Newsrooms, let’s talk about Google Workspace

Martin Shelton

Principal Researcher

If you work in a newsroom, there’s a good chance you work with colleagues on Google Docs, Slides, Sheets, and more. Google Workspace (previously known as G Suite) is simple and powerful. In fact, here at Freedom of the Press Foundation, we use it too. But we also lack viable alternatives with the flexibility needed in modern newsrooms, and anyone working in a newsroom has probably asked themselves: What can Google see? What about our most sensitive conversations and documents? What about documents that concern our own unreleased reporting, or information on our sources?

(Full disclosure: I previously worked at Google, and for a long time, even I didn't know.)

In most cases, documents within your Google Workspace domain are not end-to-end encrypted, meaning that Google has everything they need to read your data. This insight into user data means that U.S. agencies have the ability to compel Google to hand over relevant user data to aid in investigations. Google Workspace also offers organizations powerful tools to monitor and retain information about their employees’ activities.

In our ideal world, Google would provide end-to-end encrypted Google Workspace services to all of its users, allowing media and civil society organizations to collaborate on their work in a secure and private environment whenever possible. Until we have a way to do that, journalists should understand the risks alongside the benefits of using Google Workspace, and how to be mindful when using it. For now we should consider when to keep our most sensitive data off of Google Workspace in favor of an end-to-end encrypted alternative, local storage, or off of a computer altogether.

First things first: What can Google see?

Google’s St. Ghislain, Belgium data center. Source: Google

Google Workspace is doing a lot of work in the background to prevent hacking attempts on your organization’s Google accounts, monitoring for suspicious access attempts and incoming email to your domain. But to provide these services, Google needs enormous visibility into how you use your account.

When users connect to Google services, the connection is protected by strong encryption, making it unreadable to eavesdroppers as their data moves across the web to Google’s data centers — a global network of facilities for storing backups of user data. Similarly, data at rest on Google’s servers is stored in an encrypted format so that it can’t be read unless someone with the necessary access needs to unscramble it.

Google has many reasons why they might end up reading your data.

Google Workspace is a little different from other Google services. You might expect Google to use your Workspace data to target ads. In fact, they say that they do not use Google Workspace data for advertising. Instead, Google uses your Workspace data for several other purposes, including spam filtering, malware and targeted-attack detection, spellcheck, and search within a user’s account. They may also scan for content that is illegal or in violation of Google’s policies.

We've seen examples where journalists' work has been inadvertently flagged in violation of Google's terms of service, even when there were no clear violations.

Google may also be compelled to share relevant user data as part of law enforcement investigations.

We do want to recognize one hopeful development here: Google is currently in the process of testing client-side encryption, which would allow for specified documents in Google Drive to be readable only on the right user's browser. Google also announced support for client-side encryption in Google Meet. For now these features are only available to organizations using Enterprise and Education Plus editions — unfortunately, two of Google Workspace's most expensive offerings. In practice, these promising security features are likely not affordable to most newsrooms.

Though Workspace can be configured to comply with dozens of standards for storing sensitive data (e.g., HIPAA for protected health information), these protections do not promise end-to-end encryption, meaning that your data is usually still stored in a format legible to the company by default.

Physical protections

Google says that they provide several protections for their data centers. Employees need an authorized key card, and approval from their manager and the data center director to enter authorized parts of the building. Closed-circuit TV cameras are inside and outside of these buildings, recording at all hours of the day, every day of the week. They provide some interesting details, down to the number of days these recordings are retained. (It’s 30 days.) They log and audit access. Their servers detect and remove unexpected modifications to the software, so both physical and remote attacks would be tough to pull off.

While we have a lot of details about their infrastructure, we don’t know as much about the humans behind the infrastructure. That is, we don’t know much about how many people at Google have access to user data, nor how that access is determined. What kind of user data might they have access to, and under what circumstances? How many people can actually pull user data, say, responsive to a legal request? We don’t know.

What we can say is that Google has said in their security documentation that they constrain the number of employees who have access, log employee access to user data, and conduct both internal and external audits on employee access. Employees caught abusing their access would likely be fired, and may face legal action.

“To help ensure that only this limited set of trusted employees uses their given access as approved by Google, we use a combination of automated tools and manual reviews to examine employee access to customer data and detect any suspicious events. We strictly enforce our policies for customer data access. We have established an incident response team to investigate violations of misappropriation of customer data. We have established a disciplinary process for noncompliance with internal processes which could include immediate termination from Google, lawsuits and criminal prosecution.”

While Google says they have built processes designed to curb abuse of user data, the company maintains the ability to read and analyze the data you put into your Google Workspace account by default, as well as data passively generated as you use these tools. This includes your organization’s activities when using Google Workspace.

What can government agencies see?

In the summer of 2012, reporters released a flurry of books and articles concerning national security activities within the Obama administration. Among the many reporters who worked on these stories, New York Times reporter David Sanger published a book and report detailing the inner workings of the Stuxnet malware, widely considered to be designed by the U.S. and Israeli governments with the intention to disrupt the Iranian nuclear program. Following these disclosures, FBI investigators requested data from electronic communications providers, including Google.

Court documents show that FBI investigators compelled Google to hand over a variety of user data as part of their investigations into an alleged source, James E. Cartwright, a retired Marine Corps general who served under President Obama as vice chairman of the Joint Chiefs of Staff. This user data included email exchanges between Cartwright and three reporters, including David Sanger.

Contact dates and frequency between an investigative target’s Gmail account and a reporter. Source: U.S. District Court for the District of Columbia

Details of the data types requested. Source: U.S. District Court for the District of Columbia

The court ordered Google to disclose sent, received, deleted messages, and address books attached to Cartwright’s Gmail account. They also requested videos, computer files, received, sent and deleted messages, as well as metadata records including logs of Cartwright’s activities, dates, times, information about Cartwright’s internet connection, account preferences, subscriber information, IP addresses, and locations.

This sounds like a lot, and it is. But the truth is this only scratches the surface of what’s possible.

How does this work?

In the U.S., government agencies can compel any U.S. communications provider to disclose information about their users — of course, this includes Google. These requests usually take the form of a subpoena, court order, or search warrant, compelling a company to provide data to the requesting agency.

According to Google's data transparency report, the company receives more law enforcement requests with each passing year. In 2020 Google received 78,591 U.S. government requests for user data from 168,663 accounts. In roughly 82% of those requests the company provided data. We can see that Google doesn’t cooperate as nicely with most countries, and Google reports they almost never comply with some countries (e.g., Turkey).

A simple subpoena can yield valuable data about the user’s account. This data may include the user’s IP addresses and the times they are logged in. This can be used for a rough estimation of a user’s location and patterns of movement.

The content of a user’s account (e.g., a message in an email, or the content of Google Docs) usually requires a search warrant with a higher threshold to demonstrate to a court that a data request is relevant to their investigation. Investigators may also issue preservation requests, requiring the company to retain certain types of user data for investigative purposes.

Google explains their process in this video.

The company says that when they receive a warrant for content within a user’s account, their legal team sometimes receives data requests that are “so vague and broad” that they’ll work with investigators to narrow a warrant or ask a judge to amend it. This helps the company to constrain any disclosure of user data.

The short version: if it’s in your account and Google can read it, it’s also subject to request from government agencies.

What can your employer see?

Google Workspace allows administrative users to view a remarkable level of user data within their organization, depending on what version you have.

There are several versions of Google Workspace [1], but it has four core versions of its service — Business Starter, Business Standard, Business Plus, and Enterprise — each tier offering more storage capacity, as well as more tools for storing and analyzing an organization’s user data. You can see differences between each version here.

In general, Enterprise editions offer administrators the greatest transparency into users’ Google activities, followed by Business Plus. Finally, the Business Starter and Business Standard editions offer the fewest monitoring capabilities.

When we talk about monitoring capabilities, what do we mean?

Google Workspace offers some powerful tools for searching for account and device data within the organization's domain. Administrators can search for things like Gmail and Google Drive content, as well as metadata (e.g., dates, subject lines, recipients). They can create as many rules as they choose to automate how this data is treated. All of this data can be logged and retained, depending on how the administrator chooses to configure Workspace.

Google Workspace provides audit logs, which allow administrators to see who has looked at, or modified each document, as well as chat activity within the organization. Administrators can monitor Gmail, Calendar, Drive, Sheets, Slides, Meet, Chat, and more, from both desktop and mobile devices. This may also include other forms of metadata, including IP addresses. Administrators can even receive push alerts for targeted behaviors. This could be used for organizations that want to monitor for behaviors they deem suspicious.
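To make the visibility described above concrete, here is an added example (not code from the article or from Google) showing what an administrator can reconstruct from Drive audit-log entries: who viewed or edited a document, from which IP addresses, and when its sharing changed. The record layout follows the shape of the Admin SDK Reports API Drive activity response (`id`/`actor`/`ipAddress`/`events`); the entries, addresses and document ids are constructed, and `summarize_drive_activity` is a hypothetical helper name.

```python
# Added example: summarizing Drive audit-log entries the way an administrator
# (or a newsroom auditing its own exposure) would. The record shape mirrors the
# Admin SDK Reports API activities.list response for applicationName="drive";
# all values below are constructed sample data, not real accounts or documents.
from collections import defaultdict

SAMPLE_DRIVE_ACTIVITIES = [  # constructed sample log entries
    {"id": {"time": "2021-03-01T14:02:11.000Z", "applicationName": "drive"},
     "actor": {"email": "reporter@example-newsroom.org"},
     "ipAddress": "203.0.113.7",
     "events": [{"type": "access", "name": "edit",
                 "parameters": [{"name": "doc_id", "value": "doc-001"},
                                {"name": "doc_title", "value": "Source notes - draft"},
                                {"name": "owner", "value": "reporter@example-newsroom.org"}]}]},
    {"id": {"time": "2021-03-01T16:40:03.000Z", "applicationName": "drive"},
     "actor": {"email": "editor@example-newsroom.org"},
     "ipAddress": "198.51.100.22",
     "events": [{"type": "access", "name": "view",
                 "parameters": [{"name": "doc_id", "value": "doc-001"},
                                {"name": "doc_title", "value": "Source notes - draft"}]}]},
    {"id": {"time": "2021-03-02T09:15:48.000Z", "applicationName": "drive"},
     "actor": {"email": "reporter@example-newsroom.org"},
     "ipAddress": "203.0.113.7",
     "events": [{"type": "acl_change", "name": "change_document_visibility",
                 "parameters": [{"name": "doc_id", "value": "doc-001"},
                                {"name": "doc_title", "value": "Source notes - draft"},
                                {"name": "visibility", "value": "shared_externally"}]}]},
]

def _params(event):
    """Flatten an event's list of {name, value} parameters into a dict."""
    return {p["name"]: p.get("value") for p in event.get("parameters", [])}

def summarize_drive_activity(activities):
    """Per document id: title, viewers, editors, source IPs and sharing changes."""
    docs = defaultdict(lambda: {"title": None, "viewers": set(), "editors": set(),
                                "ips": set(), "sharing_changes": []})
    for act in activities:
        actor = act.get("actor", {}).get("email", "<unknown>")
        for ev in act.get("events", []):
            p = _params(ev)
            rec = docs[p.get("doc_id", "<no-id>")]
            rec["title"] = p.get("doc_title", rec["title"])
            rec["ips"].add(act.get("ipAddress", "<none>"))   # metadata, not content
            if ev.get("name") == "view":
                rec["viewers"].add(actor)
            elif ev.get("name") == "edit":
                rec["editors"].add(actor)
            elif ev.get("type") == "acl_change":
                rec["sharing_changes"].append((act["id"]["time"], actor, p.get("visibility")))
    # Sets become sorted lists so the summary is deterministic.
    return {d: {**r, "viewers": sorted(r["viewers"]), "editors": sorted(r["editors"]),
                "ips": sorted(r["ips"])} for d, r in docs.items()}

if __name__ == "__main__":
    for doc_id, rec in summarize_drive_activity(SAMPLE_DRIVE_ACTIVITIES).items():
        print(doc_id, rec)
```

Note that nothing here needs the document's contents: access patterns, IP addresses and sharing changes alone are enough to tell who worked on "Source notes - draft" and when it left the organization.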

Similarly, Business and Enterprise administrators can optionally enable a feature called Google Vault, which helps organizations create custom rules for retaining user data. What does this mean?

If you’ve had the ability to see organizational data from your Google Workspace account, it’s visible to your administrator. The question is how long they have access for, and that all depends on what kinds of retention rules they create.

For a fun example, administrators have the choice to keep draft copies of emails, even after the email is removed from the draft folder. These drafts can even be ported into Vault minute by minute. In other words, administrators have the ability to read your draft emails live, or replay them after the fact.

Screenshot of multiple iterations of a draft email within Google Vault. Source: August Brice

There are many legitimate reasons to give administrators this far-reaching ability to organize and retain user data, such as compliance with legal requests. All of this logging and retention functionality may also help your organization’s administrators monitor for security incidents. But as a user of these systems, it’s nonetheless important to understand that the documents we access, and the things we write in each document are potentially visible to the organization’s administrator, and whoever they answer to.

Using Google Workspace mindfully

You still need to get your work done, and Google Workspace may play a critical role. Take a few steps to learn how to use it in a way that makes you feel comfortable.

Consider giving yourself a Workspace audit. Look through your Gmail, Drive, and potentially Google-connected activity on mobile devices that are tied to your Workspace domain. If you can see it, the administrator can likely see it. If the administrator can see it, Google can likely see it. And if Google can see it, it’s likely subject to requests from government agencies.

A lot of journalistic work done in Google Workspace ends up in publication, and isn’t terribly secretive. However, there are some things you probably wouldn’t want to hear read aloud in federal court, such as unpublished details on your sources.

Consider getting details from your Workspace administrator. You can delete unwanted data, but depending on your organization’s retention settings, it’s not necessarily gone. Consider doing some homework to identify your Workspace administrators and find out what version your organization has. If your organization has Business Plus or Enterprise versions, find out what rules your organization has set up in Google Vault, audit logs, as well as any internal policies your organization may have for administrative data retention and access.

Consider carefully what you put in Google Workspace. There are times when it’s best to store our data somewhere besides Workspace. Data about internal credentials, sources, long-term investigations, and other sensitive data may belong somewhere else.

It may be that another cloud service provider that stores your data in an end-to-end encrypted format (e.g., Tresorit) is a better choice for sensitive data. The main trade-off is that these services are typically not free. Likewise, sometimes it’s best to keep data offline or off a computer entirely.

Google Workspace offers powerful tools that help us collaborate and build long-term memory in our work. But it may also remember things we prefer to keep to ourselves. Be mindful about when it’s the right tool for the job.

Correction: We erroneously referred to the Enterprise "access transparency" feature when describing audit logs, and have corrected this language.

[1] When Google rebranded from G Suite to Google Workspace in late 2020, they changed a number of the names of their offerings. Those can be found here. On top of the four core editions with varying levels of storage and support, Google has some additional offerings for government organizations, nonprofits and schools. Then there’s Google Workspace Essentials, which includes most Workspace applications (e.g., Google Drive) except for Gmail and Calendar.
