Newsrooms, let’s talk about G Suite

Martin Shelton

Principal Researcher

A photo peering into a window of the French newsroom, Le Point, where reporters are working at their desks.

If you work in a newsroom, there’s a good chance you work with colleagues on Google Docs, Slides, Sheets, and more. G Suite software is simple and powerful. In fact, here at Freedom of the Press Foundation, we use it too. But we also lack viable alternatives with the flexibility needed in modern newsrooms, and anyone working in a newsroom has probably asked themselves: What can Google see? What about our most sensitive conversations and documents? What about documents that concern our own unreleased reporting, or information on our sources?

(Full disclosure: I previously worked at Google, and for a long time, even I didn't know.)

Documents within your G Suite domain are not end-to-end encrypted: Google holds the encryption keys, so it has everything it needs to read your data. Because Google can read it, U.S. agencies can compel Google to hand over relevant user data to aid in investigations. G Suite also offers organizations powerful tools to monitor and retain information about their employees’ activities.

In our ideal world, Google would provide end-to-end encrypted G Suite services, allowing media and civil society organizations to collaborate on their work in a secure and private environment whenever possible. Until we have a way to do that, journalists should understand the risks alongside the benefits of using G Suite, and how to be mindful when using it. For now we should consider when to keep our most sensitive data off of G Suite in favor of an end-to-end encrypted alternative, local storage, or off of a computer altogether.

First things first: What can Google see?

Rows of server racks, glowing blue inside of a Google data center.

Google’s St. Ghislain, Belgium data center. Source: Google

G Suite is doing a lot of work in the background to prevent hacking attempts on your organization’s Google accounts, monitoring for suspicious access attempts and incoming email to your domain. But to provide these services, Google needs enormous visibility into how you use your account.

When users connect to Google services, the connection is protected by strong encryption, making it unreadable to eavesdroppers as their data moves across the web to Google’s data centers, the global network of facilities where user data is stored and processed. Similarly, data at rest on Google’s servers is stored in an encrypted format. This protects against someone walking off with a disk, but Google holds the keys, so anyone at the company with the necessary access can still unscramble it.

Google has many reasons why they might end up reading your data.

G Suite is a little different from other Google services. You might expect Google to use your G Suite data to target ads. In fact, they say that they do not use G Suite data for advertising. Instead Google leverages G Suite user data for several purposes, including spam filtering, malware and targeted attack detection, spellcheck, and search within a user’s Google account. They may also scan for content that is illegal or in violation of Google’s policies.

We've seen examples where journalists' work has been inadvertently flagged in violation of Google's terms of service, even when there were no violations.

Google may also be compelled to share relevant user data as part of law enforcement investigations.

Though G Suite can be configured to comply with dozens of standards for storing sensitive data (e.g., HIPAA for protected health information) these protections do not promise end-to-end encryption, meaning that your data is usually still stored in a format legible to the company.
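To make the difference between “encrypted at rest” and “end-to-end encrypted” concrete, here is an added toy model. It is example code written for this page, not Google’s implementation and not part of the original article. It assumes a hypothetical provider that either generates and keeps the key itself (server-side encryption at rest) or only ever receives ciphertext (client-side, end-to-end). The cipher is a counter-mode keystream built from HMAC-SHA256 using only the Python standard library; it is a stand-in chosen to show where the key lives, not a recommended construction. The `respond_to_legal_request` method shows what the provider can hand over in each case.

```python
"""Toy model of where decryption keys live: server-side encryption at rest
versus client-side (end-to-end) encryption.

Constructed illustration, not Google's implementation. The cipher is a
simple counter-mode keystream built from HMAC-SHA256 (stdlib only); it is
here to make key placement concrete, not as a recommendation.
"""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style XOR of data with HMAC-SHA256(key, nonce || counter) blocks.
    The same function encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Provider:
    """A hypothetical storage provider. It always holds the ciphertext;
    whether it also holds the key is the whole question."""

    def __init__(self):
        self.blobs = {}  # doc_id -> (nonce, ciphertext)
        self.keys = {}   # doc_id -> key; only populated for server-side encryption

    def store_server_side(self, doc_id: str, plaintext: bytes) -> None:
        # Provider generates and keeps the key: data is "encrypted at rest",
        # but the provider can decrypt it whenever it chooses or is compelled to.
        key, nonce = os.urandom(32), os.urandom(16)
        self.keys[doc_id] = key
        self.blobs[doc_id] = (nonce, keystream_xor(key, nonce, plaintext))

    def store_ciphertext(self, doc_id: str, nonce: bytes, ciphertext: bytes) -> None:
        # Client-side (end-to-end) encryption: the provider only ever sees ciphertext.
        self.blobs[doc_id] = (nonce, ciphertext)

    def respond_to_legal_request(self, doc_id: str) -> dict:
        """What the provider can hand over for a document: the ciphertext
        always, the plaintext only if it holds the key."""
        nonce, ciphertext = self.blobs[doc_id]
        result = {"ciphertext": ciphertext, "plaintext": None}
        if doc_id in self.keys:
            result["plaintext"] = keystream_xor(self.keys[doc_id], nonce, ciphertext)
        return result


class Client:
    """A user who keeps the key on their own machine."""

    def __init__(self):
        self.key = os.urandom(32)

    def upload_e2e(self, provider: Provider, doc_id: str, plaintext: bytes) -> None:
        nonce = os.urandom(16)
        provider.store_ciphertext(doc_id, nonce, keystream_xor(self.key, nonce, plaintext))

    def download_e2e(self, provider: Provider, doc_id: str) -> bytes:
        nonce, ciphertext = provider.blobs[doc_id]
        return keystream_xor(self.key, nonce, ciphertext)


def demo() -> dict:
    """Store the same (constructed) note both ways and compare what a legal
    request to the provider would yield."""
    notes = b"Source: meet at the usual cafe, Thursday 3pm"  # constructed sample
    provider = Provider()
    provider.store_server_side("notes-server", notes)

    client = Client()
    client.upload_e2e(provider, "notes-e2e", notes)

    server_side = provider.respond_to_legal_request("notes-server")
    e2e = provider.respond_to_legal_request("notes-e2e")
    return {
        "server_side_plaintext": server_side["plaintext"],
        "e2e_plaintext": e2e["plaintext"],
        "client_can_still_read": client.download_e2e(provider, "notes-e2e") == notes,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Running it shows the provider recovering the full note for the server-side document and returning no plaintext for the end-to-end one, while the client can still read its own copy. Everything else on this page (compliance certifications, physical security, access controls) sits on the left-hand side of that split: it constrains who at the provider may use the key, not whether the provider has it.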

Physical protections

Google says that they provide several protections for their data centers. Employees need an authorized key card, and approval from their manager and the data center director, to enter restricted parts of the building. Closed-circuit TV cameras inside and outside of these buildings record at all hours of the day, every day of the week. They provide some interesting details, down to the number of days these recordings are retained. (It’s 30 days.) They log and audit access. Their servers detect and remove unexpected modifications to the software, so both physical and remote attacks would be tough to pull off.

While we have a lot of details about their infrastructure, we don’t know as much about the humans behind the infrastructure. That is, we don’t know much about how many people at Google have access to user data, nor how that access is determined. What kind of user data might they have access to, and under what circumstances? How many people can actually pull user data, say, responsive to a legal request? We don’t know.

What we can say is that Google has said in their security documentation that they constrain the number of employees who have access, log employee access to user data, and conduct both internal and external audits on employee access. Employees caught abusing their access would likely be fired, and may face legal action.

“To help ensure that only this limited set of trusted employees uses their given access as approved by Google, we use a combination of automated tools and manual reviews to examine employee access to customer data and detect any suspicious events. We strictly enforce our policies for customer data access. We have established an incident response team to investigate violations of misappropriation of customer data. We have established a disciplinary process for noncompliance with internal processes which could include immediate termination from Google, lawsuits and criminal prosecution.”

While Google says they have built processes designed to curb abuse of user data, the company maintains the ability to read and analyze the data you put into your G Suite account, as well as data passively generated as you use these tools. This includes your organization’s activities when using G Suite.

What can government agencies see?

In the summer of 2012, reporters released a flurry of books and articles concerning national security activities within the Obama administration. Among the many reporters who worked on these stories, New York Times reporter David Sanger published a book and report detailing the inner-workings of the Stuxnet malware, widely considered to be designed by the U.S. and Israeli governments with the intention to disrupt the Iranian nuclear program. Following these disclosures, FBI investigators requested data from electronic communications providers, including Google.

Court documents show that FBI investigators compelled Google to hand over a variety of user data as part of their investigations into an alleged source, James E. Cartwright, a retired Marine Corps general who served under President Obama as vice chairman of the Joint Chiefs of Staff. This user data included email exchanges between Cartwright and three reporters, including David Sanger.

Court documents detailing contact dates and frequency between an investigative target’s Gmail account and a reporter.

Contact dates and frequency between an investigative target’s Gmail account and a reporter. Source: U.S. District Court for the District of Columbia

Image from court records showing details of the data types requested.

Details of the data types requested. Source: U.S. District Court for the District of Columbia

The court ordered Google to disclose sent, received, and deleted messages and the address books attached to Cartwright’s Gmail account, along with videos and computer files, and metadata records including logs of Cartwright’s activities, dates, times, information about Cartwright’s internet connection, account preferences, subscriber information, IP addresses, and locations.

This sounds like a lot, and it is. But the truth is this only scratches the surface of what’s possible.

How does this work?

In the U.S., government agencies can compel any U.S. communications provider to disclose information about their users — of course, this includes Google. These requests usually take the form of a subpoena, court order, or search warrant, compelling a company to provide data to the requesting agency.

According to Google's data transparency report, the company receives more law enforcement requests with each passing year. In 2018 Google received 43,683 U.S. government requests for user data covering 124,991 accounts. In 81% of those requests the company provided data. Google’s compliance rate is lower for most other countries, and for some (e.g., Turkey) Google reports that it almost never complies.

The most common type of request, a subpoena, can yield valuable data about the user’s account. This data may include the user’s IP addresses and login times. Even without any message content, this can be used for a rough estimation of a user’s location and patterns of movement.
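As an added illustration of how much the login metadata described above and in the court records earlier on this page gives away on its own (example code written for this page, not from the article or from any court record): the records below are constructed, using documentation-range IP addresses and invented timestamps in a hypothetical “timestamp IP” line format, and the network-labelling heuristic is an assumption made for the demonstration, not an investigator’s actual method.

```python
"""What login metadata alone reveals: per-network login routine from a list
of (timestamp, source IP) records, the kind of data a subpoena can return.

All records below are constructed for this illustration (documentation-range
IPs, invented times); the format "ISO-timestamp IP" is assumed, not Google's.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample, not real data.
LOGIN_RECORDS = """\
2019-03-04T08:12:00 203.0.113.17
2019-03-04T12:40:00 203.0.113.17
2019-03-04T22:05:00 198.51.100.9
2019-03-05T08:20:00 203.0.113.17
2019-03-05T21:50:00 198.51.100.9
2019-03-06T08:05:00 203.0.113.17
2019-03-06T13:30:00 192.0.2.44
2019-03-06T22:15:00 198.51.100.9
2019-03-07T09:00:00 203.0.113.17
2019-03-07T23:10:00 198.51.100.9
"""


def parse_records(text):
    """Parse 'ISO-timestamp IP' lines into (datetime, ip) tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip = line.split()
        records.append((datetime.fromisoformat(ts), ip))
    return records


def profile(records):
    """Summarise routine per source IP: how often, on how many days, and at
    what hours the account was used from that network. No content needed."""
    by_ip = defaultdict(list)
    for ts, ip in records:
        by_ip[ip].append(ts)
    summary = {}
    for ip, times in by_ip.items():
        hours = sorted(t.hour for t in times)
        summary[ip] = {
            "logins": len(times),
            "first_seen": min(times).date().isoformat(),
            "last_seen": max(times).date().isoformat(),
            "hour_range": (hours[0], hours[-1]),
            "days_active": len({t.date() for t in times}),
        }
    return summary


def label_networks(summary):
    """Assumed heuristic for the demonstration: a network used on most days
    during daytime reads as a workplace, one used most days late at night as
    home, anything else as an occasional network (travel, cafe, phone)."""
    labels = {}
    for ip, s in summary.items():
        lo, hi = s["hour_range"]
        if s["days_active"] >= 3 and hi <= 18:
            labels[ip] = "likely workplace"
        elif s["days_active"] >= 3 and lo >= 20:
            labels[ip] = "likely home"
        else:
            labels[ip] = "occasional (travel, cafe, or phone network)"
    return labels


if __name__ == "__main__":
    summary = profile(parse_records(LOGIN_RECORDS))
    for ip, label in label_networks(summary).items():
        s = summary[ip]
        print(f"{ip:14} {label:45} logins={s['logins']} days={s['days_active']} "
              f"hours={s['hour_range'][0]:02d}-{s['hour_range'][1]:02d}")
```

Ten timestamps and three addresses are enough to separate a daytime network from a late-night one and to spot a one-off login from somewhere else, which is exactly the “patterns of movement” a subpoena exposes without a single message being read. A real investigator would add a geolocation or ISP lookup for each address; that step is omitted here so the example runs offline.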

The content of a user’s account (e.g., a message in an email, or the content of Google Docs) usually requires a search warrant, which carries a higher legal threshold: investigators must demonstrate to a court that the data request is relevant to their investigation. Investigators may also issue preservation requests, requiring the company to retain certain types of user data for investigative purposes.

Google explains their process in this video.

The company says that when they receive a warrant for content within a user’s account, their legal team sometimes receives data requests that are "so vague and broad” that they’ll work with investigators to narrow a warrant or ask a judge to amend it. This helps the company to constrain any disclosure of user data.

The short version: if it’s in your account and Google can read it, it’s also subject to request from government agencies.

What can your employer see?

G Suite allows administrative users to view a remarkable level of user data within their organization, depending on what version of G Suite you have.

There are several versions of G Suite [1], but G Suite has three core versions of its service, G Suite Basic, G Suite Business, and G Suite Enterprise, each tier offering more storage capacity, as well as more tools for storing and analyzing an organization’s user data. You can see all of the differences between each version here.

In general, G Suite Enterprise offers administrators the greatest transparency into users’ Google activities, followed by G Suite Business. Finally, G Suite Basic offers the fewest monitoring capabilities.

When we talk about monitoring capabilities, what do we mean?

G Suite offers some powerful tools for searching for account and device data within the G Suite domain. Administrators can search for things like Gmail and Google Drive content, as well as metadata (e.g., dates, subject lines, recipients). They can create as many rules as they choose to automate how this data is treated. All of this data can be logged and retained, depending on how the administrator chooses to configure G Suite.

By default, G Suite Business and Enterprise enable audit logs, which allow administrators to see who has looked at, or modified each document within the organization. Administrators can monitor Gmail, Calendar, Drive, Sheets, Slides, and more, from both desktop and mobile devices. This may also include other forms of metadata, including IP addresses. Administrators can even receive push alerts for targeted behaviors. This could be used for organizations that want to monitor for behaviors they deem suspicious.

Similarly, G Suite Business and Enterprise administrators can optionally enable a feature called Google Vault, which helps organizations create custom rules for retaining user data. What does this mean?

If you’ve had the ability to see organizational data from your G Suite account, it’s visible to your administrator. The question is how long they have access for, and that all depends on what kinds of retention rules they create.

For a fun example, administrators have the choice to keep draft copies of emails, even after the email is removed from the draft folder. These drafts can even be ported into Vault minute by minute. In other words, administrators have the ability to read your draft emails live, or replay them after the fact.

Screenshot of multiple iterations of a draft email within Google Vault.

Screenshot of multiple iterations of a draft email within Google Vault. Source: August Brice

There are many legitimate reasons to give administrators this far-reaching ability to organize and retain user data, such as compliance with legal requests. All of this logging and retention functionality may also help your organization’s administrators monitor for security incidents. But as a user of these systems, it’s nonetheless important to understand that the documents we access, and the things we write in each document are potentially visible to the organization’s administrator, and whoever they answer to.

Using G Suite mindfully

You still need to get your work done, and G Suite may play a critical role. Take a few steps to learn how to use it in a way that makes you feel comfortable.

Consider giving yourself a G Suite audit. Look through your Gmail, Drive, and potentially Google-connected activity on mobile devices that are tied to your G Suite domain. If you can see it, the administrator can likely see it. If the administrator can see it, Google can likely see it. And if Google can see it, it’s likely subject to requests from government agencies.

A lot of journalistic work done in G Suite ends up in publication, and isn’t terribly secretive. However, there are some things you probably wouldn’t want to hear read aloud in federal court, such as unpublished details on your sources.

Consider getting details from your G Suite administrator. You can delete unwanted data, but depending on your organization’s retention settings, it’s not necessarily gone. Do some homework to identify your G Suite administrators and find out which G Suite version you have. If your organization has G Suite Business or Enterprise, find out what retention rules it has set up in Google Vault and what audit logs it keeps, as well as any internal policies your organization may have for administrative data retention and access.

Consider carefully what you put in G Suite. There are times when it’s best to store our data somewhere besides G Suite. Data about internal credentials, sources, long-term investigations, and other sensitive data may belong somewhere else.

It may be that another cloud service provider that stores your data in an end-to-end encrypted format (e.g., Tresorit) is a better choice for sensitive data. The main trade-off is that these services are not free. Likewise, sometimes it’s best to keep data offline or off a computer entirely.

G Suite offers powerful tools that help us collaborate and build long-term memory in our work. But it may also remember things we prefer to keep to ourselves. Be mindful about when it’s the right tool for the job.

This article was updated on October 10, 2019. Photo by Gabriel Jorby. CC BY-ND 2.0

Correction: We erroneously referred to the Enterprise "access transparency" feature when describing audit logs, and have corrected this language.



[1] On top of the three core versions, Basic, Business, and Enterprise, G Suite offers multiple versions for schools, similar to Business and Enterprise accounts. They also offer G Suite for government, and a version of G Suite for nonprofits, which are similar to Basic accounts. Then there’s Drive Enterprise, which includes Google Drive but strips out other G Suite apps.
