viewable by anyone as long as they have the link Google sends your collaborators in the notification email. If you click the link without being logged in, you can view the full document with the following message at the top of the screen:
Although the link GoogleDocs sends out to your collaborators is somewhat encrypted with a long string of scrambled letters & numbers, it doesn’t make me feel safe knowing these shared docs are accessible by anyone with the link.
After some brief experimentation, here’s the solution:
There’re 2 ways to share a doc in GoogleDocs, I’ll call these the “quick share” and the “extended share”.
Quick Share (not secure):
1. In the ‘all items’ view, you can check a number of documents and then click the “Share” button at the top to share.
2. Next, a popup appears promption you to enter emails of those you wish to share with.
3. Then you click “Send Invitation” and the invites are sent with a URL to the document. Notice there are no privacy options here besides adding a user as a “Collaborator” or “Viewer”.
4. The link sent in the email doesn’t require users to be signed in to Google to view the document - the Collaborator/Viewer option is fairly misleading since all non-collaborators have viewer privileges.
Extended Share (this is the secure method):
1. Once you have a specific document opened in GoogleDocs, there’s a Share button at the upper right corner of the document view. This is the “extended share” button.
2. When you click “Share”, it takes you to a new page with more options than quick share.
3. Under ‘Advanced Options’, you have to uncheck the 2nd box ‘Invitations may be used by anyone’ to have truly secure document sharing. When this option is unchecked, URLs sent in share notification emails will redirect you to the GoogleDocs login screen if you’re not logged in as an approved collaborator/viewer.
Unfortunately the ‘Invitations may be used by anyone’ box is always checked by default and there isn’t a global setting to change the default. Not sure why Google doesn’t have this global setting option or at least put these advanced options in the ‘quick share’ window. The down side to using “extended share” is you can only securely share one document at a time since you have to open each document first before you share. Hopefully Google will implement a fix soon…
