Ex-Employee Claims Your G Suite Data Is Not Encrypted
A report by a former Google employee on the ‘Freedom of the Press Foundation’ website warns organisations that any data stored on Google’s G Suite is not encrypted, can be accessed by administrators and can be shared with law enforcement on request.
G Suite is Google’s set of cloud-based computing, productivity and collaboration tools including Gmail, Drive (for your company documents) and Calendar.
Former Google employee Martin Shelton alleges that files stored within Google’s G Suite have no end-to-end encryption as other Google services do, thereby potentially leaving business data vulnerable to being viewed by Google and by other persons such as Administrators. Mr Shelton reports that:
- While Google leverages your G Suite user data for e.g. filtering for spam, malware or targeted attack detection, it can also scan a user’s Google account for content that is illegal, or in violation of Google’s policies.
- U.S. agencies can compel Google to hand over relevant user data from G Suite accounts to aid in investigations.
- Business versions of G Suite, such as G Suite Enterprise, offer administrators the tools to monitor users and search device data within the G Suite domain thereby giving them remarkable levels of transparency to users’ (employees’) Google activities, For example, Administrators can search for Gmail and Google Drive content, and metadata (e.g. dates, subject lines, recipients), and can log and retain this data.
- Administrators can monitor Gmail, Calendar, Drive, Sheets, Slides, and more, from desktop and mobile devices and can receive push alerts for certain (suspicious) behaviours.
- Administrators can use audit logs to see who has looked at or modified each document within the organisation.
Not The First Time
This is not the first time that Google has made the news over G Suite privacy. Back in July 2018, The Wall Street Journal highlighted how third-party developers could view Gmail users’ messages.
What Does This Mean For Your Business?
This is clearly some unwanted publicity for Google, particularly when there is fierce competition in the business Cloud services market.
The advice for those worried about G Suite’s privacy and security suggested by former Google employee Martin Shelton is to use G Suite mindfully and give yourself a G Suite audit (Gmail, Drive, and Google-connected activity on mobile devices). This way, if you can see certain data you can assume that the administrator and Google are likely to also be able see it.
Also, if you are concerned about unknown administrators seeing your G Suite data you could consider trying to identify who your G Suite administrators are, what G Suite version you have, whether your organisation is using G Suite Business or Enterprise, finding out what rules have been set in Google Vault and audit logs, and what policies exist for administrative data retention and access.
Mr Shelton also suggests that users may wish to find another cloud service provider that has end-to-end encrypted format to store any particularly sensitive data, or to simply keep data offline or off a computer entirely.