In a privacy error that underscores some of the biggest problems surrounding cloud-based services, Google has sent a notice to a number of users of its Document and Spreadsheets products stating that it may have inadvertently shared some of their documents with contacts who were never granted access to them.
According to the notice, this sharing was limited to people “with whom you, or a collaborator with sharing rights, had previously shared a document” – a vague statement that sounds like it could add up to quite a few people. The notice states that only text documents and presentations are affected, not spreadsheets, and provides links to each of the user’s documents that may have been shared in error.
I’ve contacted Google for confirmation and haven’t heard back, but this seems to be legit – our tipster says that he had previously shared the document listed in his notice, but now it has been reset to show 0 collaborators (one of the precautionary measures mentioned in the note).
Update: Google has confirmed that the note is real, and says that it was an isolated incident affecting less than .05% of all documents. The damage may not be widespread, but it’s still an unsettling lapse in security.
Here’s the letter in full:
Dear Google Docs user,
We wanted to let you know about a recent issue with your Google Docs account. We’ve identified and fixed a bug which may have caused you to share some of your documents without your knowledge. This inadvertent sharing was limited to people with whom you, or a collaborator with sharing rights, had previously shared a document. The issue only occurred if you, or a collaborator with sharing rights, selected multiple documents and presentations from the documents list and changed the sharing permissions. This issue affected documents and presentations, but not spreadsheets.
To help remedy this issue, we have used an automated process to remove collaborators and viewers from the documents that we identified as being affected. Since the impacted documents are now accessible only to you, you will need to re-share the documents manually. For your reference, we’ve listed below the documents identified as being affected.
We apologize for the inconvenience that this issue may have caused. We want to assure you that we are treating this issue with the highest priority.
The Google Docs Team
In short, this is a massive blunder on Google’s part. I fully appreciate the lengths Google has gone to to offer a wide array of helpful online services, many of which are free of charge. But this error highlights why cloud-based services scare many people. Regardless of what a site’s posted rules and policies are, a technical glitch is all it takes to expose your sensitive data.
Update: An affected user posted his story and the exchange he had with Google support over the issue on Slashdot.
Update 2: A Google spokesperson has confirmed that the note is real:
We fixed the bug, which affected less than 0.05% of documents, and removed any collaborators. We also contacted the users who were affected to notify them of the bug and to identify which of their documents may have been affected. We have extensive safeguards in place to protect all documents, and are confident this was an isolated incident.
Thanks to Ed McManus for the tip.
I knew the wake-up call would come. And it won’t be the last one.
Finally, the super-naive (companies) will get a chance to rethink their “perfect” Google solution…
This shows 1 thing very clearly:
Google products are NOT FREE. The Worlds’ Biggest Data Hoover makes you pay with your privacy.
Enjoy the ride in the “cloud”.
I agree with this balanced opinion.
Free or not, some things are just not acceptable.
Yes, air is “free”, but that does not allow people to pollute it with without abandon.
Facebook is “free”, but that does not allow it to take away all ownership rights of all the content I would post there.
As one comic book character once said, “With great power comes great responsibility”.
Google, you have great power. Your compromising your users’ privacy is just not acceptable … for whatever reason.
From India,
Anjali Sen
Can you believe this retard? Quoting spider-man to pass judgement on one of the great innovative companies in the world?
Seriously, you need to sober up….
Can you assure us that the mistake was not committed by one of the many super-smart-know-it-all Indians crawling around Google?
@Anatole. You have a point. Although Indian workers are busy *saving America* as per this Anjali moron, they could never, ever make a mistake at Google…
Intriguing, though, why is it that many incompetent Indians’ H1B visas are not renewed/sponsored by Google and many others are asked to leave? According to the spammer-blogger “From India,” racism is the reason…
What is up with all this stupid, racist anti-India comments on Techcrunch?
“Can you assure us that the mistake was not committed by one of the many super-smart-know-it-all Indians crawling around Google?”
“Although Indian workers are busy *saving America* as per this Anjali moron, they could never, ever make a mistake at Google…”
Posters who are afraid to post under their real names, who are such cowards. But then of course everyone would know what stupid racist ignorant idiots they all are.
Anjali Sen
Dear carlos=matthew=anatole
You need to take a basic course in logic and rhetoric.
No one is fooled by your insipid attempts to attribute statements to me which have been wholely fabricated by you.
“Isn’t it possible that Google’s employees from India may have [inadvertently] made a mistake and caused the Docs’ problems? Isn’t it?”
Hmm … Remind me when exactly I identified and accused any certain race of causing this data privacy breach?
“But for you, Indian coders/engineers are not *capable* of making mistakes?”
Hmm, remind me once again where in my comment I wrote that Indian coders are not capable of making mistakes?
*** Stop taking up valuable space here your stupid comments. No one wants to hear them, and they belie your lack of education, and everyone can see what cowardly idiots you are making derogatory comments behind a pseudonym.
Anjai Sen
PS.
Let’s see:
cowards
stupid
racist
ignorant
idiots ….
I still think that most people writing and posting comments on Techcrunch are highly educated professionals. Unfortunately, you have proved me wrong with your comments. The language you are using is more suitable for a vulgar street person. You have no class at all.
Dear Anjali Sen,
Please don’t be too thrilled about a few morons who utter their racist ignorance over the web. Many people in the world hold racist opinions and I guess that as long as they just bark anonymously and don’t take real actions, it means they are well held back.
The issue of Indian coders has, at least as far as I understand, NOTHING to do with this article.
Peace
Keep up the good and thoughtful comments, Anjali – don’t let a few dolts who are annoyed by/jealous of your early placements in the comment section get to you (in case you don’t know, in the US anyway, it *is* a big deal to be first – or even “close to first”, way up at the top of the page) – and the fact that you are every day is probably eating them alive with envy. If you weren’t Indian, chances are they’d find some other issue to attack you over.
Oh, and @ carlos: “I still think that most people writing and posting comments on Techcrunch are highly educated professionals…The language you are using is more suitable for a vulgar street person. You have no class at all.”
Snob. You wouldn’t last a minute here in the real world – would ya?
@anatole
Your comment is ripe with racial commentary, I don’t know if you intended it too but why even bring his race or country into it – except to belittle him purely on some racial hangups you seem to be having.
I agree totally.
Free things are not always good – fine – but Google doing al this is really not acceptable. Google is pretty clever to market most of their products as a beta
News flash: Google is made by humans. Humans err. With other paid services you usually get compensated for mistakes which may cause you harm. I guess that the few users who suffered due to this bug can sue Google.
To err is human.
To ARR is pirate.
No such thing would happen at YourNight.com’s docs feature. Keep an eye out for our launch this quarter of 2009.
And all this mess was “just” caused by a “bug”.
Now please add to that & always keep in mind:
1) ANY computer that is connected to the net can be hacked.
2) Huge User Data Monopolists like Facebook or Google will ALWAYS be a preferred target for a lot of hackers.
yep.
Please. Let’s see how many millions of documents were shared.. oh wait, there weren’t. Unlike all the recent Credit Card compromises we have heard about. And those would be from not what we would consider “super-naive” companies. This is FUD plain and simple.
But perspective folks, this isn’t the sky falling. A poorly configured server exposed to the Internet will give more info away and is a larger threat due to bots and zombies.
No, the mere fact that the documents were available to third parties without the document owner’s permission is bad. You can’t say how many documents actually fell into the wrong hands.
Keep your documents in machines you control if you don’t want to share them with strangers.
“No, the mere fact that the documents were available to third parties without the document owner’s permission is bad. You can’t say how many documents actually fell into the wrong hands.”
If you had RTFA you would realize it is only people you have given explicit access to some of your documents that were *potentially* given access to other docs. This doesn’t let anybody you don’t already know get access to any of your docs.
Might want to get your facts straight before you get your panties in a bunch.
@SensationalistMedia
Quite a sensationalist you are… the issue here is not wether the files were available to the whole world but that the files were given permision without being authorized even if you had share info with the people on your list.
I’m not screaming that “the sky is falling,” but I do think users need to be strategic about the files/data they choose to put in the “clouds.”
Enough said, something like this would not happen on Extreme Enterprise’s Documents feature on YourNight.com. Again, read:
CEO RJ Garbowicz was asked what is YourNight.com, he responded, “Picture this; you get home from work in the evenings and you turn on your PC, what do you do . . . answer email . . . browse your social networking or dating site . . . play online games . . . search videos and music . . . shop online . . . peruse job listings . . . check out local events . . . search for a business . . . go to your online banking . . . well you get the point, YourNight.com affords you all of this, and much, much more – all within one colossal, user-friendly portal . . . that’s all I can say for now, since we are still in stealth mode . . . however, as soon as we complete our Series A capital raise of $10 million our purpose and presence will be known.”
But I can do all of this by putting links onto my browser. All within one “colossal, user-friendly” internet explorer that is already on my computer when I bought it.
Well played sir. Well played.
“which may have caused you to share some of your documents without your knowledge”
Umm… Not really there Google, I think “which may have caused “US” to share some of your documents” is entirely more appropriate.
Gmail down for a few hours last week – now this. Looks like things are slipping over at Google.
Truly brief downtime which has been explained, and for which safeguards are surely now in place is the first sign of Google’s downfall.
We live in interesting times.
I had this 2 months ago. A saw a document in my shared docs and a person that is and never was in my contacts. I never shared a document with this person. I reported this to Google but no answer. Finaly I deleted the document because I thought that someone tries to access my Google Account via an infected document.
Btw. this was a free Google Apps Account and I never got any feedback from Google or advice what to do.
From this day I never used Docs again. Those problems should not but can happen – but I would be happy if Google could answer my email.
Google Mail, Google Docs, photos, and many such “very nice products” are always a BETA marketed product. So in any case, if things go wrong … can google be sued?
Look what you’ve become, people. Using free service and not being grateful – instead, following the problems with great pleasure and thinking when would the blessed time come when you ‘d be able to sue the company who gives you that service. To maybe make some money without working. Who cares that you get for free much more than you would ever be able to come up with yourself.
You should be ashamed, really. This kind of attitude (as if someone owes you something) maddens me. Here’s a simple solution: build your own product which would never have bugs and sell it.
What? You can not? And no one else can? Then cut down with the counter-productive comments and I don’t know – go make a baby or something.
> go make a baby or something
oh good, tell the people you just yelled at to go multiply. that will get things done.
> sue the company who gives you that service
i’m sure there is an “as-is” clause in the Terms of Service, as any prudent company would have. however, user security isn’t something that should be compromised (sorry for the pun).
i agree with No Way up in the first comment and have always avoided using Google for any sensitive information, period.
Hey! when did I say that I will sue them, just wanted to know if that can actually happen
It’s legit alright. I reported this issue to Google on February 24th. Last Thurday I was notified it had been fixed.
I knew this would cause a few discussions about cloud computing and the beta-status of most of Google’s applications. I work for a small company. We use Google Docs a lot and we unintentionally shared some internal documents with a few clients. None of these were ultrasecret and the issue was quickly discovered, but you can imagine what could go wrong.
I can say, however, that I’m very happy with the way Google handled this. The e-mails were polite and helpful, the issue was resolved fairly quickly and they have gone out of their way to correct erroneous shares and they sent e-mails to all affected users. They knew they would get reactions like this article, but they did the right thing.
Regards,
Richard
This is really bad timing for this… Yikes!
http://www.bardonia.net
I have been using Google Apps since it was launched and I have not experienced any security risk issues.
“I have been using Google Apps since it was launched and I have not experienced any security risk issues.”
Don’t be so sure about that. Ignorance is bliss.
I’m fully aware of the limitations of Google Apps and if you use the apps with this in mind there shouldn’t be any major problems.
Well, just because you have not noticed an issue doesn’t mean that you didn’t have one in your shared account. Google was cool, but they are a public company now and report to shareholders. They do anything to meet their numbers. Just like their “so-smart” ranking algorithm. You rank well, they lose money … so you go figure …. Power brings corruption and that is the law of the wild, some may call it Corporate America. Lastly, there is not perfect programmer out there. So mistakes are just the matter of time.
interesting, thankfully i havent had that email so i guess im ok. i use google apps to publish my reports for clients but i never in put personal data. i give them a client number and thats all.
interesting, thankfully i havent had that email so i guess im ok. i use google apps to publish my reports for clients but i never in put personal data. i give them a client number and thats all.
Sorry, forgot to add great post! Can’t wait to see your next post!
Oh no!
Cloud Computing Questions:
1. Who owns the data/documents/content?
2. How much access do the data custodians have to your data?
3. How much access SHOULD they have?
4. During an outage, what, if any, recourse do you have to continue doing business with your various collaborators?
5. How secure is your data in the cloud? How patched is the cloud environment? How well monitored is it for violations?
6. Just how interconnected are the various Google sites? Calendar, mail, Docs etc…
I only use Google docs for convenience of sharing a few minor docs. Until I get satisfactory answers to the above questions, nothing business critical or remotely private will be going up.
All of which SHOULD keep us aware of the Go Ogle terms of service, and continue to use the simple and obvious method of sharing via email rather than the “cloud”. Go Ogle’s track record is at best average and creeping downward.
Whoops! security nightmare… dang!
What’s happening in here?!
Sharing some files without permission is kinda bad but this is what the clouds caused us.
@musashi:
“2. How much access do the data custodians have to your data?”
Interestingly, I had to grant google’s helpdesk access to some of our documents before they could look into the issue.
Alyx and Clif are right…compared to credit card security lapses this is not nearly as onerous. And as Clif says…be careful what you put on the cloud.
Having said that…Google’s memo is pathetic. dave from wikibon.
Classified business files being shared between business partners over in the cloud can be extremely valuable – especially to a competitor!
Just imagine you’re discussing a new product (a new killer app, or product) amongst your colleagues before you’ve patented the idea and that leaks out (without their knowledge); I’m sure you’ll be more worried about that.
Many small businesses are using the cloud (Google or others) to do just that. Their Intellectual Property is extremely valuable to them.
If you shared a document with a competitor on the same account you use to share with clients, I think you should do a review of your company’s security practices.
More info here: http://slashdot.../journal/225229
linked it up in the post.
Such an old news…I think RWW already covered this almost a month ago. I’m surprised Google hasn’t fixed this yet.
Can’t find anything on the issue on RWW?
Sorry, that was Wired….http://blog.wired.com/business/2009/01/google-docs-des.html
Its the same issue, isn’t it?
This could be quite embarrasing for some people, not least Google. If you want your documents public, better to use someone like Scribt or http://www.twidox.com.
Google has had some problemas lately. I prefer to use Scribd, Box or Issue to store docs instead of Google Docs.
Yes. Twidox is also very good. But I prefer http://www.scribd.com
I stored there more tham 900 docs.
This is one reason Docs isn’t making any headway in the enterprise. An IT managers worst nightmare.
I just received this email today. I don’t think this will prevent us from using Google with our students. It’s still too valuable a resource. We will just keep reminding them to keep private information private.
You guys are getting way carried away with this. Talking like people had their Docs shared with random people is wrong. These Docs were shared with people that they had previously been shared with.
This happened to me and I am FINE with how Google handled it.
You guys love to harpoon Google for stuff like this and the Gmail outage but noondy says a word about Yahoo mail being down all morning.
I’m not sure sharing documents with people I’ve shared them with previously is “ok”. Take a real world example: You use Google spreadsheet to manage your information regarding a new product launch to get bids from your contract manufacturers, including 10 new ones in china you want to get a bid from. Then you select one, and start to use Google spreadsheet to share the final version include component costs, etc. But, it get shared with all of the contract manufacturers you rejected in the bidding round. OK? I don’t think so …
And they want to be entrusted with my medical records, too? Please.
Had you placed your medical records on Google Health and this had happened there your records would have only been exposed to people that you previously exposed them to.
I don’t use Google Health because none of my providers upload records there. Yet.
This happened to me, my files were shared with people, but they were people that had previously had access to those files. Nobody new was added.
I don’t like it, but Google handled it in a way that I feel is appropriate. I don’t place information there that is critical to my business, but there are still some very important documents in my account. I am leaving them there.
Yeah, this is way worse than the old days when people collaborated by emailing Word docs around. Back then, if you emailed the doc to the wrong mailing list, you could just retract the email in Outlook.
@Jores – Back in the day you could only recall a message in Outlook of both you and the recipient were using Outlook with an Exchange server. If you emailed to someone off the Exchange ecosystem you had no way of recalling that message. Outlook would go through the motions of recalling, but it simply didn’t work.
No kidding. Sarcasm is lost.
You’re working on and storing your documents ONLINE? Well, obviously, “the cloud” is that huge, nebulous ball of gas between your ears. WAKE UP, people!
Great, now they want to safeguard my health records ? No thanks !
Sharing information on the web will always have some limitations, but the risk of sharing data without our knowledge can happen with any digital device, including personal computers or companies servers.
Small businesses need to make the choice by assessing their abilities to secure their documents better than Google or other online services.
I think that in that specific case Google could have handled the matter faster and should also have responded to the email from Andy. The final response seems appropriate, they have fixed the problem and notified users.
I also agree that the Beta-forever practice that Google has pioneered is not responsible and undermines users’ rights on the web.
Finally there is a lot of confusion in this article and others between the term ‘Cloud Computing’ and ‘Online services’. Cloud Computing is a deployment technology for service developers competing with web hosting, dedicated servers, collocation, this is NOT an end-user service. Google Docs is an online service, not Cloud Computing.
The response from Google is absurd — just because it % of users impacted (%0.05 of users) was relatively small this does not consider the value of the information that was made public (somebody’s tax returns, health records, business plans, etc.)
This is one of the reasons, I hardly use Google Docs for sharing data.
I have been a collaborator for a few docs with friends, but they were not critical at all even if it got compromised. It’s good to know about this issue, so I will be cautious in the future as well.
Thanks for the notice, Jason.
Techcrunch provides a valued service to the community. Just deleted all collaboraters PERIOD.
I guess if we share, it’s back to email attachments. Sad.
I wonder if google will ever be owned by Nigerian and Russian scammers! Cloud computing for everyone, haha!
It’s like the New Depression we have…you asked for it, you got it (can’t finish the jingle with TOYOTA).
Maybe you should go back to PDP-8s again.
This bug has NOT been fixed as of the date and time of this posting on TC. Before learning of this bug today via TC, we were actually testing the security features of Google Docs and assigned one of our own staff ‘View’ permissions to a low security document. We then removed all permissions. However, a) Clicking the link in the invitation email still allowed the test invitee to view the document. b) The invitees name re-appeared on the Owner’s document list. Clearing caches, logging out, re-launching browsers, re-starting computers, re-creating and disabling permissions all fail to cure the bug.
Google, it’s still out there!
Giving a percentage is disingenuous. Because it’s the active, shared docs of people who shared docs with multiple groups of people, it’s exactly the worst ones to share.
This probably happened to a friend of mine who was really hurt by it. She was working with two groups last month, sharing different docs with both, and one of them saw the other’s. Bad for negotiations. She reported it to G, but without immediate results.
So, sharing 0.05% of the documents on your hard disk could be irrelevant if it’s man pages, or really bad if it’s recent emails & diary entries. In this case it was more like the latter.
Coincidently, in adult males, the testes are typically 0.05% of body mass. Small percentagewise, but not unimportant.
Last para, priceless. Nice one!
Even worse, you can’t encrypt the documents before saving them to Google docs. tried to encypt some microsoft office files, and the upload fails. The process considers encrypted file to be corrupted. So you are just screwed with google docs.
In view of the fact Google are assumed to be the one company offering an alternative to Microsoft, the following issues really damage their cause:
1. Aforementioned security problems with Docs
2. Lengthy downtime for Gmail etc on several occasions, including in the last few weeks
3. Lack of integration between the different Google services. You cannot even drop Picasa images into Docs or Sites, nor embed a Google spreadsheet into a Google document. (Such features are standard on all desktop apps and hardly complex to implement online.)
4. Various bugs and system failures within Docs, such as documents refusing to save for no reason.
5. Lack of consistency between GUI in said services. For example, the [Save] button is on different sides of the screen depending on the service.
(The argument that these services are free does not wash. Their are paid upgrades for some, and that does not cure these issues.)
I believe these problems to be related to the fact the staff at Google are too young or inexperienced to be diciplined. Neither Apple or Microsoft for all their flaws would allow such obvious issues to languish for so long. Lack of ethical and/or wise hiarchial management in an organisation has been proven to be catastrophic thoughout history.
Further reading…
Lord of The Flies by William Golding
(BTW, I love a lot of what Google do, it is often intuitive, fast and widely accessible, but for something to be useful – and not just interesting, it must work reliably and offer the same or more than any supposedly infierior alternatives.)
I am glad Google at least admitted its mistake and fixed it rather than denying it ever occured
carlos writes:
“cowards
stupid
racist
ignorant
idiots ….
I still think that most people writing and posting comments on Techcrunch are highly educated professionals. Unfortunately, you have proved me wrong with your comments.”
The original comments were clearly racist and the words “cowards stupid ignorant idiots” are perfectly reasonable adjectives for describing racists.
Well said!
I had some huge group of people I don’t even know share documents with me. Does that mean they can now all see my private documents?
Maybe they should set things up so I get a message the first time anyone looks at one of my docs.
“You should be ashamed, really. This kind of attitude (as if someone owes you something) maddens me. Here’s a simple solution: build your own product which would never have bugs and sell it. What? You can not? And no one else can? Then cut down with the counter-productive comments ”
You are right. We should never criticize anything, ever. If only the world was free of all criticism, then goods and services would be certain to improve.
True that!
And if someone can’t do what I can do they should never have a bad word to say about what I did, either. And no, that doesn’t make me a close-minded, jealous tyrant. Just so much smarter than ya’ll. What a bunch of blather. Too bad there isn’t a way for the page to detect nonsensical comments and play loud music as you begin reading them so that your mind just can’t handle all the distraction until poof! the nonsense words seem to just run right off the page – that is, until you hit the next intelligent comment (assuming there is one, of course).
this again goes to show that the mega biggies arent really that adept at handling the level of security and uptime that is necessary for enterprise SaaS. frankly, im more confident going with smaller companies with extensive experience like HyperOffice.
Damn….click on a link and end up at techcrunch. Maybe this is a good article, maybe not. With all the tabloid nonsence and crappy journalism on this site im simply going to leave without reading. Ta ta.
No-one else notice the way they worded the letter:
“We’ve identified and fixed a bug which may have caused you to share some of your documents without your knowledge.”
No, you’ve found a bug that may have caused *google* to share…
Cloud computing has miles to go before people can even think of using it. Google docs and emails are just some of the preliminary forms of cloud computing but nonetheless these symbolizes the future of computing.
Is Google now banning this article on Google News?
‘Your search – Google Privacy Blunder – did not match any documents’
Other articles from TechCrunch still show up, like this one:
‘Elevator Pitch Friday: Valu Valu’
Thanks. nice post, good information.