Privacy issue: Google Docs seems to not delete but only hide documents when the trash is emptied

We are going to demonstrate in this article that documents on Google Docs (in July 2007) are not deleted, even after the user asked to empty the trash.
We are also going to show that there is an privacy issue with documents on Google Docs: parts of private documents on Google Docs can be accessed without having to enter any user-id and password.

Video proof:

The symptom:

Maybe Google still has not fixed the issues while you are reading this article. Try for yourself the URL that was used in the video:

http://docs.google.com/File?id=dchrr3kn_5cdc9q3dc

If you are able to download the image by clicking on the URL then Google still has not fixed the deletion issue and the privacy issue.
When we last checked the URL (at the time of this writing) 12 hours passed by since we “deleted” Document1 from Google Docs:
12 hours later we still can access the private document that we deleted and we can access it even without being asked to provide user-id or password!

Please remember that you should not be able to access and read the text of the notepad screenshot because:

a) Document1 was a private document on Google Docs while it existed

b) Document1 was supposed to be completely deleted (including the embedded image) from Google Docs already at the 12th of July.

Do not be “disappointed” when clicking on the URL does not download the image anymore:
It would be good if the URL above is broken!

It would mean that Google has taken at least some action to fix (or less good: to work around) the identified issues.
The conceptual problem that is highlighted in this article will continue to exist, if the URL is broken or not does not change anything:

How can we talk about privacy on the Web if we can NEVER be sure that our “private” content (like mails, daft mails, documents) will be ever finally deleted from any of the services out there today?

For further discussion please read the rest of this article.

Details:

All of the steps below have been executed, tested and verified several times at the beginning of July 2007. While it would be for some of our readers exciting to experience the issues online themselves we hope that these issues are all fixed when you are reading this article.

Lets go through the example step by step:

1) Document1 is a document on Google Docs. It contains an embedded screenshot of notepad:

Step1

The URL for the embedded notepad screenshot is:

http://docs.google.com/File?id=dchrr3kn_5cdc9q3dc

2) The document Document1 on Google Docs has not been published:

Step2

3) And the document Document1 on Google Docs is also not shared:

Step3

4) Now Document1 will be deleted and the trash will be emptied:

Step4

5) The trash is empty and Google Docs is confirming that Document1 has been deleted from Google Docs:

Step5

Now we are ready to make use of the URL that is/was pointing to one part of Document1: the image that is (or better was) embedded in Document1:

http://docs.google.com/File?id=dchrr3kn_5cdc9q3dc

Now the (first) surprise is coming: Although we asked Google Docs to delete Document1 we can click on the URL of the embedded image and the image can still be retrieved from Google Docs like shown here:
Step6

How can this be? The Google Docs UI is clearly telling us: Document1 is deleted, there is no way of how you ever can access it again. Still we have just seen that we can access parts of the document (and we believe the rest of the document is also existing, we just do not have a way to proof that) although it should be deleted.
Windows users maybe know of a similar issue with the Windows trash. Emptying the Windows trash does not delete the files in the trash. This is the reason why it is recommended for Windows to use “Shredder” programs that make sure, that files are overwritten several times to delete them.
On Google Docs this problem is worse. Google Docs did not delete the image that was embedded in Document1. With high probability the rest of the document1 is also still available on Google Docs. Fact: The UI of Google Docs is just hiding the document from you. The issue of deletion on Google Docs is worse then on Windows because there is no “Shredder” available for you that you can trust. Until now you could have hoped that the Google UI is telling you the truth about the deletion of the file. Now you can not simply trust anymore.

The additional privacy issue:

At the time of the writing of this article 12 hours passed since we emptied the trash. Twelve hours ago we thought we deleted Document1 completely from Google Docs, still we can access from Google Docs the image that was embedded in Document1. This fact on its own can create serious questions about Google Docs: How can I ever be sure that documents on Google Docs will be deleted? Maybe there is a process that deletes trashed documents every 12 hours, maybe such a job is starting on demand. Or maybe my documents that I wanted to be completely removed from Google Docs will never be deleted.

But it does not stop here: Maybe you noticed in the movie that we signed out of Google docs before we retrieved with the specific URL the image from within document1. And maybe you noticed that we did not have to sign in to retrieve the image, Google Docs did not ask us for user and password. We shown that Document1 was not shared and not published, so it is really a private document. But never the less we can access a part of this private document without having to log-in into Google Docs!
This is in addition to the deletion issue another problem: If a URL (that is difficult to guess) is giving access to parts of private documents on Google Docs without asking for user-id and password how can one easily believe in Google Docs privacy statement as shown below?

Step7

Pure speculation:

What if Google would not only have an issue with deletion of documents on Google Docs?
What if also none of your mails would be ever deleted?
What if even a draft of a mail that you wrote but that you never sent and that you even never saved would be still stored on Google Mail because the new Google Mail “auto-save” feature saved it anyhow?

This would be not problem at all because you have nothing to hide?
You never wrote something where you later were happy that you did not share or sent it to someone (you boss, your wife)?
You would not feel uncomfortable if there is even only a theoretical small chance that people can still at some point get access to this against your will?

Conclusion:

The good thing is that Google Docs is still in Beta and things can change until it goes into release mode. But chances are higher that something will happen when we bring our privacy concerns to the attention of Google and also to the attention of all others that are offering to us either free or paid services on the Web.

It is our responsibility. Let us choose wisely what and what not we are using as the the core of our personal information infrastructure.



Bookmark Buttons
Bookmark this: Digg Bookmark this: Del.icio.us Bookmark this: Facebook Bookmark this: StumbleUpon Bookmark this: Google


Juli 15th, 2007 at 11:15 pm and is filed under Issues explained. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

65 Responses to “Privacy issue: Google Docs seems to not delete but only hide documents when the trash is emptied”

  1. Michael Harrison Says:
    Juli 16th, 2007 at 7:35 pm

    If you care about privacy why would you ever use a product that forces you to store drafts and documents on their servers?
    They may “promise” that your information is secure but if you pay attention to any of the news from the last several years about various security breaches, it’s clear it doesn’t matter what they promise.
    They may even change their minds without any advance notice.

  2. Ralf Scharnetzki Says:
    Juli 19th, 2007 at 2:58 pm

    I agree with you completely. The point of this article is to provide those that maybe would trust the big service providers with concrete evidence of an existing issue.

  3. Google Documents Can’t Be Deleted Entirely · New York Articles Says:
    Juli 31st, 2007 at 3:53 am

    [...] Ralf Scharnetzki found that things are not that bright. Each image included in a document has its own public address, even [...]

  4. Matt Says:
    Juli 31st, 2007 at 10:15 am

    Unbelievable. I use Google Docs on a daily basis, for a variety of tasks, and this really makes me question the security/privacy of my data.

    Wake up Google! This is unacceptable.

  5. Never Store Private Details in Google Docs - Private Docs can be accessed through Public Link even after Deleting Says:
    Juli 31st, 2007 at 1:57 pm

    [...] from the trash bin and you can still access your deleted private file through a public link. Read Scharnetzki´s line of reasoning for [...]

  6. Google Docs Privacy Concerns - CyberNet News Says:
    Juli 31st, 2007 at 6:30 pm

    [...] Scharnetzki discovered a way that Google is not protecting a user’s privacy as much as they should. It all stems from the [...]

  7. The Journal of Missing Hours » Blog Archive » Links for 2007-07-31 Says:
    August 1st, 2007 at 1:32 am

    [...] Docs returns the vintage sorting options from the previous incarnation. But also worth a read is Ralf Scharnetzki’s newly discovered security loopholes in Google [...]

  8. Google sempre più spione « Aniceweb Says:
    August 2nd, 2007 at 5:28 pm

    [...] Per saperne di più: http://www.line-of-reasoning.com  [...]

  9. Matt Cutts Says:
    August 4th, 2007 at 12:36 am

    Hey, some other Googlers saw this and asked me to post their response. Here’s what they wanted to say:

    “Because Google Docs and Spreadsheets (GDS) is often used for posting content to external websites (e.g., via our blog publishing feature), images linked to by GDS are maintained so that we don’t break any external sites that might be displaying them.

    However, we hear clearly that users want more control over images, so we’re working on adding a feature to provide this control. In the meantime, please contact GDS support and we will be happy to purge images from your account.”

    And I just wanted to say thanks for mentioning this.

  10. Google Documents Can't Be Deleted Entirely · Articles Says:
    August 5th, 2007 at 6:39 am

    [...] Ralf Scharnetzki found that things are not that bright. Each image included in a document has its own public address, even [...]

  11. Google Documents Can’t Be Deleted Entirely « Webmaster Tech Blog Says:
    August 6th, 2007 at 9:34 am

    [...] Ralf Scharnetzki found that things are not that bright. Each image included in a document has its own public address, even [...]

  12. Ralf Scharnetzki Says:
    August 7th, 2007 at 10:44 pm

    Thank you Matt for sharing with us the perspective of some other Googlers about this issue. It looks like that Google will support in the near future additional file types (like Presentations http://googleblog.blogspot.com/2007/04/were-expecting.html) in the “virtual file system” of GDS. Not only from the perspective of the user the question of access and guaranteed file deletion should be addressed in the most professional way. If Google wants to play a dominant role in the future of everyones Personal Information Infrastructure it could be a mission critical success factor that the equivalent of a file system (if there is such a thing) is understood as THE basis to provide over time a growing number of applications as services to users on top of it. It would be probably also in Googles own interest that this basis not only would deliver all expected functionality but that it would also be secure, stable and reliable.

    PS: Before I forget – Can you maybe find out for us if the document that was deleted was really deleted or if it is still existing in GDS in the same way as the embedded image? Thank you once again!

  13. rod Says:
    August 18th, 2007 at 9:02 am

    wtf, august 18 and i just saw the image. not that i’m actually surprised (everyone knows gmail is not deleted in a long long time) but this is just insane.

  14. Jitendra Manaswin Says:
    September 13th, 2007 at 10:31 pm

    I’m surprised. Image is still displaying. I love google but this is really unacceptable.

  15. John Says:
    Oktober 15th, 2007 at 10:29 am

    Image is *still* displaying today ! :O

  16. Papa G Says:
    Oktober 29th, 2007 at 12:00 am

    Oh well. Just hope it gets fixed.

  17. Stella Morabito Says:
    November 25th, 2007 at 12:08 pm

    Apparently nothing has been modified, yet…

  18. Evert Makinen Says:
    Dezember 9th, 2007 at 10:17 am

    Just came across your piece today about the Google privacy loophole on Google docs. Here it is, December 9, 2007, and I was able to download your file and, using Windows Picture and Fax Viewer, read your Notepad note.
    FWIW

  19. Michael Says:
    Dezember 19th, 2007 at 8:52 pm

    This is crazy to never delete google docs. They must have a large storage facility. I could download the document easily. I wonder if someone could use a program to randomly download and harvest pictures using the url that should be private but are really public. Computers can find valid images faster than I could. This would be a problem if you one used this to find out what people are putting on their documents. Good thing I don’t put any picture on googledocs I wouldn’t want others to be able to access. One thing though is you can not find out who owns that particular document. That’s good. Well see ya round.

  20. Jens Scharnetzki Says:
    Dezember 31st, 2007 at 5:10 pm

    Today is the last day of the year and the image is still online and accessible. Perhaps they will handle it in 2008.

  21. Nico WM Says:
    Januar 21st, 2008 at 2:49 pm

    Over 5 months since the “deletion” and three weeks since Jens last message: no progress whatsoever. Talk about a loooong purge cycle…

  22. MgrofChaos Says:
    Januar 30th, 2008 at 3:16 pm

    Well, I just downloaded it today. :::shaking head:::
    SkyNet is active, folks!

  23. Be aware: You will not be able to delete from Google Docs any image embedded in your Presentations | Scharnetzki´s - line of reasoning Says:
    Februar 3rd, 2008 at 5:27 pm

    [...] issue is not new: In July I shown this problem to Google ( you will find in this article a video that is describing the details of how you can get to the specific URL so that you can test [...]

  24. Matt Says:
    Mai 23rd, 2008 at 11:27 pm

    Still there! ;-)

  25. Aaron Says:
    Juli 16th, 2008 at 1:44 am

    The links is STILL up! Way to go Google!

  26. jjm Says:
    September 18th, 2008 at 1:14 am

    The image is still visible on 17 September 2008

  27. Matt Says:
    Oktober 6th, 2008 at 6:37 pm

    Yep, you guessed it! Still there…

  28. may Says:
    Dezember 5th, 2008 at 4:59 am

    Dang – Dec 4, 2008, Still there… I’ve been doing tests of my own. So IS there a way to unpublish stuff in the vast cyber url black hole?

  29. heerschlag Says:
    Mai 9th, 2009 at 6:36 pm

    Holy crab!!!!!!!!!
    Still nothing fixed; thanx for this article. I was hardly thinking about using Google-Docs.
    Now I won’t.

  30. canny Says:
    Juni 16th, 2009 at 5:38 am

    It seems to me that this article is a bit misleading. The document they specified sharing property and later deleted was Document1. Note that nothing is said about the image file stored on google Docs. It is fairly possible that the image is set to be shared and never deleted. In this sense, it is quite reasonable the image is accessible by everyone.

  31. rchard2scout Says:
    Juli 6th, 2009 at 8:11 pm

    lol, still not fixed

  32. concerned with google's tactics Says:
    September 3rd, 2009 at 5:19 pm

    when on opens up an email attachment using google docs, it saves an editable copy on their server automatically.

    google docs should not save an editable copy on their server without asking first. and at a minimum, they should provide an option to delete it afterwards, which they do not.

    it does not matter whether i am the only one with the link to that doc. i do not want my personal documents on their server, period.

    not knowing what other zealous tactics google is using, i will stay away from google docs app. the app is not worth risking my privacy.

    just look at their blunder from March 2009, where many people’s documents were ‘shared’ without their permission. just stay away.

  33. DK Says:
    Dezember 10th, 2009 at 8:42 am

    in the video, you never logged out of your gmail account. only your google docs. therefore you would still be able to access you google doc.

    As far as the link still working…

    don’t you people realize that the maker of the video could have just put that stuff back up to make you think it still existed?

  34. Budoboy Says:
    Januar 26th, 2010 at 5:09 pm

    This is indeed a problem. We came across this the other day as we were trying the new “Upload any File” feature. The file is uploaded to Docs, and if it is an image file, Google creates a preview of the image file and stores it an an unsecured URL. Anyone and their mother can just enter that URL in any web browser and see a copy of the image that was uploaded. If you delete the uploaded document from Google Docs, the image preview file still exists at the unsecured URL. This is a major blow to Google for anyone who has considered Google Apps for Business. I don’t know how companies like Motorola and others can use Google Docs(which they say they do) without this being an issue for them. I guess this behavior has been around for years and Google has come up with some lame excuse regarding images linked to other blogs and websites from Google Docs. This had been less of an issue for Google since it only dealt with embedded images in Docs. Now that you can upload any file type to store up on Google Docs(especially images), it is going to create huge security concerns for storing sensitive files at Google.

  35. Benjamin Chen Says:
    Februar 25th, 2010 at 1:51 pm

    Hi,

    as of today, 25 February 2010, the link still works. Looks like Google is still not fixing this issue.

    Also, for DK above, pleae note that Google is designed that once you log out of one application in Google, you log out of Google completely. so for example, if you log out of gmail, then you are automatically logged out of google docs, google news, etc.

    I am a small business owner, and I use Google docs to store a lot of my documents, like PDF files of research papers. i never store my important data with Google. That is a no no. I use Microsoft office, and my most important data is stored on a flash drive, or a USB hard drive, which I always have around me. It is encrypted, in case I lose the data, and some thief picks it up. And that is not even half-ass secure, but at least it will prevent against common threats.

  36. Google Docs Info | Helix Zone Blog Says:
    April 20th, 2010 at 6:52 pm

    [...] http://www.line-of-reasoning.com/issues/privacy-issue-google-docs-seems-to-not-delete-but-only-hide-… [...]

  37. helix2301 Says:
    April 20th, 2010 at 6:54 pm

    I never store anything of importance on google docs. After reading this I am glad now that I don’t.

  38. Pandra Says:
    Juli 5th, 2010 at 12:01 am

    This sucks. We have been using Google docs for easy doc sharing. Will have to move to a server.

  39. Note-Taking Tools « Lumber Tribe Says:
    Juli 25th, 2010 at 3:34 pm

    [...] other things, especially when I need to edit a doc with several other people. But Google Docs has privacy issues, and there are anecdotal tales of lost and censored documents all over the web. Which would [...]

  40. -- Says:
    September 14th, 2010 at 7:54 pm

    Image still there as of 9/14/10. That’s one hearty jpeg.

  41. Jeepers Says:
    September 23rd, 2010 at 3:54 am

    The fact that this image is still there, while Google is well aware of it, is very disturbing. I read other articles about Google docs, and that Google assumes a “shared” ownership of any documents stored there. So it has a right to scan everything and then uses the scans to create targeted ads to the gmail accounts associated with the docs. My concern is with universities and such who use Google Docs and Gmail. Google is datamining on a scale unheard of, and storing all that info, along with your sign on, your IP address, your search history…. get the picture? They will soon have a very accurate profile of every person who uses their free services. Ingenious, but a bit scary too….

  42. Crumsley Says:
    Dezember 1st, 2010 at 6:13 am

    Just wait till Sarah Palin wins the 2012 election, Patriot Act ][ is passed, and the US Attorney General subpoena’s all of Google’s search histories to find “Potential Terrorists” and others guilty of “Thoughtcrime”

    All you Google nerds who defended Google will see the day when the government acts so irrationally, and perverts that hivemind google is storing. It’s coming folks. Don’t be evil.

  43. mtb Says:
    Mai 15th, 2011 at 6:39 pm

    Image still there now

  44. jdelano Says:
    Juni 27th, 2011 at 6:03 pm

    It can still be accessed today, what part of delete does google not get?

  45. Mark D Says:
    Juni 27th, 2011 at 9:31 pm

    Just checked today, 6/27/11. The doc is obtainable.

  46. Google Docs doesn’t want bad news « Jack Yan: the Persuader Blog Says:
    Juli 23rd, 2011 at 7:58 pm

    [...] images are also wiped. Those who use the service might wish to take heed.    In 2007, Ralf Scharnetzki created a private, unpublished Google Docs document, with an image. He deleted the document. However, three years on, you can still access the image [...]

  47. Wikzo Says:
    September 23rd, 2011 at 2:12 pm

    It is 23/9/2011 and the image is still online.

  48. stillthere Says:
    Oktober 25th, 2011 at 6:25 pm

    Still there. October 25, 2011

  49. Anderson Says:
    November 9th, 2011 at 10:33 pm

    Still online, 4 years on.

  50. Google Non-Privacy Says:
    Februar 7th, 2012 at 9:08 am

    Your completely deleted Google Docs image is still accessible in February 2012. And it’s only a few weeks until Google’s new privacy policy takes effect, allowing it to share user information across its various products and services. I wonder what the ramifications are of all the “permanently deleted” images that Google is permanently storing?

  51. Google Docs Security Info - Lipani Technologies BlogBusiness Computer Systems Done Right Says:
    April 13th, 2012 at 3:26 am

    [...] Google Docs Security Info Leave a comment » http://www.line-of-reasoning.com/issues/privacy-issue-google-docs-seems-to-not-delete-but-only-hide-… [...]

  52. Ramandeep Says:
    November 6th, 2012 at 5:03 am

    Even in November 2012 I can still access that screenshot. How come?

  53. Dragon Says:
    November 14th, 2012 at 5:06 am

    Nov 13, 2012… Still there!

  54. Google still hasn’t removed “deleted” private Docs data from 2007 | My Daily Feeds Says:
    November 14th, 2012 at 3:49 pm

    [...] Hacker News http://www.line-of-reasoning.com/issues/privacy-issue-google-docs-seems-to-not-delete-but-only-hide-… This entry was posted in Uncategorized by admin. Bookmark the [...]

  55. Nathan Alden, Sr. Says:
    November 14th, 2012 at 3:51 pm

    LOL @ Google.

    I guess that planned update’s taking a bit longer than expected, eh?

    Or was it just a lie. Hmm, I wonder.

  56. name Says:
    November 14th, 2012 at 4:30 pm

    Had the same issue on 512px.com > saved the full url to test whether the image would actually be deleted. It was still online (amazon s3) after 8 weeks.

    Can’t trust any (free) provider with your data these days.

  57. Not surprised Says:
    November 14th, 2012 at 5:51 pm

    Guys? We’re talking about Google, remember them sniffing passwords in the wild? The only reason they “care” for privacy is to keep the customers content, if they had their way they would store number of breaths you take during your lifetime and how many flowers were placed on your grave.

    Obviously in this case they care more for a couple of URLs (which should’ve been invalidated if the document is deleted, no?) than your privacy.

  58. dan Says:
    November 14th, 2012 at 7:10 pm

    The documents are retained because the American intelligence machine has forced, through secret and unpublished law that requires secret retention of information and prevents any of the companies from discussing or even acknowledging that they are working with the ONI and it’s offshoots.

  59. dan Says:
    November 14th, 2012 at 7:13 pm

    This is not even just a privacy or security matter…it is also a matter of vulnerability to industrial espionage.

  60. Google Docs хранит «удалённые» документы пользователей с 2007 года | Bur-IT.ru Says:
    November 26th, 2012 at 10:25 am

    [...] Ральф Шарнецки (Ralf Scharnetzki) в далёком 2007 году привёл доказательства, что документы: а) хранятся на хостинге Google Docs после [...]

  61. Fan boy Says:
    Januar 14th, 2014 at 2:14 pm

    You’d be happy to know that the image is no longer there. Only took 3 years.

  62. David | MagicsubmitterReviews Says:
    Januar 30th, 2014 at 10:23 pm

    If only we’d had all paid attention to posts such as this from 2007.

    Google (and Facebook and others) know so much about us, is it any wonder that the NSA and GCHQ among others use their data to spy on us all.

  63. average joe Says:
    April 1st, 2014 at 6:08 pm

    I just got notice my son’s Jr. High signed up all the studnets with a google’e Gmail to access ggogle docs.
    I asked the school if they used anonymous names for trhe accounts but have not heard back asa yet. What and enourmous privacy invasion, to profile students as minors. A google+ account now begins tracking each and every one of them. I will need to explain all this to my son. SIince i work in IT I have the household’s devices all blocking google and Ixquick is our default search engine. But now to do homework i have to make an exception to google docs at home for my son to do homework? This is criminal. DNT and ghostery are greatat blocking google but only at home. Does this bother anyone out there? Google’s CEO claims kids will have to get new identities once they tarnish their original. What a way to begin – being tracked by google as a teen. Skynet third reich!

  64. elmo dufen Says:
    Mai 28th, 2014 at 9:15 pm

    The reference to the third reich is very apposite. Think of the fun Hitler & Co would have had with the data held by the mass data harvesters of today.

  65. Google Documents Can’t Be Deleted Entirely | Google Operating System Says:
    Dezember 4th, 2014 at 4:01 pm

    [...] Ralf Scharnetzki found that things are not that bright. Each image included in a document has its own public address, even [...]

Leave a Reply