Not only does Google Drive lack in the security department, it is set to be a more dangerous place thanks to 10GB attachments, argues Brian Spector
Nothing quite like a good headline, is there? I’m not talking about the title of this piece, but rather one I read this morning, entitled “United States of ‘Holy F*ck, this is easy!’”
Now, it seems to me that you can’t really argue with a heading that combines reverence for nationhood with the language of a navy stoker. But when I dug deeper into the content of the piece, its central revelatory proposition – the idea that Google now enables you to “send” large files up to 10GB – melted away to nothing, like yesteryear’s swearwords.
This was quite simply because the writer had completely avoided the question of security. Well, sorry, Mr. Holy F*cker, but bigger files = meatier content = higher risk = greater attractiveness to anyone who would potentially like to get their hands on your stuff. Surely that’s the story here, gadzooks?
Federal Bureaux of Insecurity?
Well, actually, it’s only half of the story. And not even the half that a lot of people seem to be most worried about. Let me explain this a little further.
The notion of insecure data isn’t just about being hacked. Yes, that can happen, and it’s true to say that it’s on the up. According to research from Experian, more than 12 million pieces of UK users’ information were illegally traded online by identity fraudsters in the first four months of 2012, representing an increase of 200 percent since 2010. Legitimate organisations (secret services, government departments, etc.) can use the same techniques to get at your data, although they don’t do it for personal monetary gain.
But what a lot of people are now coming to realise is that you can actually become the willing exponent of your own digital insecurity. Why? Because you choose to hand over your data in some way to a vendor or organisation whose economic model and operating policies require them to be able to see or understand your data in some way.
This is the scenario that tends to apply to storage and file transfer websites – like Google Drive. They’re constantly exploring the content of your files – electronically or otherwise – and then working out how they can make money out of them. All perfectly legal, but doesn’t it somewhat fly in the face of the reasoning behind storing this material somewhere other than your hard drive in the first place?
It’s a simple statement of logic: if the definition of security is that data is only visible to its originator and the desired recipient(s), then a service that can access and see that data means, by definition, the data is not secure in that service. For “that service” read Google Drive.
From the General to the particular
The now infamous General Petraeus found out very quickly what consequences the insecurity of data can bring. But let’s look more closely at the Google example, specifically. It is problematic for me, and will be for a lot of other people too, not only because Google Drive in itself is “voluntarily insecure”, as I’ve described above, but because that site also now forms the basis of the large file transfer service that Google has made available from your Gmail inbox.
Consider the following:
- Google Drive does not have two-factor authentication built in as standard. Its user authentication relies as standard on username and password, which is vulnerable to smash-and-grab attacks as well as concerted social engineering incursions of the type that destroyed Wired writer Mat Honan’s digital life.
- Gmail does not have two-factor authentication built in as standard. See above, and go again.
- Gmail doesn’t send a genuine attachment. It sends a link back to Google Drive. This newfound ability to send large files doesn’t actually send any files at all. What it does do is send a link that simply drives the recipient back to a service (Google Drive) that is, of itself, fundamentally insecure.
So, to summarise, instead of insecure file storage, you now have insecure file storage PLUS the ability to extend the insecurity of that site to the action of sending and receiving files as well.
Now do you understand why I (and others) are worried about this?
Is it all bad?
Actually, it’s not. Large file transfer via email is both beneficial and desirable. File outputs are becoming bigger and bigger, as the authoring software that creates them becomes more powerful. Medical imaging, animation and motion graphics, movies, hi-res photography, photogrammetry – the average size of files in these and other disciplines is already huge and is growing constantly.
Moving these files around represents a real headache when you consider that, according to research carried out recently, 89% of workers are unable to send or receive emails in excess of 15MB. And, at the same time, the average number of files we are all sending is increasing; still more research indicates that, in 2009, corporate users sent and received, on average, 37 attached files per user, per day; in 2013, that will rise to 53 attachments.
So Google’s attempt to bring large file transfer back down to the “ground zero” of the inbox, and its use of a creative way to get round the transport limitations of the email client, is to be applauded. We all need this stuff. But what we don’t need is Google – or any other provider – looking at our stuff.
I’ve said it before, and I’ll say it again, unless it’s secure enough that the security vendor themselves can’t open it, it ain’t secure by my reckoning.
Editor’s note: Google did not respond to a request for comment on Spector’s comments.
Brian Spector is CEO of security company CertVox