In a privacy error that underscores some of the biggest problems surrounding cloud-based services, Google has sent a notice to a number of users of its Document and Spreadsheets products stating that it may have inadvertently shared some of their documents with contacts who were never granted access to them.
According to the notice, this sharing was limited to people “with whom you, or a collaborator with sharing rights, had previously shared a document” – a vague statement that sounds like it could add up to quite a few people. The notice states that only text documents and presentations are affected, not spreadsheets, and provides links to each of the user’s documents that may have been shared in error.
I’ve contacted Google for confirmation and haven’t heard back, but this seems to be legit – our tipster says that he had previously shared the document listed in his notice, but now it has been reset to show 0 collaborators (one of the precautionary measures mentioned in the note).
Update: Google has confirmed that the note is real, and says that it was an isolated incident affecting less than .05% of all documents. The damage may not be widespread, but it’s still an unsettling lapse in security.
Here’s the letter in full:
Dear Google Docs user,
We wanted to let you know about a recent issue with your Google Docs account. We’ve identified and fixed a bug which may have caused you to share some of your documents without your knowledge. This inadvertent sharing was limited to people with whom you, or a collaborator with sharing rights, had previously shared a document. The issue only occurred if you, or a collaborator with sharing rights, selected multiple documents and presentations from the documents list and changed the sharing permissions. This issue affected documents and presentations, but not spreadsheets.
To help remedy this issue, we have used an automated process to remove collaborators and viewers from the documents that we identified as being affected. Since the impacted documents are now accessible only to you, you will need to re-share the documents manually. For your reference, we’ve listed below the documents identified as being affected.
We apologize for the inconvenience that this issue may have caused. We want to assure you that we are treating this issue with the highest priority.
The Google Docs Team
In short, this is a massive blunder on Google’s part. I fully appreciate the lengths Google has gone to to offer a wide array of helpful online services, many of which are free of charge. But this error highlights why cloud-based services scare many people. Regardless of what a site’s posted rules and policies are, a technical glitch is all it takes to expose your sensitive data.
Update: An affected user posted his story and the exchange he had with Google support over the issue on Slashdot.
Update 2: A Google spokesperson has confirmed that the note is real:
We fixed the bug, which affected less than 0.05% of documents, and removed any collaborators. We also contacted the users who were affected to notify them of the bug and to identify which of their documents may have been affected. We have extensive safeguards in place to protect all documents, and are confident this was an isolated incident.
Thanks to Ed McManus for the tip.