Saturday morning is a slow time for viral distribution of news, but if the news sticks, the viral component tends to last longer than usual, often redistributed by the Monday morning back-to-work crowd: “Check out what happened over the weekend”, such as this Google Docs privacy leak.
First, this is important news. If you used Google Docs, and elected to share some documents with some people, you may have been inadvertently sharing those documents with other people. Not random people (as some have said), but also not just people who have seen the document before (as others have suggested). It was a programming bug, and was documented by Richard DeVries, who reported it to Google and watched it get patched over a three-week period:
About three weeks ago, we discovered that some fifteen documents and spreadsheets were unintentionally shared with a lot of people, some of whom were outside of our domain. We found out that one of us had been wanting to share these documents with a colleague (within our domain). He selected the documents on the documents list and added one user. Google Docs then shared all these documents with everyone who had access to one of the selected documents…Fortunately, we found this out fairly quickly and were able to revoke the unintentionally granted rights before any damage was done (we think). These documents weren’t ultra-secret, but you can imagine what could go wrong. I decided to try and contact Google about this.
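The behaviour described in the report above can be modelled in a few lines. This is an added example, not code from the report or from Google: the ACL model, the function names and the sample addresses are constructed assumptions. It contrasts the reported behaviour with the intended one and adds an audit that diffs permissions before and after a bulk share.

```python
# Toy ACL model (constructed): document name -> set of users with access.
BEFORE = {
    "budget":  {"alice@example.org"},
    "roadmap": {"alice@example.org", "bob@example.org"},
    "minutes": {"alice@example.org", "vendor@example.net"},
    "private": {"alice@example.org"},
}
SELECTED = {"budget", "roadmap", "minutes"}   # documents ticked in the list
NEW_USER = "carol@example.org"                # the one colleague being added
DOMAIN = "example.org"                        # the owner's own domain


def bulk_share_reported(acls, selected, new_user):
    """Reported behaviour: each selected document is shared with the new user
    and with everyone who had access to any one of the selected documents."""
    union = set().union(*(acls[d] for d in selected)) | {new_user}
    return {d: (u | union if d in selected else set(u)) for d, u in acls.items()}


def bulk_share_intended(acls, selected, new_user):
    """Intended behaviour: only the new user is added, per selected document."""
    return {d: (u | {new_user} if d in selected else set(u)) for d, u in acls.items()}


def unexpected_grants(before, after, selected, new_user, domain):
    """Audit: list every grant the operation created other than
    (selected document, new_user), flagging users outside the domain."""
    findings = []
    for doc in sorted(after):
        for user in sorted(after[doc] - before.get(doc, set())):
            if doc in selected and user == new_user:
                continue  # the one grant the owner actually asked for
            findings.append((doc, user, not user.endswith("@" + domain)))
    return findings


if __name__ == "__main__":
    after = bulk_share_reported(BEFORE, SELECTED, NEW_USER)
    for doc, user, external in unexpected_grants(BEFORE, after, SELECTED, NEW_USER, DOMAIN):
        print(f"{doc}: unexpected grant to {user}" + (" (outside domain)" if external else ""))
```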
Now Google lovers defend Google, saying things like (actual quotes):
- You guys are getting way carried away with this. Talking like people had their Docs shared with random people is wrong. These Docs were shared with people that they had previously been shared with.
- Look what you’ve become, people. Using free service and not being grateful..You should be ashamed, really
While Google haters will jump on this and say things like (paraphrasing):
- Google can’t be trusted
- You’re stupid to use Google Docs for your documents
- The sky is falling
For me, it is obvious that if you use a third-party storage facility and allow that third-party to manage access permissions via a public interface, you have already decided to manage the risk (or ignore it). OF COURSE this is risky behavior. It is generally not a matter of whether or not Google will compromise your security, but WHEN. Unless you believe Google is perfect, you know that your documents are not perfectly secure.
But is 3 weeks too long for a problem like this one to be left open?
Richard DeVries obviously likes Google, as his journal is very kind to Google while reporting the security flaw:
I think Google handled the issue admirably. It was solved within two weeks, they un-shared affected documents and notified their owners.
He’s an experienced IT user… he knows that the chances of other companies with similar security problems handling it as Google did are… well… probably not that great. He knows that some companies would never reveal they had a security issue, and some would take months to fix such issues.
But is two or three weeks too long for Google to be fixing such a serious security issue? That question needs to be asked. We trust Google a whole helluvalot more than we trust other companies. Google responded to Richard DeVries that it was able to reproduce the problem. At that point, while Google scheduled the work to fix the problem, should the offending feature have been turned off? Should a warning have been added to the user interface? This is part of the Google Beta problem… Google leaves products in beta and tells users it is not responsible for glitches, sometimes for many years.
As this news hits inboxes around the world over the weekend, and re-circulates on Monday morning, try and keep the focus. It’s not about liking or hating Google. It’s about holding Google to a standard appropriate for the level of trust it has been granted. Brilliant employees can create brilliant products which generate brilliant profits for brilliant executives and shareholders. Let’s encourage them to maintain the brilliance when handling our privacy and security as well. We don’t need you to be better than the other companies in this regard, Google. We need you to be freakin’ awesome.