Is Google Docs sharing secure & how to share Google Docs securely
The challenges of sharing Google Docs securely – how to stop sharing between unauthorized users and create locked documents that cannot be copied or misused.
Google Docs has rapidly gained market share over the past five years, likely spurred by its simple interface and cloud-based nature. Users can write and edit documents on any device, from anywhere, and quickly share them with whomever they like.
These features are convenient for end users but present a headache for IT admins. Easier sharing generally leads to more leaks of sensitive and confidential information, intentional or not. They must find a way to ensure the security of shared Google Docs to avoid reputational and monetary damage to their company. This blog will examine the pitfalls of sharing Google Docs and the options for securing them.
Is it secure to share via Google Docs?
Those who utilize Google Docs daily will know that it’s not without security. Google has put some effort into controlling which users can view docs and what they can do with them. This comes in the form of access and document controls. Both need to be effective to prevent unauthorized sharing – let’s assess the security of shared Google Docs by looking at both.
Is sharing in Google Docs secure?
There are two access levels in Google Docs: “anyone with the link” and “restricted”. Both have their issues:
- Anyone with the link: Only the shareable link is required to gain access.
This offers very little protection against sharing. A recipient can share the Google Docs link with anybody, including those outside of the organization or in competing firms. Additionally, you may unintentionally leak links to Google. Google could index them from a site, or somebody could accidentally set a messaging channel to public, etc.
- Restricted: You enter the email addresses of the people you want to share with.
This is supposed to make it so that only specific people can access the document. It sounds secure until you realize that:
- Users can share their account details.
- Users can make a copy of the document and share that.
- If you share it with non-Google account users, it will still be sent as a link that anybody can open.
Preventing printing, editing & copy-pasting
Google tries to address some misuse with document controls to prevent users from printing, editing, and copy-pasting. There are three access levels for this:
Viewer and Commenter both disable editing, copy-pasting, and printing.
In other words, the security of shared Google Docs is poor, and you should not use it for sensitive and confidential documents. While turning off external sharing in Google Workspace may help to prevent accidental links, it won’t stop intentional ones since users can make unprotected copies of the document. A different approach is therefore required.
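To find files that are already exposed through the settings described above, an administrator can audit Drive file metadata. The following is an added example, not part of the original article or any vendor's code: it assumes metadata shaped like Drive API v3 file resources (the `permissions` list and `copyRequiresWriterPermission` fields), and the sample records, finding codes and `example.com` domain are constructed for illustration.

```python
# Added example: flag risky sharing settings in Drive file metadata.
# Field names follow Drive API v3 file/permission resources; the records
# below and the organisation domain are constructed, not real data.

ORG_DOMAIN = "example.com"  # assumption: your organisation's domain

SAMPLE_FILES = [  # constructed sample metadata
    {"id": "f1", "name": "Pricing 2025", "copyRequiresWriterPermission": False,
     "permissions": [{"type": "anyone", "role": "reader"}]},
    {"id": "f2", "name": "Board minutes", "copyRequiresWriterPermission": True,
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
         {"type": "user", "role": "reader", "emailAddress": "pat@partner.test"}]},
    {"id": "f3", "name": "Team notes", "copyRequiresWriterPermission": True,
     "permissions": [
         {"type": "domain", "role": "commenter", "domain": "example.com"}]},
]


def audit_file(meta, org_domain=ORG_DOMAIN):
    """Return a list of finding codes for one file's sharing settings."""
    findings = []
    perms = meta.get("permissions", [])
    for p in perms:
        kind = p.get("type")
        if kind == "anyone":
            # "Anyone with the link": the URL alone grants access.
            findings.append("LINK_SHARED")
        elif kind in ("user", "group"):
            # Compare the address's domain with the organisation's.
            domain = p.get("emailAddress", "").rpartition("@")[2].lower()
            if domain != org_domain:
                findings.append("EXTERNAL_USER")
        elif kind == "domain" and p.get("domain", "").lower() != org_domain:
            findings.append("EXTERNAL_DOMAIN")
    # Viewers/commenters keep Drive's copy, print and download options
    # unless copyRequiresWriterPermission is set on the file.
    has_non_writer = any(p.get("role") in ("reader", "commenter") for p in perms)
    if has_non_writer and not meta.get("copyRequiresWriterPermission", False):
        findings.append("VIEWER_CAN_COPY")
    return findings


def audit(files, org_domain=ORG_DOMAIN):
    """Map file id -> findings, omitting files with no findings."""
    return {m["id"]: f for m in files if (f := audit_file(m, org_domain))}


if __name__ == "__main__":
    for file_id, found in audit(SAMPLE_FILES).items():
        print(file_id, ", ".join(found))
```

An audit like this only catches exposure through Drive's own settings; it says nothing about copies that have already left the Google Docs environment.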
How to tell if a Google doc has been shared
Unfortunately, because of the ways to bypass Google Docs security, you cannot tell if a Google doc has been shared, even if it is locked or restricted. Users can just copy and share documents outside of the Google Docs environment. This effectively means that audit trails or activity logs to monitor use and sharing are useless.
How to improve the security of shared Google Docs
You’ll need to look at third-party solutions to share Google Docs securely or stop sharing of a Google doc with unauthorized users.
To summarize, an ideal solution needs to be able to:
- Allow only authorized users to view documents. The most secure way to achieve this is to lock documents to authorized devices since online logins to web apps can be easily shared.
- Have adequate controls to stop printing, copy-paste, and editing.
- Prevent saving to new, unprotected formats.
- Stop screenshots and screen recorders, including those by third-party software and in virtual machines.
- Deter sharing via photos of the screen and printed copies (if printing is allowed).
Though it might not sound like it, that’s a tall order. Let’s first look at a few solutions that don’t make the cut so you know what to avoid.
Password protecting documents
One popular suggestion you’ll see is adding a password to a document before you upload it to Google Drive. You can achieve this by saving the document as a PDF and password-protecting it. Drive cannot convert password-protected Word files to the Google Docs format and, therefore, does not let you upload those at all. We cover password protecting Word docs in our blog on How to encrypt Google Docs.
A password on the document may help if somebody randomly stumbles across the link. It might also help if somebody with access to the document gets their account hacked – the attacker will have to crack another password. In all other situations, however, it is useless:
- It doesn’t stop intentional sharing since the sharer can provide the password.
- As users can still download the file, they can also download a copy, remove the password, and share the unprotected document.
- Users can still screenshot the PDF – they may share that screenshot intentionally or inadvertently.
- Hackers can brute force or use dictionary attacks against the password. Google Docs does not limit how many incorrect passwords you can enter or how quickly, which makes writing a script to try thousands of combinations simple. Cracking is usually made easier because long and complex passwords are more challenging for users to remember.
Then there are the management issues and overheads. For the best security, you need a different password for each document. You then need a mechanism to share them with users securely, a procedure for lost and forgotten passwords, a policy to ensure they don’t store them improperly, etc. That’s a lot of resources for a solution that provides poor security.
Encrypting Google Docs
Another option is to encrypt files using PGP before you upload them. This has advantages over password protection, such as using public/private keys rather than passwords, which makes it much harder to crack. It’s a suitable choice if your primary concern is the prevention of accidental leaks or hacker access.
However, PGP encryption isn’t much help when it comes to intentional leaks. Since file previews are not available for PGP-encrypted files in Google Docs, users will have to download and decrypt the file – at which point it will have no protection and can be mass-shared.
To summarize, PGP encryption is a poor choice if you want to stop leaks and piracy in their entirety. On top of this, it is not very well suited for sharing outside of an organization, as you need to request somebody’s public key before you can encrypt a document for them.
How to share Google Docs securely
A more secure way to share a doc is to use DRM software such as Locklizard Safeguard. Safeguard is a digital rights management (DRM) solution that utilizes encryption, document controls, and a secure viewer application to stop all forms of unauthorized sharing. It offers robust security without the management overhead of password security or the inconvenience of managing public and private keys.
Here’s how it works:
- You encrypt a PDF on your local PC and add any DRM restrictions you want to enforce.
- Your protected PDF file is saved to your disk and a document record is created on the Admin System.
- You create a user account for each user you want to view your protected PDF.
- A link to the Viewer and their license file is automatically sent to the user’s email address.
- Once the Viewer is installed and the license file activated (clicked-on) it is locked to that device and cannot be activated elsewhere (unless you allow this).
- You control which protected documents each user can access from the Admin System.
- You distribute your DRM-protected docs via Google Docs.
- A protected PDF can only be opened by someone who has been authorized to view it. Depending on your DRM controls, they also cannot be printed, edited, copied, or screen grabbed. Sharing is always prevented since the recipient must be authorized to view the protected Google Drive file – if they are sent a protected file and have not been authorized to view it, then it will not open. You can also automatically expire PDFs based on their date, number of opens or prints, and instantly revoke access.
Let’s take a look at how to do that step-by-step:
- Open your Doc and press “File > Download > PDF”.
- Right-click on a PDF file on your computer and press “Make Secure PDF”, then choose the DRM controls you want to enforce in Safeguard Writer. Optionally, add a dynamic watermark that will display the user’s name. This will deter them from taking pictures of the screen with a secondary device.
- When you press “Publish,” your secured PDF is saved to your disk as an encrypted file, and a document record is created on the Admin System.
- You create a user account for each user you want to view your secured PDF by pressing “Add” in the “Customers” tab of your admin system.
- Grant the customer access to the document in the admin system.
- Distribute your DRM-protected PDF by uploading it to Google Drive and pressing the share icon. You can choose “Anybody with the link can view” and “Copy link” if you wish since only authorized users with a valid license file installed can view it. However, choosing “restricted” from the drop-down menu will work fine. For more tips on Google Drive security, see Is Google Drive secure?.
How to view Locklizard-protected documents in the browser
Naturally, uploading an encrypted Locklizard PDF will mean that users can no longer preview your documents in the browser or edit them in Google Docs. This is why you shouldn’t be looking to protect every document in this way, but rather the ones that are sensitive/confidential or those you mean to sell.
For cases where you do not need the best possible security, there is the Locklizard web viewer. The web viewer offers reduced protection compared with the desktop client but is still a significant upgrade over Google Docs. To enable the web viewer after you protect your document, press “Protect to WEB…” in the “Protection status” window.
Alternatively, open the web publisher application, add the documents you want to add to the cloud-based web viewer and press “Publish All”.
You can enable web viewer access for a customer by selecting the more details arrows next to their name in the Customers tab of your admin portal, ticking “Enabled” under “Web Viewer,” and sending them their login info.
The user can view any web-enabled documents you grant them access to from a convenient portal.
The best way to share Google Docs securely
It’s not possible to share Google Docs securely in their default format. Google does not prevent document controls from being bypassed, and any web-based environment will always provide poor security for locked docs.
With PDF passwords, PGP encryption, and other solutions offering little protection against intentional sharing, Locklizard DRM is your best option to stop unauthorized sharing or block unsolicited shares.
Are “anyone with the link” Google Docs secure if you don’t share the link?
Not necessarily. The random component of a Google Docs link is 44 characters and would therefore take billions of years to brute force. However, this assumes no pattern can be discerned with Google’s document links. If somebody could guess the algorithm generating the link, it would substantially speed up the process.
Even so, the most considerable risk is the link leaking. Links are stored in your browser history and clipboard, which an attacker could extract. You could also share the link accidentally and it could be saved by a browser extension, Google Docs plugin, etc. Ultimately, there is little reason to run this risk when you can easily access your document by logging into your account.
How do I share a lot of Google Docs at once?
Open your Google Drive and control or shift-click the documents you want to share. Then, press the share button, choose your settings, and click “Done”. Sharing them with an account will be much faster than sharing them via a link. You can also create a shared folder and make it so only people whose email you add can see it.
Why can’t I share my Google Doc?
Likely because your administrator has not given you permission to. Google Workspace admins can disable sharing to help prevent leaks, though this doesn’t stop users from copying and pasting from one doc into a text file, etc.
Can you share a Google Doc with someone without a Gmail account / Google account?
Yes, you can add any email to the share window, including ones from Yahoo, Outlook, Protonmail, etc. However, Docs will send the document as a link, which the recipient can share with anybody they want to grant access to.
Are Google Docs private?
It depends on what you mean by private. Private from other people? They can be if you never share them with anyone and ensure strong account security.
Private from Google? They are not end-to-end encrypted, so Google could technically read them or provide them to law enforcement if it wanted to. Additionally, Google collects and saves data for performance and crash analysis.
Is Microsoft Word Online more secure than Google Docs?
If you have a non-business version of Microsoft Word/OneDrive, its security is pretty much useless. You can’t stop users from downloading shared Word documents, and downloaded versions are unprotected. You also can’t stop copying and pasting or printing to a PDF.
Business users can use SharePoint/OneDrive business to protect their Word files, which offers improved security such as the ability to block downloads. However, this still does not prevent users from screenshotting the document.
How can I stop sharing of a Google doc?
The only way you can effectively stop sharing of Google Docs is by using a DRM solution to protect files before they are uploaded to Google Workspace. This is because the security of shared Google Docs is weak, allowing users to easily save files outside of the Google Workspace environment. While turning off external sharing in Google Workspace may help to prevent accidental links, it won’t stop intentional ones since users can make unprotected copies of the document.