The day that Google Drive broke my trust (Updated)
We had a good thing going Google Drive. Why’d you have to ruin it?
I’m an avid user of the cloud document creation platform Google Documents (or affectionately G-docs), which has since been rolled into the aforementioned Google Drive. I have never installed Microsoft Office on my Mac, so it’s my default productivity suite. I use it to create personal finance spreadsheets, to take notes during phone interviews, and to draft all the articles I would eventually publish on PandoDaily. It even serves as a real time collaboration platform with my editors and colleagues. My PandoDaily Google Drive account has seen more than 1,200 items created in the last 9 months, let alone the several thousand I’ve created in my personal equivalent dating back to sometime in 2007, shortly following its launch.
And yet yesterday was the first time I ever felt that the platform presented a security risk.
Before I get into the details, let’s establish why this is important. Beyond any personal information I may share in these documents, I often input the confidential details of the companies I report on: product launches, executive hires, fundings, and closures. In our industry, trust is the primary currency on which we trade. Should that trust be compromised, whether through fault of my own or through that of some technology on which I rely, it would be tough to rebuild.
And I’m far from the only user who relies on the Google Apps platform for mission critical tasks and high value information. According to the company, “Over 5 million businesses have gone Google.”
So here’s what happened. In the process of writing this story yesterday, I composed a draft in Google Drive. The last time I opened that draft was 3:37pm, and then transitioned at that point to WordPress. The story was then published on PandoDaily at 5:14 pm. At 5:25 pm, I got the first email from Google, informing me that an absolute stranger had requested access to this Google Document. In the roughly 18 hours since, I have received eight more such requests, making nine in total.
This is the first time I have ever encountered this issue.
The sharing settings on the document are set to “Private – Only the people listed below can access.” The only name listed below is mine, next to which is the designation “Owner.” So how did these nine strangers know this document existed? And how did they know the name and, or the unique URL to which to request access? A Google search for the domain corresponding to the document – which presumably only I know – turns up no results. Viewing my Google+ profile as “Public” similarly offers no clues.
One commenter in a Google Drive product forum speculated as to a possible explanation. Trunky, a “level 1” contributor to the forum, conjectured that owners of the websites underlying the hyperlinks in a Google Document might get notified of those links and then, in turn, request access. Other commenters in similar threads offer the same explanation. On the surface this would seem plausible, and in some cases it may even be the correct explanation. In total, I linked out to four websites in the article in question, although only one non-PandoDaily piece of content – an ecommerce report from Nielsen Korea.
What doesn’t jive with the theory in my particular case is the names and profiles of the individuals requesting access. One was a Melbourne-based software consultant, according to his Google+ profile. Another is an “ecommerce expert” based in Long Beach. The others either turn up no results in a Google Search of their Gmail address, or return complaints of “endless spamming.” None of them, however, suggest ownership of the Nielsen Korea page.
At this point, I’m at a loss for explaining the occurrence. I have reached out to Google for comment but have yet to receive a response. Until I can get a concrete explanation, I won’t use Google Drive to create or manage documents containing sensitive information.
Update I: Following the publishing of this post, we received the following response from a Google Drive spokesperson:
That is very weird - I totally agree. Unfortunately, I don't have any additional insight. You already checked the hyperlinks and any other possible connections between WordPress and the Google Doc, which would have been my first guess. If it's not that, I'm not sure from your description what else it could have been.
Now that you're aware of the issue, I'd suggest just writing your articles like normal but keeping an eye on the requests. Let me know if this happens again, with as much detail as you can provide about your copy-and-paste process. Update II: A commenter below identified himself as the "Melbourne-based software consultant" referenced in the post and indicated that he clicked on the link to the Nielsen survey and was directed to a Google Drive page where he was asked to request access to the document in question. One possible explanation for this would be that the URL for the Google Drive document was incorrectly inserted into the survey huperlink, however there were no changes on our end between yesterday and today, to my knowledge, yet this does not seem to be the case currently. We will continue to explore any possible explanation on our end.