Is Google Drive secure?

Google Drive is the world’s most popular cloud storage service by far, with over 3 billion people using Google Workspace (which includes Google Drive, Google Calendar, Gmail, and more). But this ubiquity has recently caused concern following several well-publicized debacles concerning who can access your files on Google Drive, including Google falsely reporting a parent for abusive material.

Google Drive does a good job of preventing external attackers from gaining unauthorized access to your files. The main issue is that security should also mean that no one besides you and those you’ve shared a file with can access it. As this article explains, Google always retains access to your files and can share them with third parties, like law enforcement, at any time without your knowledge.

This has made people question whether Google Drive is truly secure. This post examines everything you should know before you decide to upload a file onto Google Drive.

What is Google Drive?

How Google Drive secures your files

Why you might not want to use Google Drive

How to make Google Drive more secure

Use Proton Drive to safely store your files on the cloud

What is Google Drive?

Google Drive is Google’s cloud storage service that comes bundled with other services in your Google Account, like Gmail. It includes 15 GB of free storage (shared between Drive and Gmail) and is an integral part of Google’s walled garden, allowing Google to keep you in its ecosystem when you compose documents, store photos, or share files. Google Drive also comes pre-installed on most Android devices, meaning many people use it by default. 

How Google Drive secures your files

Google Drive offers several important security features to protect your files from unauthorized access that are typical of most cloud storage services.

Data encryption

When a service encrypts your file, it runs it through an algorithm that uses an encryption key to transform the readable text into unintelligible ciphertext, ensuring no one can read it. The only way to read that file again is to decrypt it using the encryption key. The file will remain secure as long as the encryption is sufficiently strong to withstand brute force attacks and attackers do not get access to the encryption key.

Google Drive encrypts your files while they’re in transit with HTTPS, which uses an encryption protocol called TLS. TLS secures the overwhelming majority of internet traffic and is highly secure. If it were vulnerable, the internet as we know it would cease to function.

Google Drive also encrypts your files while they’re stored on its servers using AES-128 symmetric encryption. Experts consider this extremely secure, though there are stronger forms of symmetric encryption (such as AES-256).

Account security

Google provides two-factor authentication and lets you see suspicious security-related events (like login attempts from new or unrecognized devices) for your account.

Two-factor authentication (2FA) is a backup to your password that requires you to provide a second form of identity verification to log in. This is usually a time-based, one-time code from an app on your phone or a hardware security key.

Google also sends emails and notifications to alert you of security-related events it believes are urgent.

Access controls

All files in Google Drive are, by default, set to “private” mode, meaning only you can access them. You can adjust this and share files with other people, either with specific people by entering their email addresses or publicly with a link. You can also turn off links you’ve previously shared, although you must have a business or school account to use expiring links.

As for Google’s track record, considering Google Drive stores trillions of files, it has done reasonably well when it comes to preventing data breaches (Google’s last major breach was in 2018, when a bug exposed the personal data of over 50 million Google+ users).

Why you might not want to use Google Drive

Despite the security measures Google takes, there are still several valid reasons you might be concerned about the security and privacy of your files on Google Drive.

Google always retains access

As mentioned earlier in this article, encryption keeps your files safe as long as the attacker never gets access to the encryption key. But Google uses a type of symmetric encryption that gives the company control of the encryption keys to all files on Google Drive, meaning Google can access them at any time, for any reason, without your knowledge or permission. This is spelled out explicitly in Google’s terms and conditions. By using Google Drive, you give Google permission to scan and potentially remove your personal files at any time. This means Google is in control.

Google also uses this access to your data to train AI services, like its spell check and autocomplete features. There is no way to opt out of having your personal data used to develop these services, although Google says it anonymizes data before using it. It also claims it doesn’t show you personalized ads based on the content you have in Google Drive, Docs, Sheets, Slides, or Photos.

Google’s control of your files’ encryption keys also means that if a hacker were to succeed in breaching Google’s defenses, they could access both your files and their keys. They could decrypt and read any files you stored on Google Drive. 

There are ways to encrypt data so that you, the owner of the data, are in control, like end-to-end encryption. End-to-end encryption also ensures files remain encrypted even if a service provider suffers a catastrophic data breach. Google doesn’t implement this type of encryption on any of its services by default.

Google’s jurisdiction

Google is headquartered in the United States, which means it’s subject to some dubious privacy laws. The FISA court, which is charged with reviewing and approving government wiretap and data collection efforts, has long been little more than a rubber stamp, with the vast majority of applications being approved. Even worse, the Federal Bureau of Investigation (FBI) can use national security letters, essentially secret, warrantless subpoenas, to access information and documents from companies without any judicial oversight.

Numerous other countries, including Iceland, Sweden, and Switzerland, provide more transparency, protection of human rights, and adversarial judicial review that better protect people’s right to privacy.

Google’s business model

Google has proven to be a poor steward of its users’ data in the past. Though Google boasts of its willingness to let you turn off data collection, the reality is not so simple.

First, Google relies on the fact that most people never change their default settings. Over 80% of Google’s revenue in 2022 came from advertising. If most Google users turned on all the Google privacy controls, this would cause a major disruption to its business. Under Google’s surveillance capitalist business model, it’s compelled to capture and monetize every piece of data it can.

Second, Google has misled people about purported privacy-protecting measures. Even worse, it ignored people’s choices when they turned these features on and continued collecting data anyway. In 2017, journalists discovered that Google collected Android users’ location data even if they had turned off location services. This year, a judge found that Google had misled users about their privacy when they used Chrome’s Incognito Mode. And its newest privacy feature, Privacy Sandbox, is nothing more than a new tracking method.

These are red flags because you need to be able to trust that the company storing your sensitive files is both competent enough to protect your information and honest enough to respect your privacy choices.

Google passes the technical challenges, but its incentive structure and spotty history make it hard to trust. 

How to make Google Drive more secure

There are some steps you can take to increase your security when storing files on Google Drive. Like nearly all online services, the weakest link is often the human element. This means you must always be alert for suspicious emails asking for your Google username and password that could be phishing attacks.

You should also use a strong, unique password for your Google Account and enable 2FA (in fact, you should do these for all your accounts, if possible).

Finally, you can minimize Google’s ability to monitor or access the files you upload by encrypting your files before you upload them using a third-party encryption service. 

Use Proton Drive to safely store your files on the cloud

Fortunately, there are alternatives to Google Drive that make protecting your privacy and security easier without having to use any third-party encryption software. For example, Proton Drive automatically uses end-to-end encryption on all your files and their metadata by default, meaning no one can access them but you. You’re always in control. And you remain in control even after you share a file with others by limiting who can access it with password protection. 

Proton Drive goes far beyond Google in account security. In addition to 2FA and authentication logs, we also provide our high-security Proton Sentinel program with certain paid plans. Proton Sentinel can recognize and stop malicious login attempts, meaning that even if an attacker gets a hold of your password, there’s still a good chance they won’t be able to access your account.

Proton Drive is headquartered in Switzerland, meaning strict Swiss data privacy laws protect all of your data. But, perhaps most importantly, we’ve structured our business around protecting your information, not exploiting it. We don’t show any ads and we never share your information with advertisers or any other third parties. Our end-to-end encryption means we couldn’t share your data even if we wanted to.

We’re entirely supported by subscriptions to our paid plans, so our only incentive is to keep your data as secure as possible. 

You can sign up for Proton Drive for free and receive up to 1 GB of storage. Or you can sign up for our Proton Drive Plus plan and get 200 GB of storage for just €3.99 per month. 

Richie Koch

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.
