Is Google Drive Secure?

Google Drive is not end-to-end encrypted. Is it secure?

Google Drive security vs Skiff private encrypted drive

Passport copies… Medical records… Tax documents…. If you’re like most people, you probably store these documents on Google Drive, along with a wide range of other types of personal information. While Google Drive is easy to use, its use should not come at the cost of data security and privacy. Unfortunately, Google’s security measures don’t fully protect against the possibility of your sensitive information being stolen, changed, or accessed by hackers, governments, or even Google employees when you use Google Drive.In this article, we will answer two important questions:

Is Google Drive secure?
How can you protect your sensitive documents and files against security and privacy risks?

1. What Security Measures Google Uses to Protect Google DriveImagine that you keep your private journal on Google Docs and it contains sensitive details about your life. What if a disgruntled Google employee accesses this content, sells it on the dark web, or uses it against you? Or, in the case of your medical information, are your sensitive details secure against unauthorized access? Can Google or others use it for advertising?Google does implement various measures to protect your files and documents on Google Drive, including encryption of your data both “in transit” and “at rest,” the details of which we’ll cover below. But these measures are table stakes in online privacy — while they may be effective against external threats to some extent if implemented properly, they are not enough to provide full security and privacy for the data that you store on Google Drive.Let’s delve into why and answer the million-dollar questions: Is Google Drive secure? What security and privacy gaps does it have?
2 . Is Google Drive secure?A. Three states of dataTo understand if your data on Google Drive is secure, it’s important to first understand how your data travels through Google Drive.Your data can exist in three states and it must be protected in all states to maintain the security and privacy of your sensitive information. These three states are as follows:

Data at rest

When your data, such as your documents, is stored on Google servers or on your device, it is “at rest.” Put simply, this state covers situations where your data is not being actively accessed, transferred or used. Google Drive encrypts your data at rest using AES-256 encryption, a widely used encryption standard.

Data in transit

When you transfer your data from your device to Google Drive or to other third parties, that data is “in transit.” “Data in transit” refers to the transmission of data from one point to another, such as from a client device to a server or from one server to another. Google also encrypts your data using AES-256 when it’s in transit.

Data in use

When your documents, files or other data are opened or accessed on Google Drive — for example, when you’re editing them — your data is “in use.” Your data is not encrypted when it’s in use. In fact, Google has to decrypt your data using the decryption keys it holds in order for you to access it. That brings us to the next key point.B. Google Drive does not provide client-side encryption and it holds both your data and the decryption key As we explained in the previous section, Google protects your data both “in transit” and “at rest” with encryption. However, when it encrypts your data, it also stores the encryption key along with your data. This is called server-side encryption — because the encryption and decryption of your data take place not on your device but instead on Google’s server — and server-side encryption exposes your data to various risks.To make a real-world analogy, it’s as though Google has both the safe and the key. There is no security wall between your sensitive data and Google: Google employees with access privileges or government authorities can easily gain access to your data. Moreover, if Google were ever to be breached by attackers, the attackers could potentially gain access to the decryption keys for your data, since Google holds them.A more secure alternative to server-side encryption is client-side encryption. Using client-side encryption, your data is fully encrypted before it is transferred from your local device to external servers, such as Google Drive, and only you hold the encryption and decryption keys. This means that a recipient of your data or files cannot decipher the content of your data unless you share the keys with them.The key advantage of client-side encryption compared to server-side encryption is that it renders your data and files inaccessible to the recipient; your data is like a black-box that cannot be opened by anyone but you. If you use client-side encryption, then your data can still be stored by third parties — you can hand them a black box to store on your behalf — but they can never actually see what’s inside, and if the data ever gets into the wrong hands through an attack, it will still be completely secure because the attackers don’t have the keys either.3. What security and privacy risks do you face when you use Google Drive?Since Google has both your encrypted data and the decryption key that can open up your data, your data is exposed to a range of security and privacy risks:

Google employees with bad intentions can access your data

According to a Vice report, Google fired dozens of employees between 2018 and 2020 for accessing and using confidential information without authorization. In some instances, Google employees accessed users’ sensitive personal details and deleted user data. In one instance, an engineer accessed the voice logs of a teenager.Since there is not an extra layer of security between Google and your data, Google employees with access privileges can exploit this reality and view your data.

Government agencies can require Google to disclose your data

Government agencies across the globe can subpoena Google to view user data. In the last six months of 2020, for example, Google received around 40,000 requests to access user data from the U.S. government.

Google can use your data for its own purposes such as advertising and analytics

When you create or store a file, document, or spreadsheet on Google Drive, the content of your documents and metadata of your documents — such as info on document formats or when they were created — can be accessed by Google and then used for Google’s own commercial purposes, including analytics and advertising.Google’s Terms of Service for Drive do not rule out the possibility that document metadata can be used for advertising or marketing purposes. And although Google states that the content of your files is not used for advertising purposes, it does not warrant that it will not use the content of your files for other privacy-intruding purposes, such as data analytics.4. How to eliminate those security and privacy risks with end-to-end encryptionTo eliminate the security and privacy risks we listed above, you need a type of security that guards your data wherever it goes and from whomever might try to access it — regardless of whether it’s in transit, in use, or at rest on a third-party company’s servers.As discussed, once your data ends up on Google servers, you lose control over your data because Google, its employees, and government authorities can get access to your data. Furthermore, because Google holds the keys, if they ever lose them in an attack, your data will also be compromised.If you’d like to protect against these risks, you need a way to ensure that your data is inaccessible to any third parties, including your service providers, after it leaves your device.This is where a superior type of encryption technology comes into play: end-to-end encryption.5. Overcoming privacy and security risks with SkiffSkiff provides everything you need to communicate and work together online — a collaborative note-taking platform, an email service and a storage tool — in a way that protects your sensitive data from everyone, including Skiff itself. It accomplishes this using end-to-end encryption.End-to-end encryption refers to the encryption of data in such a way that only the sender and intended recipients can ever get access to it. Put simply, end-to-end encryption transforms your files into black-boxes that can only be accessed by two entities: you, the sender, and the intended recipient who you grant access to the decryption key. Using end-to-end encryption, if you don’t proactively choose to share your data with someone, then they simply can’t access it.Skiff’s end-to-end encryption technology can protect and maintain the security and privacy of your sensitive documents and information across the entire journey taken by your data, from the moment it leaves your device to the time it is hosted on Skiff servers.When you use Skiff’s end-to-end encryption, the data is encrypted on your own device and you alone hold the decryption key. This simple but powerful technology eliminates all of the security and privacy risks we addressed previously in this article.Interested in using a new kind of collaboration platform that protects the security and privacy of your sensitive information? Sign-up for Skiff today.