How far is Google willing to go to secure your data? It’s a question I get asked a lot. For this article I’ll be focusing specifically on the Google Drive service. Many of these policies are broad and also apply to some other services like Gmail, but I will not cover beyond what pertains to Google Drive.
What is Google Drive?
Google Drive is a service that lets you store your personal files in the “cloud”. That is to say, on Google’s servers out there on the internet somewhere. Drive is a direct competitor to other services like Dropbox, iCloud, SpiderOak, and Microsoft OneDrive.
For a more complete list of cloud storage services, see this Wikipedia page.
Without going into detail, these cloud storage services store your files in a central location so you can access them from several devices and essentially from anywhere in the world. They also offer varying levels of backup protection in case you lose something.
How Google Drive Does Security
- Before your data leaves your device, it is encrypted using the TLS standard. This is the same standard used to encrypt your browser connections to secure (HTTPS) websites. It is then uploaded to Google.
- After your data reaches Google, it gets unencrypted then re-encrypted using 128-bit AES. While not the 256-bit algorithm that most other services use, this is still perfectly fine. This is done on-the-fly before the data is actually stored, which prevents the possible leakage of unencrypted data on their hard drives.
- The AES encryption keys that were used to encrypt your data are then, themselves, encrypted with a rotating set of master keys. This adds another layer of security by requiring a second set of encryption keys to get to your data.
- This process is simply reversed when one of your devices retrieves your data from Google.
Other Security Highlights
- Two-factor authentication is supported
- Metadata is also encrypted while stored
- Your data is encrypted when moved internally
- Google Drive is not HIPAA compliant
This has become a necessary feature. Passwords are stolen so easily these days that we simply cannot do without this feature anymore. Even if you’re not using Google Drive, this should be enabled on your Google account. Go here to turn it on.
Not only your data, but all the information about your data is encrypted as well.
In response to the revelation of the NSA spying efforts, Google started encrypting all data in transit on their internal network. This means that your data is encrypted when passing between Google’s own data centers.
Because Google wants to be able to see everything you upload, they of course cannot claim HIPAA compliance.
All things considered, Google seems to be doing a very good job of keeping your data safe from hackers. It’s certainly better security than is utilized by the majority of homes and small businesses. But security is only half the story. What about the privacy of your stuff?
Google Drive Privacy Practices
If you value a high level of privacy, Google Drive probably won’t be for you. Google admits to actively scanning and analyzing everything you upload. They do this to “provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection.” Mainly, they’re interested in monetizing you with advertising. That’s what their business model is based on.
Google also retains “a worldwide license to use, host, store, reproduce, modify, create derivative works […], communicate, publish, publicly perform, publicly display and distribute” your stuff. This license to use your data specifically persists even after you stop using their services. Although they specify that there are some services which will allow you to “access and remove” your data, they are not specific in their terms of service as to which services these are.
Arguably of more important note, this license to use your data also applies to, in Google’s words, “those we work with”. This means third parties, which might include governments, social networking sites, and anyone else Google has relationships with. They don’t specify any further what entities this applies to.
Bottom line, if it’s in Google drive, then it’s not private. How you feel about that is completely personal. I don’t believe that Google is going to use your data for nefarious or questionable purposes, but the fact remains that they can. That’s worth considering, especially if you have sensitive information you’d like to store.
How to Use Google Drive More Safely
It’s a simple matter to take the security of your data into your own hands. Before putting anything into your Google Drive, encrypt it yourself on your computer. This ensures that Google will not be able to see your stuff.
See this article for instructions on how to do this for free with AxCrypt.
Alternatives to Google Drive
For all my cloud storage, I use SpiderOak. They maintain zero-knowledge practices, which means your stuff is completely private when uploaded to their servers. They couldn’t see it even if they wanted to. Read more about how they do this in my SpiderOak guide.
Another promising service that looks to have similar policies to SpiderOak is Tresorit. However, I have not used their service before so I cannot endorse it.