The Case of the Shared Trash
I wrote a letter of recommendation for a colleague using a new letterhead template designed by a design contractor. It was saved in the contractor’s Google Drive during development and then she transferred ownership to us. Before transferring one particular file – that letter of recommendation I wrote on our new company letterhead – she turned on “share with anyone who has the link”.
I know that sharing a file with “anyone who has the link” is a security risk. To mitigate that risk, I saved it locally, then trashed the Google Drive version stored in the cloud. That was months ago.
I never would have thought of that file again except…
Late on a Friday afternoon, my CTO gently popped into my Slack to ask me why I was sharing this file so publicly, in violation of company policy. He was reviewing the security hygiene alerts in the Obsidian platform against our own data and found this letter being shared with “anyone who has the link”.
There’s nothing quite like ending the week on a wave of panic and humiliation.
Using our product, our CTO recalled the entire social life of that letter. I was clearly working on it on December 1st in Princeton, NJ. Then I downloaded it and saved it locally. Then Adele, our contractor (not her real name), changed some user permissions and moved it to a folder called _Archive on the 13th. She emailed me to let me know she had archived it (Thanks, Adele!), at which point I highlighted the file and selected the trash icon to delete the file.
In our product that action is accurately recorded as moving the file to the trash.
Turns out, selecting the trash icon does not mean “go away forever” or even “go away forever after a purgatory period of 30 days” in Google Drive. It means, “we’ll hide your file in a trash can that is never emptied but keep all the sharing permissions active”.
The Unsearchable Lightness of the Trash
Of course, the first thing I did when my CTO told me I was sharing a letter of recommendation with the entire internet was to run a search for it so I could change the sharing settings. Here’s what I found. NOTHING.
So…how was this document still appearing in my file system according to Obsidian, when searching my G Drive turned up no matching files? I thought Google was supposed to be the king of search?!
Sitting there staring at the emptiness of the search field, I noticed a little black stripe pop up at the bottom of the screen indicating that there *may* be a file in the trash that matched my search query. I clicked on the button and there it was: the file I thought I had deleted five months ago. Now the drop-down gave me the chance to “Delete Forever”.
Silver Lining: I Have Proof That Nothing Bad Happened
I am still riddled with guilt that the file was available to “anyone with the link” for five months. My feelings were assuaged dramatically by our product’s audit history which showed that nothing happened to that file in those five months. It just sat there. Nobody edited it, downloaded it, moved it, changed sharing permissions, added people, or made other changes.
What’s At Stake in the Deletion Decision?
I can see why Google opts not to delete files when users click on the trash icon. People accidentally delete all sorts of things they actually want to see again. It saves Google a lot of time if users don’t come running to them begging them to revive an accidentally deleted file.
Here’s the big trade-off: a decent number of people will likely assume that trashing a file means the file ceases to exist, if not immediately, then within a week or a month. They may also assume that deleting a file removes its sharing privileges, especially if they are the owner of the file. But nope. That file is still fully available to anyone with whom it was originally shared while it hangs out in the trash. When the file is set to be shared with “anyone on the internet” or “anyone on the internet (link required)” – the privacy and security risks go way up.
Pro-tips and Takeaways
- The trash icon in the G Drive does not mean delete. If you really want a file gone without a trace, move it to the trash and then select “Delete Forever” for that file. Or empty the entire contents of the trash.
- A file in the trash maintains all of its sharing privileges. Only file owners can delete files forever. Until a file is deleted forever, it can have a very active social life.
- If you want to be alerted to all of your publicly shared files and have access to the social history of those files to make sure nothing weird has happened, you may want a tool like Obsidian. Not only will we scan your G Drive looking for files that may be shared too broadly, we can show you the social life (i.e., the audit trail) of everything that has happened to any file.
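The first two takeaways boil down to a check you can run yourself: list everything in the trash, flag any file that still carries a type=anyone permission, and delete forever the ones you own. The script below is an added example, not Obsidian’s product code or anything from the original post. It uses the Google Drive v3 API field names (`trashed`, `owners[].me`, `permissions[].type`, `permissions[].allowFileDiscovery`) and the `files.list` / `files.delete` calls; the Drive `service` object is passed in rather than imported, and the sample file metadata is constructed so the audit logic runs offline.

```python
"""Find files in the Google Drive trash that are still shared with "anyone".

Added example (not Obsidian Security's code). Field names follow the Drive
v3 API (files.list: trashed, owners[].me, permissions[].type/role/
allowFileDiscovery); the sample data at the bottom is constructed.
"""

# Ask files.list for trash state, ownership and sharing in one call, so no
# separate permissions.list round trip is needed per file.
FIELDS = ("nextPageToken, files(id, name, trashed, owners(me), "
          "permissions(id, type, role, allowFileDiscovery))")


def fetch_trashed_files(service):
    """Page through files.list for everything in the trash.

    `service` is an authorised googleapiclient Drive v3 resource, e.g.
    build('drive', 'v3', credentials=...); it is passed in so this module
    has no client-library dependency when the audit runs on saved data.
    """
    files, page_token = [], None
    while True:
        resp = service.files().list(q="trashed = true", fields=FIELDS,
                                    pageSize=100, pageToken=page_token).execute()
        files.extend(resp.get("files", []))
        page_token = resp.get("nextPageToken")
        if not page_token:
            return files


def sharing_exposure(file_meta):
    """Return 'public' (anyone on the internet, discoverable by search),
    'link' (anyone with the link) or None when no type=anyone permission exists."""
    for perm in file_meta.get("permissions", []):
        if perm.get("type") == "anyone":
            return "public" if perm.get("allowFileDiscovery") else "link"
    return None


def audit_trash(files):
    """Findings for trashed files still exposed to anyone. Only the owner can
    delete forever (files.delete), so non-owned findings are routed to the owner."""
    findings = []
    for f in files:
        if not f.get("trashed"):
            continue
        exposure = sharing_exposure(f)
        if exposure is None:
            continue
        owned = any(o.get("me") for o in f.get("owners", []))
        findings.append({
            "id": f["id"],
            "name": f.get("name", ""),
            "exposure": exposure,
            "action": "delete_forever" if owned else "ask_owner",
        })
    return findings


def remediate(service, findings, dry_run=True):
    """Delete forever the owned findings (files.delete on a trashed file is
    permanent and takes its sharing with it). Returns the ids acted on;
    with dry_run the ids are only reported."""
    done = []
    for finding in findings:
        if finding["action"] != "delete_forever":
            continue
        if not dry_run:
            service.files().delete(fileId=finding["id"]).execute()
        done.append(finding["id"])
    return done


# Constructed sample resembling a files.list response for the trash.
SAMPLE_TRASHED_FILES = [
    {"id": "f-letter", "name": "Letter of Recommendation (new letterhead)",
     "trashed": True, "owners": [{"me": True}],
     "permissions": [
         {"id": "p-owner", "type": "user", "role": "owner"},
         {"id": "anyoneWithLink", "type": "anyone", "role": "reader",
          "allowFileDiscovery": False},
     ]},
    {"id": "f-notes", "name": "Meeting notes", "trashed": True,
     "owners": [{"me": True}],
     "permissions": [{"id": "p-owner", "type": "user", "role": "owner"}]},
    {"id": "f-template", "name": "Letterhead template v3", "trashed": True,
     "owners": [{"me": False}],
     "permissions": [
         {"id": "p-contractor", "type": "user", "role": "owner"},
         {"id": "anyone", "type": "anyone", "role": "reader",
          "allowFileDiscovery": True},
     ]},
]

if __name__ == "__main__":
    for finding in audit_trash(SAMPLE_TRASHED_FILES):
        print(f"{finding['exposure']:6} {finding['action']:14} "
              f"{finding['name']} ({finding['id']})")
```

Against live data, replace `SAMPLE_TRASHED_FILES` with `fetch_trashed_files(service)` and run `remediate` with `dry_run=True` first; the dry run lists exactly which owned files would be deleted forever, and anything flagged `ask_owner` needs the owner to act, just as the takeaway above says.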
Much of the trouble here comes from misunderstanding the idiosyncrasies of each cloud provider’s menus and configurations. If it’s too much to assume everyone in your organization is going to master these rules, a tool like Obsidian may be an efficient way to achieve better cloud security hygiene.