If you work in a newsroom, there’s a good chance you work with colleagues on Google Docs, Slides, Sheets, and more.G Suitesoftware is simple and powerful. In fact, here at Freedom of the Press Foundation, we use it too. But we also lack viable alternatives with the flexibility needed in modern newsrooms, and anyone working in a newsroom has probably asked themselves: What can Google see? What about our most sensitive conversations and documents? What about documents that concern our own unreleased reporting, or information on our sources?
(Full disclosure: I previously worked at Google, and for a long time, even I didn’t know.)
Documents within your G Suite domain arenotend-to-end encrypted, meaning that Google has everything they need to read your data. This insight into user data means that U.S. agencies have the ability to compel Google to hand over relevant user data to aid in investigations. G Suite also offers organizations powerful tools to monitor and retain information about their employees’ activities.
In our ideal world, Google would provide end-to-end encrypted G Suite services, allowing media and civil society organizations to collaborate on their work in a secure and private environment whenever possible. Until we have a way to do that, journalists should understand the risks alongside the benefits of using G Suite, and how to be mindful when using it. For now we should consider when to keep our most sensitive data off of G Suite in favor of an end-to-end encrypted alternative, local storage, or off of a computer altogether.
First thing’s first: What can Google see?
Google’s St. Ghislain, Belgium data center. Source:Google
G Suite is doinga lot of workin the background to prevent hacking attempts on your organization’s Google accounts, monitoring for suspicious access attempts and incoming email to your domain. But to provide these services, Google needs enormous visibility into how you use your account.
When users connect to Google services, the connection is protected bystrong encryption, making it unreadable to eavesdroppers as their data moves across the web to Google’s data centers –a global networkof facilities for storing backups of user data. Similarly, data at rest on Google’s servers is stored in an encrypted format so that it can’t be read unless someone with the necessary access needs to unscramble it.
Google has many reasons why they might end up reading your data.
G Suite is a little different than other Google services. You might expect Google to use your G Suite data to target ads. In fact, they say thatthey do not use G Suite data for advertising. Instead Google leverages G Suite user data for several purposes, including filtering for spam, malware ortargeted attackdetection, spellcheck and for assisting with search within a user’s Google account. They may scan for content that is illegal, or in violation of Google’s policies.
We’ve seen examples where journalists’ work has been inadvertently flagged in violation of Google’s terms of service, evenwhen there were no violations.
Has anyone had@ googledocslock you out of a doc before? My draft of a story about wildlife crime was just frozen for violating their TOS.
– Rachael Bale (@Rachael_Bale) (October) , 2017
Google may also be compelled to share relevant user data as part of law enforcement investigations.
Though G Suite can be configured to comply withdozens of standardsfor storing sensitive data (eg,HIPAAfor protected health information) these protections do not promise end-to-end encryption, meaning that your data is usually still stored in a format legible to the company.
Physical protections
Google says that theyprovide several protectionsfor their data centers. Employees need an authorized key card, and approval from their manager and the data center director to enter authorized parts of the building. Closed-circuit TV cameras are inside and outside of these buildings, recording at all hours of the day, every day of the week. They provide some interesting details, down to the number of days these recordings are retained. (It’s 30 days.) They log and audit access. Their servers detect and remove unexpected modifications to the software, so both physical and remote attacks would be tough to pull off.
While we have a lot of details about their infrastructure, we don’t know as much about the humans behind the infrastructure. That is, we don’t know much about how many people at Google have access to user data, nor how that access is determined. What kind of user data might they have access to, and under what circumstances? How many people can actually pull user data, say, responsive to a legal request? We don’t know.
What we can say is that Google has said in their security documentationthat they constrain the number of employees who have access, log employee access to user data, and conduct both internal and external audits on employee access. Employees caught abusing their access would likely be fired, and may face legal action.
“To help ensure that only this limited set of trusted employees uses their given access as approved by Google, we use a combination of automated tools and manual reviews to examine employee access to customer data and detect any suspicious events. We strictly enforce our policies for customer data access. We have established an incident response team to investigate violations of misappropriation of customer data. We have established a disciplinary process for noncompliance with internal processes which could include immediate termination from Google, lawsuits and criminal prosecution. ”
While Google says they have built processes designed to curb abuse of user data, the company maintains the ability to read and analyze the data you put into your G Suite account , as well as data passively generated as you use these tools. This includes your organization’s activities when using G Suite.
What can government agencies see?
In the summer of 2012, reporters released a flurry of books and articles regarding national security activities within the Obama administration. Among the many reporters who worked on these stories, New York Times reporterDavid Sangerpublished abookandreportdetailing the inner-workings of the (Stuxnet) malware, widely considered to be designed by the US and Israeli governments with the intention to disrupt the Iranian nuclear program. Following these disclosures, FBI investigators requested data from electronic communications providers, including Google.
Court documentsshow that FBI investigators compelled Google to hand over a variety of user data as part of their investigations into an alleged source,James E. Cartwright, a retired Marine Corps general who served under President Obama as vice chairman of the Joint Chiefs of Staff. This user data included email exchanges between Cartwright and three reporters, including David Sanger.
Contact dates and frequency between an investigative target’s Gmail account and a reporter. Source:US District Court for the District of Columbia
The court ordered Google to disclose sent, received, deleted messages, and address books attached to Cartwright’s Gmail account. They also requested videos, computer files, received, sent and deleted messages, as well as metadata records including logs of Cartwright’s activities, dates, times, information about Cartwright’s internet connection, account preferences, subscriber information, IP addresses, and locations.
This sounds like a lot, and it is. But the truth is this only scratches the surface of what’s possible.
How does this work?
In the US, government agencies can compel any US communications provider to disclose information about their users – of course, this includes Google. These requests usually take the form of a subpoena, court order, or search warrant, compelling a company to provide data to the requesting agency.
According toGoogle’s data transparency report, the company receives more law enforcement requests with each passing year. In 2018 Google received 43, 683 US government requests for user data from 124, 991 accounts. In 81% of those requests the company provided data. We can see that Google doesn’t cooperate as nicely with most countries, and Google reports they almost never comply with some countries (eg,Turkey).
The most common type of request, a subpoena, can yield valuable data about the user’s account. This data may include the user’s IP addresses and the times they are logged in. This can be used for a rough estimation of a user’s location and patterns of movement.
Thecontentof a user’s account (eg, a message in an email, or the content of Google Docs) usually requires a search warrant with a higher threshold to demonstrate to a court that a data request is relevant to their investigation. Investigators may also issue preservation requests, requiring the company to retain certain types of user data for investigative purposes.
Google explains their process in this video.
The company says that when they receive a warrant for content within a user’s account, their legal team sometimes receives data requests that are “so vague and broad” that they ‘ll work with investigators to narrow a warrant or ask a judge to amend it. This helps the company to constrain any disclosure of user data.
The short version: if it’s in your account and Google can read it, it’s also subject to request from government agencies.
What can your employer see?
G Suite allows administrative users to view a remarkable level of user data within their organization, depending on what version of G Suite you have.
There are several versions of G Suite [1], but G Suite has three core versions of its service,G Suite Basic, (G Suite Business, andG Suite Enterprise, each tier offering more storage capacity, as well as more tools for storing and analyzing an organization’s user data. You can see all of the differences between each versionhere.
In general, G Suite Enterprise offers administrators the greatest transparency into users’ Google activities, followed by G Suite Business. Finally, G Suite Basic offers the fewest monitoring capabilities.
When we talk about monitoring capabilities, what do we mean?
G Suite Access Transparency interface. Source: Google’sG Suite Security Center product marketing page
G Suite offers some powerful tools for searching for account and device data within the G Suite domain. Administrators can search for things like Gmail and Google Drive content, as well as metadata (e.g., dates, subject lines, recipients). They can create as many rules as they choose to automate how this data is treated. All of this data can be logged and retained, depending on how the administrator chooses to configure G Suite.
By default, G Suite Enterprise enables a feature calledAccess Transparency, which allows administrators to see who has looked at each document within the organization. Administratorscan monitorGmail, Calendar, Drive, Sheets, Slides, and more, from both desktop and mobile devices. This may also include other forms of metadata, including IP addresses. Administrators can even receive push alerts for targeted behaviors. This could be used for organizations that want to monitor for behaviors they deem suspicious.
Similarly, G Suite Business , Enterprise, or Drive Enterprise administrators can optionally enable a feature calledGoogle Vault, which helps organizations create custom rules for retaining user data . What does this mean?
If you’ve had the ability to see organizational data from your G Suite account , it’s visible to your administrator. The question is how long they have access for, and that all depends on what kinds of retention rules they create.
For a fun example, administrators have the choice to keep draft copies of emails, even after the email is removed from the draft folder. These drafts can even be ported into Vault minute by minute. In other words, administrators have the ability to read your draft emails live, or replay them after the fact.
Screenshot of multiple iterations of a draft email within Google Vault. Source:August Brice
There are many legitimate reasons to give administrators this far-reaching ability to organize and retain user data, such as compliance with legal requests. All of this logging and retention functionality may also help your organization’s administrators monitor for security incidents. But as a user of these systems, it’s nonetheless important to understand that the documents we access, and the things we write in each document are potentially visible to the organization’s administrator, and whoever they answer to.
Using G Suite mindfully
You still need to get your work done, and G Suite may play a critical role. Take a few steps to learn how to use it in a way that makes you feel comfortable.
Consider giving yourself a G Suite audit.Look through your Gmail, Drive, and potentially Google-connected activity on mobile devices that are tied to your G Suite domain. If you can see it, the administrator can likely see it. If the administrator can see it, Google can likely see it. And if Google can see it, it’s likely subject to requests from government agencies.
A lot of journalistic work done in G Suite ends up in publication, and isn’t terribly secretive. However, there are some things you probably wouldn’t want to hear read aloud in federal court, such as unpublished details on your sources.
Consider getting details from your G Suite administrator.You can delete unwanted data, but depending on your organization’s retention settings, it’s not necessarily gone. Consider doing some homework to identify your G Suite administrators and find out what G Suite version you have. If your organization has G Suite Business or Enterprise versions, find out what rules your organization has set up inGoogle Vault,Access Transparency, as well as any internal policies your organization may have for administrative data retention and access.
Consider carefully what you put in G Suite.There are times when it’s best to store our data somewhere besides G Suite. Data about internal credentials, sources, long-term investigations, and other sensitive data may belong somewhere else.
It may be that another cloud service provider that stores your data in an end-to-end encrypted format (eg,Tresorit) is a better choice for sensitive data. The main trade-off is that these services are not free. Likewise, sometimes it’s best to keep data offline or off a computer entirely.
G Suite offers powerful tools that help us collaborate and build long-term memory in our work. But it may also remember things we prefer to keep to ourselves. Be mindful about when it’s the right tool for the job.
Photo by Gabriel Jorby. CC BY-ND 2.0
[1] On top of the three core versions, Basic, Business, and Enterprise, G Suite offers multiple versionsfor schools, similar to Business and Enterprise accounts. They also offer G Suite forgovernment, and a version of G Suite fornonprofits, which are similar to Basic accounts. Then there’sDrive Enterprise, which includes Google Drive but strips out other G Suite apps.
(Read More)
GIPHY App Key not set. Please check settings