Yesterday, a researcher publicly reported some concerns with Google Docs. At Google, we treat the privacy and integrity of our users' data with the highest priority. We quickly investigated, and we believe that these concerns do not pose a significant security risk to our users. If you want the details, read on...
The first concern that the researcher raised is that an image embedded in a document is not deleted when a document is deleted. Images are maintained because removing them would break image references in users' other Google documents and external blogs. In addition, image URLs are known only to users who have at some point had access to the document the image is embedded in, and could therefore have saved the image anyway (which is fully expected). You can always contact support to purge images from your account.
The second concern that the researcher raised is that viewers may be able to see revisions of drawings that are included in a document, using the new "Insert Drawing" feature. The ability for document collaborators to view revision history is a feature built into Docs. The ability to view past versions of the drawings is limited to authorized persons who have been given explicit access to the document with the embedded drawing. We may consider explicitly preventing viewers from accessing drawing revisions. For now, if document owners decide they don't want viewers to have access to their revisions, they can simply make a new copy of the document (from the File menu) and share that new version. The revision history of both the document and all embedded drawings is removed in copies of documents.
The final concern that the researcher raised is that users removed from documents can, in a specific case, regain access to them. The specific case is related to the use of a feature which allows document invitations to be forwarded to more than one person. That feature was provided in response to user requests for "invitation forwarding" and sharing documents with email lists. Invitations sent using this feature contain a special key on the document link. This feature can be disabled at any time to expire previously distributed invitations which contain that special key. To do this, simply disable this feature by unchecking it (in documents and presentations, it's called "invitations may be used by anyone" and in spreadsheets it's "editors can share this item").
We have begun adding more documentation in the Help Center here and here to describe in more detail the functions related to each concern. We are also exploring alternative design options that might further address the concerns.
We'd like to thank the researcher for sharing his concerns with us. We always welcome your feedback on our products, and thank you for your continued support.
[Update 3/28/09: I failed to mention the researcher's name in the original post. His name is Ade Barkah]
The first concern that the researcher raised is that an image embedded in a document is not deleted when a document is deleted. Images are maintained because removing them would break image references in users' other Google documents and external blogs. In addition, image URLs are known only to users who have at some point had access to the document the image is embedded in, and could therefore have saved the image anyway (which is fully expected). You can always contact support to purge images from your account.
The second concern that the researcher raised is that viewers may be able to see revisions of drawings that are included in a document, using the new "Insert Drawing" feature. The ability for document collaborators to view revision history is a feature built into Docs. The ability to view past versions of the drawings is limited to authorized persons who have been given explicit access to the document with the embedded drawing. We may consider explicitly preventing viewers from accessing drawing revisions. For now, if document owners decide they don't want viewers to have access to their revisions, they can simply make a new copy of the document (from the File menu) and share that new version. The revision history of both the document and all embedded drawings is removed in copies of documents.
The final concern that the researcher raised is that users removed from documents can, in a specific case, regain access to them. The specific case is related to the use of a feature which allows document invitations to be forwarded to more than one person. That feature was provided in response to user requests for "invitation forwarding" and sharing documents with email lists. Invitations sent using this feature contain a special key on the document link. This feature can be disabled at any time to expire previously distributed invitations which contain that special key. To do this, simply disable this feature by unchecking it (in documents and presentations, it's called "invitations may be used by anyone" and in spreadsheets it's "editors can share this item").
We have begun adding more documentation in the Help Center here and here to describe in more detail the functions related to each concern. We are also exploring alternative design options that might further address the concerns.
We'd like to thank the researcher for sharing his concerns with us. We always welcome your feedback on our products, and thank you for your continued support.
[Update 3/28/09: I failed to mention the researcher's name in the original post. His name is Ade Barkah]