Friday, January 26, 2007

Suggestion for increased security in Google Docs & Spreadsheets

At some point last year Google launched "Google Docs & Spreadsheets", offering their users the opportunity to store, edit and share documents online. I love this product and I use it very frequently, for sharing documents, but also to keep a golden copy of important documents online so that I can access them wherever I am on the planet, with nothing more than a web connection.
However, as I started to add more personal documents I also became increasingly concerned about the potential for loss or abuse of my data. I am not so much worried about some Google employee being able to view my data stored on their servers. I know Google is very keen on protecting the data and privacy of its users, although I agree with John Battelle that we shouldn't become complacent and ignore the dangers of all our data being so vulnerable, within reach of one ill-intentioned but well-connected individual.
I am not so worried either about the lack of SSL encryption in Google Docs & Spreadsheets, which means that my data is being transmitted unencrypted from my computer to Google's server, available to be snatched by anybody watching Internet packets go by on my wireless network. I am worried about it of course, but it is possible to force Google Docs & Spreadsheets to work in SSL by using a Firefox extension such as CustomizeGoogle. (* see update below)
What I became concerned about was the potential for somebody from my inner circle of acquaintances (colleagues, friends, passing visitors, etc.) to be granted access to my personal documents without my knowledge or desire. It is well known that identity theft crimes are often committed by a person in the inner circle of the victim, and by the same token I think this is where my data is most vulnerable.

Google Docs & Spreadsheets restricts access to your documents through your Google account and password, which are certainly secure in terms of their encryption; however, I find that many people are now logged in to their Google account almost constantly, be it through the Google personalized homepage, Gmail, or any other Google service. This is good for Google of course, which benefits from the knowledge of your surfing habits, but it can open a breach in your own security. The "secure" protection that you thought your Google password provided is not going to be much of a barrier to anyone who uses a browser in which you are already signed in. For this reason, I posted a message on the Google Group for Google Docs & Spreadsheets, with a suggestion to improve the security for those few sensitive documents that you may have stored. The idea is inspired by the method that Google themselves (itself?) put in place to restrict access to your Search History: add a new layer of security, even though you are already logged into your Google account. Here is how Google explains it:
"To help protect your privacy, we'll sometimes ask you to verify your password even though you're already signed in. This may happen more frequently for services like Personalized Search which involves your personal information."
My suggestion for Google Docs & Spreadsheets is very similar. Here is what the main page currently looks like:
Let's say you have two documents, "Sensitive Info Spreadsheet" and "Top Secret Document", that you would really like to keep private. The idea is to be able to lock (meaning: to encrypt) those documents and to ensure that they cannot be decrypted and read without first entering a password. My suggested implementation would be to add, next to the document title, a little lock that you could click/un-click, not unlike how the "star" function works. This could look something like this:
Clicking (activating) the little lock would do just that. The document would become instantly encrypted and protected, using your Google password (the same as your Google account). In order to read or unlock the document, you would have to enter your password in a little pop-up input field, like this:
I think this would be simple and efficient, however I welcome your comments and feedback. If you like this idea, I would recommend that you go to my post in the "Ideas & Suggestions" Google group and either rate my post and/or add a message to the thread. Hopefully if enough people express their interest in this, Google might pick up on it and implement it sooner.
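The lock described above (encrypt a document so that it cannot be read without the password) can be sketched as follows. This is an added example, not code from Google or from the original post; it assumes Node.js and its built-in crypto module, and the function names are hypothetical. It goes one step beyond the post by wrapping a random per-document key with the password-derived key, so that a change of account password only re-wraps the key instead of re-encrypting the document.

```javascript
// Added example (not from the original post). Sample inputs are constructed.
const crypto = require('node:crypto');

// AES-256-GCM: seal() encrypts and authenticates, open() throws on a wrong
// key or on any modification of the stored data.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function open(key, box) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// Key-encryption key derived from the password with scrypt (slow by design).
function deriveKek(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// "Click the lock": encrypt the body with a random document key, then wrap
// that key under the password. Only salt, wrappedKey and body are stored.
function lockDocument(text, password) {
  const docKey = crypto.randomBytes(32);
  const salt = crypto.randomBytes(16);
  return {
    salt,
    wrappedKey: seal(deriveKek(password, salt), docKey),
    body: seal(docKey, Buffer.from(text, 'utf8')),
  };
}

// "Enter your password in the pop-up": returns the text, or null when the
// password is wrong or the stored data was altered.
function unlockDocument(locked, password) {
  try {
    const docKey = open(deriveKek(password, locked.salt), locked.wrappedKey);
    return open(docKey, locked.body).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Password change: only the small wrapped key is redone, the body is reused.
function rewrapForNewPassword(locked, oldPassword, newPassword) {
  const docKey = open(deriveKek(oldPassword, locked.salt), locked.wrappedKey);
  const salt = crypto.randomBytes(16);
  return { salt, wrappedKey: seal(deriveKek(newPassword, salt), docKey), body: locked.body };
}
```

With this layout an open, signed-in session is not enough to read a locked document: the server holds only ciphertext until the password is typed again.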

Update (2007-07-26): Google upgraded their Docs & Spreadsheets about a month ago, and around that time they also implemented SSL support for spreadsheets. This is a welcome improvement, but unfortunately it does not address the other security and privacy issues mentioned above.
