Newsrooms, let’s talk about Google Workspace
Dr. Martin Shelton
March 13, 2024
Photo by Gabriel Jorby. CC BY-ND 2.0
If you work in a newsroom, there’s a good chance you collaborate with colleagues using Google Docs, Slides, Sheets, and more. Google Workspace (previously known as G Suite) is simple and powerful. In fact, here at Freedom of the Press Foundation, we use it too. But there’s a lack of viable alternatives that have the flexibility modern newsrooms need, and anyone working in a newsroom has probably asked themselves: What can Google see? What about our most sensitive conversations and documents? What about documents that concern our own unreleased reporting, or information on our sources?
(Full disclosure: I previously worked at Google, and for a long time, even I didn't know.)
Threats to press freedom around the world are at an all-time high. Sign up to stay up to date and take action to protect journalists and whistleblowers everywhere.
Thanks for signing up for our newsletter. You are not yet subscribed! Please check your email for a message asking you to confirm your subscription.
In most cases, documents within your Google Workspace domain are not end-to-end encrypted, meaning that Google has everything it needs to read your data. This means that U.S. agencies have the ability to compel Google to hand over relevant user data to aid in investigations. Google Workspace also offers organizations powerful tools to monitor and retain information about their employees’ activities.
In our ideal world, Google would provide end-to-end encrypted Google Workspace services to all of its users, allowing media and civil society organizations to collaborate on their work in a secure and private environment whenever possible. Until we have a way to do that, journalists should understand the risks alongside the benefits of using Google Workspace, and how to be mindful when using it. For now we should consider when to keep our most sensitive data off of Google Workspace in favor of an end-to-end encrypted alternative, local storage, or off of a computer altogether.
Google’s St. Ghislain, Belgium data center. Source: Google
Google Workspace is doing Google Workspace is doing a lot of work in the background to prevent hacking of your organization’s Google accounts, monitoring for suspicious access attempts and incoming email to your domain. But to provide these services, Google needs enormous visibility into how you use your account.
When users connect to Google services, the connection is protected by strong encryption. This makes it unreadable to eavesdroppers as their data moves across the web to Google’s data centers — a global network of facilities for storing backups of user data. Similarly, data at rest on Google’s servers is stored in an encrypted format so that it can’t be read unless someone with the necessary access needs to unscramble it.
Google has many reasons why it might end up reading your data.
Google Workspace is a little different from other Google services. You might expect Google to use your Workspace data to target ads. In fact, the company says that it doesn’t use Google Workspace data for advertising. Instead, Google leverages your Workspace user data for several purposes, including filtering for spam, malware or targeted attack detection, spellcheck, and assisting with search within a user’s account. It might scan for content that is illegal, or in violation of Google’s policies.
We've seen examples where journalists' work has been inadvertently flagged for breaching Google's terms of service, even when there were no clear violations.
https://web.archive.org/web/20171101010212/https://twitter.com/Rachael_Bale/status/925352538110595072
Google may also be compelled to share relevant user data as part of law enforcement investigations.
We do want to recognize one hopeful development here: Google is currently in the process of rolling out client-side encryption, which allows for items in Google Drive and Google Calendar, as well as specific messages in Gmail and Google Meet meetings, to be legible only on the right user's browser. For now these features are only available to organizations using Enterprise, Education, and Education Plus editions — unfortunately, some of Google Workspace's most expensive offerings. In practice, these promising security features are likely not affordable to most newsrooms.
Though Workspace can be configured to comply with dozens of standards for storing sensitive data (e.g., HIPAA for protected health information), these protections do not promise end-to-end encryption, meaning that your data is usually still stored in a format legible to the company by default.
Google says that they Google says that it provides several protections for its data centers. Employees need an authorized key card and approval from their manager and the data center director to enter secure parts of the building. Closed-circuit TV cameras are inside and outside of these buildings, recording at all hours of the day, every day of the week. Google provides some interesting details, down to the number of days these recordings are retained. (It’s up to 30 days.) The company logs and audits access, and its servers detect and remove unexpected modifications to the software, so both physical and remote attacks would be tough to pull off.
While we have a lot of details about Google’s infrastructure, we don’t know as much about the humans behind it. That is, we don’t know much about how many people at Google have access to user data, nor how that access is determined. What kind of user data might they have access to, and under what circumstances? How many people can actually pull user data, say, in response to a legal request? We don’t know.
What we can say is that Google has said in its security documentation that it limits the number of employees who have access, logs employee access to user data, and conducts both internal and external audits on employee access. Employees caught abusing their access would likely be fired, and may face legal action.
"To help ensure that only this limited set of trusted employees uses their given access as approved by Google, we use a combination of automated tools and manual reviews to examine employee access to customer data and detect any suspicious events. We strictly enforce our policies for customer data access. We have established an incident response team to investigate violations of misappropriation of customer data. We have established a disciplinary process for noncompliance with internal processes which can result in immediate termination from Google, lawsuits and criminal prosecution."
While Google says it has built processes designed to curb abuse of user data, the company maintains the ability to read and analyze the data you put into your Google Workspace account by default, as well as data passively generated as you use these tools. This includes your organization’s activities when using Google Workspace.
In the summer of 2012, reporters released a flurry of books and articles concerning national security activities within the Obama administration. Among the many journalists who worked on these stories, New York Times reporter David Sanger published a book and report detailing the inner-workings of the Stuxnet malware, widely considered to be designed by the U.S. and Israeli governments to disrupt the Iranian nuclear program. Following these disclosures, FBI investigators requested data from electronic communications providers, including Google.
Court documents show that FBI investigators compelled Google to hand over a variety of user data as part of their investigations into an alleged source, James E. Cartwright, a retired Marine Corps general who served under President Barack Obama as vice chairman of the Joint Chiefs of Staff. This user data included email exchanges between Cartwright and three reporters, including Sanger.
A court document shows contact dates and communication frequency between an investigative target’s Gmail account and a reporter. Source: U.S. District Court for the District of Columbia
A court document shows details of the data types requested. Source: U.S. District Court for the District of Columbia
The court ordered Google to disclose sent, received, and deleted messages, and address books attached to Cartwright’s Gmail account. They also requested videos, computer files, and metadata records — including logs of Cartwright’s activities, dates, times, information about his internet connection, account preferences, subscriber information, IP addresses, and locations.
This sounds like a lot, and it is. But the truth is this only scratches the surface of what’s possible.
In the U.S., government agencies can compel any U.S. communications provider to disclose information about their users — of course, this includes Google. These requests usually take the form of a subpoena, court order, or search warrant, compelling a company to provide data to the requesting agency.
According to Google's data transparency report, the company receives more law enforcement requests with each passing year. In 2022, Google received 111,608 U.S. government requests for user data from 207,360 accounts. In roughly 84% of those requests, the company provided data. We can see that Google doesn’t cooperate as nicely with most countries, and Google reports that it almost never complies with some countries’ requests (e.g., Turkey).
A simple subpoena can yield valuable data about the user’s account. This data may include the user’s IP addresses and the times they are logged in. This can be used for a rough estimation of a user’s location and patterns of movement.
The content of a user’s account (e.g., a message in an email, or the text of a Google Doc) usually requires a search warrant with a higher threshold to demonstrate to a court that a data request is relevant to an investigation. Investigators may also issue preservation requests, requiring the company to retain certain types of user data for investigative purposes.
Google explains its process in this video.
The company says that when it receives a warrant for content within a user’s account, the requests are sometimes "so vague and broad” that its legal team will work with investigators to narrow a warrant or ask a judge to amend it. This helps the company to curb any disclosure of user data.
The short version: if it’s in your account and Google can read it, it’s also subject to request from government agencies.
Google Workspace allows administrative users to view a remarkable level of user data within their organization, depending on what version you have.
There are several versions of Google Workspace [1], but it has four core versions of its service — Business Starter, Business Standard, Business Plus, and Enterprise — each tier offering more storage capacity, as well as more tools for storing and analyzing an organization’s user data. You can see differences between each version here.
In general, Enterprise editions offer administrators the greatest transparency into users’ Google activities, followed by Business Plus. Finally, Google Workplace Starter and Standard editions offer the fewest monitoring capabilities.
When we talk about monitoring capabilities, what do we mean?
Source: Google’s Google Workspace Security Center product marketing page
Google Workspace offers some powerful tools for searching for account and device data within the organization's domain. For example, administrators can search the content of Gmail and Google Drive, as well as metadata (e.g., dates, subject lines, recipients). They can create as many rules as they choose to automate how this data is treated. All of this data can be logged and retained, depending on how the administrator chooses to configure Workspace.
Google Workspace provides audit logs that allow administrators to see who has looked at or modified each document, as well as chat activity within the organization. Administrators can monitor Gmail, Calendar, Drive, Sheets, Slides, Meet, Chat, and more, from both desktop and mobile devices. They may also monitor other forms of metadata, including IP addresses. Administrators can even receive push alerts for targeted behaviors. This could be used for organizations that want to monitor for behaviors they deem suspicious.
Similarly, Business and Enterprise administrators can optionally enable a feature called Google Vault, which helps organizations create custom rules for retaining user data. What does this mean?
If you’ve had the ability to see organizational data from your Google Workspace account, it’s visible to your administrator. The question is how long they have access for, and that all depends on what kinds of retention rules they create.
For a fun example, administrators have the choice to keep draft copies of emails, even after the email is removed from the draft folder. These drafts can even be ported into Vault minute by minute. In other words, administrators have the ability to read your draft emails live, or replay them after the fact.
Screenshot of multiple iterations of a draft email within Google Vault. Source: August Brice
There are many legitimate reasons to give administrators this far-reaching ability to organize and retain user data, such as compliance with legal requests. All of this logging and retention functionality may also help your organization’s administrators monitor for security incidents. But as a user of these systems, it’s nonetheless important to understand that the documents we access, and the things we write in each document are potentially visible to the organization’s administrator, and whoever they answer to.
You still need to get your work done, and Google Workspace may play a critical role. Take a few steps to learn how to use it in a way that makes you feel comfortable.
Look through your Gmail, Drive, and activity on Google services when you are logged in on mobile devices that are tied to your Workspace domain. If you can see it, the administrator can likely see it. If the administrator can see it, Google can likely see it. And if Google can see it, it’s likely subject to requests from government agencies.
A lot of journalistic work done in Google Workspace ends up in publication, and isn’t terribly secretive. However, there are some things you probably wouldn’t want to hear read aloud in federal court, such as unpublished details on your sources.
You can delete unwanted data, but depending on your organization’s retention settings, it’s not necessarily gone. Consider doing some homework to identify your Workspace administrators and find out what version your organization has. If your organization has Business Plus or Enterprise versions, find out what rules your organization has set up in Google Vault and audit logs, as well as any internal policies your organization may have for administrative data retention and access.
There are times when it’s best to store our data somewhere besides Workspace. Data about internal credentials, sources, long-term investigations, and other sensitive information may belong somewhere else.
It may be that another cloud service provider that stores your data in an end-to-end encrypted format (e.g., Tresorit) is a better choice for sensitive data. The main trade-off is that these services are typically not free. Likewise, sometimes it’s best to keep data offline or off a computer entirely.
Google Workspace offers powerful tools that help us collaborate and build long-term memory in our work. But it may also remember things we prefer to keep to ourselves. Be mindful about when it’s the right tool for the job.
Correction: We erroneously referred to the Enterprise "access transparency" feature when describing audit logs, and have corrected this language.
[1] When Google rebranded from G Suite to Google Workspace in late 2020, it changed a number of the names of its offerings. Those can be found here. On top of the four core versions with varying levels of storage and support, Google has some additional offerings for government organizations, nonprofits, and schools. Then there’s Google Workspace Essentials, which includes most Workspace applications (e.g., Google Drive) except for Gmail and Calendar.