Google Drive is the world’s most popular cloud storage service by far, with over 3 billion people using Google Workspace(new window) (which includes Google Drive, Google Calendar, Gmail, and more). But this ubiquity has recently caused concern following several well-publicized debacles concerning who can access your files on Google Drive, including Google falsely reporting a parent for abusive material(new window).
The main issue with Google Drive is it does a good job preventing external attackers from gaining unauthorized access to your files, but security should also mean that no one besides you and those you’ve shared a file with can access it. As this article explains, Google always retains access to your files and can share them with third parties, like law enforcement, at any time without your knowledge.
This has made people question whether Google Drive is truly secure. This post examines everything you should know before you decide to upload a file onto Google Drive.
What is Google Drive?
Google Drive is Google’s cloud storage service that comes bundled with other services in your Google Account, like Gmail. It includes 15 GB of free storage (shared between Drive and Gmail) and is an integral part of Google’s walled garden, allowing Google to keep you in its ecosystem when you compose documents, store photos, or share files. Google Drive also comes pre-installed on most Android devices, meaning many people use it by default.
How Google Drive secures your files
Google Drive offers several important security features to protect your files from unauthorized access that are typical of most cloud storage services.
When a service encrypts your file, it runs it through an algorithm that uses an encryption key to transform the readable text into unintelligible ciphertext, ensuring no one can read it. The only way to read that file again is to decrypt it using the encryption key. The file will remain secure as long as the encryption is sufficiently strong to withstand brute force attacks and attackers do not get access to the encryption key.
Google Drive encrypts your files while they’re in transit with HTTPS, which uses an encryption algorithm called TLS. TLS secures the overwhelming majority of internet traffic and is highly secure. If it were vulnerable, the internet as we know it would cease to function.
Google Drive also encrypts your files while they’re stored on its servers using AES-128 symmetric encryption. Experts consider this extremely secure, though there are stronger forms of symmetric encryption (such as AES-256).
Google provides two-factor authentication and lets you see suspicious security-related events (like login attempts from new or unrecognized devices) for your account.
Two-factor authentication (2FA) is a backup to your password that requires you to provide a second identity verification to log in. It’s usually with a time-based, one-time code from an app on your phone or a hardware security key.
Google also sends emails and notifications to alert you of security-related events it believes are urgent.
All files in Google Drive are, by default, set to “private” mode, meaning only you can access them. You can adjust this and share files with other people, either to specific people by entering their email addresses or making the files public with a link. You can also turn off links you’ve previously shared, although you must have a business or school account to use expiring links(new window).
As far as Google’s track record, considering Google Drive stores trillions of files, it has done reasonably well when it comes to preventing data breaches (Google’s last major breach was in 2018 when a bug exposed the personal data of over 50 million Google+ users(new window)).
Why you might not want to use Google Drive
Despite the security measures Google takes, there are still several valid reasons you might be concerned about the security and privacy of your files on Google Drive.
Google always retains access
As mentioned earlier in this article, encryption keeps your files safe as long as the attacker never gets access to the encryption key. But Google uses a type of symmetric encryption that gives the company control of the encryption keys to all files on Google Drive, meaning Google can access them at any time, for any reason, without your knowledge or permission. This is spelled out explicitly in Google’s terms and conditions. By using Google Drive, you give Google permission to scan and potentially remove your personal files at any time. This means Google is in control.
Google also uses this access to your data to train AI services, like its spell check and autocomplete features. There is no way to opt out of having your personal data used to develop these services, although Google says it anonymizes data before using it. It also claims it doesn’t show you personalized ads based on the content you have in Google Drive, Docs, Sheets, Slides, or Photos.
Google’s control of your files’ encryption keys also means that if a hacker were to succeed in breaching Google’s defenses, they could access both your files and their keys. They could decrypt and read any files you stored on Google Drive.
There are ways to encrypt data so that you, the owner of the data, are in control, like end-to-end encryption(new window). End-to-end encryption also ensures files remain encrypted even if a service provider suffers a catastrophic data breach. Google doesn’t implement this type of encryption on any of its services by default.
Google is headquartered in the United States, which means it’s subject to some dubious privacy laws. The FISA court, which is charged with reviewing and approving government wiretap and data collection efforts, has long been little more than a rubber stamp, with the vast majority of applications being approved. Even worse, the Federal Bureau of Investigation (FBI) can use national security letters, essentially secret, warrantless subpoenas, to access information and documents from companies without any judicial overview.
Numerous other countries, including Iceland, Sweden, and Switzerland, provide more transparency, protection of human rights, and adversarial judicial review that better protect people’s right to privacy.
Google’s business model
Google has proven to be a poor steward of its users’ data in the past. Though Google boasts of its willingness to let you turn off data collection, the reality is not so simple.
First, Google relies on the fact that most people never change their default settings. Over 80% of Google’s revenue in 2022(new window) came from advertising. If most Google users turned on all the Google privacy controls, this would cause a major disruption to their business. Under Google’s surveillance capitalist business model, it’s compelled to capture and monetize every piece of data it can.
Second, Google has misled people about purported privacy-protecting measures. Even worse, it ignored when people turned these features on and continued collecting data anyway. In 2017, journalists discovered that Google collected Android users’ location data(new window) even if they had turned off location services. This year, a judge found that Google had misled users(new window) about their privacy when they used Chrome’s Incognito Mode. And its newest privacy feature, Privacy Sandbox(new window), is nothing more than a new tracking method.
These are red flags because you need to be able to trust that the company storing your sensitive files is both competent enough to protect your information and honest enough to respect your privacy choices.
Google passes the technical challenges, but its incentive structure and spotty history make it hard to trust.
How to make Google Drive more secure
There are some steps you can take to increase your security when storing files on Google Drive. Like nearly all online services, the weakest link is often the human element. This means you must always be alert for suspicious emails asking for your Google username and password that could be phishing attacks(new window).
You should also use a strong, unique password for your Google Account and enable 2FA (in fact, you should do these for all your accounts, if possible).
Finally, you can minimize Google’s ability to monitor or access the files you upload by encrypting your files before you upload them using a third-party encryption service.
Use Proton Drive to safely store your files on the cloud
Fortunately, there are alternatives to Google Drive that make protecting your privacy and security easier without having to use any third-party encryption software. For example, Proton Drive automatically uses end-to-end encryption on all your files and their metadata by default, meaning no one can access them but you. You’re always in control. And you remain in control even after you share a file with others by limiting who can access it with password protection.
Proton Drive goes far beyond Google in account security. In addition to 2FA and authentication logs, we also provide our high-security Proton Sentinel program(new window) with certain paid plans. Proton Sentinel can recognize and stop malicious login attempts, meaning that even if an attacker gets a hold of your password, there’s still a good chance they won’t be able to access your account.
Proton Drive is headquartered in Switzerland, meaning strict Swiss data privacy laws protect all of your data. But, perhaps most importantly, we’ve structured our business around protecting your information(new window), not exploiting it. We don’t show any ads and we never share your information with advertisers or any other third parties. Our end-to-end encryption means we couldn’t share your data even if we wanted to.
We’re entirely supported by subscriptions to our paid plans, so our only incentive is to keep your data as secure as possible.
You can sign up for Proton Drive for free and receive up to 1 GB of storage. Or you can sign up for our Proton Drive Plus plan and get 200 GB of storage for just €3.99 per month.