301 points by tysone 5 days ago
[I'm a googler, who works in Apps, but not directly on anything relevant here].
This article mentions Access Transparency
> By default, G Suite Enterprise enables a feature called Access Transparency, which allows administrators to see who has looked at each document within the organization.
But gets it a bit wrong. Access Transparency is a log of any Google employees who have looked at stuff in your domain. From the official site "Access Transparency logs provide information about actions of Google staff when they access your data.". Which is a nice way of knowing that Google employees aren't randomly snooping on your files.
Only downside over a self-hosted solution is that legal requests won't always create an entry in access transparency.
The point of eavesdropping would largely be defeated if the person can find out, so I get why it's a part of law.
The thing about NSLs is the target often never finds out because there were no public investigations or courts involved.
I remember reading a particular drug investigation had over 50 wiretaps including the mother's and sister's (of the targets) smartphones because they sometimes used their phones for business, which is pretty common in poorer households. I've always been curious if they found out afterwards.
In The Wire they had a scene where they would pause the audio if it's only someone else talking after x amount of time. But I highly doubt every single text, picture, and message sent to the person isn't being seen by at least one person.
If you selfhost, you'll definitely find out if you get a NSL. That's the advantage.
Only if you 100% completely selfhost (machine running in the basement?). Otherwise they could compromise your hosting provider at various different levels of the stack.
Come to think of it though, even if you put your own machine in your own basement, they could just come in when you're not home and rootkit your box in numerous ways, and you'd probably never know barring some pretty heavy security.
State level actors are very hard to defend against, especially when it's your own state.
There is a lot of law associated with residences, often constitutional, that does not protect you when the access is to a provider.
The mere existence of a local alarm can greatly increase the risk of getting caught when going into a residence. State level actors really hate getting caught. They tend to be the sort of people who do not deal very well with uncertainty.
It's a matter of scale. How many experienced covert ops / TAO teams do you think the FBI has? Are they going to do a covert entry to your basement, deploy a custom software or hardware implant, watch you, retrieve their implant, etc? They would have to have probable cause, and in any case they don't have the budget or people to do many.
And you can actually make it incredibly hard quite easily -- do everything on an iPad with a strong passphrase and no network connection (except occasionally to get software updates from Apple), keep it in a decent tamper evident safe (not a money safe), a painfully loud alarm with PIRs, in a location where people are around.
Contrast that with surveillance via grep.
"Which is a nice way of knowing that Google employees aren't randomly snooping on your files."
Does it do that? Or does it just show you times that Google is willing to tell you Google employees snooped on your files?
The generic answer to these concerns is usually the following: if a (well-known, very scrutinized) company such as Google writes that kind of promise in public documentation that is part of a binding contract with paying customers, there is a good chance they won't purposefully break that agreement, and risk being caught by an audit, just for the sake of accessing someone's personal data.
That's great, but it's only true until it isn't. The moments when that idea is false (however rare) are the life altering, permanent moments that result in irrevocable ruin for whomsoever might dare trust the promises and honor of [faceless corporation].
The truth is twofold.
One: if the barrier can be melted according to magic rules, then it is no real barrier. It is a sweet candy coating that melts in your mouth, not in your hands.
Two: if a corporation is made of many incidental strangers who happen to share an employer for overlapping moments in time, and the system has at least one authorization bypass, then so does the audit trail.
If you don't think corporations implode, suffer from disgruntled criminal employees, sell out to rivals, go completely bankrupt, or land themselves in jail, then bet all of your secrets on the idea that what they tell you is 100% truth.
Yep, a solution exists though. Here's how you get there:
* Strong identity: employees must be strongly identified before acting.
* Multi-party authz: nobody ever acts alone. One person can't be trusted, two people might be, M of N effectively represents the company.
* Noisy security: making a change to security parameters notifies all relevant parties in a way that intentionally avoids notification fatigue. You can't sneak a change through.
* Full auditability: even after the fact you can readily unravel what was done, seeing what the old state was, what was changed, who made the change, and who approved it.
Get those points, and a few other minor details, and this larger problem actually becomes tractable.
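An added example, not part of the comment above and not any provider's real tooling: the four properties in that list applied to a single security setting, with a hash-chained audit log. The employee names, keys, the threshold of 2 and the `GuardedConfig` class are all hypothetical.

```python
import hashlib
import hmac
import json

# Constructed sample identities. Per-employee secret keys stand in for strong
# authentication (hardware tokens, certificates) in a real deployment.
EMPLOYEE_KEYS = {
    "alice": b"k-alice", "bob": b"k-bob",
    "carol": b"k-carol", "dave": b"k-dave",
}
REQUIRED_APPROVALS = 2  # the "M" in M-of-N; hypothetical policy value
GENESIS = "0" * 64      # previous-hash value for the first audit entry


def sign(employee, change):
    """Strong identity: a token binding one employee to one exact change."""
    msg = json.dumps(change, sort_keys=True).encode()
    return hmac.new(EMPLOYEE_KEYS[employee], msg, hashlib.sha256).hexdigest()


def _entry_hash(prev, record):
    body = json.dumps(record, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()


class GuardedConfig:
    def __init__(self, state):
        self.state = dict(state)
        self.audit_log = []      # hash-chained entries, append-only by convention
        self.notifications = []  # (recipient, message) pairs

    def apply_change(self, requester, key, new_value, approvals):
        """Apply key=new_value only with M valid approvals from other people."""
        change = {"requester": requester, "key": key, "new": new_value}
        valid = set()
        for approver, token in approvals.items():
            # Multi-party authz: the requester cannot approve their own change.
            if approver == requester or approver not in EMPLOYEE_KEYS:
                continue
            if hmac.compare_digest(token, sign(approver, change)):
                valid.add(approver)
        applied = len(valid) >= REQUIRED_APPROVALS

        # Full auditability: old state, new state, who asked, who approved.
        # Rejected attempts are recorded too.
        record = dict(change, old=self.state.get(key),
                      approvers=sorted(valid), applied=applied)
        prev = self.audit_log[-1]["hash"] if self.audit_log else GENESIS
        self.audit_log.append(
            {"prev": prev, "record": record, "hash": _entry_hash(prev, record)})

        # Noisy security: every party hears about every attempt.
        verb = "changed" if applied else "tried to change"
        for person in EMPLOYEE_KEYS:
            self.notifications.append((person, f"{requester} {verb} {key}"))

        if applied:
            self.state[key] = new_value
        return applied

    def verify_audit_log(self):
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = GENESIS
        for entry in self.audit_log:
            if entry["prev"] != prev:
                return False
            if entry["hash"] != _entry_hash(prev, entry["record"]):
                return False
            prev = entry["hash"]
        return True


def demo():
    cfg = GuardedConfig({"access_logging": True})
    change = {"requester": "alice", "key": "access_logging", "new": False}
    alone = cfg.apply_change("alice", "access_logging", False,
                             {"alice": sign("alice", change)})
    with_two = cfg.apply_change("alice", "access_logging", False,
                                {"bob": sign("bob", change),
                                 "carol": sign("carol", change)})
    return alone, with_two, cfg.verify_audit_log()


if __name__ == "__main__":
    print(demo())
```

The chain only detects rewriting if the latest hash is also held by someone outside the party being audited, for example the customer.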
You know, we, working at Google, are people, right? We have moral and ethical standards just like everyone else. Many (but not all) of us also aren't locked in to Google and can find employment elsewhere easily but choose not to.
The following isn't about Google as such: Thing with a disgruntled criminal employee is that they don't usually come in bunches and don't collude because they can't easily identify each other. Which means they can't generally commit such acts and then also corrupt a whole 'nother department to cover it up.
Trusting your privacy on the moral and ethical compass of every individual at giant corporations is incredibly foolish. If this is a wide-spread belief at Google, it only further erodes my trust in the company.
It's not every employee, but rather something like any. As in: any employee with access to user data can check that their actions are logged correctly.
This doesn't protect against government action, and not against Google leadership specifically targeting you. But it does prevent the (rather common) abuse of such access by regular employees.
> You know, we, working at Google, are people, right? We have moral and ethical standards just like everyone else.
Could’ve fooled me. Or maybe your standards are just particularly low. Do you mind explaining where surveillance capitalism fits into your principled worldview?
> We have moral and ethical standards just like everyone else.
No, you don't. If that were true then you wouldn't be working at Google. Google has already passed the threshold where you can claim bonus points in the ethics department just for working there. That ship sailed long ago.
"If a well known agency such as the FBI writes that kind of promise in congressional hearings ... "
I'm not entirely sure the old generic answers apply these days...
There's at least one major difference here, which is that corporate entities don't have sovereign immunity. The CIA and NSA are immune from consequences when they systematically abuse our rights.
That may be a de facto outcome but I don’t think there is a de jure legal basis there.
Who audits Google? Serious question.
This suggests they are SOC compliant, among other things, and have been audited by an independent accounting firm: https://support.google.com/googlecloud/answer/6056694?hl=en
SOC seems to be the gold standard in terms of what enterprises are asking for, these days. Not that it addresses all the concerns as discussed here, but it does probably start to answer your question.
According to this: https://support.google.com/googlecloud/answer/6056650?hl=en
E&Y does (apparently), and Google is compliant with some ISO standard for software security. See "Does giving Google access to my data create a security risk? How does Google ensure that its employees do not pose a threat?"
Your assumption is that the company will knowingly access your data, but the more likely scenario is that a rogue employee working for your competitor (or simply looking to start their own startup) will access and steal your data/code/client list.
Right. As an end user how can I actually verify that instead of just taking Google's word.
This is a difficult argument to counter; for instance, are you sure that Signal can't decrypt your messages? If so, do you remain sure knowing that they can update the app?
As a security person I really can't think of any service (or piece of hardware) which I think satisfies the threat model where the provider is both clever and truly hostile.
You can verify what the binary did while you were watching. You can't verify what it did before, or what it will do next. OP said hostile and clever, and part of clever is only being hostile when nobody is watching. Apps that don't snoop constantly, delay transmissions, and hide transmissions in existing and expected communication channels are much harder to catch.
No, I'm saying, you can crack open the binary and see what it's capable of doing. If Signal wanted, it could obfuscate itself in various ways to make that hard, but (1) you'd notice that pretty quickly (that the code was hinky) and (2) Signal does not in fact want to do that.
You personally might not be able to do that (but then, you personally might not be able to spot a defective authenticated key exchange either), but people can. Once someone spots the "Signal Backdoor", that's it for Signal. There's a lot of incentive to do that legwork.
In contrast, G Suite could be comprehensively backdoored, and you'd have no way of knowing, no matter what your level of systems programming competence. I'm not saying they are backdoored; I rather doubt that they are, and I myself trust G Suite more than most other applications I use. But the point is, the trust you have to have in G Suite is different and more demanding than the trust you have to have in Signal.
This assumes that everyone gets the same binary, and the binary doesn't get updated. There is no reason that the binary delivered to your phone by the Google Play Store needs to be the same as the binary delivered to a reporter's phone.
Even if we can trust the binary (and I agree, with Signal as the example we probably can), the application distribution mechanism and the underlying OS and its update mechanisms are still a problem.
> There is no reason that the binary delivered to your phone by the Google Play Store needs to be the same as the binary delivered to a reporter's phone.
That's moving the goalposts to individual targeting, though. The individual targeting scenario is not that interesting because, as the winged quote from the technical literature goes, "YOU’RE STILL GONNA BE MOSSAD’ED UPON".
There are still mechanisms to mitigate reliance on trust.
If you truly cared you wouldn't download it from Play Store and you wouldn't use a stock Android ROM.
Of course that moves the problem up to the firmware level but the attack space is getting narrower.
With G Suite you rely on trust from the ground up.
> As a security person I really can't think of any service (or piece of hardware) which I think satisfies the threat model where the provider is both clever and truly hostile.
...I can. Disconnect from the internet.
It's a pain, and it won't be useful advice in many cases, but if you're a newsroom doing sensitive investigations on powerful individuals? I could make a case for it. Although, you'd want to ditch G Suite.
(You can certainly think up clever attacks that work without internet, but disconnecting really does remove most vectors.)
The threat model does not need to be that the provider as a whole is truly hostile. It could be "a rogue employee went snooping" or "the server got hacked" or "there was an access control bug."
Instead of "trust us to keep your data", what if Google said "we don't have your data." That would give me more confidence, since it both makes the hostile actor's job much harder and it's also easier to verify.
It may be that we never can say "Google employees aren't randomly snooping on your files."
We shouldn't start saying it for things that prove nearby but entirely different things just because we won't ever be able to say it definitively.
"Google is willing"? You make it sound like there's a person making a decision. The system is automated, there's no mechanism for employees to be unwilling.
A lot of effort goes in to ensuring that audit trails are non-optional.
While they may not have used the correct terminology, the issue itself is correct. You can, by default, see who all in the org have viewed a document.
Oh absolutely, but that's a different feature that they also mention (and imo a less interesting one).
I want a list of any google employees who have looked at my Gsuites
How do I get that list?
Read the docs for access transparency and follow the instructions. I don't admin a gsuite domain so I don't actually know the sequence of buttons to click to view AT logs.
> Which is a nice way of knowing that Google employees aren't randomly snooping on your files.
Why would I, as an end user, be given to trust this if I think Google employees are snooping in my files? I have no way to audit how this is kept, so I'd have to assume that any Googler snooping these files is either doing so using a backchannel that is not audited or the log is a no-op.
What's your threat model?
If your worry is Google, as an organization, is actively trying to steal your stuff, that's one thing. If your worry is a rogue google employee is doing some unsanctioned thing, that's another. This (imo) mostly helps with the second, unless you also assume that Google as an organization is fairly inept and so can't log things reliably.
> What's your threat model?
Government action that I'm left in the dark over.
If the government is interested in something from my mail servers, I'll see the legal request or judges orders and will know what is going on, and will be able to take appropriate action.
If the government makes appropriate legal threats against Google, I won't necessarily know (National Security Letters) until long after the fact.
If your threat model includes the US government, then I would expect you would self-host anything sensitive. Even then, there's still the possibility that they could exploit some 0day they've been stockpiling, and root your servers without leaving a trail. Certainly harder than sticking Google with a gagged NSL, but possible.
But I don't think most people's threat model includes the US government. Probably not even most news organizations.
> If the government is interested in something from my mail servers, I'll see the legal request or judges orders and will know what is going on, and will be able to take appropriate action.
Or the mail servers of the person/people you're communicating with. At which point you wouldn't know, because they'd be subject to the same laws, and less well equipped to fight them.
I'd like to add an additional possible threat model that gets ignored pretty comprehensively and, in some cases, intentionally: Your data being fed to automated systems that provide summaries or derivative information based upon your data. People ignoring this is behind much of the NSA's snooping. They believe that until a HUMAN operator views the cleartext of some communication, the communication can not legally be said to have been 'intercepted' at all. And if you look up any statement ever made about reforms done at the NSA after Snowden's revelations, you will find that all of them, every single one, spoke exclusively about human analysts reading communications directly. They avoided addressing analysis, profiling, ML training, summarization, and other automated things very intentionally. The government has dropped a good many cases, serious cases involving child pornography even, to avoid ever testing this idea of theirs in court. We learned about this particular legal opinion of theirs (which would almost certainly never survive any court challenge at all) before Snowden even, back when the AT&T whistleblower came forward.
The likelihood a company like Google is reading your emails directly and trying to scoop your business on a product idea or something like that is slim. The likelihood they are profiling your communications in aggregate and producing derivative information like "how many companies in the space are considering hiring" or "do the employees at this company talk about Chipotle" and using that for advertising or data products is, I would guess, pretty high.
I wouldn’t trust a company with personal data while their main business model depends on violating your privacy, just like you wouldn’t trust an alcoholic with guarding a warehouse full of vodka.
The only way to be somewhat sure is to deal with companies that have zero uses for your personal data - this will not mitigate the risk of a malicious employee poking around but will at least mitigate the risk of large-scale data misuse like ad targeting because there’s simply no ads to target and no infrastructure to do so.
In this context, we're discussing gsuite, which doesn't use any data for ad targeting.
> No. There are no ads in G Suite Services or Google Cloud Platform, and we have no plans to change this in the future. We do not scan for advertising purposes in Gmail or other G Suite services. Google does not collect or use data in G Suite services for advertising purposes.
We're talking about a company that makes the bulk of its money with ads, running a (supposedly ad-free) product on the same infrastructure that the ad-contaminated products run on.
There's both a risk of accidentally misusing data given the two services share infrastructure and code, as well as a business incentive to commit such "accidents", especially given both Facebook and Twitter set a precedent that there's absolutely no downside in doing so.
If you don't trust that the access transparency log is genuine then why on earth would your files be in G Suite in the first place?
At the end of the day, you want to trust that your provider isn't out to get you, otherwise why are you even a customer (Oracle gets a free pass, because reasons). However, you want to know that they're serious about their claims, and transparency in their tools and processes is a big part of that.
Access Transparency is a new feature, and for some reason pre-existing customers used G Suite before Access Transparency.
Sure, I was one of them. But if your distrust of Google is high enough to believe that Access Transparency is basically a fake feature (i.e that there is a way for Google employees to access your files without showing up in the logs, except for legally required reasons), then I don't see how or why you would be giving them your files in the first place. I don't think that level of distrust is unreasonable -- Google has proven to be a bad actor in many scenarios -- but I just don't see how you could be a G Suite customer at that level of distrust.
Because you've planted malware in sheets files and your account is a honeypot to catch the baddies.
I believe we should also support more open-source software here. Google Docs are no doubt the best and provide a lot of good functionality to its users. Even Office (365?) is getting good. LibreOffice is developing an online version which is at alpha stage I would say.
I recently installed Collabora Online (a packaged version of LibreOffice Online) on my Nextcloud server and it is working fine for basic document editing. And with Nextcloud, I am also able to get comments and chat on the side. Maybe they can integrate this feature more into documents/files.
Have you tried OnlyOffice? Integrates with Nextcloud as well. Licensed under AGPLv3 and works really well. I used Collabora before but I prefer OnlyOffice.
This is great. I looked at it previously but leaned towards LibreOffice for my case. I will try it.
CryptPad provides end-to-end encryption for collaboration on documents. It seems that the server will have some metadata, but no access to content. It would require some development to integrate with existing workflows, but the foundation seems solid.
If you don’t want your data encrypted at rest, self-hosting with Sandstorm would be a good choice.
Though it hasn’t happened yet (to my knowledge), putting CryptPad and Sandstorm together seems like a natural next step.
Edit: fix footnote numbering
I thought Sandstorm was shutting down? YUNOHOST seems cool https://github.com/YunoHost-Apps
The hosted-as-a-service version of Sandstorm is shutting down. Self-hosted Sandstorm will keep running as long as you want it to.
I've never understood the whole cloud hype.
Am I the only one who uses a (bridging) VPN to provide me with LAN-level access to an office-server, running Samba and locally hosting the office documents?
With Linux, OpenVPN and LibreOffice, my running costs are zero, and if you can install this yourself, so are your installation costs.
Wasn't this the standard before the cloud hype began? Was it too expensive/complicated/no experts available for SMOs?
You can always use a third party plugin like SyncDocs to do end-to-end encryption of Google Docs.
Although I have not tried it, there is also an office suite from KDE called Calligra: https://en.wikipedia.org/wiki/Calligra
> I believe we should also support more open-source software here.
Yes, I concur.
> Google Docs are in no doubt best and provide a lot of good functionality to its users. Even Office(365?) is getting good. LibreOffice is developing an online version which is at alpha stage I would say.
I'm having trouble understanding how you think Google Docs or Office 365 are open source.
I am sorry I was not clear with the language. I was trying to put current market players (open source or not) and compare them with an open source initiative, i.e. LibreOffice Online.
I used to be an SRE on Google Enterprise - I ran the Admin panel you see in the article, and worked on Docs infrastructure.
I endorse this message. It's important that people understand how the technology they use works. Yes, Google Docs are stored in a format legible to the company. There were tools such that they could be included in legal holds or subpoenas. There were no access tools that Google or Googlers could read those documents directly, but they absolutely were included in legal discovery tooling. You should be aware of that fact, just as you should be aware that your enterprise can read (and include in response to subpoenas, etc) your e-mail.
Since the article mentioned TOS Violations as a potential threat vector, I'll also share an interesting anecdote: Journalists using Google Docs were one of our worst headaches. It was not uncommon for journalists to put Google Docs links, or internal links, into stories - It got used as an image sharing service a lot. At one point, there was insufficient (read: No) caching on some of the Google Spreadsheets "Graph" features... and the NY Times embedded an image generated by such into their homepage. The mechanism that prevented that from taking down all of google docs was the same one that prevents abuse. Documents with poor sharing properties are likely to trigger anti-abuse mechanisms, and get that TOS message in response. It's not personal, and quite frankly - I'm in agreement with the message, because while not intentional, it is abuse.
> Yes, Google Docs are stored in a format legible to the company.
I would think that’s practically unavoidable if you want to support sharing of files and, in particular, concurrent editing.
It's definitely not impossible to make a collaborative end-to-end encrypted docs-like app, but it would add a lot of friction if you needed to be online, and on a computer that already has view access, to approve giving access to another person.
This sounds like you guys aren't doing your job correctly.
You're literally serving a text file with a browser based editor, this doesn't need tremendous amounts of caching.
If you can't handle the traffic a news article might bring to a google docs document, then you probably shouldn't be pushing for google docs.
I can't believe I'm having to say this to someone who used to be an SRE at Google, but this is literally YOUR problem to solve.
Crossing into personal attack is not cool on HN and we ban accounts that do that. Would you mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the spirit of this site to heart when posting here? We'd be grateful.
This is needlessly aggressive and a bit ridiculous - unless you've worked on Google Docs specifically (and I'll assume you haven't, since most people would disclose in this case if they had), you have no way of knowing the unique challenges for both engineering and scale they'd have dealt with.
I'd bet good money it's nowhere near as simple as "serving a text file".
> You're literally serving a text file with a browser based editor, this doesn't need tremendous amounts of caching.
Serving anything dynamic at thousands of QPS requires a lot of caching.
> Serving anything dynamic at thousands of QPS requires a lot of caching.
QPS = queries per second?
And if you can't pull it off, stop pushing everyone to use the cloud and your services.
The point is that Docs is a tool for collaboration on writing, sheets for collaboration on spreadsheets, etc. Unless you get a contract with Google to use it as such, these services aren't meant for hotlinking or adding dynamic content to your website or article.
Though they have actually gotten pretty good for these uses now. I imagine they have something that adds a cached layer - I sometimes get a due to high volume reduced functionality message for the open shared popular items (rather than just an access denied).
Ok I'm a little distressed by this tweet the article linked: https://twitter.com/Rachael_Bale/status/925352538110595072
It looks like it was a bad code push and it was being reverted? So, I mean, those things happen for non nefarious reasons. So unless people know it was for the actual text of the doc, I think it’s likely just an unlucky glitch.
Even if it was bad code that falsely flagged the Docs, wouldn't that still imply that Google are parsing Docs in some manner if they're able to be flagged for ToS violations in general?
I got the impression that Google reading your documents was the source of distress in the parent comment.
> ...wouldn't that still imply that Google are parsing Docs in some manner if they're able to be flagged for ToS violations in general?
Public documents in Google Docs are used as targets for spam or phishing campaigns pretty frequently. (The latter is usually by way of Google Forms, which can be used to drop content into a spreadsheet.) Google needs some way to allow this behavior to be flagged, and ideally to recognize it before it gets abused.
Private documents are another matter. Even there, though, I imagine they are obliged to scan some content, e.g. checking images against child pornography databases.
Is there empirical evidence of this type of pornography check being performed?
No, that may be a generic message wrongly assigned to the observed behavior.
I get it now. It may have (falsely) determined a violation from their behavior/use of Docs instead of the actual content of those documents.
Never mind my original comment then. That makes sense.
Well, the fact that Google scans your documents as you're writing them, and that they can summarily remove your access to the thing that you were working on for an indefinite amount of time, are both pretty scary for someone using Google Docs for work.
I'm sure it's just fine most of the time but I don't understand how people trust it for mission critical (or even just important) stuff.
Does anyone know if this situation would be partially mitigated if you've enabled online access to GDrive, i.e. syncing files to your hard drive?
Ha, journalists would be pretty high on a list of people to avoid annoying with your product errors.
I rely on Google so much. One glitch in Google code can cost me a lot.
You can hedge that risk with periodic backups.
You can even set periodic backups in Google Takeout now.
Yes but you can't set your own schedule and it's not incremental. On the positive side, you can now directly export to OneDrive, DropBox or Box.
The market for end-to-end encrypted office suite is pretty immature. There're products like Tresorit and GraphiteDocs, but they are more like text editors, than a full-featured word processor that newsrooms need.
One good google docs alternative is Zoho Writer (https://zoho.com/writer).
Zoho doesn't do funny business scanning content for Ads. You pay and you use the software, that's all (Source: I work @ Zoho). Even better, Zoho offers APIs to use just the editors, while allowing companies to retain their data within their own cloud - https://www.zoho.com/officeplatform/integrator/
For full protection, even against legal government requests, we might have to look at self-hosted solutions, which are again not very mature to call themselves a viable Google Docs alternative.
This is pure advertising for a competing product. G-Suite doesn't do any scanning for advertising either.
Thanks. Never knew this. But the fact something like this - https://www.zoho.com/officeplatform/integrator/ exists is useful information. So I wouldn't rule it out as "pure advertising".
How do you know this?
It's Google, they scan all they can and apologize later.
Below, some G Apps user was locked out of a single document for alleged ToS violations.
Clearly, some scanning is going on.
If you upload important documents or data to Google, as a firm especially, you are out of your mind.
If there are any journalists/news directors/managers on this thread, Nillium is building a system to manage reporting information/logistics for newsrooms. Basically everything for a story up to the point it's ready for a CMS. It will provide way better organizing and archiving within individual organizations, and across affiliated newsrooms.
We're still working through our security and encryption protocols, but would love to hear from you what your concerns may be - from the incredibly sensitive investigations to run of the mill police blotter stories.
I'd love to talk to you - jared AT nillium DOT com
> For a fun example, administrators have the choice to keep draft copies of emails, even after the email is removed from the draft folder. These drafts can even be ported into Vault minute by minute. In other words, administrators have the ability to read your draft emails live, or replay them after the fact.
I wonder why Google would develop tools to enable such creepy behaviour?
Not sure why you're being downvoted. I struggle to think of a legitimate business use for that kind of thing.
I’m sure lots of people reading HN know of plenty of providers for email etc that are not related to google, but what about all the other services? What are alternatives to things like google docs? SMB shares and suchlike can work as a replacement for google drive, but I don’t know of anyone (other than keybase) who has a strong security model for anything like that.
I use Sandstorm.io with Etherpad, EtherCalc, and Wekan. It doesn't get a lot of active development right now but its security model is pretty solid.
Self-hosted, I'm assuming? Their hosted service is shutting down. https://sandstorm.io/news/
I'm actually currently on that hosted service, but will be finding time to migrate soon!
https://www.zoho.com/writer - no content scanning, no ads. Just pay and use. Free for personal use.
The biggest issue that I see here is journalists getting locked out of their accounts, on claim of violating the TOS, with no explanation given, and likely no human in the review process. If true, then this is bad enough that I would suggest that nobody ever use Gsuite ever again, not just journalists.
I urge you guys to check out some of the decentralized alternatives that are built on Ethereum or Lightning network. Here are some decentralized apps from Blockstack's App Mining program that have been gaining a lot of traction lately:
- Dmail (Gmail alternative): https://www.dmail.online/
- Recall (Google Photos alternative): https://app.recall.photos/
- Arcane Office (Google Docs/Office alternative): https://docs.arcaneoffice.com/
- Forms.id (Google Forms alternative): https://forms.id/
- Arcane Maps (Google Maps alternative): https://arcanemaps.com/
It's not just Google you need to be worried about. Your data could easily be subject to a government surveillance request, which Google not only can't turn down, but can't even notify you if it's ongoing.
Regular run of the mill Google employee (even one working on G Suite) can't see anything of course. But I have no doubt there is a small group of Google employees who can see whatever the hell Google wants to see.
That said I don't quite get what the motivation would be, unless the reporting in question could be of material consequence to Google.
I think US government is a far more worrisome attack vector.
Keep it simple. Use Markdown and encryption. Cryptomator.org works well across most platforms. Editorial staff can track changes with CriticMarkup.
Shameless plug for Filewatch (https://filewatch.net), a client-side web application I made which enables you to see who your Google Drive files and folders are shared with.
Filewatch doesn't get any information about you or your files, no information about your files leaves your browser.
I just tried your tool. Pretty nice.
I think it would be helpful to add a filter:
- only files with other users
(Include any 'anyone with the link' files in the above)
Thanks for sharing your tool on HN.
I believe a newsroom located in the US can just as well be compelled by a court of law to hand over information on systems that it controls. Regardless of where the data is stored physically or whether it's self-hosted.
Newsrooms, let's also talk about threat models, and which of these G Suite concerns apply to your actual threats.
Why are Google employees snooping on my files in the first place?
Because you reached out to them for support and you want to make sure they're only looking at what they're supposed to
Doesn't this sound like a really good reason to work with a smaller private provider?
Don't do sensitive work on free services...
G Suite isn't free.
My business got grandfathered into G Suite for free since I used it from beta.
Actually, a smaller provider with effective canary policies....
Wow, that's a surprisingly fair and neutral write up, really good work!
First post here, hi! I would say that a good way to ditch Google from your information is to use PGP.
Can you elaborate on how to do this? Thanks.
Check out GPGTools ... it integrates with macOS Mail.app to send encrypted and/or cryptographically signed emails.
They claim that it "integrates the power of GPG into almost any application via the macOS Services context menu. It allows you to encrypt/decrypt, sign/verify text selections, files, folders and much more."
e2e encryption takes google mostly out of the loop (except for the "meta" data)
I urge you guys to check out some of the decentralized alternatives that are built on Ethereum or Lightning network. Here are some decentralized apps from Blockstack's App Mining program that have been gaining a lot of traction lately:
- Dmail (Gmail alternative): https://www.dmail.online/
Exact same comment as https://news.ycombinator.com/item?id=21209462 ?
That's great, but if it's only true until it isn't. The moments when that idea is false (however rare) are the life altering, permanent moments that result in irrevocable ruin for whomsoever might dare trust the promises and honor of